Privacy Policy
Last updated: January 2026
1. Introduction
Bombajom Patterns ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web-based SaaS application for digitally modifying sewing pattern PDFs.
By using our service, you agree to the collection and use of information in accordance with this policy. This policy applies to all visitors, users, and others who access or use the Service.
2. Data Controller
For the purposes of the EU General Data Protection Regulation (GDPR) and UK GDPR, the data controller is:
- Company: Bombajom Patterns
- Email: privacy@bombajom.com
- Data Protection Officer: dpo@bombajom.com
3. Information We Collect
3.1 Information You Provide
- Account Information: Email address, password (hashed and salted), and profile information you choose to provide
- Pattern Files: PDF sewing patterns you upload for modification
- Measurements: Body measurements (bust, high bust, waist, etc.) you enter for pattern adjustments
- Payment Information: Processed securely through Stripe - we do not store credit card numbers, CVVs, or full card details on our servers
- Communications: Emails, support requests, and feedback you send us
3.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent on the application, and interaction patterns
- Device Information: Browser type and version, operating system, device type, and screen resolution
- Log Data: IP address, access times, referring URLs, and error logs
- Cookies and Similar Technologies: See our Cookie Policy for details
4. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing pattern adjustment services | Performance of Contract (Art. 6(1)(b) GDPR) |
| Processing payments and subscriptions | Performance of Contract (Art. 6(1)(b) GDPR) |
| Sending service-related communications | Performance of Contract (Art. 6(1)(b) GDPR) |
| Analytics and service improvement | Legitimate Interest (Art. 6(1)(f) GDPR) |
| Security and fraud prevention | Legitimate Interest (Art. 6(1)(f) GDPR) |
| Marketing communications (where applicable) | Consent (Art. 6(1)(a) GDPR) |
| Non-essential cookies | Consent (Art. 6(1)(a) GDPR) |
| Legal compliance and disputes | Legal Obligation (Art. 6(1)(c) GDPR) |
5. How We Use Your Information
- Provide, maintain, and improve our pattern adjustment services
- Process payments and manage subscriptions
- Send service-related communications (account updates, support responses, important notices)
- Monitor and analyze usage patterns to improve user experience
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations and enforce our Terms of Service
- Respond to your inquiries and provide customer support
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of account + 30 days after deletion request |
| Pattern Files | Duration of account (deleted upon account deletion) |
| Body Measurements | Duration of account (can be deleted anytime via settings) |
| Payment Records | 7 years (legal/tax requirements) |
| Server Logs | 90 days |
| Analytics Data | 26 months (anonymized after) |
7. Data Storage and Security
We use industry-standard security measures to protect your data:
- Data encryption in transit (TLS 1.3) and at rest (AES-256)
- Secure authentication via Supabase with password hashing (bcrypt)
- Payment processing through PCI-DSS Level 1 compliant Stripe
- Regular security audits and penetration testing
- Access controls and authentication requirements for all staff
- Continuous monitoring and logging for security events
Your pattern files and measurements are stored securely in our cloud infrastructure. While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure.
8. Data Sharing and Disclosure
We do not sell your personal information. We may share your data only in the following circumstances:
8.1 Service Providers (Data Processors)
We use trusted third-party services to operate our platform:
- Supabase: Database and authentication services (EU data centers available)
- Stripe: Payment processing (PCI-DSS Level 1 certified)
- Vercel: Hosting and CDN (SOC 2 Type II certified)
- Sentry: Error monitoring and performance tracking
All service providers are bound by Data Processing Agreements (DPAs) that ensure GDPR-compliant data handling.
8.2 Other Disclosures
- Legal Requirements: When required by law, court order, or government regulation
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users)
- Protection of Rights: To protect the safety, rights, or property of Bombajom Patterns or others
- With Your Consent: When you explicitly authorize sharing
9. Your Rights (GDPR, UK GDPR & CCPA)
You have the following rights regarding your personal data:
- Right to Access (Art. 15 GDPR): Request a copy of your personal data
- Right to Rectification (Art. 16 GDPR): Correct inaccurate or incomplete data
- Right to Erasure (Art. 17 GDPR): Request deletion of your account and data ("Right to be Forgotten")
- Right to Data Portability (Art. 20 GDPR): Export your data in a machine-readable format (JSON/CSV)
- Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests
- Right to Restrict Processing (Art. 18 GDPR): Request limitation of processing in certain circumstances
- Right to Withdraw Consent (Art. 7 GDPR): Withdraw consent at any time where processing is based on consent
How to Exercise Your Rights
You can exercise most rights directly through your account settings. For data export, account deletion, or other requests, contact us at privacy@bombajom.com. We will respond within 30 days (as required by GDPR).
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. For EU residents, you can contact your local Data Protection Authority.
10. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence, including the United States. When we transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our service providers
- Adequacy Decisions: Transfers to countries with adequate data protection (e.g., UK, Switzerland)
- Data Processing Agreements: All processors are bound by GDPR-compliant DPAs
11. Children's Privacy
Our Service is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately at privacy@bombajom.com, and we will take steps to delete such information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page with an updated date
- Sending an email notification to registered users for significant changes
- Displaying a prominent notice in the application
Your continued use of the Service after changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about our data practices, please contact us:
- General Privacy Inquiries: privacy@bombajom.com
- Data Protection Officer: dpo@bombajom.com
- Security Concerns: security@bombajom.com