Your privacy at Adalense

We collect only the data needed to provide and bill the service. Four categories:

• Account data. First name, last name, email, company, phone (optional), password (bcrypt-hashed — we never see your password in clear text).
• Billing data. Postal address, Stripe customer ID. Your payment card details never pass through our servers — they are entered directly with Stripe (PCI-DSS level 1).
• License and usage data. License keys, named-seat assignments, anonymised machine IDs, last heartbeat timestamp. No Revit modelling data is transmitted.
• Technical data. Server logs (IP, user agent, page, HTTP status) kept locally for diagnostics. No advertising pixel, no third-party analytics tool.

The data we collect is used only for the following purposes:

• • Provide and operate the SmartRouting service (authentication, license validation, downloads).
• • Handle billing, renewals and refunds through Stripe.
• • Provide technical support when you reach out.
• • Improve the product through aggregated, anonymous statistics (never individual-level).

Legal basis

We process your data on the basis of: (i) performance of the contract — to provide the service and handle billing; (ii) our legitimate interest — support and product improvement; (iii) our legal obligations — notably accounting and tax; (iv) your consent, where required.

Sharing with subprocessors

We rely on three technical subprocessors, each bound to Adalense by a GDPR-compliant data processing agreement:

• Stripe — payment processing and storage of payment methods. Data limited to email, billing address and customer ID.
• Microsoft (Entra ID, SharePoint, Graph) — federated authentication for our team (Entra ID), MSI installer storage (SharePoint). Data limited to professional email and tenant ID.
• IONOS / hébergeur SMTP — website hosting, transactional email delivery. Data limited to the recipient email and message content.

Adalense never sells, rents or transfers your data to third parties for commercial or advertising purposes.

For professional customers acting as data controllers, a Data Processing Agreement (DPA) compliant with Article 28 of the GDPR is available on request at privacy@adalense.com.

At any time you can exercise the following rights over your personal data:

• Right of access. Obtain a copy of the data we hold about you.
• Right to rectification. Correct any inaccurate or outdated data from your account area or by contacting us.
• Right to erasure. Request deletion of your account and associated data, subject to legal retention obligations (e.g. invoices).
• Right to portability. Retrieve your data in a structured, machine-readable format.
• Right to object. Object to the processing of your data on legitimate grounds, or withdraw consent.
• Right to restriction. Request restriction of the processing of your data in the cases provided for by the GDPR (e.g. when you contest the accuracy of the data).

To exercise any of these rights, write to us at privacy@adalense.com. You also have the right to lodge a complaint with your local data protection authority (CNIL in France — cnil.fr).

Your data security is enforced by dedicated technical and organisational measures:

• • TLS 1.2+ encryption required for every exchange between your browser and our servers.
• • Passwords stored exclusively as bcrypt hashes (adaptive cost, unique salt per password).
• • Short-lived authentication tokens (15 min access, 30-day refresh), rotated on each use, revoked on sign-out.
• • Database access restricted to the strict minimum, auditable logging of administrative actions.

Adalense only uses strictly necessary cookies. No advertising or third-party analytics cookies.

We use neither Google Analytics, Meta Pixel, nor any third-party cookie for audience measurement or advertising.

We keep your data only as long as needed for the stated purposes, or to comply with legal obligations:

• • Account data: as long as your account is active, plus 30 days after deletion to allow restoration in case of error.
• • Billing data: 10 years (French legal obligation).
• • Technical logs: 12 months maximum.

Your data is hosted in the European Union. Some subprocessors (Stripe, Microsoft) may operate in the United States; in that case, the transfer is governed by the Standard Contractual Clauses adopted by the European Commission.

For any question about your personal data or this policy:

For sales or product questions, please use the contact page.

We may update this policy to reflect product or legal changes. Any significant change is notified by email to users with an active account at least 30 days before it takes effect. The last-updated date is shown at the top of this page.