← Back to RoundTrips.io

Privacy Policy

Effective Date: February 2026 · Last Updated: February 2026

RoundTrips.io ("the Platform", "we", "our") is a file processing and management platform that integrates with Autodesk Construction Cloud (ACC) via Autodesk Platform Services (APS) APIs. This privacy policy describes what data we collect, how we use it, how we store it, and your rights regarding that data.

1. Data We Collect

1.1 Account Information

When your administrator creates your account or you are invited to the platform, we collect:

Data	Purpose
Email address	Account identification, login, and invite delivery
User ID	Internal account reference (generated by Supabase Auth)
Password (hashed)	Authentication — stored by Supabase Auth, never accessible in plaintext
Company assignment	Multi-tenant access control
Role (member/admin)	Authorization and access level

1.2 Autodesk Account Information

When you connect your Autodesk account via OAuth, we collect:

Data	Purpose
Autodesk User ID	Link your Autodesk identity to your platform account
Autodesk email	Display your connected Autodesk identity
Autodesk display name	Display your connected Autodesk identity
OAuth access token	Access ACC files on your behalf (encrypted at rest)
OAuth refresh token	Maintain your connection without re-authenticating (encrypted at rest)

We use the standard 3-legged OAuth 2.0 flow with PKCE (Proof Key for Code Exchange). We never see or store your Autodesk password.

1.3 File and Project Data

Data	Purpose
ACC hub, project, and folder names	Navigation and file selection UI
File names and metadata	Display file lists, track processing status
File contents (temporarily)	Processing files through Navisworks conversion pipeline
Processed output files	Stored locally until uploaded back to ACC or manually cleared

1.4 Usage and Operational Data

Data	Purpose
Task/job records	Track file processing requests, status, and history
Admin audit log	Record administrative actions
Server logs	Debugging, error tracking, and operational monitoring

1.5 Data We Do NOT Collect

• We do not use third-party analytics (Google Analytics, Mixpanel, etc.)
• We do not track user behavior for advertising purposes
• We do not sell or share data with third parties
• We do not collect browser fingerprints or device identifiers
• We do not use cookies for tracking (only session cookies for authentication)

2. How We Use Your Data

We use collected data exclusively for:

1. Authentication and authorization — verifying your identity and access rights
2. Platform functionality — browsing ACC projects, downloading files, processing files, uploading results
3. Multi-tenant isolation — ensuring you only see your company's data
4. Administration — managing users, companies, and platform settings
5. Operational maintenance — debugging issues, monitoring system health

3. Data Storage and Security

3.1 Where Data Is Stored

Data Type	Storage Location	Security
Account data	Supabase (cloud PostgreSQL)	Row-Level Security, encrypted in transit
Autodesk OAuth tokens	Supabase database	Fernet encryption at rest, RLS
APS app credentials	Supabase database	Fernet encryption at rest
File cache	Local server filesystem	Company-scoped directories
Passwords	Supabase Auth	Bcrypt hashed

3.2 Security Measures

• Encryption in transit: All API traffic uses HTTPS (TLS)
• Encryption at rest: OAuth tokens encrypted with Fernet (AES-128-CBC)
• OAuth with PKCE: Industry-standard secure authentication
• Row-Level Security: Database policies enforce tenant isolation
• Audit trail: All admin actions logged with timestamps

3.3 Data Retention

Data Type	Retention Period
Account data	Until account is deleted by admin
Autodesk OAuth tokens	Until user disconnects or account deleted
Cached files	Until manually cleared or cache eviction
Task/job records	Indefinite (for history/audit)

4. Data Sharing

We do not sell, rent, or share your personal data with third parties. Data is shared only with:

Recipient	Data Shared	Purpose
Autodesk (via APS APIs)	OAuth tokens, API requests	Access your ACC files on your behalf
Supabase	Account data, application data	Database hosting and authentication

Both services have their own privacy policies: Autodesk Privacy · Supabase Privacy

5. Your Rights

• Access your data: View your account info and Autodesk connection in the platform settings.
• Disconnect Autodesk: Revoke OAuth tokens at any time through the platform UI.
• Request data deletion: Contact your admin to remove your account and all associated data.
• Data portability: Contact your administrator to request a data export.

6. Children's Privacy

This platform is not intended for use by individuals under the age of 16. We do not knowingly collect data from minors.

7. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via the platform or email. Continued use of the platform after changes constitutes acceptance of the updated policy.

8. Contact

For privacy-related questions or data requests:

• Platform Administrator: Contact your company's designated admin
• Email: admin@roundtrips.io
• Support: Submit a support request