This Privacy Policy describes how OpenConstructionERP ("the Software", "we") handles personal data when you self-host the Software or use an instance operated by DataDrivenConstruction ("DDC", the "Operator"). It is written to satisfy the baseline transparency obligations of the EU General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom Data Protection Act 2018, the California Consumer Privacy Act / CPRA, and the Brazilian Lei Geral de Protecao de Dados (LGPD).
Self-hosting note. When you deploy the Software on your own infrastructure, you become the data controller for your users, and DDC has no access to any data. This document is then a template you may adapt for your own users. The operator-specific clauses below apply only to the instance at openconstructionerp.com operated by DDC.
| Category | Examples | Legal basis |
|---|---|---|
| Account data | email, password hash, display name, locale | Contract (GDPR 6(1)(b)) |
| Authentication data | session tokens, API keys | Contract |
| Project content | BOQ items, documents, CAD/BIM files, annotations | Contract |
| Usage telemetry (anonymised) | page timings, error reports | Legitimate interest (GDPR 6(1)(f)) |
| Support correspondence | emails, issue comments | Legitimate interest |
| AI interaction logs (if configured) | prompts and responses | Consent (GDPR 6(1)(a)) |
We do not collect special-category data (GDPR Art. 9), nor do we sell personal data as defined by the CCPA.
| Category | Default retention |
|---|---|
| Account data | Until account deletion |
| Project content | Until you delete it; deleted content is purged from backups within 35 days |
| Telemetry | 90 days |
| Support correspondence | 24 months |
| AI logs | 30 days unless you opt into a longer window |
Under GDPR / UK DPA / LGPD you may:
Under CCPA / CPRA you may additionally:
You can delete your account and all associated personal data at any time from Settings, under the account danger zone. To exercise any other right, email info@datadrivenconstruction.io. We respond within 30 days (GDPR) or 45 days (CCPA).
The DDC-operated instance uses these processors (self-hosted deployments may use different providers):
The Software uses only first-party, strictly-necessary and functional browser storage. No third-party advertising or tracking cookies are set. See the Cookie Policy for the full inventory.
The Software is intended for professional use. We do not knowingly process personal data of children under 16 (or under 13 in the US).
Material changes to this policy are announced via the release notes and, for registered users on the DDC-operated instance, via email at least 30 days before taking effect.
This policy provides a baseline and is not a substitute for legal advice. Before relying on it for a production deployment with third-party users, have it reviewed by a qualified privacy lawyer in the jurisdictions where you offer the service.