Privacy Policy

1. Who we are

DraftX is made by OpusAg Ltd, registered in England and Wales (company no. 15790886), registered office: 6 George House, 40 Huntingdon Street, St. Neots, Cambridgeshire, PE19 1BB. OpusAg Ltd is the data controller for the personal data described below. Contact: sales@opusag.co.uk. ICO registration: pending (this page will be updated with the registration number once issued).

2. What we collect and why

Data	Where it lives	Why (lawful basis)
Contact name, business email, company name	OpusAg licence server	Issuing and administering licences and trials (performance of contract)
Licence key, type, expiry	OpusAg licence server	Licence administration (performance of contract)
Machine fingerprint (hashed hardware ID) and machine name	OpusAg licence server	Enforcing per-machine limits, preventing misuse (legitimate interest)
Validation logs (key, machine, timestamp, IP)	OpusAg licence server	Security and support troubleshooting (legitimate interest)
Operator usernames in job records	Locally only — your machines and network	So your team can see who processed which drawings. Not transmitted to OpusAg; your organisation controls this data

DraftX does not transmit to OpusAg: drawings, CAD models, PDFs, job data, customer lists, pricing, or any file contents.

3. Optional AI drawing sorting

DraftX includes an optional AI classification feature for sorting drawings. It is off until you configure it with your own credentials:

• When enabled, DraftX sends a rendered image of each drawing, plus its filename, OCR text and basic part metadata, to the AI provider you configure: either Anthropic (direct API) or AWS Bedrock, using your own API key / AWS account.
• The data flows directly from your machines to your provider account. It never passes through, and is never visible to, OpusAg.
• Engineering drawings can contain personal data in title blocks (e.g. "drawn by" names). For that data, your organisation is the controller and your chosen AI provider is your processor under your agreement with them.
• Data residency: the AWS Bedrock option defaults to the London region (eu-west-2) with an EU inference profile, keeping processing inside UK/EU AWS regions. The direct Anthropic API processes data in the United States. Choose the option that matches your requirements.
• Both providers' commercial terms state that API inputs are not used to train models. The feature can be disabled at any time, and DraftX falls back to non-AI sorting methods.

4. Where it's stored

The licence server is hosted on Railway's cloud platform. Installer downloads are served via GitHub Releases, which may log standard web-request data (such as IP addresses) under GitHub's own privacy policy.

5. How long we keep it

• Licence and contact records: life of the licence plus 6 years.
• Validation logs: 12 months, then deleted or anonymised.
• Expired trial records: 12 months after expiry unless converted to a paid licence.

6. Sharing

We never sell or rent personal data. We share it only with hosting providers acting as processors under contract, professional advisers where necessary, and authorities where required by law.

7. International transfers

Where our hosting providers (Railway, GitHub) process data outside the UK/EEA (for example in the United States), transfers rely on the UK International Data Transfer Agreement, the UK–US Data Bridge, or equivalent safeguards in those providers' terms.

8. Your rights

Under UK GDPR you can ask us to access, correct, delete, restrict, object to, or port your data. Email sales@opusag.co.uk and we'll respond within one month. You can also complain to the Information Commissioner's Office.

9. Security

Licence server access is restricted and authenticated, data in transit is encrypted (HTTPS/TLS), and machine fingerprints are one-way hashes that cannot be reversed into hardware details.

10. Changes

Changes to this policy will be posted here with a new effective date. Material changes will be notified to licence contacts by email.