Privacy Policy
How we collect, use, and protect your information
Effective March 25, 2026 · Version 4.0
1. Introduction
This Privacy Policy describes how Third Axis, LLC, doing business as Foveate (“we,” “us,” or “our”), collects, uses, stores, and discloses personal information when you use the Foveate platform, website, and related services (collectively, the “Service”). Foveate is an AI-powered interactive presentation platform built for architects, designers, and creative professionals.
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Service.
Our Data Protection Officer (DPO) is Ian Petrarca. For any privacy-related inquiries, data subject requests, or concerns, contact: legal@foveate.com.
How to Delete Your Data
You may request deletion of your personal data at any time by emailing legal@foveate.com with the subject line “Data Deletion Request” or by contacting our DPO. Creators can also delete their account and associated data directly from the Account Settings page. We will process deletion requests within 30 days (GDPR) or 45 days (CCPA/CPRA). See Section 8 for full details on your rights.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, company name, and password when you register.
- Payment information: Billing details processed securely through Stripe. We do not store full credit card numbers on our servers.
- Content: 3D models, images, videos, documents, gaussian splats, CAD files, and other media you upload to create presentations.
- Communications: Messages you send to us through support channels, email, or in-app feedback.
- Collaboration data: Comments, annotations, and feedback you provide within shared presentations.
2.2 Information Collected Automatically
- Usage analytics: How you interact with the Service, including pages visited, features used, session duration, and presentation engagement metrics.
- Viewer analytics: When a presentation is shared with analytics enabled, we collect viewer engagement data including: view timestamps, session duration, time spent per section, scroll depth, viewing sequence, device type, browser, approximate location (city-level, derived from IP address), and referral source. This data is provided to the presentation creator. We collect only coarse (city-level) geolocation, not precise geolocation, from viewers.
- Device and browser data: IP address, browser type, operating system, device type, and screen resolution.
- Location data: Approximate geographic location (city-level) derived from IP addresses. We do not collect precise GPS or fine-grained geolocation data.
- Technical identifiers: Device identifiers, session tokens, authentication tokens, browser fingerprint attributes (user agent, screen resolution, language preference), and cookie identifiers used for authentication, security, and analytics.
- Cookies and similar technologies: We use cookies for authentication, preferences, and analytics. See Section 9 and our Cookie Policy for details.
Consent and control: Where the collection of automatically gathered data relies on your consent (such as non-essential cookies, viewer analytics, and preferences tracking), you will be presented with a clear choice to accept or decline before any such data is collected. Data collection requiring consent is never activated by default. You may withdraw your consent at any time through your account privacy settings or by contacting us at legal@foveate.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. Essential cookies necessary for the core functioning of the Service (authentication, security) do not require consent and cannot be disabled.
Viewer consent: Viewers of shared presentations are presented with a consent notice before any analytics data is collected. Viewers may decline analytics tracking and still access the presentation content. Presentation creators may also disable analytics on individual share links.
2.3 Information from Third Parties
- Authentication providers (e.g., Google Sign-In) when you choose to log in via a third party.
- Payment processors (Stripe) for transaction verification.
2A. Data Collection by User Type
Foveate interacts with three distinct types of individuals. The data we collect, our purposes, and legal bases differ depending on your relationship with us:
Creators (Account Holders)
Creators are architects, designers, and professionals who register for a Foveate account to build and share interactive presentations.
| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Name, email, organization, role | Account creation and management | Art. 6(1)(b) Contract | Account + 30 days |
| Payment card, billing info | Payment processing via Stripe | Art. 6(1)(b) Contract | 7 years (tax) |
| Content (3D, images, video, CAD) | Hosting and delivering presentations | Art. 6(1)(b) Contract | Account + 30 days |
| Content submitted to AI features | AI-powered content processing | Art. 6(1)(a) Consent | 90 days (AI logs) |
| Usage data, feature interactions | Platform improvement and analytics | Art. 6(1)(f) Legit. interest | 1 year |
| Support messages, feedback | Customer support | Art. 6(1)(b) Contract | Account + 30 days |
| IP address, device info, session tokens | Security and authentication | Art. 6(1)(f) Legit. interest | 1 year |
Viewers (Presentation Recipients)
Viewers are individuals who access shared presentations created by Creators. Viewer analytics are collected only with the Viewer's affirmative consent.
| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Time per slide, interactions (clicks, scrolls, zooms) | Engagement analytics for Creators | Art. 6(1)(a) Consent | Creator account + 30 days |
| Device type, browser, OS | Analytics and compatibility | Art. 6(1)(a) Consent | Creator account + 30 days |
| Approximate location (city-level from IP) | Geographic engagement insights | Art. 6(1)(a) Consent | Creator account + 30 days |
| Referral source | Traffic source analytics | Art. 6(1)(a) Consent | Creator account + 30 days |
| IP address, session token | Security and fraud prevention | Art. 6(1)(f) Legit. interest | 90 days |
Viewers who decline analytics consent can still view the full presentation. Only security-related data (IP address, session token) is processed under legitimate interest for fraud prevention.
Website Visitors
Website visitors are individuals who browse foveate.com without creating an account or viewing a shared presentation.
| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| IP address, browser type, OS | Website functionality and security | Art. 6(1)(f) Legit. interest | 90 days |
| Pages visited, session duration | Website analytics and improvement | Art. 6(1)(a) Consent (analytics cookies) | 90 days |
| Cookie identifiers | Authentication, preferences, analytics | Art. 6(1)(a) Consent (non-essential) | Per cookie duration |
| Contact form submissions (name, email, message) | Responding to inquiries | Art. 6(1)(a) Consent | 1 year |
3. How We Use Your Information
We use the information we collect for the following purposes. For users in the European Economic Area (EEA) and United Kingdom, the applicable GDPR Article 6 legal basis is indicated for each processing activity:
| Processing Activity | Legal Basis | Justification |
|---|---|---|
| Account registration & management | (b) Contract performance | Necessary to provide the Service |
| Payment processing | (b) Contract performance | Necessary to process subscriptions |
| Service delivery (hosting, rendering) | (b) Contract performance | Core service functionality |
| Viewer analytics | (f) Legitimate interest | Providing presentation creators with engagement insights; balanced against viewer rights via data minimization |
| AI-powered features | (b) Contract performance / (a) Consent | Contract for requested features; consent for optional AI processing |
| Security & fraud prevention | (f) Legitimate interest | Protecting users and infrastructure |
| Customer support | (b) Contract performance | Responding to inquiries |
| Legal compliance | (c) Legal obligation | Complying with applicable laws |
| Marketing communications | (a) Consent | Only with explicit opt-in |
4. How We Share Your Information
4.1 Service Providers
We share information with trusted third-party providers who assist in operating the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Cloud Platform | Infrastructure and storage | All platform data (encrypted) |
| Firebase | Authentication and database | Account credentials, app data |
| Cloud Firestore | Database storage | User data, presentation metadata |
| Stripe | Payment processing | Billing and transaction data |
| Mux | Video storage | Video data |
| Fal | AI services | Prompt data |
4.2 Presentation Viewers
When you share a presentation, viewers may access the content you have included. If viewer analytics are enabled on a share link, the presentation creator receives engagement data about viewer behavior. Viewers are informed of analytics collection through a consent notice before accessing the presentation.
4.3 Enterprise Self-Hosted Assets
Enterprise customers who use self-hosted asset storage (Amazon S3, Google Cloud, Microsoft Azure) retain full control over their assets. Foveate serves only as the viewer layer; your IT team controls access, permissions, and data residency.
4.4 Legal and Safety Disclosures
We may disclose information if required by law or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect the rights or safety of Third Axis, LLC, our users, or the public, or to prevent or investigate wrongdoing.
4.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website of any change in ownership.
4A. Data Protection Impact Assessment
We have conducted a Data Protection Impact Assessment (DPIA) in accordance with GDPR Article 35 for our Viewer Analytics feature, which involves systematic monitoring of viewer engagement behavior. The DPIA evaluates the necessity and proportionality of processing, identifies risks to data subjects, and documents our mitigating measures including data minimization, coarse geolocation only, configurable analytics, and 90-day viewer data retention. The DPIA is reviewed annually by our DPO or when material changes are made to the analytics feature.
5. Data Security
We implement commercially reasonable safeguards to protect your data:
- Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access controls: Strict Identity and Access Management policies ensure only authorized personnel access your data.
- Threat detection: Real-time monitoring, AI-driven threat detection, and DDoS protection via Google Cloud's global infrastructure.
- Secure infrastructure: Hosted in Google Cloud data centers in the USA and EU with advanced physical and digital security.
- Incident response: Documented incident response procedures to address any security breach promptly.
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and any data transmission is at your own risk.
6. Data Retention
We retain personal information in accordance with the following retention schedule:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days | Contract performance |
| Client content (presentations, media) | Duration of account + 30 days | Contract performance |
| Billing and transaction records | 7 years after transaction | Tax/legal obligation (IRC §6501) |
| Viewer analytics | 90 days from collection | Legitimate interest |
| Audit and access logs | 1 year | Security / legal obligation |
| Backups | 90 days (rolling) | Business continuity |
| Communication records (support) | 2 years | Legitimate interest |
Upon account termination, you may export your data for 30 days. After the applicable retention period, data is securely deleted or anonymized.
7. International Data Transfers
Foveate operates globally. Your information may be transferred to, stored, and processed in the United States, the European Union, or other countries where our service providers maintain facilities. When we transfer personal data from the EEA or UK, we ensure appropriate safeguards including Standard Contractual Clauses approved by the European Commission.
We conduct Transfer Impact Assessments (TIAs) for each US-based subprocessor to evaluate the legal framework of the recipient country and document supplementary technical measures (AES-256 encryption, role-based access controls, comprehensive access logging) that protect transferred data. TIA documentation is available to enterprise customers upon request.
8. Your Rights and Choices
8.1 General Rights
Depending on your location, you may have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate or incomplete personal data.
- Delete your personal data, subject to legal retention requirements.
- Port your data to another service in a structured, machine-readable format.
- Object to or restrict certain processing of your data.
- Withdraw consent at any time where processing is based on consent.
8.2 GDPR Rights (EEA and UK Residents)
If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
- Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data and completion of incomplete data.
- Right to erasure (Art. 17): You have the right to request deletion of your personal data where there is no compelling reason for continued processing.
- Right to restriction of processing (Art. 18): You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest data accuracy.
- Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Art. 21): You have the right to object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
- Rights related to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
You also have the right to lodge a complaint with your local supervisory authority.
8.3 CCPA/CPRA Rights (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA):
- Right to know (§1798.100): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting, and the categories of third parties with whom we share it.
- Right to delete (§1798.105): You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, security, completing transactions).
- Right to correct (§1798.106): You have the right to request that we correct inaccurate personal information we maintain about you.
- Right to opt-out of sale/sharing (§1798.120): You have the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. Foveate does not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information (§1798.121): You have the right to limit the use and disclosure of sensitive personal information to purposes necessary to provide the Service. We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.
- Right to non-discrimination (§1798.125): We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive a different level of service or pricing for exercising your rights.
Response timeframe: We will respond to verifiable consumer requests within 45 calendar days of receipt. If we need additional time (up to 45 more days), we will inform you in writing.
Authorized agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you, and we may require you to verify your identity directly.
Notice at Collection: We collect the categories of personal information described in Section 2 of this Privacy Policy for the business purposes described in Section 3. We retain each category as described in Section 6.
Financial incentives: We do not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.
Personal information sold or shared: In the preceding 12 months, Foveate has not sold or shared (for cross-context behavioral advertising) any personal information.
8.4 US State Privacy Rights (Virginia, Colorado, Connecticut)
If you are a resident of Virginia, Colorado, or Connecticut, you have rights under the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA), respectively. These rights include:
- Right to access: Confirm whether we are processing your personal data and access that data.
- Right to correct: Correct inaccuracies in your personal data.
- Right to delete: Delete personal data you have provided or that we have obtained about you.
- Right to data portability: Obtain a copy of your personal data in a portable, readily usable format.
- Right to opt out: Opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Universal Opt-Out Mechanism: We recognize and honor Global Privacy Control (GPC) signals as a valid universal opt-out mechanism under the CPA and CTDPA. If your browser sends a GPC signal, we will treat it as a request to opt out of the sale of personal data and targeted advertising.
Sensitive data: We do not process sensitive data (as defined under VCDPA, CPA, and CTDPA) without your consent. Sensitive data includes precise geolocation, racial or ethnic origin, religious beliefs, biometric data, and health information.
Appeal process: If we decline your privacy request, you have the right to appeal. To submit an appeal, contact us at legal@foveate.com with the subject line “Privacy Rights Appeal.” We will respond within 60 days. If your appeal is denied, you may contact the relevant Attorney General:
- Virginia: Virginia Attorney General
- Colorado: Colorado Attorney General
- Connecticut: Connecticut Attorney General
8.5 How to Exercise Your Rights
Contact us at legal@foveate.com. We will respond within 30 days for GDPR (Art. 12(3)), 45 days for CCPA/CPRA (§1798.130), and 45 days for VCDPA/CPA/CTDPA. We may need to verify your identity before processing your request.
9. Cookies and Tracking Technologies
We use cookies and similar technologies for authentication, analytics, and personalization. You can manage cookie preferences through our cookie consent banner. Disabling certain cookies may limit Service functionality. See our Cookie Notice for more details.
9A. Automated Decision-Making and Profiling
Foveate uses automated processing in the following areas:
- AI content features: Our AI-powered features (presentation generation, content suggestions, rendering) process your content to deliver automated outputs. These features are user-initiated and do not produce legal effects or similarly significantly affect you. You retain full editorial control over all AI-generated content.
- Viewer analytics profiling: We aggregate viewer engagement data (time per section, scroll depth, viewing sequence) into engagement profiles for presentation creators. This profiling is used to provide insights into presentation effectiveness and does not produce legal effects on viewers. Viewers can decline analytics tracking through the consent notice displayed before accessing a presentation.
Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Foveate does not make such decisions. If you have concerns about automated processing, contact our DPO at legal@foveate.com.
9B. EU AI Act Transparency (Article 50)
In accordance with Article 50 of the EU AI Act (Regulation (EU) 2024/1689), we disclose the following: Foveate's AI features (presentation generation, content suggestions, rendering assistance) do not process sensitive data as defined under GDPR Article 9 and are not classified as high-risk AI systems under Annex III of the EU AI Act. Users are clearly informed when interacting with AI systems, and AI-generated content is identified as such. Users retain full editorial control over all AI outputs. For full transparency disclosures, see Section 17 of our Data Processing Agreement.
10. Children's Privacy
The Service is not directed to individuals under the age of 16. Foveate is a business-to-business (B2B) platform designed for professional use by architects, designers, and creative firms. We do not knowingly collect personal information from children under 16.
During account registration, users are required to self-declare that they are at least 16 years of age. If we learn that we have inadvertently collected personal information from a child under 16, we will take steps to delete that information within 72 hours of discovery. If you believe a child under 16 has provided us with personal information, please contact us at legal@foveate.com.
10A. Third-Party Links
The Foveate platform and website may contain links to third-party websites, services, or applications that are not operated or controlled by Foveate. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices, content, or data collection of any third-party website or service. We encourage you to review the privacy policies of any third-party service before providing personal information to them.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website at least 30 days before the changes take effect. Continued use of the Service after changes constitutes acceptance.
12. Contact Us
For questions about this Privacy Policy or to exercise your rights:
Third Axis, LLC d/b/a Foveate
Data Protection Officer: Ian Petrarca
legal@foveate.com
foveate.com/security
For GDPR or CCPA/CPRA-specific inquiries, please include “GDPR Request” or “CCPA Request” in your email subject line to help us route your request promptly.