Privacy Policy
Last Updated: April 8, 2026
1. Introduction
Collibri ("we", "our", "us") is an online project management platform for 3D building architecture designers.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights
you have regarding your data. We are committed to protecting your privacy in accordance with the EU General
Data Protection Regulation (GDPR).
By registering an account and using Collibri, you confirm that you have read and accepted this Privacy Policy.
2. Data We Collect
| Category | Data | Purpose | Legal Basis |
| --- | --- | --- | --- |
| Account | Name, email address, password (hashed) | Authentication & identification | Contract (Art. 6(1)(b)) |
| Profile | Profile photo (optional), job role (optional) | Personalisation | Consent (Art. 6(1)(a)) |
| OAuth login | Name, email, profile picture URL from Google or Facebook | Authentication via third-party provider | Contract (Art. 6(1)(b)) |
| Project content | Uploaded 3D model files, rendered images, snapshots | Core service functionality | Contract (Art. 6(1)(b)) |
| Communication | Chat messages, file comments, task comments | Collaboration features | Contract (Art. 6(1)(b)) |
| Activity | Action logs (file uploads, task changes, project events) | Audit trail, project history | Legitimate interest (Art. 6(1)(f)) |
| Technical | Last login timestamp, account creation date | Security & session management | Legitimate interest (Art. 6(1)(f)) |
We do not collect IP addresses, browser fingerprints, or any tracking/analytics data.
3. Third-Party Services
The following third-party services may receive your data as part of normal platform operation:
- Google OAuth 2.0 — Used for "Sign in with Google". Google receives an authentication
request and returns your name, email, and profile picture. Governed by
Google's Privacy Policy.
- Facebook Login — Used for "Sign in with Facebook". Facebook returns your name and email.
Governed by Meta's Privacy Policy.
- Google Gemini API — Used for the AI Image Generation feature only. When you use this
feature, the text prompt you enter and any reference images you select are sent to Google's Gemini API
for processing. Do not include sensitive personal data in AI prompts. Governed by
Google's Privacy Policy.
This processing only occurs when you explicitly click "Generate Image".
- 3D Model Conversion Service — When uploading certain 3D model file formats
(.max, .skp, .rvt, .dwg), the file is sent to an external conversion service for format conversion.
The converted file is returned and the original is processed locally.
- SMTP Email Provider (Gmail) — Used to send account confirmation emails and
project invitation emails. Only your email address and the relevant confirmation link are transmitted.
4. Data Retention
We retain your data for as long as your account is active. Automated cleanup rules apply:
- Chat messages are deleted after 365 days.
- Activity log entries are deleted after 180 days.
- Task history entries are deleted after 365 days.
- Expired project invitations are deleted automatically.
- Unconfirmed accounts (email not confirmed) are deleted after 7 days.
- Accounts with no login activity for 5 years are automatically anonymised.
5. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Right of Access (Art. 15) — You can request a copy of all personal data we hold about you
via Profile → Export My Data.
- Right to Rectification (Art. 16) — You can update your name, email, and profile photo
at any time via your profile settings.
- Right to Erasure (Art. 17) — You can permanently delete your account and all associated
personal data via Profile → Danger Zone → Delete Account.
- Right to Data Portability (Art. 20) — Your data export (see above) is provided in
machine-readable JSON format.
- Right to Object (Art. 21) — You may object to processing based on legitimate interest
by contacting us.
6. Data Security
We implement the following technical measures to protect your data:
- Passwords are hashed using bcrypt (cost factor 12) — they are never stored in plain text.
- Authentication uses short-lived JWT tokens (24-hour expiry).
- Email confirmation is required before an account becomes active.
- CORS policy restricts cross-origin access to the Collibri domain only.
- All uploaded files are stored with randomised filenames to prevent enumeration.
7. Cookies
Collibri uses a single functional cookie (auth_token) to maintain your login session.
This cookie is strictly necessary for the service to function and does not require consent under GDPR.
We do not use any tracking, advertising, or analytics cookies.
8. Changes to This Policy
We may update this Privacy Policy when features change. The "Last Updated" date at the top of this page
reflects the most recent revision. Continued use of the service after changes constitutes acceptance.
9. Contact
For any questions or data subject requests, please contact:
Email: nagyhazi@gmail.com
Website: https://collibri.ai