Privacy Policy
Effective: 1 May 2026
1. Who we are
Planscape Ltd is a private limited company registered in Uganda, with offices in Kampala. We operate the Planscape platform — a Revit plugin, mobile app, and cloud service for BIM coordination. In the language of the Uganda Data Protection and Privacy Act 2019 (DPPA) and the EU General Data Protection Regulation (GDPR), Planscape Ltd is the data controller for personal data collected through our marketing site and account systems, and a data processor for project content uploaded by our customers.
2. What data we collect
We collect only what we need to operate the service:
- Account data — your name, email, organisation, role, and password hash (we use BCrypt; we never store plain-text passwords).
- Project metadata — project names, ISO 19650 codes, team membership, RIBA stages, and tag identifiers. We do not mine the geometric content of your Revit models.
- Usage logs — request URLs, response codes, timestamps, IP address, and user agent. Retained for 90 days for security and debugging.
- Device tokens — Firebase or Apple push notification tokens, used solely to deliver the notifications you've subscribed to.
- Billing information — name, billing address, currency preference, and a transaction ID from our payment processor. We do not store full card numbers; that data is held by Flutterwave or Stripe.
- Support correspondence — emails and chat transcripts when you contact us, retained while your account is open.
3. How we use it
We use your data to:
- Deliver the service you signed up for — authenticate you, sync your projects, send notifications, render documents.
- Maintain the audit-grade trail required by ISO 19650-2 §5.6 — every write operation is logged with actor, timestamp, and a hash chain.
- Bill your subscription and produce VAT-compliant invoices in your chosen currency.
- Provide support — respond to your questions, investigate issues you report.
- Improve the product — aggregate usage statistics tell us which features matter. We never sell or share individual usage data with third parties.
4. Lawful basis
Under DPPA 2019 and GDPR Article 6, our lawful bases are:
- Contract performance — for everything required to deliver the service you've paid for.
- Legitimate interests — for security logs, fraud prevention, and aggregate analytics.
- Legal obligation — for billing records (Uganda Income Tax Act, statutory retention) and audit trail records (ISO 19650-2, contract requirements with your appointing party).
- Consent — for marketing emails. You can withdraw consent at any time by clicking unsubscribe or emailing us.
5. Who we share it with
We share data only with the third-party processors needed to operate the service:
- Flutterwave (for African currency billing) and Stripe (for USD/EUR/GBP) — receive only what's required to process your subscription payment.
- Mapbox — receives anonymous tile-render requests when your team uses map-based features.
- Crisp — provides the in-app support chat. If you start a chat we share the message contents, your name, and email with Crisp.
- Firebase Cloud Messaging (Google) and Apple Push Notification Service — receive a notification token and message body when we send you a push notification.
- Hosting infrastructure — our primary database and object storage are operated in EU (Frankfurt) data centres under EU-standard physical security controls.
We do not sell your data. We do not share it with advertisers. We have no third-party tracking cookies on this site.
6. Data retention
- Active account data — kept while your account is open, plus 2 years after closure to support legitimate business and legal needs.
- Audit chain records — retained for 7 years to satisfy contract and statutory audit requirements. Erasure of these records would break the chain and invalidate the audit trail; see Section 7.
- Trial data — purged 30 days after a trial expires without conversion. We email a reminder 7 days before purge so you can export your data.
- Usage logs — 90 days.
- Support correspondence — duration of the account, then 90 days after closure.
7. Your rights
Under DPPA 2019 and GDPR, you have the right to:
- Access the data we hold about you.
- Rectification of inaccurate data.
- Erasure of your account data, except where we are legally required to retain it (audit chain records, billing records).
- Portability — export your project data in JSON, CSV, or BCF 2.1.
- Objection to processing based on legitimate interests; you can opt out of analytics at any time.
- Withdrawal of consent for marketing emails.
To exercise any of these rights, email privacy@planscape.build. We respond within 30 days. If you're not satisfied with our response you can complain to the Personal Data Protection Office of Uganda (PDPO) or, if you're an EU data subject, your local supervisory authority.
8. Cookies
We use a small number of cookies:
- Session cookie — required to keep you logged in. First-party, HTTPS-only, SameSite=Lax. No tracking.
- Mapbox — when the map renders, Mapbox may set functional cookies for tile caching.
- Crisp — the chat widget sets a cookie to remember your conversation across page loads.
We do not use Google Analytics, Facebook Pixel, or any other third-party tracking cookie.
9. International transfers
Our primary data region is EU (Frankfurt, Germany). When you sign up from Uganda or elsewhere outside the EU, your data is transferred to and stored in the EU. This transfer is covered by EU-standard contractual clauses (SCCs) between Planscape Ltd and our infrastructure providers, satisfying both DPPA 2019 §38 and GDPR Article 46. If you require in-country data residency, ask about our self-host option, which lets you run Planscape on your own infrastructure.
10. Contact
Privacy questions: privacy@planscape.build
General questions: hello@planscape.build
We commit to acknowledging any privacy enquiry within 5 working days and to providing a substantive response within 30 days.
11. Changes to this policy
We will update this policy as the product and the regulatory landscape evolve. The effective date at the top of this page reflects the most recent revision. For material changes — anything that meaningfully affects what data we collect, how we use it, or who we share it with — we will email all account holders at least 30 days before the change takes effect, so you have time to review and, if you wish, close your account before the new terms apply.