Privacy Policy
Last updated: April 2026
1. Introduction
ACD Group (“we”, “us”, or “our”) operates boqmanager.com (“BOQ Manager” or the “Service”). This Privacy Policy explains how we collect, use, store, and protect information about you when you use our Service, and describes your rights with respect to that information.
By using BOQ Manager, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use the Service.
2. Data We Collect
We collect the following categories of personal and business data:
| Category | Examples | Source |
|---|---|---|
| Account information | Email address, display name, company name, bcrypt-hashed password, role | Provided by you at registration |
| Project data | Bills of Quantities, drawings, specifications, cost estimates, comments | Uploaded or created by you in the Service |
| Usage data | AI analysis call counts, feature usage metrics, page views, session timestamps | Automatically collected |
| Payment data | Billing address, last 4 digits of card (tokenised), subscription status | Handled directly by Stripe — not stored by us |
| Security data | AES-encrypted TOTP secrets, login timestamps, IP addresses for audit logs | Generated during account setup and use |
We do not collect credit card numbers, full payment card details, or bank account information. All payment processing is handled by Stripe, Inc., under their own privacy policy.
3. How We Use Your Data
We use the data we collect for the following purposes:
- To provide and maintain the Service — including storing your project data, authenticating your identity, and enforcing subscription limits.
- To send transactional emails — account verification, password reset links, team invitations, and billing receipts are delivered via AWS Simple Email Service (SES).
- To improve the product — aggregated and anonymised usage data helps us understand how features are used and prioritise improvements.
- To process payments — subscription and billing information is shared with Stripe solely for payment processing.
- To comply with legal obligations — we may process your data to comply with applicable laws, regulations, court orders, or lawful requests from public authorities.
- To communicate service updates — we may send you important notices about changes to the Service, these Terms, or our pricing.
We do not sell your personal data to third parties. We do not use your project data to train AI models or for any purpose other than providing the Service to you.
4. Data Storage & Security
Your project files (BOQs, drawings, specifications) are stored in Amazon Web Services (AWS) S3 in the eu-west-1 (Ireland) region. All files are stored under a path prefixed by your unique tenantId, ensuring strict isolation between different organisations using the Service.
We implement the following security measures:
- Passwords are hashed using bcrypt with a work factor of 12 before storage. We never store plaintext passwords.
- TOTP secrets for two-factor authentication are encrypted at rest using AES-256 before being stored in our database.
- All data in transit is encrypted using TLS 1.2 or higher.
- AWS S3 buckets are configured with server-side encryption (SSE-S3) enabled by default.
- Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.
- Tenant data isolation is enforced at the application layer: every S3 operation is scoped to the requesting tenant’s tenantId prefix.
Despite these measures, no system is completely secure. In the event of a data breach that affects your personal data, we will notify you in accordance with applicable law.
5. Data Retention
- Active accounts: Account information and project data are retained for as long as your account is active.
- After account deletion: Account information is permanently deleted within 30 days of your deletion request. Project data stored in S3 is permanently deleted within the same window.
- After subscription cancellation: Your account remains accessible in a read-only state until the end of the current billing period. Project data is retained for 30 days after your final subscription end date, after which it is permanently and irreversibly deleted.
- Billing records: We retain billing and transaction records for 7 years to comply with financial and tax regulations.
- Audit logs: Security audit logs (login events, IP addresses) are retained for 12 months.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: You have the right to request a copy of the personal data we hold about you.
- Correction: You have the right to request that we correct inaccurate or incomplete personal data.
- Deletion: You have the right to request that we delete your personal data, subject to our legal retention obligations.
- Portability: You have the right to request your data in a structured, commonly used, machine-readable format.
- Restriction: You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Objection: You have the right to object to the processing of your personal data for direct marketing purposes.
To exercise any of these rights, please submit a written request to privacy@boqmanager.com. We will respond to all legitimate requests within 30 days.
7. Cookies
BOQ Manager uses a minimal number of cookies necessary to operate the Service:
- __session — A secure, HTTP-only session cookie used for authentication. This cookie is strictly necessary for the Service to function and does not expire until you sign out or the session times out. It contains a signed JWT and no personally identifiable information in plaintext.
We do not use advertising cookies, third-party tracking cookies, or fingerprinting technologies. If we add analytics in the future, it will be opt-in and disclosed here.
You can configure your browser to refuse all cookies; however, doing so will prevent you from signing in to the Service.
8. Third-Party Services
We use the following third-party services to operate BOQ Manager. Each provider processes data under their own privacy policies:
- Amazon Web Services (AWS SES) — Used to send transactional emails (verification, password reset, invitations). AWS may process your email address on our behalf. See AWS Privacy Policy.
- Stripe, Inc. — Handles all payment processing. We do not store full payment card details; Stripe stores payment information under Stripe’s Privacy Policy and is PCI DSS Level 1 certified.
- Anthropic (Claude API) — Provides AI analysis features. When you use AI-powered features, relevant excerpts of your project data (such as BOQ line items or drawing descriptions) may be transmitted to Anthropic’s API for processing. See Anthropic’s Privacy Policy.
9. GDPR Compliance
Data Controller: ACD Group, United Arab Emirates, is the data controller for personal data processed by BOQ Manager.
For users in the European Economic Area (EEA) or United Kingdom, we process personal data on the following legal bases:
- Contract performance — processing necessary to provide the Service you have subscribed to.
- Legitimate interests — service improvement, security monitoring, and fraud prevention.
- Legal obligation — retention of billing records.
- Consent — for any optional communications (e.g., marketing emails).
EU/UK users have additional rights under GDPR/UK GDPR, including the right to lodge a complaint with a supervisory authority. As data is transferred to and stored in systems outside the EEA (UAE, AWS eu-west-1), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required.
A Data Processing Agreement (DPA) is available on request to enterprise customers. Please email privacy@boqmanager.com to request a DPA.
10. Children's Privacy
BOQ Manager is a professional business tool not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a person under 18, please contact us immediately at privacy@boqmanager.com and we will take prompt steps to delete such information.
11. Changes to This Policy
We may update this Privacy Policy periodically. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email. We encourage you to review this page periodically to stay informed about how we protect your information.
Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
12. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact our privacy team:
ACD Group — Privacy Team
Email: privacy@boqmanager.com
© 2026 ACD Group. All rights reserved.