OpenConstructionERP Back to home
Privacy

Privacy Policy

Effective and last updated: April 18, 2026

This Privacy Policy describes how OpenConstructionERP ("the Software", "we") handles personal data when you self-host the Software or use an instance operated by DataDrivenConstruction ("DDC", the "Operator"). It is written to satisfy the baseline transparency obligations of the EU General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom Data Protection Act 2018, the California Consumer Privacy Act / CPRA, and the Brazilian Lei Geral de Protecao de Dados (LGPD).

Self-hosting note. When you deploy the Software on your own infrastructure, you become the data controller for your users, and DDC has no access to any data. This document is then a template you may adapt for your own users. The operator-specific clauses below apply only to the instance at openconstructionerp.com operated by DDC.

1. Data we process

CategoryExamplesLegal basis
Account dataemail, password hash, display name, localeContract (GDPR 6(1)(b))
Authentication datasession tokens, API keysContract
Project contentBOQ items, documents, CAD/BIM files, annotationsContract
Usage telemetry (anonymised)page timings, error reportsLegitimate interest (GDPR 6(1)(f))
Support correspondenceemails, issue commentsLegitimate interest
AI interaction logs (if configured)prompts and responsesConsent (GDPR 6(1)(a))

We do not collect special-category data (GDPR Art. 9), nor do we sell personal data as defined by the CCPA.

2. Where data is stored

  • The Software stores all content in the database you configure (PostgreSQL) and the object store you configure (local disk or S3-compatible).
  • For the DDC-operated instance, servers are located in the European Economic Area. No personal data is transferred outside the EEA except under Standard Contractual Clauses (EU 2021/914) when an AI provider you have configured is based outside the EEA.

3. Retention

CategoryDefault retention
Account dataUntil account deletion
Project contentUntil you delete it; deleted content is purged from backups within 35 days
Telemetry90 days
Support correspondence24 months
AI logs30 days unless you opt into a longer window

4. Your rights

Under GDPR / UK DPA / LGPD you may:

  • Access the personal data we hold about you (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Request erasure (Art. 17)
  • Restrict or object to processing (Art. 18 / 21)
  • Obtain your data in a portable format (Art. 20)
  • Withdraw consent at any time

Under CCPA / CPRA you may additionally:

  • Know what categories of personal information are collected
  • Opt out of sale or sharing (we do not sell)
  • Request deletion
  • Not be discriminated against for exercising these rights

You can delete your account and all associated personal data at any time from Settings, under the account danger zone. To exercise any other right, email info@datadrivenconstruction.io. We respond within 30 days (GDPR) or 45 days (CCPA).

5. Third-party processors

The DDC-operated instance uses these processors (self-hosted deployments may use different providers):

  • Infrastructure: Hetzner Online GmbH (EEA)
  • Email delivery: Amazon SES (SCC in place)
  • Error reporting: Sentry (optional)
  • AI providers: only those you enable, with API keys you supply. Each AI provider has its own privacy policy. Your prompts pass through the provider you selected.

6. Security

  • Passwords hashed with bcrypt
  • Transport over HTTPS / TLS 1.2+
  • Database encryption-at-rest (recommended for self-hosters)
  • Role-based access control with least-privilege defaults
  • Security issues: see the security policy on GitHub

7. Cookies

The Software uses only first-party, strictly-necessary and functional browser storage. No third-party advertising or tracking cookies are set. See the Cookie Policy for the full inventory.

8. Children

The Software is intended for professional use. We do not knowingly process personal data of children under 16 (or under 13 in the US).

9. Changes

Material changes to this policy are announced via the release notes and, for registered users on the DDC-operated instance, via email at least 30 days before taking effect.

10. Contact

  • Data controller (DDC instance): DataDrivenConstruction, Artem Boiko
  • Email: info@datadrivenconstruction.io
  • Supervisory authority: the data-protection authority in your EU member state; for users in the UK, the Information Commissioner's Office (ICO).

This policy provides a baseline and is not a substitute for legal advice. Before relying on it for a production deployment with third-party users, have it reviewed by a qualified privacy lawyer in the jurisdictions where you offer the service.

Home Imprint Privacy Policy Terms of Service Cookies

© 2026 OpenConstructionERP. AGPL-3.0 License.