1. Who We Are
1.1 This Privacy Policy is issued by Stellamaris Cyprus Ltd, a private company limited by shares incorporated in the Republic of Cyprus under registration number HE 468345, with its registered office at A.G. Leventi 5, Leventis Gallery Tower, 13th floor, Flat/Office 1301, 1097 Nicosia, Republic of Cyprus ("QolorBeam", "we", "us", or "our").
1.2 QolorBeam operates a cloud-based business-to-business Software-as-a-Service platform designed for professionals working with Building Information Modelling (BIM). The Service assists customers in processing BIM Models and generating structured quantity data, comparisons, exports, material-related analytics, reports and other Outputs.
1.3 We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the data protection laws of the Republic of Cyprus, and other applicable data protection laws.
1.4 We have not appointed a formal Data Protection Officer at this stage because we do not currently consider such appointment mandatory under applicable law. Privacy-related questions and requests may be sent to privacy@qolorbeam.com.
2. Scope of This Policy
2.1 This Privacy Policy explains how we collect, use, share, retain and protect personal data in connection with the QolorBeam website, application, integrations, Customer Workspaces, Autodesk authentication, billing, support, analytics, marketing and related business communications.
2.2 The Service is intended exclusively for business customers and authorized professional users. It is not directed at consumers, private individuals acting in a personal capacity, or children.
2.3 This Privacy Policy should be read together with the QolorBeam Terms of Service, which include the Data Processing Terms applicable where QolorBeam processes personal data contained in Customer Data on behalf of a business customer. This Privacy Policy does not replace a business customer's own privacy notice to its personnel, clients, contractors or project participants.
2.4 Third-party services, including Autodesk, Stripe, Google and other providers, may process personal data under their own terms and privacy notices. This Privacy Policy does not replace those third-party notices.
3. Our Roles: Controller and Processor
3.1 Under data protection law, a controller decides why and how personal data is processed, while a processor processes personal data on behalf of, and under the instructions of, a controller.
3.2 We act as an independent controller for personal data processed for our own purposes, including Customer Workspace administration, Autodesk authentication, billing, payment, tax, customer relationship management, support, marketing, security, analytics, fraud prevention, legal compliance and business administration.
3.3 Where a business customer makes BIM Models, Customer Data or other content available through the Service and such data contains personal data, and we process that data on the customer's behalf and according to its instructions, we act as processor or sub-processor and the business customer acts as controller or processor, as applicable. That processing is governed by the Data Processing Terms included in our Terms of Service.
3.4 This Privacy Policy primarily describes processing for which QolorBeam acts as controller. Where we act as processor or sub-processor, the relevant business customer remains responsible for providing its own privacy notices and for ensuring a lawful basis for the personal data contained in Customer Data.
4. Customer Workspace and Autodesk Authentication
4.1 QolorBeam uses the concept of a Customer Workspace. A Customer Workspace is the workspace within QolorBeam assigned to a single business customer. It may contain one or more Authorized Users depending on the customer's Plan, seats and applicable limits.
4.2 Each Authorized User authenticates through their own individual Autodesk Account connected to Autodesk Construction Cloud or other supported Autodesk services. Unless QolorBeam provides otherwise, there is no independent QolorBeam password-based login.
4.3 We may receive, store and process Autodesk-related information such as Autodesk Account identifiers, name, business email address, authorization status, OAuth authorization data, OAuth tokens, refresh tokens, authorization grants, API access tokens, project and model permissions and integration logs required to connect to Autodesk services and provide the Service. We use this information only to operate the Autodesk integration, maintain authorized access, secure the Service and provide related support.
4.4 We do not collect or store Autodesk passwords. If an Autodesk Account is revoked, suspended, unavailable, insufficiently permissioned or disconnected, the Service may not function fully or at all for the affected Authorized User or Customer Workspace.
4.5 The business customer is responsible for ensuring that each Authorized User uses their own Autodesk Account and has the permissions and rights required to make relevant BIM Models available to QolorBeam.
5. Personal Data We Collect
5.1 We collect different categories of personal data depending on how you interact with QolorBeam. The main categories are set out below.
5.2 Account and identity data: name, business email address, job title, employer or organization, Customer Workspace role, Autodesk Account identifier and related account information.
5.3 Authentication and integration data: Autodesk authorization information, access status, project and model permissions, integration logs and related technical data needed to connect QolorBeam with Autodesk services. We do not collect or store Autodesk passwords.
5.4 Business and billing data: business name, registered or billing address, VAT or tax identification number, billing contact, Plan, subscription details, invoices, transaction records, payment status, refunds, chargebacks and related billing information. Full card numbers, CVV/CVC codes and similar payment credentials are processed directly by Stripe and are not stored by QolorBeam.
5.5 Usage and technical data: IP address, device information, browser type, operating system, log data, timestamps, pages or screens viewed, features used, exports, downloads, error logs, performance data and similar information generated when you use the Website or the Service.
5.6 Communications data: the content and metadata of communications with us, including support requests, emails, feedback, demos, sales communications and other correspondence.
5.7 Marketing and prospective customer data: business contact information that you provide to us, that we receive through referrals, events or business communications, or that we collect from publicly available business sources such as company websites, professional directories and professional networks, where permitted by law.
5.8 Customer Data: BIM Models, model metadata, project information, comments, tags, annotations, configuration settings, reports, exports and other content made available through the Service. Customer Data may incidentally contain personal data, for example names or contact details in BIM metadata, project documentation or file names.
5.9 We do not intentionally collect special categories of personal data, such as health, biometric, genetic, religious, political or similar sensitive data, through the Service. Such data should not be submitted to the Service unless expressly agreed in writing and supported by an appropriate legal basis.
6. BIM Models, Customer Data, Processed Data and Outputs
6.1 The Service is designed to process BIM Models and related Customer Data for business customers. BIM Models may be accessed through Autodesk Construction Cloud or other supported Autodesk services and may also be uploaded, submitted or otherwise made available through the Service if such functionality is offered.
6.2 Original BIM Models normally remain in Autodesk Construction Cloud and are accessed by QolorBeam through the Autodesk integration. QolorBeam does not normally store original BIM Models. QolorBeam stores extracted data, metadata, processed results, Outputs, configuration data and logs needed to provide, secure, support, maintain and improve the Service.
6.3 Processed data and Outputs may include geometric data, element properties, parameters, classifications, material-related information, quantity take-off results, comparisons, reports, exports, visualizations, AI-assisted insights and similar generated information.
6.4 As between QolorBeam and the business customer, Customer Data remains the customer's property. QolorBeam processes Customer Data only as described in this Privacy Policy, the Terms of Service, the Data Processing Terms included in the Terms of Service where applicable, and the customer's instructions where QolorBeam acts as processor.
6.5 The business customer is responsible for ensuring that it has all rights, permissions, notices, consents and lawful bases required to make Customer Data available to QolorBeam, including where Customer Data contains personal data, confidential information or third-party project information.
7. How We Collect Personal Data
7.1 We collect personal data directly from you when you register, authenticate, subscribe, use the Service, communicate with us, request support, attend a demo, provide feedback or otherwise interact with us.
7.2 We collect certain personal data automatically through your use of the Website and the Service, including via cookies, logs, analytics tools and similar technologies, subject to the cookie choices described in Section 10.
7.3 We receive certain personal data from third parties, including Autodesk for authentication and integration, Stripe for billing and payment confirmation, Google Analytics for website analytics where you consent, and business sources for B2B sales and marketing where permitted by law.
8. Purposes and Legal Bases for Processing
8.1 We process personal data only where we have a valid legal basis under the GDPR or other applicable data protection laws. The main purposes and legal bases are set out below.
| Purpose | Examples of processing | Legal basis |
|---|---|---|
| Providing the Service | Creating and managing Customer Workspaces, authenticating Authorized Users, connecting Autodesk Accounts, processing Customer Data and delivering Outputs. | Performance of a contract; legitimate interests in providing the Service to business customers. |
| Billing, payments and tax | Processing subscriptions, invoices, VAT/tax information, payment confirmations, refunds, chargebacks and accounting records. | Performance of a contract; legal obligations; legitimate interests in payment administration. |
| Support and communications | Responding to enquiries, support tickets, service notices, security notices and product-related communications. | Performance of a contract; legitimate interests in supporting customers. |
| Security and fraud prevention | Monitoring logs, detecting abuse, preventing fraud, investigating incidents, enforcing Terms and protecting the Service. | Legitimate interests; legal obligations where applicable. |
| Analytics and improvement | Understanding use of the Website and Service, improving performance, fixing defects and developing product features. | Consent for non-essential analytics cookies where required; legitimate interests for internal service analytics; aggregated or anonymized data where possible. |
| AI-assisted features | Automated extraction, classification, comparison, analytics, report generation and similar assistive features. | Performance of a contract; legitimate interests in providing and improving the Service; consent where required. |
| B2B marketing | Sending business-related marketing, product updates, invitations and sales communications to business contacts. | Consent where required; legitimate interests in B2B marketing, subject to opt-out rights. |
| Legal compliance and claims | Complying with law, responding to lawful requests, maintaining required records, resolving disputes and defending claims. | Legal obligations; legitimate interests in protecting rights and complying with law. |
8.2 Where we rely on legitimate interests, we balance those interests against your rights and freedoms. You may contact us at privacy@qolorbeam.com to request more information about our legitimate interest assessments.
9. Artificial Intelligence and Automated Processing
9.1 The Service may include features powered or assisted by artificial intelligence, machine learning, statistical models, automated classification, language models or similar technologies ("AI Features"). AI Features may assist with classification, extraction, comparison, analytics, anomaly detection, report generation and other functionality.
9.2 AI Features are assistive tools. They may process Customer Data, BIM metadata, Outputs, user instructions, configuration settings and related technical data only as necessary to provide the relevant functionality.
9.3 QolorBeam does not use Customer Data to train, fine-tune, retrain, develop, evaluate or improve AI or machine learning models, whether QolorBeam's own models or third-party models, unless the business customer has given explicit, separate opt-in consent for that specific purpose.
9.4 AI Features that process Customer Data are currently operated by QolorBeam on QolorBeam-controlled infrastructure and hardware. We do not currently use third-party AI providers to process Customer Data for AI Features. If this changes, we will update this Privacy Policy before such use or as otherwise required by law, and we will use appropriate contractual and technical safeguards.
9.5 QolorBeam does not make decisions based solely on automated processing, including profiling, that produce legal effects concerning individuals or similarly significant effects within the meaning of Article 22 GDPR.
9.6 Business customers and Authorized Users remain responsible for human review of AI-assisted Outputs, as further described in the Terms of Service.
10. Cookies, Google Analytics and Similar Technologies
10.1 We use cookies and similar technologies on the Website and, where necessary, within the Service. Strictly necessary cookies are required for security, authentication, session management, fraud prevention and operation of the Website or Service. These cookies do not require consent where they are strictly necessary.
10.2 We use Google Analytics to understand how visitors use our Website. Google Analytics may set cookies and collect usage and technical data such as IP address, device information, browser information and pages visited. Google Analytics is activated only after you consent through our cookie banner.
10.3 We do not use advertising pixels, remarketing cookies or social media tracking pixels unless this Privacy Policy, our cookie notice and the relevant consent mechanism are updated accordingly.
10.4 You can manage or withdraw cookie consent at any time through the cookie settings on our Website. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
| Cookie / technology category | Purpose | Consent |
|---|---|---|
| Strictly necessary cookies | Authentication, session management, security, fraud prevention and operation of the Website or Service. | No consent required where strictly necessary. |
| Google Analytics cookies | Website analytics, usage measurement and product improvement. | Used only after consent. |
| Functional preferences | Remembering basic preferences where such functionality is offered. | Consent where required. |
| Advertising or remarketing pixels | Not currently used unless introduced with updated notice and consent. | Would require consent before use. |
10.5 More detailed cookie names, durations and settings may be displayed and updated through the cookie banner or cookie settings on the Website.
11. Marketing Communications
11.1 We may send business-related marketing communications, newsletters, product updates, demo invitations or event invitations to business contacts where permitted by law.
11.2 Where consent is required, we will rely on consent. Where applicable law permits B2B marketing based on legitimate interests, we may rely on our legitimate interest in promoting QolorBeam to relevant business contacts, subject to your right to object or opt out at any time.
11.3 You can opt out of marketing communications at any time by using the unsubscribe link in our emails, by adjusting preferences where available, or by contacting privacy@qolorbeam.com. Service, billing, legal and security communications may still be sent where necessary.
12. When Personal Data Is Required
12.1 Certain personal data is necessary to provide the Service. If you do not provide required account, authentication or Autodesk authorization data, you may not be able to access or use the Service.
12.2 If required billing, payment, legal entity or tax information is not provided, we may be unable to process a subscription, issue invoices, apply VAT treatment or provide paid access.
12.3 If you do not consent to non-essential analytics cookies, you may still use the Website and Service, but analytics cookies will not be activated for your visit.
12.4 If a business customer does not provide Customer Data or Autodesk access rights required for a feature, QolorBeam may be unable to generate the relevant Outputs.
13. Service Providers, Sub-processors and Recipients
13.1 We use trusted third-party providers to operate, secure, support and improve the Service. Depending on the activity, a third party may act as our processor, our sub-processor, an independent controller, or a separate third-party service provider. We require processors and sub-processors to maintain appropriate confidentiality and security measures and to process personal data only in accordance with applicable contractual obligations.
13.2 The principal providers and recipient categories used or expected to be used by QolorBeam are listed below. The current sub-processor list is available on request.
| Provider / category | Purpose | Location / transfer safeguards |
|---|---|---|
| Autodesk | Autodesk Account authentication, Autodesk Construction Cloud access, Autodesk Platform Services integration and BIM Model access via Autodesk. | United States / global. Governed by Autodesk's own terms and privacy notice, with lawful transfer mechanisms such as Standard Contractual Clauses where applicable. |
| Stripe | Payment processing, subscription billing, invoicing, payment confirmation, fraud screening, refunds and chargebacks. | Stripe Payments Europe, Ltd. in Ireland, with group operations including the United States. EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses where applicable. Stripe may act as an independent controller for certain payment and compliance activities. |
| Contabo | Cloud hosting and infrastructure for the Service, including storage and processing of Service data in the selected hosting region. | European Union / Germany where the selected server region is Germany or another EU region. Data processing agreement in place or to be maintained. |
| Google Analytics | Website analytics, usage measurement and product improvement, subject to cookie consent. | United States / global. EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses where applicable. Used only after consent. |
| Email and communication providers | Transactional emails, service notices, support communications and business communications. | EU/EEA where available; Standard Contractual Clauses or other lawful transfer safeguards where applicable. |
| QolorBeam AI infrastructure | AI-assisted extraction, classification, comparison, analytics and report generation using QolorBeam-controlled infrastructure and hardware. | QolorBeam-controlled infrastructure and hardware. No third-party AI provider is currently used for Customer Data processed by AI Features. |
| Professional advisers | Legal, accounting, tax, audit, insurance and compliance advice. | EU/EEA or other locations as necessary. Disclosures limited to what is necessary and subject to confidentiality obligations. |
13.3 We may also disclose personal data where required by law, court order, regulator, tax authority or competent public authority; to establish, exercise or defend legal claims; to investigate fraud or security incidents; or in connection with a merger, acquisition, financing, restructuring or sale of business assets, subject to appropriate safeguards.
13.4 We do not sell personal data. We do not use Customer Data for third-party advertising. We do not use Customer Data to train AI models without explicit separate opt-in consent as described in Section 9.
14. International Data Transfers
14.1 We aim to host and process Service data within the European Union or European Economic Area (EEA) where reasonably practicable, including through EU-based hosting infrastructure when using Contabo's EU/Germany region.
14.2 Some providers, including Autodesk, Stripe and Google, may process personal data outside the EEA, including in the United States or other jurisdictions. QolorBeam currently operates AI Features that process Customer Data on QolorBeam-controlled infrastructure and hardware rather than through third-party AI providers.
14.3 Where personal data is transferred outside the EEA, we rely on appropriate safeguards recognized under the GDPR, which may include adequacy decisions, the EU-U.S. Data Privacy Framework for certified recipients, Standard Contractual Clauses, Binding Corporate Rules, data processing agreements and supplementary measures where appropriate.
14.4 You may contact us at privacy@qolorbeam.com to request more information about the safeguards used for a specific international transfer.
15. Data Retention
15.1 We retain personal data only for as long as necessary for the purposes for which it was collected, including to provide the Service, comply with legal, tax and accounting obligations, resolve disputes, maintain security, enforce agreements and protect legal rights.
15.2 The general retention periods or criteria we apply are set out below, unless a longer or shorter period is required or permitted by law, the Data Processing Terms, an Order Form, a legal hold, a security investigation or a customer instruction where we act as processor.
| Data category | Typical retention period / criteria |
|---|---|
| Account and identity data | For the duration of the customer relationship and normally up to 180 days after ordinary cancellation or expiry, unless longer retention is required or permitted for legal, tax, accounting, security, fraud prevention or dispute resolution purposes. |
| Customer Workspace data, Processed Data and Outputs | During the active subscription. Following ordinary cancellation or expiry: normally 90 days read-only access, followed by up to 90 days frozen storage, then deletion from active systems after approximately 180 days, except retained records. |
| Billing, invoices, VAT, tax and accounting records | For the period required or permitted under applicable Cyprus tax, accounting and legal obligations. |
| Support and communications data | Normally up to 24 months after the relevant request or communication is closed, unless needed longer for dispute, legal, security or compliance reasons. |
| Security logs and audit records | Normally up to 12 months from the relevant event, unless needed longer for security investigation, fraud prevention, legal or compliance reasons. |
| IP addresses and technical logs | Retained for security and operational purposes for limited periods according to system configuration, then deleted, anonymized or aggregated where appropriate. |
| Google Analytics data | Retained according to the configured Google Analytics retention settings and your cookie choices. |
| Marketing preferences and suppression records | Until you unsubscribe or object, plus a reasonable suppression period to ensure we respect your opt-out. |
| Legal claims and compliance records | For the duration of the relevant matter and the applicable limitation periods under Cyprus or other applicable law. |
| Backups | Retained for limited periods and overwritten in the ordinary course of operations; data in backups is protected and not used for active processing except restoration, security, legal or compliance purposes. |
15.3 Where we act as processor or sub-processor on behalf of a business customer, retention and deletion of personal data contained in Customer Data are governed by the Terms of Service, including the Data Processing Terms and the data export, retention and deletion provisions included in them.
16. Security
16.1 We implement appropriate technical and organizational measures designed to protect personal data and Customer Data against unauthorized access, loss, misuse, alteration and unlawful disclosure, taking into account the nature of the data, the Service and the risks involved.
16.2 These measures may include encryption in transit, secure hosting, access controls, role-based permissions, least-privilege internal access, logging, monitoring, backups, internal access restrictions, confidentiality obligations, sub-processor contractual controls and incident response procedures.
16.3 The business customer and Authorized Users are responsible for keeping Autodesk Accounts, devices, networks, access permissions and exported Outputs secure, and for promptly disabling access for people who no longer require it.
16.4 No method of transmission over the internet, electronic storage or processing system is completely secure. We cannot guarantee absolute security.
16.5 Where a personal data breach occurs and notification is required by applicable law, we will notify the competent supervisory authority and/or affected individuals as required by law. Where we act as processor, we will notify the relevant business customer in accordance with the Data Processing Terms included in our Terms of Service.
17. Your Rights
17.1 Subject to applicable law and the conditions set out in the GDPR, you may have the following rights in relation to your personal data: access, rectification, erasure, restriction, portability, objection to processing based on legitimate interests, objection to direct marketing, withdrawal of consent where processing is based on consent, and the right not to be subject to solely automated decisions producing legal or similarly significant effects.
17.2 To exercise your rights, please contact privacy@qolorbeam.com. We may need to verify your identity and authority before responding to your request.
17.3 We aim to respond to valid requests within one (1) month of receipt. Where a request is complex or numerous, this period may be extended by up to two (2) further months where permitted by law, in which case we will inform you of the extension and the reasons for it.
17.4 Where we process personal data as processor on behalf of a business customer, requests from individuals should be directed to that business customer as controller. We will assist the customer in responding to such requests as set out in the Data Processing Terms included in our Terms of Service.
17.5 You have the right to lodge a complaint with a supervisory authority. In Cyprus, this is the Office of the Commissioner for Personal Data Protection. You may also contact the supervisory authority in your country of residence, place of work or place of the alleged infringement.
18. Intended Audience and Children
18.1 QolorBeam is a professional B2B service intended for businesses and professionals working in architecture, engineering, construction, real estate development, BIM, quantity take-off, estimating, procurement and related sectors.
18.2 The Service is not designed for, marketed to, or intended for children or private consumers. We do not knowingly collect personal data from children through the Service.
18.3 If you believe that a child or private individual has provided personal data to us outside the intended scope of the Service, please contact privacy@qolorbeam.com.
19. Changes to This Privacy Policy
19.1 We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, technology, providers, legal requirements or operational needs.
19.2 Where changes are material, we will take reasonable steps to notify affected customers, for example by email, through the Service or through the Website. Your continued use of the Service after the updated Privacy Policy takes effect constitutes acknowledgement of the updated Privacy Policy to the extent permitted by applicable law.
20. Contact Us
20.1 For privacy-related questions, requests or complaints, please contact QolorBeam at privacy@qolorbeam.com.
20.2 For general support, please contact QolorBeam at support@qolorbeam.com.
20.3 Legal entity: Stellamaris Cyprus Ltd, a private company limited by shares incorporated in the Republic of Cyprus under registration number HE 468345.
20.4 Registered office: A.G. Leventi 5, Leventis Gallery Tower, 13th floor, Flat/Office 1301, 1097 Nicosia, Republic of Cyprus.