1. Introduction

Bezalel Design Lab ("Company," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, purchase our products, or use our software and services. This policy applies to all users worldwide, including those in the European Economic Area (EEA) and United Kingdom who are protected under the General Data Protection Regulation (GDPR).

2. Data Controller

Bezalel Design Lab is the data controller for the personal data we collect through our website and services. If you have questions about how your data is processed, contact us at privacy@bezaleldesignlab.com.

3. Information We Collect

We collect the following categories of personal data:

Information You Provide:

  • Account Information: Name, email address, and password when you create an account
  • Billing Information: Payment card details (processed securely by our payment processor, Stripe), billing address, and transaction history
  • Contact Information: Name, email, and message content when you submit a contact form or support request
  • Profile Information: Company name, job title, and professional details you optionally provide

Newsletter:

  • Email Address: When you subscribe to our newsletter via the signup form on our website

Information Collected Automatically:

  • Usage Data: Pages visited, features used, session duration, and interaction patterns
  • Device Information: Browser type, operating system, screen resolution, and device identifiers
  • Network Information: IP address, approximate geographic location, and referring URL
  • Cookies and Tracking: We use cookies and similar technologies as described in Section 8

Information Collected by Our Desktop Software:

Our desktop software products (such as HydraLink and other engineering tools) collect limited technical data when communicating with our licensing servers. We recognize that some of this data—particularly the machine identifier described below—may constitute personal data under the GDPR and similar data protection laws, because it can be linked to an identifiable individual through the associated license and account information.

  • License Validation: Each time the software validates your license, it transmits your license key, a machine identifier, and your computer’s machine name to our server. The machine identifier is a one-way hash (SHA-256) derived from your computer name and operating system version. We use this hash—rather than the raw values—as a data minimization measure. This data is used solely to verify that your license is valid, to enforce per-seat license limits, and to allow you to manage which computers are activated under your license.
  • Machine Name: Your computer’s name (e.g., “DESKTOP-ABC123”) is transmitted alongside the machine identifier to help you distinguish between activated machines in your account dashboard. Because users often include personal names in their computer name, we treat this as personal data.
  • Crash Reports: If the software encounters an error, it may send a crash report containing the machine identifier, software version, exception type, error message, and stack trace. Crash reports are used solely to diagnose and fix software defects and are not linked to your account for marketing purposes.

4. Legal Basis for Processing (GDPR)

For users in the EEA and UK, we process personal data under the following legal bases:

  • Contract Performance: Processing necessary to provide our software and services to you, including account management, license delivery, license validation, machine-binding enforcement, and customer support. The collection of machine identifiers during license validation is necessary to perform the license agreement you have entered into.
  • Legitimate Interests: Improving our products, diagnosing software defects via crash reports, preventing fraud and license abuse, ensuring security, and communicating about relevant product updates. We have assessed that these interests do not override your fundamental rights and freedoms.
  • Consent: Marketing communications and non-essential cookies, where you have given explicit consent
  • Legal Obligation: Compliance with tax, accounting, and other legal requirements

5. How We Use Your Information

We use collected data to:

  • Create and manage your account
  • Process payments and deliver software licenses
  • Provide customer support and respond to inquiries
  • Send transactional emails (purchase confirmations, license keys, password resets)
  • Send product updates and marketing communications (with your consent)
  • Analyze usage patterns to improve our software and website
  • Enforce license terms, including tracking which computers have activated a license to manage per-seat limits. Machine identifiers are used to count distinct activations and are not used to track your location or behavior.
  • Diagnose and fix software defects using crash report data. Crash data is processed in aggregate and is not used for profiling.
  • Detect and prevent fraud or unauthorized access
  • Comply with legal obligations

6. Data Sharing and Third Parties

We do not sell your personal data. We share data with the following categories of third parties only as necessary:

  • Payment Processor: Stripe processes your payment information. We do not store credit card numbers on our servers. See Stripe's Privacy Policy.
  • Email Service: We use a transactional email provider to send account-related communications
  • Analytics: We may use Google Analytics to understand website usage patterns. Data is aggregated and anonymized where possible.
  • Hosting Provider: Our website and database are hosted by IONOS (1&1) on servers located in the United States
  • Legal Requirements: We may disclose data if required by law, subpoena, or to protect our legal rights

7. Data Retention

We retain your data for as long as necessary to fulfill the purposes described in this policy:

  • Account Data: Retained while your account is active and for 30 days after a deletion request to allow recovery
  • Billing Records: Retained for 7 years to comply with tax and accounting regulations
  • Support Communications: Retained for 3 years after resolution
  • Usage Analytics: Aggregated data retained indefinitely; individual-level data deleted after 26 months
  • License Machine Bindings: Machine identifiers and machine names are retained while the associated license is active. When a license expires, is cancelled, or you deactivate a machine, the corresponding machine binding data is deleted within 30 days.
  • Crash Reports: Retained for 12 months, then automatically deleted
  • Newsletter Subscriptions: Retained until you unsubscribe

8. Cookies and Tracking Technologies

We use the following types of cookies:

  • Essential Cookies: Required for the website to function (session management, CSRF protection, authentication). These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors use our website. Set only with your consent.
  • Preference Cookies: Remember your settings and preferences. Set only with your consent.

You can manage cookie preferences through the cookie consent banner displayed on your first visit or by adjusting your browser settings.

9. Your Rights (GDPR — EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you, including any machine identifiers and machine names associated with your license
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten"), including machine binding records. Note that deleting machine bindings may require you to re-activate your software.
  • Restriction: Request that we limit processing of your data in certain circumstances
  • Data Portability: Request your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests or for direct marketing purposes
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Machine Deactivation: You may deactivate a machine from your license at any time through your account dashboard or by contacting us. Deactivation removes the stored machine identifier and machine name for that activation.

To exercise any of these rights, email us at privacy@bezaleldesignlab.com. We will respond within 30 days (or sooner as required by applicable law). You also have the right to lodge a complaint with a supervisory authority in your jurisdiction.

10. Your Rights (CCPA/CPRA — California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

Categories of personal information we collect (as defined by the CCPA):

  • Identifiers: Name, email address, IP address, machine identifiers, machine names
  • Commercial Information: Purchase history, license records
  • Internet/Electronic Activity: Website usage data, browser type, pages visited
  • Professional Information: Company name, job title (if provided)

To exercise your rights, email privacy@bezaleldesignlab.com or submit a request through your account dashboard. We will verify your identity before processing your request and respond within 45 days as required by law.

11. Your Rights (Other US States)

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with consumer privacy laws have similar rights to access, correct, delete, and opt out of certain data processing. To exercise these rights, email privacy@bezaleldesignlab.com. We will respond within the timeframe required by your state’s applicable law.

12. International Data Transfers

Our servers are located in the United States. If you are accessing our services from outside the US, your data will be transferred to and processed in the United States. For EEA/UK users, we rely on Standard Contractual Clauses approved by the European Commission to ensure adequate protection for cross-border data transfers.

13. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption of data in transit (TLS/SSL), encryption of sensitive data at rest, regular security audits, access controls limiting employee access to personal data, and secure software development practices. While we strive to protect your data, no method of transmission over the Internet is 100% secure.

14. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and post the updated policy on this page with a new "Last updated" date. We encourage you to review this policy periodically.

16. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Bezalel Design Lab
Attn: Privacy
Email: privacy@bezaleldesignlab.com