Privacy Policy

Last updated: April 5, 2026

1. Data Controller

Sharp Tech B.V.
Domineeslaan 91L
1161 BW Zwanenburg
The Netherlands
KVK: 98004743 | BTW: NL868321291B01
Email: info@normbim.com

2. What data we collect

  • Technical drawings — uploaded files (DXF, PDF, images) are processed in server memory and deleted immediately after analysis. Files are never stored permanently.
  • IP address — stored in server memory for rate limiting and trial tracking. Cleared on server restart. Not persisted to disk.
  • Payment data — processed exclusively by Stripe (PCI-DSS Level 1 compliant). We never see, store, or process your card details.
  • Email address — only if you create an account. Used for login and transactional emails only. Stored by Supabase (see section 5).
  • Cookies — one essential cookie (NEXT_LOCALE) for language preference. No tracking, analytics, or advertising cookies. Supabase authentication sets session cookies (strictly necessary, no consent required).

3. Legal basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — processing drawings to provide the analysis service; processing payments.
  • Legitimate interest (Art. 6(1)(f)) — rate limiting and abuse prevention. Our legitimate interest is protecting service availability. We have assessed that this does not override your rights, as we only store IP addresses temporarily in memory.

4. Data retention

  • Uploaded files: deleted immediately after analysis (never written to disk for DXF/PDF; temporary files for DWG conversion are deleted within seconds)
  • Analysis results: stored for 30 days for authenticated users, then automatically deleted
  • Payment records: 7 years (Dutch fiscal retention obligation, Art. 52 AWR)
  • IP-based trial data: stored in server memory only, cleared on server restart
  • Account data: until you request deletion

5. Third-party processors

We share data with the following processors, with whom appropriate Data Processing Agreements (Art. 28 GDPR) are in place:

  • Stripe, Inc. (USA) — payment processing. Privacy policy. Transfer basis: EU-US Data Privacy Framework.
  • Anthropic, Inc. (USA) — AI-powered image/PDF analysis. When you upload a photo or scanned PDF, the image is sent to Anthropic for analysis. Privacy policy. Transfer basis: Standard Contractual Clauses (SCCs). Note: DXF files are analyzed locally on our EU servers and are NOT sent to Anthropic.
  • Supabase, Inc. (USA, EU hosting available) — user authentication and data storage. Privacy policy.
  • Hetzner Online GmbH (Germany) — server hosting. All processing occurs on servers in Nuremberg, Germany (EU). Privacy policy.

We do not sell your data. We do not use your drawings for AI training. Anthropic does not use API inputs for model training per their data policy.

6. International data transfers

Your data is primarily processed on our servers in Germany (EU). However, the following transfers outside the EEA may occur:

  • Anthropic (USA) — only when you upload images or scanned PDFs for AI analysis. Legal basis: Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. You may request a copy of the SCCs by contacting us.
  • Stripe (USA) — payment processing. Legal basis: EU-US Data Privacy Framework adequacy decision.

7. Your rights (GDPR Art. 15-22)

You have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Delete your data (Art. 17 — "right to be forgotten")
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)

Contact info@normbim.com to exercise any of these rights. We will respond within 30 days.

You also have the right to lodge a complaint with your local supervisory authority. In the Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

8. Data breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR) and notify affected individuals without undue delay (Art. 34 GDPR).

9. Security

All data is transmitted via HTTPS (TLS 1.3). Our servers are hosted in Germany (Hetzner, Nuremberg) within the EU. We implement Content Security Policy, rate limiting, HSTS, and access controls. Uploaded files are processed in memory and never stored on disk.

10. Changes

We may update this policy. Material changes will be communicated via the website. Continued use after changes constitutes acceptance.