Privacy Policy
Last updated: 27 May 2026
This Privacy Policy explains how 1AV Ltd ("we", "us") handles personal information when you use EOModeller. We're committed to keeping your data private and to telling you plainly what we collect, why we collect it, and who we share it with.
1 Who we are
EOModeller is operated by 1AV Ltd, a company registered in New Zealand with its head office in Auckland. Where this policy refers to a "controller", "data controller", or "responsible party" under any applicable privacy law, 1AV Ltd fills that role for personal information collected through EOModeller.
Contact for privacy matters: privacy@eomodeller.com.
2 Information we collect
2.1 Account information
- Email address
- Display name
- Password (stored as a hash; we never see the plaintext)
- If you sign in with Google, GitHub, or Microsoft: your unique identifier from that provider
- Email verification status, last-login timestamp
2.2 Content you create
- Models, diagrams, packages, elements, and any descriptions or notes you write inside them
- Profiles, stereotypes, enumerations, and other modelling metadata you author
- Workspace name and configuration
2.3 Billing information
If you upgrade to Pro, payment is processed by Stripe. Stripe stores your card details on their PCI-compliant infrastructure; we never see or store card numbers. From Stripe we receive:
- A Stripe customer ID and subscription ID
- Subscription status (active, trialling, past-due, cancelled)
- Period end dates
- The billing address you enter at checkout (used by Stripe Tax)
2.4 Technical information
- IP address (from network requests; used for security and abuse prevention)
- Browser user-agent string and timestamps of significant events (login, logout, password change, etc.)
- Server logs covering the requests you make to the service
We do not use third-party analytics, advertising cookies, or fingerprinting libraries. We do not track you across other sites.
3 How we use your information
- To run the service. Authenticating you, storing your models, rendering the editor, syncing across devices.
- To bill you. Managing trials, subscriptions, and dunning when payment fails.
- To support you. Replying to support requests at support@eomodeller.com.
- To keep the platform safe. Detecting abuse, preventing unauthorised access, debugging errors, complying with legal obligations.
- To improve EOModeller. Understanding aggregate, anonymous patterns of use. We do not look at the contents of your individual models for product development.
- To communicate. Sending essential transactional emails (verification, password reset, trial reminders, billing notices). We do not send marketing email unless you explicitly opt in.
4 Legal bases (GDPR)
For users in the European Economic Area, United Kingdom, or jurisdictions with GDPR-equivalent rules, the legal bases under which we process your data are:
- Contract. Operating the service you signed up for.
- Legitimate interest. Security, fraud prevention, debugging, aggregate product analytics.
- Legal obligation. Tax, financial reporting, lawful information requests.
- Consent. Anything we ask you to opt into explicitly (e.g. future marketing email).
5 Sub-processors
We use a small set of well-regarded service providers to run EOModeller. They process personal information on our behalf, under contracts that bind them to confidentiality and security standards no less protective than our own.
| Provider | Purpose | Region |
|---|---|---|
| Microsoft Azure | Hosting, storage, network | Australia East (Sydney) |
| Stripe | Payment processing, subscriptions, tax | Global (Ireland for EU customers) |
| Resend | Transactional email delivery | United States |
| Anthropic | AI features (only when you actively use them) | United States |
We'll update this list if we add or change a sub-processor. Material changes are announced at least 30 days in advance via in-app notice or email.
6 International transfers
Your account data is primarily stored in Microsoft Azure's Australia East region. Some sub-processors (Stripe, Resend, Anthropic) are based in the United States or have global operations. Where we transfer personal data across borders we rely on:
- The provider's adherence to the EU Standard Contractual Clauses (SCCs) or equivalent.
- The provider's data-processing agreement with us.
- Encryption in transit (HTTPS) and at rest where the provider supports it.
7 Data retention
- Active accounts: we retain account and content data while the account is active.
- Deleted models: moved to Trash on delete; permanently removed after 90 days, recoverable until then.
- Closed accounts: deleted within 30 days of the closure request, except where we have a legal obligation to retain specific records (e.g. billing records for tax purposes — typically 7 years).
- Server logs: retained for up to 90 days for security and debugging, then deleted.
- Backups: overwritten on a rolling 30-day cycle.
8 Your rights
Depending on where you live, you have some or all of the following rights over your personal information:
- Access. Ask us what we hold about you.
- Correction. Ask us to correct inaccurate or incomplete data.
- Deletion ("right to be forgotten"). Ask us to delete your data (subject to legal retention obligations).
- Portability. Ask us to give you a machine-readable copy of your account and model data.
- Restriction. Ask us to limit how we process your data.
- Objection. Object to processing based on legitimate interest.
- Withdrawal of consent. Withdraw any consent you've given (e.g. for marketing emails).
- Complaint. Complain to a supervisory authority — for example, the Office of the Privacy Commissioner of New Zealand, the Information Commissioner's Office in the UK, or your local data-protection authority.
To exercise any of these rights, email privacy@eomodeller.com. We'll respond within 30 days. We may ask you to verify your identity before acting on a request that involves disclosure or deletion.
9 Security
We protect your data with industry-standard measures:
- HTTPS for all network traffic.
- Passwords stored as bcrypt hashes.
- API authentication via short-lived JWT access tokens and rotating refresh tokens.
- Sensitive configuration (API keys, signing secrets) stored as Azure Container App secrets, not in source control.
- Access to production infrastructure restricted to a small number of authorised individuals.
No service can guarantee absolute security. If we ever experience a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of it (or sooner where required by law).
10 Cookies and similar technologies
We use the bare minimum needed to make the service work:
- localStorage / sessionStorage in your browser to keep you signed in and to remember UI preferences (theme, tree-state expand/collapse, "keep me signed in" choice). No third-party reads this data.
- HTTP-only auth tokens when you're signed in.
We do not use third-party analytics cookies, advertising cookies, or cross-site tracking. We do not sell or share personal information with advertisers.
11 Children
EOModeller is not directed at children under 16, and we do not knowingly collect personal information from children. If we learn that we've collected personal information from a child under 16, we'll delete it.
12 Changes to this Policy
We may update this Policy from time to time. Material changes will be announced at least 30 days in advance via in-app banner or email. The "Last updated" date at the top of the page tells you when this version took effect.
13 Contact
1AV Ltd
Auckland, Aotearoa New Zealand
Email: privacy@eomodeller.com (privacy matters) or support@eomodeller.com (general support)