Privacy Policy

1. Who we are and what this covers

For personal data tied to workspaces (names, billing contacts, telemetry rows with user or firm identifiers), Keplerworks operates as data controller.

For BIM deliverables uploaded solely to fulfil your embodied carbon workflows, Keplerworks predominantly acts under your instructions (processor role in EU law terms) although we jointly determine analytical methodology.

This policy applies to browsers visiting keplerworks.io plus registered firms using IFC upload, embodied carbon routing, dashboards and CSV/PDF/JSON artefacts.

2. Data we collect

• Account & billing metadata: work email address, hashed password, firm label, Stripe customer linkage, tier/allowances, optional team seat manifests.
• Carbon workflow artefacts: IFC binaries during ingestion, BIM metadata parsed from them, embodied carbon aggregates, methodological labels, hotspots, summaries, persisted export bundles.
• Analysis geography signals: ISO country anchor you confirm, whether you accepted an auto-suggestion or overrode it, last remembered country for convenience.
• Session & security telemetry: signed session cookies, CSRF tokens, coarse IP/User-Agent metadata for rate limiting, authentication success/failure counters.
• Product analytics (server-side): firm-scoped events such as page views, sign-ins, analysis runs, exports, subscription changes — stored in our operational database, not shared with ad networks.

3. Storage and isolation

Structured state lives in managed PostgreSQL with firm-scoped access controls at the application layer. IFC blobs are written to application disk only for the parse/analyse window described in §5. Production hosting is currently provisioned in EU regions (for example Frankfurt) via providers such as Render and Neon; regions may change with notice to enterprise customers.

Optional voluntary profile fields (such as country, region, locality, optional contact number, job title, or notes you enter on the Manage Account page) are stored with your user record. We use them for product analytics and internal service improvement—for example to understand regional adoption—and we do not sell them to third parties. Retention follows your account lifecycle and the deletion practices in §5.

4. Lawful bases (UK GDPR / GDPR)

• Contract (Art. 6(1)(b)) — running accounts, parsing IFC, computing embodied carbon, rendering dashboards, enforcing quotas, delivering upgrades and invoices you purchase.
• Legitimate interests (Art. 6(1)(f)) — securing the platform, preventing abuse, debugging outages, and logging firm-scoped product analytics to understand feature adoption. You may object to non-essential analytics as described in §10; we will balance your rights against our needs.
• Legal obligation (Art. 6(1)(c)) — retaining purchase records, responding to lawful information requests, or meeting tax and accounting duties.

We do not use optional marketing cookies at this revision; only essential authentication cookies are set without a consent banner.

5. Retention & deletion

• IFC files: after a successful Carbon tool analysis run the platform deletes the uploaded IFC blob from application storage while retaining derived numeric results in the database. Interrupted uploads may leave fragments until routine cleanup; contact us to expedite removal.
• Analysis history: kept for active paid subscriptions until you delete an analysis or close the account (subject to legal holds).
• Free tier: analyses older than 30 days may be removed automatically when you load your history (see Pricing).
• Backups & logs: may persist for a limited period for disaster recovery and security investigations.

Immediate deletion requests (for example before routine windows elapse) can be submitted under §10.

6. Cookies & similar technologies

• Session cookie (keplerworks.sid): httpOnly session identifier for logged-in users; marked Secure and SameSite=Lax in production.
• CSRF token: supplied to the browser for authenticated uploads and other mutating API calls.
• No behavioural advertising stack runs on the marketing site or app shell at this policy date.

If we add optional analytics later, we will list cookie names, purposes and consent controls here.

7. Third-party processors & factor catalogues

• Stripe — cardholder data tokenisation, subscription state, invoices.
• Hosting & database vendors (e.g. Render, Neon) — compute, storage, backups.
• Transactional email providers — password resets and operational notices.
• Embodied carbon data services — we may query EC3 (Building Transparency), ECO Portal and Ökobaudat for material-level factors; their privacy policies govern any telemetry they collect from those API calls. National EPD programmes and industry databases also feed our internal factor tables.
• Reference datasets such as ICE v3.0 ship inside our application for default coverage.

Factor API calls send material search metadata, not your IFC geometry. Your model never leaves Keplerworks for those lookups.

8. International transfers

Some subprocessors process data outside the UK or EEA (for example US-based payment or email infrastructure). Where required we rely on UK IDTA / EU Standard Contractual Clauses, adequacy regulations or vendor accreditation schemes. You may request a summary of current safeguards via info@keplerworks.io.

9. Security

We apply tiered controls: password hashing, scoped database access, HTTPS transport, session hardening, rate limits and operational monitoring. No online service is perfectly secure — protect credentials, exports and locally cached IFC copies within your own IT policies.

10. Data subject rights

Where UK GDPR or GDPR applies you may request access, rectification, erasure, restriction, portability and may object to legitimate-interest processing. To exercise a right:

1. Email info@keplerworks.io from your registered address with subject line GDPR REQUEST.
2. Describe the workspace, whether you seek export, correction or deletion of specific analyses/users, and any deadlines (tenders, divestments).
3. We verify ownership (for example confirming control of the account email or firm admin delegation) before acting.

We aim to acknowledge within a few business days and conclude within statutory timeframes absent complex disputes.

For complaints, EU/UK supervisory authorities remain available (ico.org.uk guidance for UK users).

11. Children

Keplerworks is aimed at organisational users and is not directed at anyone under 16. If you believe we collected a child's data in error contact info@keplerworks.io and we will delete it promptly.