Privacy Policy

MACHALLY LLC ("MACHALLY," "we," "us," or "our") is a limited liability company organized under the laws of the State of Wyoming, United States of America, and is the Data Controller for personal information collected through machally.com and our related services. This Privacy Policy explains what information we collect, how we use and share it, the choices you have, and how we safeguard it. It applies to users worldwide, including the United States, the European Economic Area (EEA), the United Kingdom, and all other jurisdictions where we operate.

Personal Information You Provide

When you register an account, contact us, request a quote, or place an order, we collect the following information directly from you:

• Account Information: Name, email address, username, and password (stored as a one-way hash — we never see your plaintext password)
• Contact Information: Phone number, business address, shipping and billing addresses
• Business Information: Company name, job title, industry, business registration details
• Order Information: Products purchased, order history, shipping preferences. Payment card details are entered directly into Stripe's secure fields and never touch our servers; we only receive a tokenized reference and non-sensitive metadata (last 4 digits, card brand, billing country).
• Communication: Messages sent through contact forms, customer service inquiries, feedback, and quote-request threads
• Technical Specifications: Machine tool requirements, precision specifications, and custom tool requests

Information Automatically Collected

When you visit our website, we automatically collect certain information:

• Device Information: IP address, browser type, operating system, device identifiers
• Usage Data: Pages visited, time spent on site, click-through rates, search queries
• Cookies and Tracking: Session data, preferences, shopping cart contents
• Location Data: General geographic location inferred from your IP address, used to route you to the correct regional storefront and to comply with regional privacy laws

Information Received from Meta (Facebook Login)

If you choose to sign in or register with Facebook, Meta Platforms, Inc. shares a limited set of profile fields with us. The specific fields and our handling of that data are described in Section 5 (Facebook Login and Meta Platform Data). We do not receive your Facebook password, friend list, posts, messages, or any data beyond the fields listed there.

Other Third-Party Information

We may receive information about you from business partners, payment processors, shipping companies, and public databases for identity verification and fraud prevention purposes.

We use your personal information for the following purposes:

• Order Processing: Fulfill orders, process payments, arrange shipping, provide customer support
• Account Management: Create and maintain your account, verify identity, manage preferences
• Business Operations: B2B relationship management, credit assessment, approval workflows
• Communication: Send order confirmations, shipping updates, product information, and promotional materials
• Product Development: Understand customer needs, develop new machining tools, improve existing products
• Marketing: Personalized recommendations, targeted advertising, industry newsletters, conversion measurement
• Legal Compliance: Comply with applicable laws, prevent fraud, protect our rights
• Analytics: Improve website performance, analyze user behavior, optimize user experience

Analytics and User Behavior Data with Enhanced Privacy Protection

We use PostHog, a privacy-focused analytics platform, to understand how users interact with our website and improve your experience. Whether we use PostHog Cloud or self-hosted PostHog services, both implementations follow the same strict privacy protection principles and security measures outlined below.

All personal information, payment details, addresses, and sensitive business data is completely protected and never recorded.

Advertising and Conversion Tracking

We use the following third-party advertising tools to measure the effectiveness of our marketing campaigns and deliver relevant ads. In the EEA and UK these tools load only after you opt in via our consent banner.

• Meta Pixel (Facebook): Measures ad conversions from Facebook and Instagram, builds targeted audiences, and enables remarketing. Data is shared with Meta Platforms, Inc. subject to the Meta Data Policy.
• Google Ads (gtag.js): Measures the effectiveness of our Google advertising campaigns. Data is shared with Google LLC subject to the Google Privacy Policy.

Users outside the EEA and UK may opt out of personalized advertising through the following mechanisms:

• Meta: Facebook Ad Preferences
• Google: Google Ads Settings
• Industry opt-out: Digital Advertising Alliance

Your Privacy Controls

You maintain full control over your privacy and can opt out of analytics and advertising tracking through multiple methods:

• Consent Banner: EEA and UK users can accept, reject, or customize consent through our on-site banner
• Browser Settings: Enable "Do Not Track" or similar signals in your browser preferences
• Direct Contact: Email [email protected] to disable tracking for your specific account
• Browser Extensions: Use privacy-focused browser extensions that block analytics scripts
• Account Settings: Manage privacy preferences through your account dashboard

For users in the European Economic Area and the United Kingdom, we process your personal data based on the following legal grounds under Article 6 of the GDPR and UK GDPR:

• Contract Performance: To fulfill our contractual obligations when you make a purchase
• Legitimate Interest: For business operations, fraud prevention, and improving our services
• Consent: For marketing communications, non-essential cookies, Facebook Login, and similar purposes
• Legal Obligation: To comply with applicable laws and regulations

We do not sell your personal information. We share it only as described below, and only with recipients bound by written confidentiality and data-protection obligations.

Service Providers (Processors)

We engage the following categories of vetted service providers who process data on our behalf:

• Stripe, Inc. (USA) — payment processing and tax calculation
• Amazon Web Services, Inc. (USA) — cloud hosting, databases, and backups
• Cloudflare, Inc. (USA) — CDN, DNS, and DDoS protection
• Resend (USA) — transactional email delivery
• PostHog, Inc. (USA or self-hosted) — product analytics with strict PII masking
• MeiliSearch (self-hosted) — on-site search index
• Shipping carriers (e.g., FedEx, UPS, DHL, SF Express) — order fulfillment

Affiliated Companies

MACHALLY LLC has affiliated manufacturing and operations entities in the People's Republic of China (including Shenzhen-based affiliates). Authorized personnel at these affiliates may access a limited subset of your information — such as name, shipping address, and order details — strictly for order fulfillment, customer service, warranty handling, and product sourcing. Access is governed by intra-group confidentiality and data-protection obligations, with appropriate cross-border safeguards described in Section 6.

Business Partners

Authorized distributors and manufacturing partners (including for custom tool orders), subject to confidentiality obligations.

Advertising and Analytics Partners

Meta Platforms, Inc. and Google LLC receive event data (e.g., page views, add-to-cart, purchase events) via the Meta Pixel and Google Ads tag, subject to the consent controls described in Section 2.

• Legal Requirements: When required by law, court order, subpoena, or to protect our legal rights, our users, or the public.
• Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity under the same protections described here.
• With Your Consent: For any other purpose disclosed to you at the time of collection.

We do not sell, rent, or lease your personal information to third parties for their own marketing purposes, and we have not done so in the preceding 12 months.

We offer Facebook Login as an optional sign-in and registration method. When you choose to use it, you authorize Meta Platforms, Inc. ("Meta") to share specific information with us ("Platform Data"). This section describes our handling of Platform Data in accordance with the Meta Platform Terms and Developer Policies.

Fields We Receive From Meta

• Facebook User ID — a stable identifier used to link your Facebook identity to your MACHALLY account
• Name (first and last) as registered on Facebook
• Email address associated with your Facebook account, if you grant the email permission
• Profile picture URL
• A short-lived OAuth access token, used only server-side to verify your identity during sign-in and then discarded or stored encrypted for session continuity

We do not receive your Facebook password, friend list, posts, messages, groups, likes, or any other data beyond the fields listed above.

How We Use Platform Data

• Authenticate you and create or match your MACHALLY account
• Pre-fill your profile (name, email, avatar) to streamline registration
• Provide customer support when you contact us

We do not use Platform Data for advertising, targeting, profile enrichment, resale, or any purpose not disclosed here.

Retention

Platform Data is retained for the lifetime of your MACHALLY account. Upon account deletion or access-token expiry, we delete Platform Data within 30 days, except for information we are legally required to retain (e.g., invoice records that reference your name).

How to Disconnect and Delete Your Facebook Login Data

You have two ways to remove your Facebook Login data from our systems:

• Revoke the permission in your Facebook account: go to Settings & Privacy → Settings → Apps and Websites → MACHALLY → Remove. Meta will then send a deletion callback to our servers, and we will delete your Platform Data within 30 days.
• Email [email protected] with the subject "Delete my Facebook Login data" from the email address linked to your account. We will process the request within 30 days and confirm completion in writing.

For step-by-step instructions, see: Data Deletion Instructions

MACHALLY LLC, the Data Controller, is organized under the laws of the State of Wyoming, USA. Our primary website and backend systems are hosted on Amazon Web Services servers in the United States. By using our services, you acknowledge that your personal information will be transferred to, processed, and stored in the United States, where data protection laws may differ from those of your country of residence.

As disclosed in Section 4, authorized personnel at our affiliated entities in the People's Republic of China may access a limited subset of your personal information for order fulfillment, customer service, and product sourcing. We rely on the following safeguards for cross-border transfers:

• EEA → USA and EEA → China: EU Standard Contractual Clauses (Commission Decision 2021/914), supplemented by appropriate technical and organizational measures.
• UK → USA and UK → China: UK International Data Transfer Addendum (IDTA) to the EU SCCs, or the UK IDTA as a standalone instrument, as issued by the Information Commissioner's Office.
• China-based personnel access: Access by authorized personnel at our affiliates in the People's Republic of China to limited personal information stored in the United States is governed by intra-group confidentiality and data-protection agreements and is limited to the purposes described in Section 4.

To request a redacted copy of the safeguards in place, email [email protected].

We implement comprehensive security measures to protect your personal information:

• Encryption: SSL/TLS for data in transit; encrypted storage for sensitive data at rest
• Access Controls: Role-based access, multi-factor authentication, regular access reviews
• Infrastructure: Secure hosting on AWS, firewalls, intrusion detection, Cloudflare DDoS protection
• Monitoring: Regular security audits, vulnerability assessments, incident response procedures
• Staff Training: Regular privacy and security training for all employees and affiliated personnel
• Breach Notification: In the event of a personal data breach, we will notify affected users and supervisory authorities as required by applicable law (including GDPR / UK GDPR Articles 33 and 34, where applicable).

General Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data (subject to legal obligations)
• Portability: Request your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests or for direct marketing
• Restriction: Request limitation of processing in certain circumstances

To exercise any of these rights, email [email protected]. We will respond within 30 days (or as otherwise required by applicable law) and we do not charge a fee for handling a request.

EEA-Specific Rights (GDPR)

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation:

• Right to withdraw consent at any time, without affecting the lawfulness of prior processing
• Right to lodge a complaint with your local supervisory authority
• Right to object to automated decision-making, including profiling, where applicable

UK-Specific Rights (UK GDPR)

If you are located in the United Kingdom, you have equivalent rights under the UK GDPR and the Data Protection Act 2018, including the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

California Privacy Rights (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information (subject to exceptions)
• Right to opt out of the sale or sharing of personal information (we do not sell personal information, and we share it for cross-context behavioral advertising only after you consent via our banner)
• Right to correct inaccurate personal information
• Right to limit the use of sensitive personal information
• Right to non-discrimination for exercising your privacy rights

Other U.S. State Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, and other states with comprehensive privacy laws have rights substantially similar to those above. Email [email protected] to exercise these rights.

We use cookies and similar technologies to enable core site functionality and, with your consent, to measure site performance and advertising effectiveness. Our on-site consent banner lets you accept or customize the following categories:

• Essential Cookies (always active): Shopping cart, login sessions, checkout flow, load balancing, CSRF protection. These cannot be disabled without breaking core site functionality.
• Analytics & Marketing Cookies (opt-in in EEA and UK): PostHog (behavioral analytics with strict PII masking), Meta Pixel (Facebook and Instagram ad measurement), and the Google Ads tag (Google ad measurement). These tools load only after you click "Accept" or save your preferences on our consent banner.

You can withdraw or change your consent at any time by clearing our cookies and reopening the banner, or by emailing [email protected]. You can also control cookies through your browser settings; note that disabling essential cookies will limit website functionality.

We retain your personal information for as long as necessary to fulfill the purposes outlined in this policy:

• Account Data: Until account deletion or after 24 months of inactivity
• Order Information: 7 years for tax and accounting purposes
• Communication Records: 3 years for customer service purposes
• Marketing Data: Until you unsubscribe or object to processing
• Facebook Login / Platform Data: Lifetime of the linked account; deleted within 30 days after account deletion or access-token expiry
• Legal Requirements: As required by applicable laws and regulations

Our services are designed for businesses and professional machinists. We do not knowingly collect personal information from children under 13 years of age, and our services are not directed to children under 13. If you are under 13, you may not use our services or provide any personal information to us. For users aged 13–16 in the EEA and the UK, parental consent is required before we process personal information. If we become aware that we have collected personal information from a child in violation of this policy, we will delete it promptly. Parents or guardians who believe we may have collected information from a child may contact us at [email protected].

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting a notice on our website
• Sending an email notification to registered users
• Updating the "Last Updated" date at the top of this policy

Data Controller: MACHALLY LLC, a Wyoming limited liability company (United States).

For any questions about this Privacy Policy, to exercise your privacy rights, or to submit a complaint — including from the EEA or the United Kingdom — contact us at the addresses below. We acknowledge requests within a reasonable time and respond within 30 days.

Privacy: [email protected] · Support: [email protected]

This Privacy Policy and any disputes arising from or related to it are governed by the laws of the State of Wyoming, United States of America, without regard to conflict-of-law principles. Nothing in this section limits any mandatory rights you may have under the consumer-protection or privacy laws of your country of residence.