Privacy Policy

Effective: March 19, 2026

Machestra | machestra.com

General Contact: support@machestra.com

Contact: support@machestra.com

Machestra ("Machestra", "we", "us", or "our") operates a production scheduling platform for small and medium manufacturing businesses. This Privacy Policy explains how we collect, use, process, store, and protect information when you use our website and services.

This policy applies to all users of the Machestra platform and website.

By creating an account or using Machestra, you agree to the practices described in this Privacy Policy. This policy should be read together with our Terms of Service, Cookie Policy, and Security Policy.

1. Introduction

Machestra provides a cloud-based production scheduling platform used by manufacturers to manage machines, jobs, materials, and shop floor operations.

Because manufacturing companies often store sensitive operational data, protecting that data is central to our design and policies.

Key privacy principles at Machestra:

  • Customers retain full ownership of their operational data
  • We never sell customer data
  • We never use customer data for advertising
  • We never share data across tenants
  • We never train AI models on customer data
  • We only process customer data to provide the service

2. Information We Collect

2.1 Personal Information

Information you provide when creating or using an account may include:

  • Full name
  • Email address
  • Phone number (optional)
  • Company name
  • Job title or role (admin, manager, operator)

Authentication data:

  • Hashed password (bcrypt, never stored in plaintext)
  • Google OAuth profile data (email) when you choose Google sign-in

2.2 Usage Data

We automatically collect information about how users interact with the platform:

  • Activity logs (creating jobs, editing machines, updating materials, etc.)
  • Login timestamps
  • IP addresses
  • Browser type
  • Device type
  • Operating system

This information helps us operate the service securely and maintain audit trails.

2.3 Business Data (Customer Operational Data)

Machestra allows customers to store operational manufacturing data.

This data is owned entirely by the customer organization and may include:

  • Machine details, configurations, custom fields, notes, status
  • Job schedules and multi-step operations
  • Operator assignments and scheduling
  • Material and inventory records
  • Quantities, units, and stock levels
  • Custom operational fields and notes
  • Any information imported through CSV uploads

This information is referred to throughout this policy as Customer Business Data.

2.4 Cookies and Authentication Tokens

Machestra uses only essential cookies required for security and authentication.

Authentication cookies:

  • JWT Access Token — HTTP-only secure cookie, expires after 5 minutes
  • JWT Refresh Token — HTTP-only secure cookie, expires after 7 days (or 30 days when "remember me" is selected)

Security cookies provided by Cloudflare:

  • __cf_bm — bot management and DDoS protection
  • cf_clearance — security verification

Machestra does not use advertising cookies, marketing trackers, or third-party analytics cookies.

For more information, see our Cookie Policy.

3. How We Collect Information

Information you provide directly

  • Creating an account
  • Inviting users to your company workspace
  • Uploading CSV files
  • Entering operational data into the platform

Information collected automatically

  • Usage logs
  • Login records
  • System diagnostics
  • Security monitoring

Information from third-party authentication

If you choose Google sign-in, we receive limited profile information from Google, such as:

  • Email address

We only receive this information when you explicitly choose Google authentication.

4. Legal Basis for Processing (GDPR)

For users in the European Union, United Kingdom, or EEA, our legal basis for processing personal data includes:

Contract Performance

Processing necessary to provide the Machestra service you signed up for.

  • Account authentication
  • Managing users and permissions
  • Operating production scheduling features

Legitimate Interests

We process certain information to:

  • Maintain platform security
  • Prevent abuse and fraud
  • Monitor service performance
  • Maintain system logs

These interests are balanced against user privacy rights.

Consent

Used when applicable, such as:

  • Push notification permissions
  • Optional communications

Consent can be withdrawn at any time.

Legal Obligations

We may process data to comply with applicable laws or legal requests.

5. How We Use Information

We use collected information only to operate and improve the Machestra platform. Examples include:

  • Providing the production scheduling platform
  • Authenticating users and managing secure sessions
  • Enforcing role-based permissions (admin, manager, operator)
  • Sending transactional emails (email verification, password resets, user invitations)
  • Sending notification emails based on user preferences (job assignments, deadline reminders, job blocked alerts, machine status changes, low inventory alerts)
  • Delivering push notifications when users opt in (Growth plan). Push subscription tokens are stored on our servers and can be revoked at any time by unsubscribing.
  • Delivering weekly digest emails summarizing production activity (Growth plan, when enabled)
  • Providing real-time updates via WebSocket connections (Socket.io) — authenticated using the same JWT session; no additional credentials collected
  • Processing CSV imports and exports of your production data (machines, materials, jobs, users)
  • Generating analytics dashboards within each company workspace — metrics are computed from your own company data only, never aggregated across tenants
  • Maintaining activity logs for auditing
  • Detecting abuse, fraud, and suspicious activity
  • Rate limiting and security protection
  • Maintaining and improving the service

6. How We Do NOT Use Data

Machestra maintains strict limitations on how customer data is used. We do not:

  • Sell personal data or business data to any third party
  • Use customer operational data for advertising or marketing
  • Share data between companies (no cross-tenant access)
  • Train artificial intelligence or machine learning models on customer data
  • Perform cross-tenant analytics or benchmarking
  • Profile users for advertising purposes
  • Share data with data brokers
  • Use customer operational data to generate market insights

Your manufacturing operational data remains private to your company.

We may use anonymized, aggregated data that cannot identify any individual customer or company for internal analytics, service improvement, and general marketing statements (e.g., "we serve 500+ manufacturers"). This data is stripped of all identifying information and cannot be traced back to any specific customer.

7. Data Ownership

Customers retain full ownership of all data uploaded or created in Machestra. This includes:

  • Machines and machine configurations
  • Production schedules
  • Jobs and operations
  • Materials and inventory
  • Operator assignments
  • Custom fields and operational notes
  • Any CSV-imported information

Machestra acts solely as a data processor, processing this information only to provide the service.

We do not claim intellectual property rights over customer data.

Customers can export their data at any time using CSV export features available on all plans.

Upon account deletion, customer data is permanently removed within 30 days.

Customers requiring a Data Processing Agreement (DPA) may request one by contacting privacy@machestra.com.

8. How We Share Information

We do not sell or rent personal information.

We only share information with trusted service providers necessary to operate the platform.

These providers act as data sub-processors and are contractually required to maintain strong privacy protections.

Legal and Regulatory Disclosure

We may disclose your information if required to do so by law, or in response to valid legal process such as a subpoena, court order, or government request.

If we receive a legal request for your data, we will notify the affected customer before disclosure unless we are legally prohibited from doing so (e.g., by a court-issued gag order or applicable law).

9. Sub-Processors

Provider Purpose Data Handled Location
MongoDB Atlas (MongoDB Inc.) Database hosting All application data United States
Cloudflare (Cloudflare Inc.) CDN, DNS, DDoS protection, frontend hosting Security logs, cookies United States
Render (Render Services Inc.) Backend hosting Application processing United States
Redis / Upstash Rate limiting, background jobs Minimal operational data United States
Resend Email delivery Email addresses, notification content United States
Google OAuth authentication Email United States
Paddle Payment processing (Merchant of Record) Billing information, email address United Kingdom, Global

Paddle acts as our Merchant of Record and processes payment card data directly and securely. Machestra does not store payment card numbers. Paddle handles tax calculation, currency conversion, and compliance globally. Purchasing power parity (PPP) adjustments may apply based on your country.

10. Cookies and Tracking Technologies

Machestra uses only essential cookies required for authentication and security.

We do not use advertising trackers or behavioral analytics tools.

For detailed cookie information, see our Cookie Policy.

11. Data Retention

Business Data

  • Free Plan — 6 months
  • Starter Plan — 2 years
  • Growth Plan — 10 years

If a subscription is downgraded, data exceeding the new retention limit may be deleted after a 30-day grace period.

Account Status

  • Unverified accounts are deleted after 24 hours by an automated cleanup process.

Token Expiration

  • Access tokens — 5 minutes
  • Refresh tokens — 7 days (or 30 days with "remember me")
  • Invite tokens — 24 hours
  • Password reset tokens — 1 hour
  • Email verification tokens — 2 hours

Account Deletion

When a customer deletes their account, all company data is permanently deleted within 30 days.

12. Data Security Measures

Machestra implements multiple technical safeguards to protect data. Security measures include:

  • Password hashing using bcrypt
  • JWT tokens stored as HTTP-only cookies (protects against XSS)
  • TLS/HTTPS encryption for all data in transit
  • Encryption at rest via MongoDB Atlas
  • Role-based access control (admin, manager, operator)
  • Multi-tenant database isolation using companyId scoping
  • Rate limiting (150 requests/min general, 8 requests/min auth)
  • API input validation using Zod schemas
  • CORS restrictions
  • Admin account force-logout capability
  • Account activation and deactivation controls

While we implement strong safeguards, no system can guarantee absolute security.

13. Your Privacy Rights

Users may exercise privacy rights depending on their jurisdiction.

Requests can be sent to: privacy@machestra.com

GDPR Rights (EU / UK)

You have the right to:

  • Access your personal data
  • Correct inaccurate information
  • Request deletion of your data
  • Receive your data in a portable format
  • Restrict processing
  • Object to processing
  • Withdraw consent at any time
  • File a complaint with a supervisory authority

Machestra does not use automated decision-making or profiling.

We will respond to GDPR requests within 30 days.

CCPA / CPRA Rights (California Residents)

California residents have the right to:

  • Know what personal information we collect
  • Request deletion of personal information
  • Correct inaccurate information
  • Opt-out of sale of personal information (we do not sell data)
  • Limit use of sensitive personal information
  • Receive equal service regardless of exercising privacy rights

We will respond to requests within 45 days.

14. International Data Transfers

Machestra's infrastructure providers operate primarily in the United States.

Your information may therefore be processed in the United States regardless of your location.

For users in the EU, EEA, or UK:

  • Data transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.

All sub-processors are required to maintain adequate data protection standards.

If required under GDPR Article 27, information about our appointed EU representative will be made available on this page.

15. Children's Privacy

Machestra is designed for business use by professionals.

The service is not directed at individuals under 16 years old.

We do not knowingly collect personal data from children under 16.

If we discover such data has been collected, it will be deleted immediately.

16. Third-Party Links

Our website or platform may contain links to third-party websites.

We are not responsible for the privacy practices of those websites.

17. Do Not Track Signals

Some browsers send "Do Not Track" (DNT) signals.

Because Machestra does not track users for advertising or behavioral profiling, our services do not respond to DNT signals.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

  • Email notification
  • In-app notification

We will provide at least 30 days notice before significant changes take effect.

Continued use of the service after updates indicates acceptance of the revised policy.

19. Contact Information

For general inquiries: support@machestra.com

For privacy requests or data protection questions: privacy@machestra.com