Privacy Policy
Last updated: February 2026
1. Introduction
This Privacy Policy describes how Dijital Inovasyon ve Yapi Teknolojileri A.S. (trading as "Algomim", "we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you use the Algomim platform, including our web application, desktop plugins (for Autodesk Revit, Autodesk AutoCAD, McNeel Rhinoceros, and GRAPHISOFT ArchiCAD), and related services (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the Service.
Data Controller: Dijital Inovasyon ve Yapi Teknolojileri A.S. Address: Mustafa Kemal Mah. Dumlupinar Blv. ODTU TEKNOKENT Bilisim Inovasyon Merkezi CoZone 280/G No: 1260 Cankaya / Ankara 06520 Email: info@algomim.com MERSIS No: 0295103853200001 Tax ID: 2951038532
2. Information We Collect
2.1 Account Information
- Email address (required for registration)
- Display name (user-provided)
- Profile photo URL (if you sign in with Google)
- Firebase Authentication UID (unique identifier generated automatically)
2.2 AI Interaction Data
- Chat messages — prompts you send and responses generated by the AI assistant
- Scripts and code generated through the execute_script tool
- Tool calls and their results within the chat context
- Message metadata — timestamps, AI model used, token counts
- Message feedback — your ratings or feedback on AI-generated responses (if you choose to provide it)
2.3 Files and Resources
- Uploaded files — images, PDFs, DXF files, and other documents you attach to chats
- File metadata — file name, MIME type, file size, image dimensions
- File content hash (SHA-256, for deduplication)
2.4 Plugin and Connection Data
- Plugin connection status — which design applications (Revit, AutoCAD, Rhino, ArchiCAD) are connected
- Project metadata — project name and project path from your connected design application
- Session tokens for plugin communication
2.5 Payment and Billing Data
- Subscription tier and status
- Compute Unit (CU) consumption — usage tracking for billing purposes
- Billing period information
- Payment details — name, billing address, and tax ID are collected and processed by our payment processor Polar (see Section 5)
2.6 Usage Data
- Daily and monthly message counts
- Feature usage patterns (which tools and features you use)
- Session duration and interaction frequency
2.7 Technical Data
- IP address (logged in server access logs)
- Browser type and version
- Operating system
- Error logs and stack traces (collected via Sentry for debugging)
2.8 Cookies and Local Storage
- Sidebar state cookie — stores your sidebar preference (essential, functional)
- Language preference — stored in browser localStorage via
i18nextLngkey - Session flags — temporary flags stored in sessionStorage (cleared when browser tab closes)
- Firebase Authentication tokens — stored in browser IndexedDB by Firebase SDK (persistent until logout)
3. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing the AI assistant service | Chat messages, uploaded files, plugin data | Contract performance (Art. 6(1)(b)) |
| Processing AI requests | Chat messages, file contents, project context | Contract performance (Art. 6(1)(b)) |
| Account management | Email, display name, UID | Contract performance (Art. 6(1)(b)) |
| Billing and subscription management | Payment data, CU consumption, subscription status | Contract performance (Art. 6(1)(b)) |
| Customer support | Email, chat history, usage data | Legitimate interest (Art. 6(1)(f)) |
| Error detection and debugging | Error logs, stack traces, technical data | Legitimate interest (Art. 6(1)(f)) |
| Service improvement and analytics | Aggregated usage patterns | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | IP address, authentication data | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | All data as required | Legal obligation (Art. 6(1)(c)) |
4. AI Data Processing
This section is particularly important. Please read it carefully.
4.1 How Your Data Is Processed by AI
When you use the Algomim AI assistant, your chat messages (prompts) and any attached files or project context are sent to third-party AI model providers for processing. This includes:
- Your chat messages (the full conversation history for context)
- System instructions (predefined prompts that guide the AI's behavior)
- Tool definitions (descriptions of available tools for the AI to use)
- File contents (if you attach documents for the AI to analyze)
4.2 AI Model Providers
We access AI models through the OpenRouter gateway service. Your data is processed as follows:
| Provider | Purpose | Data Sent | Personal Data Sent? | Location |
|---|---|---|---|---|
| OpenRouter | Multi-model AI gateway for chat completions, reasoning, and tool calling | Chat messages, prompts, file contents, pseudonymous session ID | No — only a pseudonymous Firebase UID is included as a session identifier. Your email, name, or other identifying information is never sent. | United States |
| OpenAI (OpenAI Group PBC) | AI model provider (accessed via OpenRouter) for embeddings, reasoning, and tool calling | Chat messages, prompts, file contents (via OpenRouter) | No — no user identity information is sent; only pseudonymous session data via OpenRouter. | United States |
| FAL.ai | Image generation, image editing, upscaling, SVG conversion | Image generation prompts, image URLs | No — no user identity information is included in any request. | United States |
Important: Your personal information (email address, name, billing details) is never sent to AI model providers. Only your chat content (messages and file contents) is transmitted for AI processing. Note that your chat messages may contain personal data that you voluntarily include in your prompts — please be mindful of the information you share in chat.
4.3 What We Do NOT Do With Your AI Data
- We do NOT send your personal information to AI providers. Your email, name, and account details are never transmitted to OpenRouter, FAL.ai, or any AI model provider.
- We do NOT use your data to train AI models. Your prompts, project files, and chat history are not used for model training, fine-tuning, or improvement of any AI models.
- We do NOT share your chat content with other users.
- We do NOT sell your personal data to third parties.
4.4 AI Output Disclaimer
AI-generated outputs (scripts, code, design suggestions) are provided as assistive tools. They do not constitute professional engineering, architectural, or construction advice. You are solely responsible for reviewing and validating all AI-generated outputs before use.
5. Data Sharing and Third-Party Services
We categorize our third-party service providers into two groups based on whether they receive your personal identifying information:
Services That Receive Personal Data
These services receive your identifying information (email, name) solely for the purposes described:
| Service Provider | Purpose | Personal Data Shared |
|---|---|---|
| Polar (Polar.sh) | Payment processing and subscription management | Email address, name, billing address, tax ID, subscription status |
| Resend (Resend, Inc.) | Email delivery (login OTP codes) | Email address only |
| Crisp (Crisp IM SAS) | Customer support chat widget | Email address, display name, subscription tier, CU usage and limits, connected plugin types and count, active chat ID |
Services That Do NOT Receive Personal Data
These services process your content but never receive your email, name, or other identifying information:
| Service Provider | Purpose | Data Shared (Non-Identifying) |
|---|---|---|
| OpenRouter (OpenRouter, Inc.) | AI model gateway for chat processing | Chat messages, prompts, file contents, pseudonymous session ID |
| FAL.ai (fal.ai, Inc.) | Image generation, editing, and processing | Image prompts, temporary image URLs |
| Sentry (Functional Software, Inc.) | Error tracking, performance monitoring, and session replay (with maskAllText: true and blockAllMedia: true — no readable text or media is captured) | Error logs and stack traces only (authorization headers stripped, no user identity attached) |
| Google Fonts (Google LLC) | Font delivery | Standard HTTP request data (IP address at transport level) |
Own Infrastructure (Not Third-Party Sharing)
| Service | Purpose | Note |
|---|---|---|
| Google Firebase / Google Cloud Platform (Google LLC) | Authentication, database, file storage, server hosting | This is our own infrastructure where all your data is stored and processed. Data is encrypted in transit and at rest. |
We require all third-party processors to handle your data in accordance with applicable data protection laws.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside of Turkey and the European Economic Area (EEA), primarily the United States, where our AI model providers and some infrastructure services are located.
For these transfers, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Turkish Standard Contractual Clauses as required by the KVKK Board
- Adequacy decisions where available
- Contractual commitments from our sub-processors regarding data protection
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until you delete your account, plus 30 days for processing |
| Chat messages | Until you delete the chat or your account |
| Uploaded files | Until you remove the file or delete your account |
| Payment/billing records | 10 years (Turkish commercial law requirement) |
| OTP codes | Automatically deleted after 10 minutes |
| Error logs (Sentry) | 90 days (per Sentry's retention policy) |
| Server access logs | 90 days |
| Webhook processing records | 7-30 days (auto-deleted) |
| Billing audit logs | 10 years (Turkish commercial law requirement) |
| Message feedback | Until you delete the chat or your account |
| Document quality metrics | Until you delete your account |
When you delete a chat or your account, data is initially soft-deleted (marked as deleted and excluded from all queries). Permanent deletion from our systems occurs within 30 days, except where longer retention is required by law.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit — all data transmitted via HTTPS/TLS
- Encryption at rest — data stored in Google Cloud is encrypted at rest by default
- Authentication — Firebase Authentication with email OTP verification
- Access control — strict ownership-based access control (users can only access their own data)
- Rate limiting — protection against brute-force attacks on all endpoints
- Sensitive header stripping — authorization headers are removed before sending error reports to Sentry
- OTP security — maximum 5 verification attempts, automatic expiry after 10 minutes
- Webhook signature verification — HMAC-SHA256 verification for payment webhooks
9. Your Rights
9.1 Under GDPR (EU/EEA Users)
You have the right to:
- Access — request a copy of your personal data
- Rectification — request correction of inaccurate data
- Erasure ("Right to be Forgotten") — request deletion of your personal data
- Restriction — request limitation of processing
- Data Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw Consent — where processing is based on consent
- Automated Decision-Making — not be subject to decisions based solely on automated processing
To exercise these rights, contact us at info@algomim.com.
We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
9.2 Under KVKK (Turkish Users)
For your rights under the Turkish Personal Data Protection Law (KVKK), please refer to our separate KVKK Aydinlatma Metni (Illumination Text), available at https://algomim.com/legal/kvkk.
10. Children's Privacy
The Service is not directed to individuals under the age of 16 (or 18 in jurisdictions where a higher age of consent applies). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at info@algomim.com, and we will promptly delete such data.
11. Automated Decision-Making
The Service uses AI models to generate responses, code, and design suggestions based on your inputs. These AI outputs are:
- Assistive in nature — they are suggestions and tools, not automated decisions with legal or significant effects
- Subject to your review — all outputs require your validation before use
- Not used for profiling — we do not use AI to profile users or make decisions about service access
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top
- Notify you via email or in-app notification for significant changes
- Provide a reasonable period before new terms take effect
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
13. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
Dijital Inovasyon ve Yapi Teknolojileri A.S. Address: Mustafa Kemal Mah. Dumlupinar Blv. ODTU TEKNOKENT Bilisim Inovasyon Merkezi CoZone 280/G No: 1260 Cankaya / Ankara 06520 Email: info@algomim.com MERSIS No: 0295103853200001
For GDPR-related inquiries from the EU/EEA, or KVKK-related inquiries from Turkey, please email info@algomim.com with the subject line "Data Protection Request."