Privacy Policy
Last updated: [DATE]
This Privacy Policy explains how [LEGAL ENTITY NAME] (“we”, “us”) collects, uses and protects your personal data when you use [SERVICE NAME] (the “Service”), in accordance with the European Union’s General Data Protection Regulation (GDPR) and other applicable law.
1. Data controller
The controller of your data is [LEGAL ENTITY NAME], with registered address at [REGISTERED ADDRESS]. You can contact us on privacy matters at [CONTACT EMAIL].
Where applicable, our representative in the European Union for the purposes of Art. 27 GDPR is [EU REPRESENTATIVE].
2. Data we collect
Account data: name, email address, password (stored encrypted via hashing) and preferred language.
Project data: information about projects, disciplines, deliverables, dates and other content you upload or generate in the Service.
Integration data: access tokens and file metadata from Autodesk Construction Cloud when you connect that integration. Access is read-only.
Technical data: IP address, device and browser type, and activity logs needed to operate and secure the Service.
3. Purposes and legal bases
We process your data to: (i) provide and maintain the Service and manage your account — legal basis: performance of the contract (Art. 6(1)(b) GDPR); (ii) send you operational notifications and reminders — legitimate interest (Art. 6(1)(f)); (iii) ensure security and prevent fraud — legitimate interest; (iv) comply with legal obligations (Art. 6(1)(c)); and (v) purposes for which you have given consent (Art. 6(1)(a)), which you may withdraw at any time.
4. Cookies
We use strictly necessary and functional cookies to operate the Service. You can find the details in our Cookie Policy.
5. Recipients and processors
We share data with providers acting as processors on our behalf, under the relevant data-processing agreements: Supabase (database and hosting), Vercel (application hosting), Resend (email delivery), Google (sign-in) and Autodesk (Construction Cloud integration).
We do not sell your personal data to third parties.
The full, up-to-date list of subprocessors is available on our Subprocessors page.
6. International transfers
Some of our providers may process data outside the European Economic Area. In those cases, we ensure an adequate level of protection through valid mechanisms, such as the Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Data retention
We retain your data while your account is active and for as long as necessary to fulfill the purposes described or applicable legal obligations. We then securely delete or anonymize it.
8. Security
We apply reasonable technical and organizational measures to protect your data, including password hashing and restricted access. No system is completely secure; in the event of a data breach affecting your rights, we will act in accordance with the notification obligations under the GDPR.
9. Your rights
Under the GDPR, you may exercise the rights of access, rectification, erasure, restriction of processing, portability and objection, and you may withdraw your consent at any time.
To exercise them, write to us at [CONTACT EMAIL]. You also have the right to lodge a complaint with the competent supervisory authority.
10. Minors
The Service is intended for professionals and not for minors. We do not knowingly collect data from individuals under the age legally required in their jurisdiction.
11. Changes to this policy
We may update this Privacy Policy. We will publish the current version with its last-updated date and, where changes are material, we will endeavor to notify you.
12. Contact and data protection officer
For privacy inquiries or to exercise your rights, contact us at [CONTACT EMAIL]. Our data protection officer (DPO), where applicable, is [DATA PROTECTION OFFICER].