Legal

Privacy Policy

Last updated: May 17, 2026

1. Who We Are

LocusBIM Inc. ("LocusBIM", "we", "us", "our") is a Canadian corporation that develops and distributes BIM coordination software for Architecture and Engineering firms. Contact us at privacy@locusbim.com.

2. Scope

This policy covers:

  • The LocusBIM desktop application (Windows and macOS)
  • This website (locusbim.com) and its subdomains
  • Any related services we operate (license validation, LocusSync)

It does not cover third-party websites or services linked from our site.

3. Data We Collect

3.1 Application data — stored locally, never transmitted

By default, the LocusBIM desktop application stores all project data exclusively on your local machine:

  • PDF documents you open
  • 3D model files (GLB/GLTF)
  • Markup annotations and comments
  • Issues, screenshots, and coordination records
  • Layer configurations, custom stamps, and signatures

This data is stored in a SQLite database on your device. We have no access to it, we do not receive copies, and we do not process it on our servers.

3.2 License activation

When you activate a license key, the application makes a one-time validation request to our license server containing:

  • Your license key (opaque token)
  • An anonymous machine identifier (UUID, not linked to personal identity)
  • Application version number

We do not collect your name, email address, or IP address during offline HMAC-based validation. Online activation logs are purged automatically after 90 days.

3.3 Website

When you visit locusbim.com we may collect standard server access logs (IP address, browser user-agent, page requested, timestamp), retained for 30 days.

We use Google Analytics 4 to understand which pages are used and which tools convert. Analytics is opt-in: the gtag library loads with Consent Mode v2 defaults of denied, so no analytics cookies are set and no hits are sent to Google until you explicitly accept via the cookie banner at the bottom of the page. If you decline (or simply don't accept), no Google Analytics data is collected for your visit — the entire site, including all free in-browser PDF tools, continues to work normally.

We do not use advertising pixels, behavioural retargeting, third-party trackers, or social-login telemetry. The free in-browser PDF tools (split, combine, sign, annotate, rotate, convert) run entirely on your machine; the files you process never reach our servers regardless of your analytics choice.

3.4 Communications

If you email us or purchase a license, we collect your name, email address, and the content of your message, used only to respond to your inquiry or fulfill your purchase.

3.5 Application crash and error reports

Crash reports are off by default. When you opt in via Preferences → "Help improve LocusBIM" or via the first-run wizard, the desktop application sends crash dumps to our private observability backend — a self-hosted Grafana / Loki / Tempo / Prometheus stack running in AWS ca-central-1 (Montreal). Each report contains:

  • The error message and stack trace
  • The code location where the error occurred (file, function, line)
  • App version and OS platform (Windows / macOS / Linux)
  • A brief context object describing what the application was doing (e.g. opening PDF, rendering page 5, checking out PW document)
  • The most recent ~200 log lines and ~50 anonymised user actions ("tool selected", "page changed", "panel opened") leading up to the crash — IDs only, no titles, descriptions, or document content

We do not include user identity, file contents, project data, file paths, drawing geometry, markup annotations, or any PDF / 3D model bytes. Crash reports flow only to our private observability infrastructure — they are not sent to a third-party crash service. Reports help us fix bugs in subsequent releases and are retained for 90 days, then automatically deleted.

3.6 Manual bug reports

When you file a bug report from Help → Report a problem, the application shows you the full payload before submission so there are no surprises. The payload may include the items listed under 3.5 above plus your typed description, optional reproduction steps, and an optional screenshot you choose to attach. Bug reports are retained for 2 years to support follow-up correspondence, then deleted.

3.7 Funnel and lifecycle events

If you opt in (Preferences → "Send anonymous usage events"), the desktop application records anonymous lifecycle and behaviour events — for example: "first markup created", "BCF export used", "ProjectWise checked-out". These events feed our internal Conversion dashboard and help us understand which workflows are valuable to which kinds of firms.

Identity is stored only as HMAC hashes against a server-side pepper kept in AWS Secrets Manager (never in the database). The hash makes it impossible to recover your email or license key from a database read alone. Events are retained for 13 months, then deleted; permanent aggregates (counts only, no PII, no joinability) are kept for trend analysis. Opt-out at any time in Preferences — the toggle is the same surface as the crash report toggle, both default off.

3.8 Trial and conversion emails

When you request a download via locusbim.com, we collect your email address, name, and (optionally) role. The address receives the download link plus a CASL-compliant transactional cadence: a 7-day check-in, a 24-hour trial-end reminder, and occasional product updates. Every email carries the required CASL identity block and a one-click unsubscribe. The trial record is retained as long as the address remains subscribed; unsubscribing purges the record on the next nightly job.

4. How We Use Your Data

We use collected data only to:

  • Validate licenses and prevent fraud
  • Respond to support and sales inquiries
  • Comply with legal obligations

We do not sell, rent, or trade personal data to any third party, and we do not use your data for advertising.

5. Data Residency

LocusBIM is designed from the ground up for Canadian data residency:

  • All cloud services we operate run on AWS ca-central-1 (Montreal, Canada)
  • No project data is ever routed through US-hosted infrastructure
  • License validation requests are handled by our Canadian servers

See our PIPEDA Statement for a detailed compliance mapping.

6. Data Retention

  • Local application data: Retained on your device until you delete it. We hold no copy.
  • License activation logs: 90 days, then automatically deleted.
  • Application crash and error reports (opt-in only): 90 days, then automatically deleted. Deduplicated counts are kept indefinitely with no identifying data.
  • Manual bug reports: 2 years, then automatically deleted.
  • Funnel and lifecycle events (opt-in only): 13 months. Permanent aggregates (counts only, no PII) are kept for trend analysis.
  • Trial records: Retained while you remain subscribed; purged on unsubscribe.
  • Google Analytics (only if you accept): Retained per Google's default GA4 settings (currently 14 months); resettable per visitor via the cookie banner.
  • Email correspondence: Retained until the matter is resolved, then deleted.
  • Website access logs: 30 days.

7. Your Rights

Under PIPEDA and applicable Canadian privacy law, you have the right to know what personal information we hold, request correction of inaccurate data, withdraw consent for non-essential processing, and request deletion.

7.1 In-app self-serve deletion

From the desktop application, open Help → License → "Delete my data". The button purges every row we hold that is keyed by your license key or machine fingerprint hash — crash dumps, bug reports, lifecycle events, trial records, license activation history. Deletion is immediate; a summary lists what was removed.

Deduplicated group counts (e.g., "this crash has happened to N installs") may persist after deletion. These rows hold no identifying data — only a hashed fingerprint plus aggregate counters — so they cannot be linked back to you, but we keep them to track regression frequency. If you want these removed too, email us at privacy@locusbim.com.

7.2 Email-based deletion

For deletion requests that do not involve a desktop install (e.g., you only used the marketing site or the free PDF tool), email privacy@locusbim.com. We respond within 30 days.

8. Security

Our license validation and LocusSync collaboration servers run in AWS ca-central-1 (Montreal, Canada). None of your project data — PDFs, 3D models, markup annotations, issues, comments — passes through them; they handle only license key validation, anonymous session signaling for real-time collaboration, and update checks. See Section 3 for the full scope of what the application transmits.

We protect data in transit and at rest using TLS 1.3 for all server communication, HMAC-SHA256 for license key validation, IP-restricted admin access to license-server consoles, automated dependency security reviews on every release, and pre-startup database backups before each migration. To report a vulnerability, contact security@locusbim.com.

9. Children

Our software and services are not directed at children under 13. We do not knowingly collect personal information from children.

10. Changes to This Policy

Material changes will be noted on this page with an updated "Last updated" date. Continued use of the software or website after a change constitutes acceptance of the revised policy.

11. Contact

Privacy questions or requests: privacy@locusbim.com — subject line "Privacy Request — [your name]".