Your drawings, your data.

Plain-English summary of what we collect, why, and how to control it. Effective from 1 June 2026.

In one line: We only collect what's needed to run the tool. Your drawings stay yours — we don't sell them, share them, or use them to compete with you. You can opt out of model-improvement data anytime in Settings → Help improve detection.

1. Who we are

CadNexa is operated by an independent founder based in India. Contact: support@cadnexa.com. This policy applies to cadnexa.com and the auto-balloon tool. We are the "data fiduciary" under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the "controller" under the GDPR for users in the European Economic Area.

2. What we collect

When you visit (everyone)

Standard log data: page URL, time, anonymised IP, browser type. Used to keep the site up and detect abuse.
Anonymous usage events via our own analytics (page views, tool opens, exports). No third-party trackers are loaded on the tool itself.
Anonymous Supabase session ID issued automatically so the AI engine accepts your calls during the free trial. No personal info attached.

When you sign in

Email address (from Google sign-in) and the standard Google profile fields (name, picture).
Account preferences and plan tier.

When you process a drawing

The drawing file is uploaded to the AI engine for detection and returned as balloon coordinates. The original file is not stored on our servers after processing.
Anonymised page renders (a downscaled JPEG of the canvas) and the corresponding balloon labels may be retained to improve the detection model — only when you have not opted out (see §5). This is optional, off any time.

3. Why we collect it (lawful basis)

To deliver the service you asked for — running auto-detection, returning the ballooned PDF, generating the FAI report. (Contract.)
To keep the service safe — rate limits, abuse detection. (Legitimate interest.)
To improve detection accuracy over time, when you've consented. (Consent — withdrawable.)
To comply with law — tax invoicing, fraud prevention. (Legal obligation.)

4. Who we share it with

We use a small number of trusted processors to run the service. We do not sell data or share it for advertising.

Anthropic PBC (United States) — runs the AI inference that detects dimensions. Drawings are sent over TLS, processed in-flight, not used by Anthropic to train their public models (per their commercial terms).
Supabase (United States / EU) — database, authentication, storage of training-data snapshots.
Google Cloud (Cloud Run, India region) — runs our OCR service.
Razorpay (India) — payments. Receives only the data required to process the transaction.
Google Analytics (anonymised, on the marketing site only — not inside the tool).

International transfers are covered by standard contractual clauses and the providers' own GDPR / DPDP-aligned commitments.

5. Model-improvement data (the part everyone asks about)

To make the detector smarter over time without locking you into the AI providers' pricing forever, we may retain an anonymised JPEG render of the page you ballooned plus the label JSON (the balloon coordinates and the text our AI read, including any corrections you made). We use this only to train our own detection model.

What we don't do with it

We never share or sell drawings to anyone — no Anthropic, no Google, no third party — for any training purpose.
We never train models for other customers on your data.
We never publish drawing images or their labels.
We strip identifying metadata (title-block company names where detected before storage).

Your control

Opt out anytime via the auto-balloon tool: Sidebar → Settings → "Help improve detection" (uncheck). All future drawings stop being retained for training.
Delete past snapshots by emailing support@cadnexa.com with the drawing hash or the rough date — we honour deletion requests within 30 days.
Paid Enterprise customers are opted out by default. Contact us for a written data-handling addendum.

6. How long we keep things

Account + billing data: while your account is active, plus 7 years for tax law.
Usage / analytics events: 24 months.
Drawing files in transit to the AI engine: deleted after each request.
Training snapshots: until you opt out or request deletion. Aggregated model weights derived from the data have no reverse path to your drawing.
Server logs: 90 days.

7. Security

All data in transit is encrypted with TLS 1.2+. Database and storage are encrypted at rest by Supabase. Access to production data is limited to the founder. We will notify affected users within 72 hours of becoming aware of a breach involving personal data, as required by both DPDP and GDPR.

8. Your rights

Wherever you are, you can ask us to:

Access the data we hold about you.
Correct anything that's wrong.
Delete your account and associated data.
Export your data in a machine-readable format.
Object to processing — including withdrawing consent for model improvement.

To exercise any of these, email support@cadnexa.com from the email on your account. We respond within 7 working days.

If you're in India and unhappy with our response, you can complain to the Data Protection Board of India. If you're in the EEA / UK, you can complain to your national supervisory authority.

9. Children

CadNexa is a tool for working professionals. We don't knowingly process data of anyone under 18 and do not target children.

10. Changes to this policy

We'll update this page when something material changes and refresh the "Effective from" date. If the change is significant (new data type, new partner), we'll also email account holders.

Contact

Grievance Officer: CadNexa founder · support@cadnexa.com

For any privacy-related request, write to the email above. We aim to respond within 7 working days as required under DPDP §13.

Last updated: 1 June 2026.