Privacy Policy (EN)
Effective date: 2026‑03‑17
Purpose of this Privacy Policy
This Privacy Policy explains how we collect, use, store, share, and protect personal data when providing our Services. Its purpose is to offer clear and transparent information to all individuals who interact with our platform and to ensure compliance with applicable data protection laws, including the GDPR.
Who this Policy is for
This Privacy Policy applies to all users, visitors, customers, administrators, and any individuals whose personal data is processed when they access or use our Services. It includes employees, contractors, project participants, bidders, and any end‑users whose information is uploaded, generated, or managed within the platform.
Introduction
This Privacy Policy explains how UAB Engman Arccon (“Company”, “we”, “us”, “our”) collects, uses, stores, shares, and protects personal data across all our digital products and cloud‑based platforms, including:
- 3D/BIM viewing tools
- Common Data Environment (CDE)
- Document Management Systems (DMS)
- Tendering/bidding modules (BID)
- Collaboration, workflows, audit trails
- Any future modules
(collectively, the “Services”).
We process personal data in line with the EU GDPR and applicable laws.
Data Controller
UAB Engman Arccon Company Code: 304861433 VAT: LT100013026815 Registered office: A. Goštauto g. 8, LT‑01108 Vilnius, Lithuania Email: info@engman-arccon.com / support@sofidus.tech
Definitions
- Services – the full suite of our cloud products (3D/BIM Viewer, CDE, DMS, BID, workflows, and future modules).
- Personal Data – any information relating to an identified or identifiable natural person.
- Processing – any operation on Personal Data (collection, storage, access, transfer, deletion).
- Controller / Processor / Sub‑processor – as defined by GDPR.
- Customer Content / Project Data – files and data uploaded or generated in the Services (BIM, 3D files, drawings, PDFs, metadata, versions, bids, audit logs, etc.).
What our Services do
Our Services allow users to:
- upload, store, view, render, manage, and share project files,
- collaborate on BIM/3D models and documents,
- run workflows (approvals, issues, RFI, tasks),
- manage tenders/bids,
- maintain version history and audit logs.
Data we collect
Identity & contact
- name, email, organization, role
Account & authentication data
- credentials, hashed passwords, SSO identifiers (Microsoft Entra ID, Google, LinkedIn)
- we never receive your password from SSO providers
Roles & permissions
- team/project membership
- access levels
Project Data
- BIM/3D models, CAD/DWG/IFC, PDFs, office docs
- comments, issues, markups, attachments
- version history
BID/Tendering
- submissions, files, bidder details
- commercial info
Events & interactions
- registration forms, badge scans, agenda choices
Support
- tickets, chat, email threads
Data collected automatically
- Telemetry: IP, device/browser, OS, session IDs
- Usage logs: authentication, file views, uploads, approvals
- Audit logs: permission changes, workflow events
- Geolocation: region‑level based on IP
Payments
If you upgrade to a paid plan, we process:
- payer’s name
- address
- tax/VAT data
- invoicing data
We do not currently collect or store card data.
If online payments are introduced in the future, payment card data will be processed only by certified PCI‑DSS compliant providers.
From partners, events, and integrations
- Partners: business contact details for co‑hosted solutions
- Events: badge scans, preferences, session data
- API/SSO Integrations: identity attributes required to authenticate
Purposes and legal bases
We process Personal Data to:
- provide and operate BIM/CDE/DMS/BID Services (contract)
- secure accounts and content (legitimate interest, legal obligation)
- improve performance and features (legitimate interest; sometimes consent)
- support and assist customers (contract, legitimate interest)
- process payments (contract, legal obligation)
- manage events (contract, legitimate interest; photos/videos with consent)
- send optional marketing communications (consent)
Cookies
We use only essential cookies, required for secure Service operation (authentication, session stability). No analytics or marketing cookies are used. If optional cookies are added later — we will request consent.
AI functionality
We may introduce low‑risk AI features (search assistance, summarization, recommendations). All AI use complies with EU AI Act principles for low‑risk systems.
AI principles:
- No use of Customer Content for AI training without explicit opt‑in
- AI vendors act as GDPR Sub‑processors
- No high‑risk automated decisions
- AI outputs are assistive only, always reviewable by the Customer
- Additional transparency provided if new AI tools require consent
Microsoft ecosystem
Customer data is not used to train Microsoft AI models unless: 1) A feature explicitly provides opt‑in 2) The Customer enables that opt‑in
Sharing and disclosure
We share data only with:
- authorized sub‑processors (hosting, security, email delivery, signatures)
- partners for co‑hosted solutions
- legal/audit advisors
- authorities where required by law
- entities in mergers/acquisitions
We do not sell Personal Data.
Core hosting and identity are provided by Microsoft Azure and Microsoft Entra ID. Sub‑processors list is maintained in Annex III of our DPA.
International Data Transfers
Transfers outside the EEA (if any) use:
- Standard Contractual Clauses (SCCs)
- additional safeguards where needed
Security
We apply technical and organizational measures:
- encryption
- access controls
- monitoring
- integrity safeguards
Security controls are detailed in Annex II of our DPA.
Retention
We retain data only as long as necessary:
- Project files: for the project or subscription duration
- Logs: only as required for security
- Billing: legally required periods
After termination:
- Customer Content is retained up to 90 days
- Then soft‑deleted → permanently erased
- Customer may request earlier deletion
Your rights
You may:
- access, rectify, erase
- restrict or object
- port your data
- withdraw consent (optional processing)
Requests: info@engman-arccon.com / info@sofidus.tech
If we process data on behalf of a Customer, we refer you to that Controller.
Events & media
Event participation may involve:
- registration data
- photography/video
Notices and alternatives are provided where feasible.
Minors
We do not knowingly collect data from minors. If identified, such data is deleted.
Changes
We may update this Policy periodically. Material changes will be communicated clearly before taking effect. The effective date is always shown at the top.
Contact
UAB Engman Arccon info@engman-arccon.com / support@sofidus.tech A. Goštauto str. 8, LT‑01108 Vilnius, Lithuania
Participation in Microsoft Commercial Marketplace
When Services are acquired via Azure Marketplace/AppSource:
- Microsoft receives limited data for subscription, billing, metering
- Microsoft acts as an independent controller
- We receive only minimal publisher‑level data (tenant ID, subscription info)
- Microsoft privacy policies apply to Microsoft-owned data flows
Microsoft Identity (Entra ID) SSO Transparency
We receive only necessary attributes for authentication:
- Object ID
- Name
- Tenant ID
- Roles/groups (if assigned)
We do not receive passwords.
Data Processing Agreement (DPA)
The DPA applies automatically when we process Personal Data on behalf of a Customer:
- GDPR Article 28 compliance
- sub‑processors listed in Annex III
- SCCs for transfers
- deletion and security processes (Annex II)
Marketplace Customers are covered automatically; no separate signature is required unless requested.
DPA available via: info@engman-arccon.com / support@sofidus.tech