Legal
Privacy Policy
Last updated: 20 May 2026
1. Introduction
This Privacy Policy explains how Smart Building Group (“we”, “us”, “our”) collects, uses, stores, and discloses personal information when you use Smart Building Design+ (the “Service”), including the website, application, and APIs that we operate. It also describes the limited information we access from third-party platforms such as Pinterest on your behalf.
By creating an account or otherwise using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
2. Information we collect
We collect only the information needed to operate the Service:
- Account data. Name, email address, hashed password, and account status that you provide when you register or that an administrator provides for you.
- Project data. Map coordinates, addresses, captured Street View imagery, 3D models, semantic JSON, CAD/DXF files, and BIM outputs generated when you run the design pipeline.
- Inspiration data. Pin URLs, board identifiers, board names, image thumbnails, and notes that you save inside the Service or that you import from connected accounts such as Pinterest.
- Technical data. Log entries, IP address, browser user-agent, error reports, and basic usage metrics needed to operate and secure the Service.
- Cookies and session tokens. A signed NextAuth session cookie that keeps you logged in, and (where you have connected a third-party account) a short-lived httpOnly token cookie such as pinterest_access_token.
We do not knowingly collect data from children under 16. We do not collect special categories of data (health, biometric, political opinions, etc.).
3. Pinterest data and the Pinterest API
If you connect a Pinterest account to Smart Building Design+, we use the official Pinterest API in accordance with the Pinterest Developer Guidelines and Developer Agreement. Specifically:
- What we request. We request only the minimum OAuth scopes required to read your boards and pins (for example boards:read and pins:read) so that you can browse them inside the inspiration workspace.
- How we use it. Pinterest data is used solely to display your boards and pins to you inside the Service and to let you organise them alongside your own project material. We do not use Pinterest data to train AI models, to build advertising profiles, or to enrich data about other users.
- How we store it. Your Pinterest access token is stored in an httpOnly, secure cookie that is sent only to our backend and is never exposed to browser JavaScript. We do not persist copies of your full Pinterest library on our servers; pin and board content is fetched on demand and cached only briefly to keep the interface responsive.
- What we never do. We do not sell, rent, or share Pinterest data with third parties. We do not republish your pins. We do not use Pinterest data for any purpose other than rendering the inspiration workspace you have asked us to render.
- Disconnection and deletion. You can disconnect Pinterest at any time from the inspiration workspace. When you do, your access token is deleted from our systems and we stop calling the Pinterest API on your behalf.
4. How we use information
We process personal information to:
- operate, secure, and improve the Service;
- authenticate you and protect your account from unauthorised access;
- run the BIM automation pipeline and return the outputs to you;
- connect to third-party APIs (Google Maps, Meshy, Anthropic, Fal.ai, Pinterest) that you ask us to use on your behalf;
- respond to support requests and communicate service-related notices;
- comply with our legal obligations and enforce our terms.
The lawful bases on which we rely under UK GDPR / EU GDPR are: performance of a contract with you, our legitimate interests in operating a secure service, your consent (for example when you connect a third-party account), and compliance with legal obligations.
5. Third-party services we use
We rely on a small number of trusted processors to provide the Service. Each one receives only the data needed for its function:
- Google Cloud Run — application hosting (containerised) in europe-west2.
- Google Maps / Street View APIs — capturing site imagery you request.
- Meshy AI — generating 3D meshes from captured imagery.
- Anthropic (Claude) — semantic analysis of imagery and Revit command generation.
- Fal.ai — optional visualisation step.
- Pinterest — read access to your boards and pins when you connect your Pinterest account (see Section 3).
We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
6. Data retention
We retain account data for as long as your account is active. Pipeline outputs are stored on the application’s container disk and are retained while the associated job is active; long-term retention will move to durable storage as the Service matures. Pinterest tokens are retained only until you disconnect or until they expire, whichever comes first.
You can request deletion of your account and associated data at any time by emailing us at the address in Section 10.
7. Security
We protect personal data with industry-standard controls: HTTPS in transit, signed session cookies, httpOnly storage of access tokens, secret management for API keys, principle-of-least-privilege scopes for third-party APIs, and isolation of the FastAPI backend behind an authenticated nginx ingress so that it is never reachable directly from the public internet.
No system is perfectly secure. If we become aware of a breach that affects your personal data, we will notify you and the relevant supervisory authority in accordance with applicable law.
8. International transfers
The Service is hosted in Google Cloud’s europe-west2 region (London). Some of our processors (for example Anthropic, Meshy, Fal.ai, and Pinterest) may process data in the United States. Where required, we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses to safeguard such transfers.
9. Your rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of your data;
- object to or restrict certain processing;
- withdraw consent at any time (for example by disconnecting Pinterest);
- lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.
To exercise any of these rights, contact us using the details in Section 10. We respond within 30 days.
10. Contact
Smart Building Group is the data controller for personal data processed through Smart Building Design+. Questions, deletion requests, or privacy concerns can be sent to:
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you inside the Service. Continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.