Privacy Policy
Last updated: 26 May 2026
Who we are
BesiaBIM is operated by Sebastian Maciuszko trading as SeboticAI (ABN 76 842 369 494), based in South Australia. We are the data controller for personal information collected through besiabim.com and through any BesiaBIM add-in or tool you install.
What we collect
Account: your name and email address. We never store your password in clear text — Supabase handles password hashing and authentication on our behalf.
Billing: Lemon Squeezy processes all card transactions. We receive a customer ID, subscription state, billing country, and the last four digits of the card for reference. We never see or store raw card data.
Licence activation: when a BesiaBIM add-in or tool is activated on a workstation, we store the machine fingerprint hash and the timestamps of activations and refreshes so we can enforce the per-licence device limit and let you re-bind your licence to a new machine.
Device session (where supported): when you sign in to a BesiaBIM tool inside a host application (such as Revit, AutoCAD, DraftSight, Inventor, or one of our standalone desktop or web tools), we additionally store a long-lived session token (90-day sliding expiry, hashed on our server so we never hold the raw value), the machine's fingerprint hash, and a small device descriptor: the operating system version and the host application version (e.g. "Revit 2026", "DraftSight 2026"). We do not collect your computer's name (hostname) or any other personally identifying device detail; the fingerprint hash alone identifies the device for your activation limit. This lets you list your active devices and sign out from any of them at any time on the Devices page in your dashboard.
Support and intake: if you contact us through the site or by email, we keep that correspondence so we can pick up where we left off next time.
How we use it
Your data is used solely to operate the service: authenticating you, issuing and validating licences, processing payments through Lemon Squeezy, sending transactional emails (verification, trial reminders, invoices, security alerts), and providing support.
We do not sell, rent, or share your data for advertising. We do not use third-party advertising or behavioural-tracking cookies on this site.
Custom-build engagements
When we deliver a custom add-in or tool, we may receive samples of your business data (measurement sheets, sample jobs, drawings, internal conventions) so we can build and test against real inputs. We treat that material as confidential under the confidentiality clause of the relevant service agreement and don't use it outside the engagement. We may use anonymised, non-identifying technical learnings in our own product development and documentation.
Third-party processors
- Lemon Squeezy — payment processing and subscription management (Merchant of Record).
- Supabase — authentication and database hosting.
- Resend — transactional email delivery.
- Vercel — web hosting and edge functions.
- Upstash — rate limiting and ephemeral counters.
Each of these providers may process data in their own data-centre regions. We choose providers that publish public security documentation and offer encryption in transit and at rest as standard.
Cookies
We use cookies that are strictly necessary to keep you signed in, preserve your CSRF protection, and remember which step of the sign-up flow you're on. We do not use advertising or cross-site tracking cookies. Any analytics we add in the future will be privacy-friendly and will not fingerprint individual users; we will update this page before turning anything on.
Your rights
You may request a copy of the data we hold about you, ask us to correct inaccuracies, or delete your account at any time. Email [email protected] from the address on file and we will respond within 30 days.
If you are in Australia and believe we have mishandled your personal information, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au). We'd rather you raise it with us first so we have a chance to make it right.
Retention
We retain account data for as long as your subscription is active. After cancellation we keep minimal records required by law (invoices and tax-relevant records for 7 years). Licence activation logs are kept for 90 days. Device-session records slide forward 90 days from your last use and are permanently removed when you sign that device out from the dashboard or delete your account.
Security
All traffic to this site and our APIs is served over HTTPS with HSTS enforced. Passwords are hashed by Supabase; session tokens are hashed before storage so the raw value is never recoverable from our database. Admin access supports multi-factor authentication (TOTP) — enforced once enrolled — and sensitive admin actions are written to an append-only audit log.
Changes to this policy
We may update this policy as we add or remove features. We will update the "Last updated" date at the top, and for any material change we will notify active customers by email at least 14 days before it takes effect.
Questions? Email us.