Privacy policy

Effective Date: June 10th, 2026  —  Version 2.0

Introduction

This Privacy Policy explains how Naia ApS ("Naia", "we", "us", "our") collects, uses, stores, and protects Personal Data when you use the Naia platform and associated services ("Service"). It also sets out Naia's obligations as a Data Processor when processing Personal Data on behalf of Users and their organisations.

This Privacy Policy forms part of our Terms and Conditions and should be read together with them. By using the Service, you accept the practices described in this policy. We update this policy from time to time as our integrations and data practices evolve — the current version is always available at www.naialab.com/privacy-policy

1. Key Definitions

"Personal Data": Any information relating to an identified or identifiable natural person, as defined under the GDPR.

"GDPR": Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data.

"Data Controller": The organisation that determines the purposes and means of processing Personal Data. When you use the Service on behalf of your organisation, your organisation is the Data Controller.

"Data Processor": An entity that processes Personal Data on behalf of the Data Controller. Naia acts as Data Processor in respect of Customer Data processed within the Service.

"Sub-processor": A third party engaged by Naia to process Personal Data on behalf of Users.

"Customer Data": All data, files, and content uploaded or generated by Users within the Service, which may include project information, 3D models, cost data, and other business information.

2. Data We Collect

2.1  Data you provide directly

  • Account information: name, email address, job title, and company name provided at registration.

  • Customer Data: all content, files, and data you upload or create within the Service, including project data, Bills of Materials, cost scenarios, 3D building models, and attachments.

  • Communications: messages and requests sent to Naia via email or support channels.

2.2  Data collected automatically

  • Authentication and access data: login timestamps, session identifiers, IP addresses, device type, and browser information.

  • Usage data: actions performed within the Service, feature usage, workflow interactions, and technical logs. Usage data is aggregated and anonymised for service improvement purposes.

  • Cookie data: see Section 8.

2.3  Data from 3D model uploads (Speckle integration)

When you upload 3D models or BIM files via the Speckle integration, those files may contain embedded metadata including author names, company names, and project identifiers, which may constitute Personal Data. See Section 6 for details of this integration.

3. How We Use Your Data

Naia uses your data for the following purposes:

  • Providing, operating, and maintaining the Service.

  • User authentication, account management, and access control.

  • Technical support and incident resolution.

  • Generating AI-driven analyses, cost estimates, and Bills of Quantities from your project data.

  • Service improvement through anonymised and aggregated analytics.

  • Sending account management and administrative communications.

  • Sending marketing communications, where you have given consent.

  • Compliance with legal obligations

4. Legal Basis for Processing

  • Contractual necessity: processing required to provide the Service under our Terms and Conditions.

  • Legitimate interests: processing to improve, secure, and develop the Service, where this does not override your rights.

  • Consent: marketing communications, which you may withdraw at any time by clicking "Unsubscribe" in any email or contacting info@naialab.com.

  • Legal obligation: processing required to comply with applicable law.

5. Data Controller and Processor Roles

5.1  When you use the Service on behalf of your organisation, your organisation acts as Data Controller for Personal Data processed within the Service. Naia acts as Data Processor, processing Personal Data solely on your behalf and in accordance with your instructions as set out in this Privacy Policy.

5.2  By accepting our Terms and Conditions, you simultaneously accept Naia's data processing terms as set out in this Privacy Policy. No separate data processing agreement is required. Naia will process Personal Data solely in accordance with this policy and any supplementary written instructions.

5.3  For Personal Data collected by Naia for its own purposes (such as account registration and marketing), Naia acts as Data Controller.

6. Sub-processors and Third-Party Integrations

6.1  Sub-processors

Naia engages the following sub-processors to assist in delivering the Service. All sub-processors are bound by contractual data protection obligations no less protective than those set out in this Privacy Policy. We will provide reasonable advance notice of material changes to this list.

Microsoft Azure: Cloud hosting, databases, storage, AI Foundry, security services - EU (Sweden Central) Standard Contractual Clauses.

OpenAI - via Azure AI Foundry: Large language model inference for AI features - EU-hosted via Azure — Standard Contractual Clauses.

Frontegg: User authentication and access management - EU Standard Contractual Clauses.

Twilio Segment: Customer data platform and analytics pipeline - EU Standard Contractual Clauses.

HubSpot: CRM and customer lifecycle communication - EU Standard Contractual Clauses.

PostHog: Frontend error tracking and product analytics - EU Standard Contractual Clauses.

Mixpanel: Advanced product usage analytics - EU Standard Contractual Clauses.

Twilio SendGrid: Transactional email delivery - EU Standard Contractual Clauses.

Speckle Systems: 3D model file storage, visualisation, and BIM data processing for BOQ and BOM generation - UK (DigitalOcean UK) — EU Adequacy Decision.

Naia's proprietary Product LLM is trained exclusively on synthetic data. No Customer Data is used to train Naia's AI models. AI inference takes place within Microsoft Azure's EU infrastructure. - NB!!!

6.2  Third-party data sources (non-sub-processors)

The Service integrates third-party data sources to provide pricing and building component information, including Molio's Prisdata (PrisKalk API). When querying these sources, Naia transmits project and component specifications — not Personal Data. Molio and similar data providers are not sub-processors and do not receive Personal Data.

6.3  3D Model uploads and Speckle integration

The Service integrates with Speckle Systems (speckle.systems) to enable upload, storage, and visualisation of 3D building models and BIM files, which Naia uses to generate Bills of Quantities and Bill of Materials and cost analyses. BIM files may contain embedded Personal Data such as author names and company identifiers. Speckle is listed as a sub-processor in Section 6.1 and is SOC 2 Type II certified and GDPR compliant. No AI training is performed by Speckle on uploaded data.

Users are responsible for ensuring that 3D files uploaded via the Service do not contain Personal Data beyond what is necessary, and that upload of such files is authorised under their organisation's data governance policies.

8. Cookies and Tracking Technologies

The Service uses cookies and similar technologies. The following types may be used:

  • Strictly necessary cookies: required for authentication, session management, and core platform functionality.

  • Analytics and performance cookies: used by PostHog and Mixpanel to collect anonymised information about Service usage.

  • Marketing and communication cookies: used by HubSpot and Twilio Segment to support customer communication.

You may manage cookie preferences through your browser settings. Disabling certain cookies may affect Service functionality. For more information, visit www.allaboutcookies.org.

9. Data Retention and Deletion

  • Account information is retained for the duration of the active account and for up to 12 months following account termination, unless a shorter or longer period is required by law.

  • Customer Data is retained for the duration of the active subscription or pilot period. Following termination, Customer Data is accessible for export for 30 days, after which it is deleted from active systems within 45 days.

  • Usage and analytics data (anonymised and aggregated) may be retained indefinitely for service improvement purposes.

  • Marketing contact data is retained until you withdraw consent or request deletion.

You may request deletion of your Personal Data at any time by contacting info@naialab.com. We will respond within 30 days. Certain data may be retained for longer periods where required by applicable law.

10. Your Data Protection Rights

Under applicable data protection law, you have the following rights:

  • Right of access: to obtain a copy of Personal Data we hold about you.

  • Right to rectification: to request correction of inaccurate or incomplete Personal Data.

  • Right to erasure: to request deletion of Personal Data under certain conditions.

  • Right to restrict processing: to request that we limit processing under certain conditions.

  • Right to data portability: to receive Personal Data in a structured, machine-readable format.

  • Right to object: to object to processing based on legitimate interests.

  • Right to withdraw consent: for processing based on consent, including marketing communications.

To exercise any of these rights, contact us at info@naialab.com. We will respond within one month. If you believe your rights have not been adequately addressed, you may lodge a complaint with the Danish Data Protection Authority (Datatilsynet, www.datatilsynet.dk) or the authority in your country of residence.

11. Security Incidents

In the event of a confirmed security incident affecting Personal Data, Naia will notify the affected Data Controller without undue delay and no later than 72 hours after becoming aware of the incident. The notification will include the nature of the incident, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed.

12. International Data Transfers

Naia's primary infrastructure is hosted in Microsoft Azure's EU region (Sweden Central). Where Personal Data is transferred to sub-processors outside the European Economic Area, such transfers are subject to appropriate safeguards including Standard Contractual Clauses approved by the European Commission, or in the case of UK-based processors, the EU-UK Adequacy Decision. A full list of sub-processors and their locations is set out in Section 6.1.

11. Automated Decision-Making and AI

11.1  The Service uses artificial intelligence, including large language models and Naia's proprietary Product LLM, to generate cost estimates, Bills of Quantities, material recommendations, and other analyses ('AI Output'). This processing involves automated analysis of project data, building specifications, and pricing information submitted by Users.

11.2  Naia does not use AI Output to make decisions that produce legal effects or similarly significant effects on individuals without human involvement. All AI Output is advisory and intended to support, not replace, the professional judgement of architects, engineers, and other building industry professionals. Users are responsible for reviewing and validating all AI Output before relying on it in any professional context.

11.3  In accordance with Article 22 of the GDPR, Users have the right not to be subject to decisions based solely on automated processing that produce significant legal effects. If you believe an automated process has produced an outcome with such effects on you, you may contact us at info@naialab.com to request human review.

11.4  Naia's proprietary Product LLM is trained exclusively on synthetic data. No Customer Data or Personal Data is used to train Naia's AI models. AI inference — the processing of your inputs to generate outputs — takes place within Microsoft Azure's EU infrastructure.

12. Data Minimisation and Purpose Limitation

12.1  Naia collects and processes only the Personal Data that is necessary for the specific purposes described in this Privacy Policy. We do not collect Personal Data speculatively or beyond what is required to deliver the Service and fulfil our legal obligations.

12.2  Personal Data collected for one purpose is not reused for incompatible purposes without your consent or a valid legal basis. In particular:

  • Customer Data uploaded to the Service is used solely to deliver the Service and is not repurposed for marketing or sold to third parties.

  • Usage data collected for analytics purposes is anonymised and aggregated before use.

  • Personal Data embedded in 3D model files or BIM data is not extracted, stored separately, or used beyond what is necessary for the Service.

12.3  Where Naia acts as Data Processor, we process Personal Data exclusively in accordance with your documented instructions as Data Controller, as set out in this Privacy Policy and any supplementary written instructions. If we believe an instruction infringes applicable data protection law, we will notify you promptly.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time as our integrations and data practices evolve. We will provide at least 30 days' notice of material changes via email or through a notice within the Service. Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

Contact

For questions about this Privacy Policy, to exercise your data protection rights, or to report a data protection concern, please contact:

Naia ApS

Mejlgade 55B, 2. floor, DK-8000 Aarhus C, Denmark
Email: info@naialab.com  |  Web: www.naialab.com