Privacy Policy — CabiCAD

1. Introduction

This Privacy Policy explains how CabiCAD ("we", "us", "our"), operated as a sole proprietorship, collects, uses, stores, and shares your personal data when you use the CabiCAD platform, website, and related services (collectively, the "Service").

We are committed to protecting your privacy and handling your data transparently and responsibly. This policy applies to all users of the Service worldwide, including users in the European Union (subject to the General Data Protection Regulation — GDPR), the United States, Israel (subject to the Israeli Privacy Protection Law, 5741-1981 and its regulations), and all other jurisdictions.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

Contact: CabiCAD, Atlit, Israel — info@cabicad.com

2. Who This Policy Applies To

This policy applies to:

Consumers (Free tier) — individuals who use CabiCAD to design furniture or cabinetry and request price quotes
Designers — interior designers, architects, and design professionals using CabiCAD professionally
Manufacturers — woodworking manufacturers using CabiCAD for production, quoting, and machine management
Clients — individuals who receive design share links from Designers and interact with the platform as guests
Waitlist registrants — individuals who have submitted their details to join a CabiCAD waitlist prior to launch
Visitors — anyone who visits cabicad.com without creating an account

3. Data We Collect

3.1 Data You Provide Directly

Data	Who	Purpose
Email address	All users	Account creation, authentication, communications
Password (hashed)	All registered users	Authentication
First and last name	All registered users	Account personalization
Company name	Designers, Manufacturers	Account profile
Country	Manufacturers, Waitlist	Service delivery, compliance
Primary product category	Manufacturers	Platform configuration
Machine count and brand	Manufacturers	Machine setup, post-processor matching
Logo / branding assets	Designers	Branded PDF export feature
Project designs and 3D models	All registered users	Core service delivery
Messages and comments	All registered users	Collaboration and Q&A features
Price quotes	Manufacturers	RFQ workflow
Payment information	Paid tier subscribers (at GA)	Billing — processed by Stripe, not stored by us
VAT number	EU business subscribers	Tax compliance
Waitlist form responses	Waitlist registrants	Pre-launch qualification

3.2 Data We Collect Automatically

When you use the Service, we automatically collect:

Log data — IP address, browser type, operating system, pages visited, timestamps, referring URLs
Device data — device type, screen resolution, language settings
Usage data — features used, projects created, exports generated, actions taken within the platform
Cookies and similar technologies — see Section 8

3.3 Data We Receive from Third Parties

Stripe — payment status and billing events (we do not receive or store full card numbers)
Railway — infrastructure logs and error reporting necessary for service operation

4. How We Use Your Data

We use your data for the following purposes, each grounded in a legal basis:

Purpose	Legal Basis
Creating and managing your account	Performance of contract
Delivering the core platform features	Performance of contract
Processing RFQs and connecting designers with manufacturers	Performance of contract
Sending transactional emails (verification, notifications, billing)	Performance of contract
Processing payments via Stripe	Performance of contract
Enforcing feature flag entitlements per subscription tier	Performance of contract
Sending product updates and feature announcements	Legitimate interests (you may opt out)
Improving the platform through usage analytics	Legitimate interests
Detecting fraud and preventing abuse	Legitimate interests / legal obligation
Maintaining audit logs for GDPR compliance	Legal obligation
Responding to legal requests	Legal obligation
Sending marketing communications (with consent)	Consent

We do not sell your personal data to third parties. We do not use your data for automated decision-making that produces legal or similarly significant effects.

5. Data Sharing

5.1 Within the Platform (by design)

CabiCAD's three-party collaboration model requires controlled sharing of data between parties:

Designer → Manufacturer: When a Designer sends an RFQ, the Manufacturer receives the full project model, cut list, BOM, and design specifications. The Designer's name and company are visible to the Manufacturer. The Designer controls what is shared and when.
Designer → Client: Designers share renders and design views with Clients via time-limited signed links. Clients do not receive pricing, cut lists, or manufacturing details.
Manufacturer → Designer: Manufacturers submit price quotes and technical modifications visible only to the originating Designer. Other Manufacturers cannot see each other's quotes, identities, or modifications.

5.2 Service Providers (Data Processors)

We share data with trusted third-party processors who act on our instructions:

Provider	Purpose	Location
Railway	Cloud infrastructure, hosting, database	USA (data center location varies by Railway configuration)
Stripe	Payment processing	USA / Global
Email provider (TBD)	Transactional and notification emails	TBD

All processors are bound by data processing agreements and are required to handle data in accordance with applicable law.

5.3 Legal Requirements

We may disclose your data if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 Business Transfers

If CabiCAD is acquired, merged, or its assets are transferred, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website prior to your data becoming subject to a different privacy policy.

6. Data Roles — Manufacturers

For data relating to manufacturers' own customers, employees, and internal production processes that manufacturers upload or process through CabiCAD:

The Manufacturer is the data controller — they determine the purpose and means of processing their business data
CabiCAD acts as a data processor — we process this data only on the Manufacturer's instructions and for the purpose of delivering the Service
Manufacturers are responsible for ensuring they have the appropriate legal basis to upload any personal data of third parties into the platform
Upon request, we will enter into a Data Processing Agreement (DPA) with Manufacturers who require one for GDPR compliance

To request a DPA: info@cabicad.com

7. Your Rights

7.1 Rights Available to All Users

Access — request a copy of the personal data we hold about you
Correction — request correction of inaccurate or incomplete data
Deletion — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
Portability — receive your data in a structured, machine-readable format
Objection — object to processing based on legitimate interests
Restriction — request that we restrict processing of your data in certain circumstances

7.2 Additional Rights for EU/EEA Users (GDPR)

All rights listed in 7.1 apply. Additionally:

You have the right to lodge a complaint with your local data protection authority (DPA)
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing

7.3 Additional Rights for Israeli Users

Under the Israeli Privacy Protection Law:

You have the right to review personal data held about you in a database
You have the right to request correction of inaccurate data

7.4 Additional Rights for California Users (CCPA)

California residents have the right to:

Know what personal information is collected, used, shared, or sold
Delete personal information (subject to exceptions)
Opt out of the sale of personal information (we do not sell personal information)
Non-discrimination for exercising your rights

7.5 How to Exercise Your Rights

Submit requests to: info@cabicad.com

We will respond within:

30 days for standard requests (extendable by 60 days for complex requests with notice)
45 days for CCPA requests (extendable by 45 days with notice)

We may need to verify your identity before processing your request.

8. Cookies and Tracking

8.1 What We Use

Cookie Type	Purpose	Can be declined?
Strictly necessary	Authentication session, security (CSRF), language preference	No — required for the Service to function
Analytics	Understanding how users interact with the platform (aggregate, anonymized)	Yes
Preference	Remembering your UI settings	Yes

We do not use advertising or tracking cookies. We do not share cookie data with advertising networks.

8.2 Managing Cookies

You can manage cookie preferences through:

The cookie consent banner shown on your first visit
Your browser settings
Emailing us at info@cabicad.com

Declining non-essential cookies does not affect your ability to use the core Service.

9. Data Retention

Data Type	Retention Period
Account data	Duration of account + 90 days after deletion request
Project designs and files	Duration of account + 90 days after deletion request
Audit logs	3 years (legal/compliance obligation)
Billing records	7 years (tax and accounting obligation)
Waitlist data	Until 12 months after general availability launch, then deleted
Server logs	90 days
Deleted account data	Purged within 90 days of deletion (except audit logs and billing records)

When you delete your account, your personal data is anonymized or deleted within 90 days. Project data shared with manufacturers during active RFQs may be retained by those manufacturers independently — CabiCAD cannot control data stored outside our platform.

10. Data Security

We implement industry-standard technical and organizational measures to protect your data:

All data transmitted over TLS (HTTPS)
Passwords stored using bcrypt/argon2 hashing — never in plain text
JWT authentication with short expiry and refresh token rotation
Database access restricted to application layer — no direct public access
Regular dependency updates and security patching
Role-based access control enforced at the API level

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to info@cabicad.com.

11. International Data Transfers

CabiCAD is operated from Israel. Your data may be processed in countries outside your country of residence, including the United States (via Railway and Stripe infrastructure).

For EU/EEA users: These transfers are made on the basis of:

Standard Contractual Clauses (SCCs) with our processors where applicable
The adequacy decision covering transfers to Israel (Israel is recognized by the European Commission as providing adequate protection)

12. Children's Privacy

The Service is not directed at children under the age of 16 (or 13 in jurisdictions where that is the applicable minimum). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at info@cabicad.com and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Notify registered users by email at least 14 days before the changes take effect
For significant changes, request renewed consent where required by law

Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact & Complaints

CabiCAD
Atlit, Israel
Email: info@cabicad.com

If you are an EU/EEA resident and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. A list of EU DPAs is available at: edpb.europa.eu

If you are an Israeli resident, you may contact the Israeli Privacy Protection Authority: gov.il/en/departments/the_privacy_protection_authority

This Privacy Policy was last reviewed on April 5, 2026. CabiCAD is operated from Atlit, Israel. Governing law: State of Israel.