
Privacy Policy

Last updated · May 18, 2026

1. Who we are

MADCAP is a service operated by RedBeard, an Israeli entity (the "Company," "we," "us"). This Privacy Policy explains how we collect, use, share, and protect personal data when you use mad-cap.com and related services.

For the purposes of the EU General Data Protection Regulation ("GDPR"), RedBeard is the data controller for personal data we collect about you. For the purposes of California, Virginia, Colorado, Connecticut, Utah, and other US state privacy laws, we act as the "business," "controller," or equivalent term.

If you have any questions about this policy or our practices, contact us at eytan@redbeard.co.il.

2. Data we collect

We collect data in three buckets:

(a) Data you give us directly. Your name, email address, phone number, and shipping address when you place an order or create an account. Your prompts and any designs you upload. The payment information you enter is processed by PayPal. We never see your card details.

(b) Data we generate about you. The designs MADCAP generates from your prompts, your order history, your iteration history within a session, and the stitchability verdicts we calculated for your designs.

(c) Data we collect automatically. Standard web analytics: IP address (truncated for analytics), browser, device type, pages viewed, and how you interact with the site. This data is only collected if you grant analytics consent in the cookie banner.

3. Why we use it (lawful basis)

Under GDPR Article 6, every use of your personal data must rest on a lawful basis. Ours:

Contract performance (Art. 6(1)(b)). To take and fulfill your order: generating your design, processing payment via PayPal, shipping your cap, and providing customer support. Without this data we can't deliver what you bought.

Consent (Art. 6(1)(a)). Analytics cookies and marketing communications. You can withdraw consent at any time via the "Manage cookies" link in our footer or by emailing us.

Legitimate interest (Art. 6(1)(f)). Fraud prevention, IP / trademark moderation on prompts, securing the service, and improving our AI generation quality. We've balanced this against your rights and concluded the impact is minimal.

Legal obligation (Art. 6(1)(c)). Tax records, anti-money-laundering checks where applicable, and responses to lawful requests from authorities.

4. Who we share data with

We share data only with sub-processors that help us run the service. As of the last-updated date above, our sub-processors are:

  • Google Cloud / Firebase: hosting, database, authentication. Data centers may be in the EU or US depending on region.
  • Google AI (Gemini): generates your embroidery design from your prompt. Your prompt is sent to Google for processing.
  • PayPal: payment processing. PayPal collects payment-method data directly from you; we never store it.
  • Resend: transactional email delivery (order receipts, sign-in codes, status updates).
  • Morning (Greeninvoice): tax invoice issuance under Israeli tax law. Receives your name, email, and order total so the invoice can be issued in your name. Israeli service provider; data stays in Israel.
  • Google Cloud Vision SafeSearch: automated moderation of any image you upload as a design reference. Receives the uploaded image only; no other personal data.
  • Monday.com: our internal operations CRM. Receives order metadata (id, status, shipping address, your email, design preview link) so our team can fulfill the order. Not used for marketing.
  • Google Tag Manager / Google Analytics: only if you grant analytics consent.
  • Our embroidery production partner: receives the production-ready file for your design plus your shipping address to ship the physical cap. We share only what they need.

We do not sell your personal data. For California residents, this includes the CCPA/CPRA meaning of "sale." See Privacy Choices for US state-specific opt-out controls.

5. International transfers

RedBeard is based in Israel. Our sub-processors operate globally (Google, PayPal, Resend). When personal data flows out of the EU or UK to a country without an adequacy decision, we rely on Standard Contractual Clauses ("SCCs") or equivalent safeguards as required by Article 46 GDPR.

Israel has been recognized by the European Commission as providing an adequate level of data protection (Decision 2011/61/EU), so EU → Israel transfers are permitted without additional safeguards.

6. How long we keep data

We keep your data only as long as we need it. Concretely:

  • Account data: for as long as your account is active, plus 12 months after deletion (to handle late-arising disputes or refund requests).
  • Order records: 7 years, as required by Israeli tax law and standard accounting practice.
  • Designs you generated: kept indefinitely while your account is active. Deleted on request unless we need them for an open dispute.
  • Analytics data: 14 months (Google Analytics default).

7. Your rights (GDPR)

If you're in the EU, UK, or any country with similar rights, you can:

  • Access the personal data we hold about you (Article 15).
  • Correct inaccurate or incomplete data (Article 16).
  • Delete your data, subject to our legal retention requirements above (Article 17).
  • Restrict our processing of your data (Article 18).
  • Object to processing based on legitimate interest (Article 21).
  • Data portability: receive your data in a machine-readable format (Article 20).
  • Withdraw consent at any time, where consent was the basis (Article 7(3)).
  • Complain to a data protection authority, your local one in the EU, or any one that hears your complaint.

To exercise any of these rights, email us at eytan@redbeard.co.il. We'll respond within 30 days. There's no fee unless your request is excessive or repetitive.

8. US state-specific rights

If you're a resident of California, Virginia, Colorado, Connecticut, Utah, or another US state with comprehensive privacy law, you have specific rights including:

  • The right to know what personal information we collect, use, disclose, and (where applicable) sell or share.
  • The right to delete personal information.
  • The right to correct inaccurate personal information.
  • The right to opt out of the "sale" or "sharing" of personal information (CCPA/CPRA), or "targeted advertising" (VCDPA / CPA / CTDPA / UCPA).
  • The right not to be discriminated against for exercising any of these rights.

We don't sell personal information in the traditional sense. However, using marketing cookies for cross-context behavioral advertising may qualify as "sharing" under CCPA/CPRA. You can opt out at any time at Privacy Choices.

9. Children

MADCAP is not directed at children under 16, and we don't knowingly collect personal data from anyone under 16. If you believe a child has provided us their data, contact us and we'll delete it.

10. Security

We use industry-standard safeguards: TLS encryption for data in transit, encrypted storage at rest via Google Cloud, access controls scoped to least-privilege, and regular review of our security posture. No system is perfectly secure; if we learn of a breach affecting your data, we'll notify you and the relevant authorities as required by applicable law.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects when. Material changes will be communicated via email to active account holders and a banner on the site before they take effect.

12. Contact

Questions, requests, or complaints: eytan@redbeard.co.il. We respond within 30 days.