Privacy Policy

Last updated: 2 June 2026

This Privacy Policy describes how BIMMONT (“we”, “us”, “our”) collects, uses, and protects information when you use the BIMMONT platform at tools.bimmont.com.

For the data you enter while using the platform (your Customer Data), your Organization is the data controller and BIMMONT acts as a data processor on its behalf. For account and usage information, BIMMONT is the controller.

1. Information We Collect

1.1 Account information

When you create an account we collect your name, email address, and a hashed version of your password. Your profile may also include details you choose to add, such as a profile photo, short bio, phone number, and timezone. If you create or join an Organization, we also collect the organization name and your role within it.

1.2 Customer Data

Data you enter into the platform, including process flows, register rows, asset records, comments, and attachments, is stored to provide the service. We treat all Customer Data as confidential and do not use it for advertising or profiling.

1.3 Usage and device data

We collect basic usage information such as page views, feature usage, error logs, IP address, and browser type. Analytics that rely on cookies are collected only with your consent (see Cookies below); operational logs needed to run and secure the service are collected on the basis of our legitimate interest.

1.4 Security and audit data

To protect accounts we record sign-in events, including the time of your last sign-in, failed sign-in counts, and any temporary lockout status. Within a project we keep an append-only, tamper-evident audit log of changes (who changed what and when) to support security, accountability, and data integrity.

1.5 Integration credentials

If you connect an external system such as Aconex or Autodesk Construction Cloud, we store the OAuth access and refresh tokens needed to perform the transfers you configure. These tokens are encrypted at rest and can be revoked by disconnecting the integration.

2. How We Use Your Information

  • To provide, maintain, and improve the platform.
  • To send transactional emails (account verification, password changes, invitations, support replies).
  • To run the integrations and data transfers you configure with external systems.
  • To provide optional AI-assisted features when you choose to use them (see AI-Assisted Features below).
  • To understand how the platform is used, where you have consented to analytics cookies.
  • To detect and prevent fraud, abuse, and security incidents.
  • To respond to support requests and communicate about your account.

We do not sell your personal information, and we do not use Customer Data for advertising or profiling.

3. Cookies and Similar Technologies

We use a small number of cookies. They fall into the following categories:

  • Strictly necessary — a session cookie set when you sign in, which keeps you authenticated as you move between pages. This cannot be switched off, as the service does not work without it.
  • Functional — preferences that remember your active organization and active project so the workspace opens where you left off, plus a cookie that stores your cookie choice.
  • Analytics (optional) — with your consent, Google Analytics 4 sets cookies (such as the _ga cookie) to measure page views and feature usage. These run in Google Consent Mode and set no analytics cookies or identifiers until you select Accept in the cookie banner. You can change or withdraw your choice at any time using the Cookie settings link in the footer.
  • Advertising — none. We do not use advertising or cross-site tracking cookies.

4. AI-Assisted Features

Some optional features, such as AI-assisted flow generation and governance document drafting, use the Anthropic Claude API. When you choose to use one of these features, the project information you provide for that task (for example a project name, descriptions, process steps, and outline content) is sent to Anthropic to produce the result. We do not send your password or stored integration tokens.

Anthropic processes this input to return output and, under its commercial API terms, does not use it to train its models. AI-generated content is labelled as such in the product and should be reviewed before you rely on it. These features stay off unless you trigger them.

5. Third-Party Services and Sub-Processors

We use the following third-party services to operate the platform:

  • Neon (database hosting) — stores account and Customer Data in encrypted PostgreSQL databases.
  • Vercel (application hosting) — serves the web application and serverless functions, and processes request and operational logs.
  • Resend (transactional email) — delivers account verification, notification, and support emails.
  • Google (Google Analytics 4) — product analytics, used only after you consent to analytics cookies.
  • Anthropic (AI processing) — powers the optional AI-assisted features described above.

Each provider processes data under its own privacy terms and our applicable data-processing agreements.

6. Integrations You Connect

BIMMONT connects to external construction systems when you authorize them, currently Aconex (Oracle) and Autodesk Construction Cloud (Autodesk Platform Services). When you connect one, data moves between BIMMONT and that system according to the transfer rules you configure, and we store encrypted access tokens so those transfers can run. Those platforms process data under their own privacy policies. You can disconnect an integration at any time, which revokes our stored access.

7. International Data Transfers

Some of our providers process data in other countries, including the United States (for example Google and Anthropic). Where personal data is transferred outside your jurisdiction, we rely on appropriate safeguards such as the providers’ Standard Contractual Clauses and equivalent mechanisms.

8. Data Security

We implement industry-standard security measures including encrypted connections (TLS), hashed passwords (bcrypt), and secrets and integration tokens encrypted at rest (AES-256-GCM). We apply rate limiting and account lockout to resist brute-force attacks, role-based and attribute-based access controls to limit who can see what, and an append-only, tamper-evident audit log of changes within a project. Access to production systems is restricted to authorized personnel.

No system is perfectly secure. If you discover a security vulnerability, please report it to support@bimmont.com.

9. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will remove your personal information and Customer Data from active systems within 30 days. Backups may contain residual data for up to 90 days before automatic expiry. Audit-log records may be retained for the life of the relevant project to preserve integrity and accountability.

10. Your Rights

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — update or correct inaccurate information through your account settings or by contacting us.
  • Deletion — request deletion of your account and associated data.
  • Export — download your Customer Data in a portable format.
  • Objection — object to processing of your data for specific purposes.
  • Withdraw consent — change or withdraw your analytics cookie choice at any time using the Cookie settings link in the footer.

To exercise any of these rights, contact us at support@bimmont.com.

11. Children

The platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the platform at least 14 days before they take effect.

13. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at support@bimmont.com or through the contact form.