StudioDatum LogomarkStudioDatum

Privacy Policy

Effective DateDecember 11, 2025
Last UpdatedDecember 11, 2025
Version1.0.0

1. Introduction

Welcome to StudioDatum. We operate DatumOS, an AI-powered construction data platform that helps architecture, engineering, and construction (AEC) professionals search, analyze, and interact with their project data.

This Privacy Policy explains how StudioDatum, Inc. ("StudioDatum," "we," "our," or "us") collects, uses, discloses, and protects your personal information when you use our services, including:

  • DatumOS Application (datumos.app)
  • StudioDatum Website (studiodatum.com)
  • Mobile Applications (iOS and Android)
  • API Services
  • Related Services and Integrations

By using our services, you agree to the collection and use of information in accordance with this Privacy Policy.

Key Principles:

  • Transparency: We clearly explain what data we collect and why
  • User Control: You have rights to access, modify, and delete your data
  • Security: We implement industry-standard security measures
  • Minimal Collection: We only collect data necessary to provide our services
  • No Selling: We never sell your personal information to third parties

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

  • Name and email address (via Clerk authentication)
  • Profile information (optional: company, role, avatar)
  • Account preferences and settings

Content You Create:

  • Chat conversations with AI assistants
  • Artifacts (code, documents, diagrams generated by AI)
  • User-uploaded files and documents
  • Search queries
  • Feedback and support requests

Integration Credentials:

  • OAuth tokens for third-party services (encrypted):
    • Autodesk Construction Cloud (ACC)
    • Microsoft 365 / Azure AD
    • Google Workspace
  • Connection preferences and configurations

2.2 Information Collected Automatically

Usage Data:

  • Pages visited and features used
  • AI model selections (Claude, GPT-4, Gemini)
  • Tool invocations and AI interactions
  • Conversation metadata (timestamps, length, model used)
  • Error logs and diagnostic information

Device Information:

  • Browser type and version
  • Operating system
  • IP address (anonymized for analytics)
  • Device identifiers (for mobile apps)
  • Screen resolution and viewport size

Cookies and Tracking:

  • Session cookies (authentication)
  • Preference cookies (theme, settings)
  • Analytics cookies (Vercel Analytics)
  • See Section 8 for cookie details

2.3 Information from Third-Party Integrations

When you connect external services, we may access:

Autodesk Construction Cloud:

  • Project names and metadata
  • Document names and metadata (not file contents unless explicitly requested)
  • BIM model metadata
  • Project team information
  • Issues, RFIs, submittals metadata

Microsoft 365:

  • Email metadata (sender, subject, date)
  • Calendar event metadata
  • SharePoint document metadata
  • Teams conversation metadata
  • User directory information

Google Workspace:

  • Gmail metadata
  • Google Drive file metadata
  • Calendar event metadata
  • Google Docs metadata

Important: We only access this data when you explicitly use AI tools that require it. We do not continuously sync or store all your third-party data.

3. How We Use Your Information

3.1 Primary Purposes

To Provide Our Services:

  • Authenticate and manage your account
  • Process AI chat conversations and generate responses
  • Execute AI tools and integrations (search, data retrieval)
  • Store and retrieve your conversations and artifacts
  • Provide file upload and storage functionality
  • Enable multi-model AI selection

To Improve Our Services:

  • Analyze usage patterns to enhance features
  • Monitor performance and fix bugs
  • Train and improve AI tool performance (aggregated, anonymized)
  • Develop new features based on usage data

To Communicate With You:

  • Send service updates and announcements
  • Respond to support requests
  • Notify about security issues or policy changes
  • Send account-related emails (password resets, etc.)

To Ensure Security:

  • Detect and prevent fraud and abuse
  • Monitor for security vulnerabilities
  • Enforce our Terms of Service
  • Comply with legal obligations

3.2 Legal Basis for Processing (GDPR)

For users in the European Union, we process your data based on:

  • Contractual Necessity: To provide the services you requested
  • Legitimate Interest: To improve our services, ensure security, and prevent fraud
  • Consent: For optional features like analytics (you may withdraw consent anytime)
  • Legal Compliance: To comply with applicable laws and regulations

4. Data Storage and Security

4.1 Where We Store Your Data

Primary Infrastructure:

  • Hosting: Vercel (United States)
  • Database: Vercel Postgres (PostgreSQL with pgvector extension)
  • File Storage: Vercel Blob Storage
  • Authentication: Clerk (ISO 27001, SOC 2 Type II certified)

AI Processing:

  • Vercel AI Gateway: Routes requests to AI providers
  • AI Providers:
    • OpenAI (GPT-4, GPT-4o)
    • Anthropic (Claude 3.5 Sonnet, Claude Opus)
    • Google (Gemini Pro)
  • AI prompts are processed in real-time and not stored by providers (per our agreements)

Third-Party APIs:

  • Autodesk Platform Services (APS) - United States
  • Microsoft Graph API - Microsoft Azure datacenters
  • Google Cloud APIs - Google Cloud Platform datacenters

4.2 Security Measures

Encryption:

  • In Transit: TLS 1.3 for all connections
  • At Rest: AES-256 encryption for database and file storage
  • Credentials: OAuth tokens encrypted with industry-standard algorithms

Access Controls:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) available
  • Principle of least privilege for system access
  • Regular access audits

Infrastructure Security:

  • Vercel Enterprise-grade infrastructure
  • DDoS protection and rate limiting
  • Automated security updates
  • Regular vulnerability scanning

Application Security:

  • OWASP Top 10 protections
  • Content Security Policy (CSP)
  • SQL injection prevention (parameterized queries)
  • XSS protection (React automatic escaping)

4.3 Data Retention

Conversations and Artifacts:

  • Active Users: Retained for 90 days from creation
  • Deleted by User: Permanently deleted within 30 days
  • Inactive Accounts: Data deleted after 180 days of inactivity

Account Data:

  • Retained until you delete your account
  • Account deletion: All data permanently deleted within 30 days

Audit Logs:

  • Security logs retained for 1 year
  • Analytics data (anonymized) retained for 2 years

Backups:

  • Encrypted backups retained for 30 days
  • Deleted data removed from backups within 30 days

You can request early deletion of your data at any time (see Section 7).

5. Third-Party Services

We use the following third-party services to operate DatumOS:

Service Purpose Privacy Policy
Clerk Authentication and user management Clerk Privacy Policy
Vercel Hosting, database, blob storage, analytics Vercel Privacy Policy
OpenAI AI model inference (GPT-4, GPT-4o) OpenAI Privacy Policy
Anthropic AI model inference (Claude) Anthropic Privacy Policy
Google AI model inference (Gemini) Google Privacy Policy
Autodesk Construction Cloud API access Autodesk Privacy Policy
Microsoft Microsoft 365 / Graph API access Microsoft Privacy Policy
Google Cloud Google Workspace API access Google Cloud Privacy
Tavily Web search API Tavily Privacy Policy

Data Processing Agreements:

  • We have Data Processing Agreements (DPAs) with all critical vendors
  • GDPR-compliant Standard Contractual Clauses (SCCs) for EU data transfers
  • Regular vendor security assessments

Your Third-Party Data:

  • When you connect Autodesk, Microsoft, or Google accounts, you authorize us to access specific data via OAuth
  • We only access data when you use features requiring it (on-demand, not continuous sync)
  • You can revoke access anytime in Settings → Connections

6. Data Sharing and Disclosure

6.1 We Do NOT Sell Your Data

We never sell, rent, or trade your personal information to third parties for marketing purposes.

6.2 When We Share Data

Service Providers:

  • Third-party processors listed in Section 5
  • Only share data necessary for service delivery
  • Bound by contractual confidentiality obligations

AI Providers:

  • Prompts sent to AI models for inference
  • Anthropic, OpenAI, Google do not use our data for training (per our agreements)
  • AI Gateway anonymizes requests

At Your Direction:

  • When you explicitly share artifacts or links
  • When you export data
  • When you grant access to team members (future feature)

Legal Compliance:

  • In response to valid legal requests (subpoenas, court orders)
  • To comply with applicable laws and regulations
  • To protect our rights, privacy, safety, or property
  • To enforce our Terms of Service

Business Transfers:

  • In the event of a merger, acquisition, or sale of assets
  • Your data would be transferred under the same privacy protections
  • You would be notified via email and given opt-out options

6.3 Aggregated Data

We may share aggregated, anonymized data that does not identify you:

  • Usage statistics (e.g., "50% of users prefer Claude over GPT-4")
  • Performance metrics
  • Industry research and trends

7. Your Rights and Choices

7.1 Access and Portability

Right to Access:

  • View all your conversations and artifacts in the app
  • Request a copy of your data via Settings → Data Export
  • Receive data in JSON format within 30 days

Data Portability:

  • Export conversations as Markdown
  • Export artifacts as source files
  • Download uploaded files

7.2 Correction and Deletion

Right to Rectify:

  • Update your profile information in Settings
  • Correct inaccuracies in your account data

Right to Delete:

  • Delete individual conversations and artifacts
  • Delete your entire account via Settings → Delete Account
  • All data permanently deleted within 30 days

7.3 Opt-Out and Consent

Marketing Communications:

  • Unsubscribe from promotional emails (link in footer)
  • Transactional emails (security alerts, password resets) cannot be disabled

Analytics:

  • Opt out of Vercel Analytics via Settings → Privacy
  • Browser Do Not Track (DNT) signal honored

Third-Party Connections:

  • Disconnect Autodesk, Microsoft, or Google in Settings → Connections
  • Revoke OAuth access in respective provider settings

7.4 EU User Rights (GDPR)

If you are in the European Union, you have additional rights:

  • Right to Object: Object to processing based on legitimate interest
  • Right to Restrict: Request limited processing of your data
  • Right to Complain: Lodge a complaint with your local data protection authority
  • Right to Withdraw Consent: Withdraw consent for optional features anytime

To Exercise Your Rights:

  • Email: privacy@studiodatum.com
  • Subject: "GDPR Data Request - [Your Request]"
  • We will respond within 30 days

7.5 California User Rights (CCPA)

If you are a California resident, you have rights under CCPA:

Categories of Data Collected: See Section 2 Sources: Directly from you, automatically, from third-party integrations Business Purpose: See Section 3 Third Parties: See Section 5

Your CCPA Rights:

  • Right to Know: Request details about data collection (once per year)
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We don't sell data, so no opt-out needed
  • Non-Discrimination: We won't discriminate for exercising your rights

To Exercise Your Rights:

  • Email: privacy@studiodatum.com
  • Subject: "CCPA Data Request - [Your Request]"
  • We may verify your identity before fulfilling requests

8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

Essential Cookies (Required):

  • __clerk_db_jwt - Authentication session
  • __session - User session management
  • Purpose: Required for app functionality
  • Expiration: Session or 7 days

Preference Cookies (Optional):

  • theme - Dark/light mode preference
  • sidebar_state - UI state
  • model_preference - Default AI model
  • Purpose: Remember your settings
  • Expiration: 1 year

Analytics Cookies (Optional):

  • Vercel Analytics (anonymous)
  • Purpose: Understand usage patterns
  • Expiration: 1 year
  • Opt-out: Settings → Privacy

8.2 Third-Party Cookies

We do not use third-party advertising cookies or tracking pixels.

8.3 Managing Cookies

Browser Settings:

  • Block cookies in browser settings
  • May affect functionality

App Settings:

  • Disable analytics in Settings → Privacy
  • Essential cookies cannot be disabled (required for security)

Do Not Track:

  • We honor DNT browser signals for analytics

9. Children's Privacy (COPPA)

DatumOS is not intended for children under 13 years old.

  • We do not knowingly collect data from children under 13
  • If we discover we have collected data from a child under 13, we will delete it immediately
  • Parents: If you believe your child has provided us with personal information, contact us at privacy@studiodatum.com

Age Verification:

  • Users must be at least 13 years old to create an account
  • Users under 18 should have parental consent

10. International Users and Data Transfers

10.1 Data Transfer to the United States

DatumOS is operated from the United States. If you are located outside the U.S., your data will be transferred to and processed in the United States.

For EU Users:

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all vendors
  • GDPR compliance measures in place

For UK Users:

  • We comply with UK GDPR and UK data protection laws
  • International Data Transfer Agreement (IDTA) in place

For Other Jurisdictions:

  • We comply with applicable data protection laws
  • Contact us for jurisdiction-specific questions: privacy@studiodatum.com

10.2 Cross-Border Data Flows

Your data may be accessed by:

  • Vercel (US infrastructure)
  • AI providers (OpenAI, Anthropic, Google - US-based)
  • Third-party API providers (Autodesk, Microsoft, Google - global)

All transfers are protected by appropriate safeguards (DPAs, SCCs, encryption).

11. Changes to This Privacy Policy

11.1 How We Update This Policy

We may update this Privacy Policy to reflect:

  • Changes in our services or features
  • Legal or regulatory requirements
  • Industry best practices
  • User feedback

11.2 Notification of Changes

Minor Changes (version x.x.1 → x.x.2):

  • Updated "Last Updated" date
  • No additional notification

Significant Changes (version x.1.0 → x.2.0 or 1.x → 2.x):

  • Email notification to all users
  • In-app banner for 30 days
  • 30-day notice before changes take effect (when possible)

Your Continued Use:

  • Continued use of DatumOS after changes constitutes acceptance
  • If you disagree, you may delete your account

11.3 Version History

See Revision History section below for all changes.

12. Contact Information

12.1 Privacy Questions

Email: privacy@studiodatum.com

Mail: StudioDatum, Inc. [Street Address] [City, State ZIP] United States

Response Time: We aim to respond within 5 business days.

12.2 Data Protection Officer

For GDPR-related inquiries:

Email: dpo@studiodatum.com (If we have not appointed a DPO, use privacy@studiodatum.com)

12.3 Security Vulnerabilities

For security issues, see our Security Policy.

Email: security@studiodatum.com

13. Additional Resources

Revision History

Version Date Changes Commit Diff
1.0.0 2025-12-11 Initial publication [Pending] -

How to view changes:

  1. Click commit link to see specific change
  2. Click "View diff" to compare versions
  3. All changes tracked in GitHub repository

Summary

What we collect:

  • Account info (name, email)
  • Conversations and artifacts you create
  • Usage data and analytics
  • Data from connected third-party services (when you use them)

Why we collect it:

  • To provide AI-powered construction data search and chat
  • To improve our services
  • To ensure security and prevent abuse

What we DON'T do:

  • Sell your data
  • Use your data to train AI models
  • Continuously sync third-party data without your action
  • Share data except as described in this policy

Your control:

  • Access, export, and delete your data anytime
  • Disconnect third-party integrations anytime
  • Opt out of analytics
  • Full transparency via this policy

Questions? Contact privacy@studiodatum.com

Last Updated: December 11, 2025 Effective Date: December 11, 2025 Version: 1.0.0

This Privacy Policy was drafted with care, but is not a substitute for legal counsel. StudioDatum recommends having this reviewed by a qualified attorney before publication.