Back to main

Privacy Policy (QTOpro)

Effective Date: Sept. 2 2025

Last Updated: Sept. 2 2025

1. Who We Are

This Privacy Policy describes how LTplus AG ("we", "us", or "our") collects, uses, and discloses personal data in connection with the QTOpro service (the "Service"). LTplus AG is a company based in Switzerland (see Impressum above for details). For the personal data we collect and determine the purposes for (such as account information and website analytics), we act as the "data controller." In cases where we process personal data on behalf of our customers (for example, personal data contained in an uploaded IFC model), we act as a "data processor."

Contact Information: If you have any questions or requests regarding your personal data, you can contact us at support@lt.plus or via mail at LTplus AG, Max-Höggerstrasse 6, 8048 Zürich, Switzerland.

Representative (EU/UK): We do not have an EU or UK establishment. However, because we process data of EU/EEA and UK users only occasionally and in a manner unlikely to result in risks to individuals, we currently believe we are exempt from appointing a local representative under Article 27 of the EU GDPR and UK GDPR. We continuously monitor our obligations and will appoint a representative if our data processing activities expand to require one.

2. Personal Data We Collect

We only collect data that is necessary to provide and improve our Service. This includes:

  • Account Information: When you sign up, we collect your name, email address, organization (if provided), and login credentials. Authentication is handled through our provider (Clerk), so we may also receive identifiers from that system.
  • Profile and Subscription Data: If you create a profile or select subscription preferences, we record your plan, preferences, and settings. For paid accounts, we collect billing details such as your payment method and billing address (which are processed via Stripe, we do not see full credit card numbers).
  • IFC Files and Project Data: If you process Building Information Model files (e.g. IFC) or related project data with QTOpro, all processing occurs locally in your browser using WebAssembly technology. The files may contain information about the building project, and possibly personal data embedded in models (e.g. names of project members). We do not receive or store your original IFC files or processing results - everything remains entirely on your device. We do not manually access or use your original files except as needed to provide the service (see Data Protection section).
  • Usage Data: We collect information about how you use our Service. This includes:
    • Log data: When you access QTOpro, our servers automatically record information ("logs"), including IP address, browser type, operating system, referring URL, pages visited, and date/time of access.
    • Analytics data: We use analytics tools (like Vercel Web Analytics and PostHog) to gather usage statistics. These tools may capture events such as button clicks, page views, and flow through our app. Wherever possible, we use these in a privacy-friendly way (e.g. Vercel's analytics do not use cookies and only store aggregated data for 24 hours; PostHog is configured to avoid collecting personally identifiable information such as full IP addresses).
    • Device and technical data: Information about the device or app version you use (e.g. operating system, screen size, app version) to ensure compatibility and optimize our Service.
  • Customer Support Information: If you contact us for support (via email or in-app chat), we will receive the content of your communications and any contact info you provide (like email address or phone number). We may also ask for additional information to help resolve your issue (such as trouble files or screenshots).
  • Cookies and Similar Tech: We use a minimal number of cookies and similar tracking technologies on our site. For details, see our Cookie & Tracking Policy. Generally, we only use essential cookies for login sessions and optional cookies or local storage for user preferences and analytics if you consent.

We do not intentionally collect any sensitive personal data (such as government IDs, health information, biometric data, etc.) through QTOpro. We ask that you refrain from storing or uploading such data in our Service. If you must include personal data in an IFC file (e.g. names of architects in metadata), ensure you have the right to do so and inform us if needed via the DPA.

3. How We Use Personal Data (Purposes and Legal Bases)

We use the collected data for the following purposes, relying on the legal bases noted (under GDPR and similar laws):

  • Providing the Service: We process your account data, IFC files, and usage data to operate QTOpro's core functionality – e.g., authenticating you, processing your BIM files to generate QTO results, saving your settings, and displaying results. Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) – this processing is needed to deliver the service you signed up for.
  • Service Administration: This includes maintaining your subscription, sending service notifications (like confirmations, invoices, technical alerts), and handling customer support. Legal basis: Contractual necessity for service communications; legitimate interests (Art. 6(1)(f) GDPR) for improving customer service and ensuring you receive important information.
  • Analytics and Improvements: We analyze usage data to understand how our Service is used, diagnose performance issues, and improve features. For example, we might look at aggregate statistics on the size of IFC files processed or features most used. Wherever possible, we use aggregated or de-identified data for analytics. Legal basis: Legitimate interests – to continuously improve our product; if required by law (in some jurisdictions for analytics cookies), we will seek consent for optional analytics.
  • Security and Fraud Prevention: We monitor login activity, IP addresses, and certain usage patterns to detect and prevent fraudulent or malicious use of QTOpro. This includes automated measures (like rate-limiting or alerting) and manual review in rare cases. Legal basis: Legitimate interests – to protect our Service and user accounts from unauthorized access or attacks, and compliance with legal obligations to ensure data security (Art. 6(1)(c) GDPR, Art. 32 GDPR).
  • Billing and Accounting: If you have a paid subscription, we use your provided payment information to process charges via Stripe and to keep accounting records (invoices, payment history). Legal basis: Contractual necessity (to collect payment owed) and legal obligation (for financial record-keeping and tax compliance).
  • Marketing Communications: (Currently Not Used) – We do not presently send any marketing or newsletter emails unrelated to the service. If this changes, we will only do so in accordance with applicable laws (e.g., with consent or opt-out options as required).

Where we rely on legitimate interests as a legal basis, we take into account your rights and expectations and will not use personal data for activities where our interests are outweighed by the potential impact on you (for example, we do not use invasive tracking or sell personal data). You have the right to object to processing based on legitimate interests (see Section 9 on your rights).

If we ever need to process personal data for a new purpose not described here, we will update this Policy and, if required, request your consent or provide an opt-out.

4. Cookies and Tracking Technologies

For details on the cookies and tracking technologies we use on the QTOpro website or app, please see our Cookie & Tracking Policy. In summary:

  • Essential Cookies: We use essential cookies or similar mechanisms for core functionality, such as maintaining your login session (so you don't have to log in repeatedly). These do not require consent, as they are necessary for our Service.
  • Analytics: We use two main analytics solutions:
    • Vercel Analytics: This is a privacy-friendly, cookie-free analytics solution that gives us basic usage stats (page views, referrers) with no personal data. Data from Vercel Analytics is retained only briefly (e.g. 24 hours of data for traffic analysis) and is aggregated.
    • PostHog: We use PostHog to track feature usage and user flows in order to improve the product. We have configured PostHog to respect "Do Not Track" signals and to avoid storing identifiable info wherever possible (for instance, we may anonymize IP addresses or use hashing). Depending on deployment, PostHog may operate on EU-based infrastructure.
  • Consent Banner: For users in jurisdictions where consent is required for analytics or marketing cookies (e.g. EU/EEA, UK), we display a cookie consent banner on first visit. This banner clearly offers a "Accept" and "Reject" option, with no pre-ticked boxes. By default, we do not load non-essential cookies or trackers unless you opt in. You can manage your preferences at any time via the banner or an equivalent settings page (for example, an "Analytics Opt-Out" toggle in your account settings). Rejecting optional cookies will not affect the core functionality of QTOpro.
  • Other Tracking: We do not use third-party advertising cookies or social media trackers. If in the future we integrate any plugin that could collect data (like a YouTube video or similar), we will do so in compliance with cookie consent requirements.

5. How We Share Personal Data (Recipients)

We do not sell your personal data to anyone. We only share data in the following contexts, as necessary to run QTOpro or as required by law:

  • Service Providers (Sub-Processors): We use trusted third-party companies to support our operations. These providers process personal data on our behalf, only for the purposes described in this Policy, and under contractual data protection agreements. Key service providers we use are:
    • Clerk, Inc. – Authentication and user management service. Clerk handles the sign-in process, passwordless logins, and subscription management on our behalf. Personal data shared: account email, and any other profile info you provide at signup. (Clerk is based in the USA and is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework, ensuring lawful data transfers.)
    • Stripe, Inc. / Stripe Payments Europe Ltd. – Payment processing for subscriptions. Stripe handles your credit card or payment information securely. We (LTplus AG) do not store your full payment details; they are stored by Stripe. Personal data shared: name, email, payment method details, and billing address as needed for payment and invoice processing. (Stripe is a global payments provider; for EU customers, Stripe Payments Europe [Ireland] is the merchant of record, and data may be transferred to Stripe, Inc. in the U.S. under Standard Contractual Clauses and/or the Data Privacy Framework.)
    • Vercel, Inc. – Cloud hosting and deployment platform. QTOpro's web application and backend run on Vercel's infrastructure. Personal data processed: your account info and any QTO template data, technical log data. IFC files are never transmitted to or stored on Vercel's infrastructure as processing occurs locally in the browser. (Vercel is based in the USA; data transfers are covered by Standard Contractual Clauses. Vercel also employs security measures compliant with GDPR requirements.)
    • PostHog, Inc. – Product analytics platform. We use PostHog to collect app usage metrics that help us improve the user experience. Personal data: usage events and technical data (with minimized personal identifiers). (PostHog offers EU hosting options; we strive to keep analytics data within Europe when possible or otherwise protect it via SCCs.)

    These service providers act as our processors (or sub-processors) and are bound by confidentiality and data protection obligations. We have Data Processing Agreements (DPAs) in place with each of them. You can find more details and an up-to-date list of our sub-processors on our Sub-Processor List page, including links to each provider's privacy commitments. We will update that list and notify customers of any significant changes (where required by law or our DPA terms).

  • Within LTplus AG: In our small team, your data may be accessed by personnel who need to service your account or develop the product. All personnel are bound by confidentiality. Access to personal data is limited based on role (principle of least privilege). For example, developers may have access to logs for debugging, but only senior staff can access billing records.
  • Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, law enforcement inquiry, or regulatory demand). If allowed, we will inform you of such requests. We will only provide the minimum necessary data in such cases.
  • Business Transfers: If LTplus AG is involved in a merger, acquisition, or asset sale, your personal data may be transferred to the successor or acquiring entity. We will ensure the confidentiality of personal data during such a process and give affected users notice before personal data is transferred or becomes subject to a different privacy policy.
  • Enforcing Our Rights: If necessary, we may disclose data to our professional advisors (lawyers, auditors) or to courts and authorities in order to enforce our contracts or protect our operations (for example, to pursue a claim for unpaid fees or address a security incident).

Aside from the above, you will be notified and have the opportunity to consent or object before we share your personal data with any third party for purposes not covered by this Policy.

6. International Data Transfers

We are based in Switzerland, and our Service is accessible globally. Data location: The personal data we collect may be processed in Switzerland, the European Union, the United States, or other countries where our service providers maintain facilities.

Whenever we transfer personal data across borders, we take steps to ensure it remains protected to the standards required by applicable law:

  • "Switzerland & EEA to USA (and other countries):" When transferring personal data from Switzerland or the European Economic Area (EEA) to a country not deemed adequate by Swiss or EU authorities, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and the Swiss FDPIC's equivalent mechanisms. All our major processors (Clerk, Stripe, Vercel, PostHog) have committed to SCCs or are part of a certified framework.
  • "Data Privacy Framework:" As of 15 July 2023 (EU) and 15 September 2024 (Switzerland), the EU-U.S. and Swiss-U.S. Data Privacy Framework (DPF) provide an approved mechanism for personal data transfer to certified U.S. companies. For instance, Clerk, Inc. is certified under the DPF for EU/Swiss data transfers, which means transfers of personal data to Clerk in the U.S. are recognized as adequately protected.
  • "By Region:" Data stored with Stripe for EU customers may reside in the EU (Ireland) by default, with copies in the U.S. under safeguards. Data we host on Vercel may be routed through U.S. servers. PostHog analytics data, if not kept in the EU, will be transferred under SCCs. For Swiss user data, we treat it with equal protection as EU data.
  • "Your Choices:" If you prefer not to have your personal data transferred to another country, please refrain from using our Service or contact us to discuss potential accommodations. (Note: given the nature of a cloud service, it's not feasible for us to operate entirely isolated in one country, but we understand transfer concerns and are open about our practices.)

We continuously monitor legal developments around data transfers (e.g., new SCC versions, Schrems II implications, and new adequacy decisions) and will adapt our practices to remain compliant.

7. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures ("TOMs") to protect personal data against unauthorized access, loss, or alteration. These include:

  • "Encryption:" All data transfer to and from QTOpro is encrypted using HTTPS/TLS. For sensitive data at rest (such as passwords, which are actually handled by Clerk and stored hashed), encryption is applied. Any IFC files you upload are stored in secure storage and are encrypted at rest when possible.
  • "Access Controls:" Internally, access to databases and systems containing personal data is restricted to authorized personnel with a legitimate need. We employ authentication, role-based permissions, and, where feasible, multi-factor authentication for administrator access.
  • "Monitoring:" Our infrastructure (via Vercel and other tools) is monitored for unusual activity. We maintain logs of access and actions in the system to detect and audit any inappropriate access.
  • "Development Practices:" We follow secure coding guidelines and periodically review our code for security vulnerabilities. We apply patches and updates to our software dependencies and server infrastructure promptly to address security issues.
  • "Sub-processor Safeguards:" We choose reputable sub-processors and review their security certifications and practices (for example, Stripe is certified as a PCI-DSS Level 1 compliant processor for handling payment info, and Vercel has security attestations available). We ensure our data processing agreements with them obligate them to adequate security standards (GDPR Art. 32).

Breach Notification: Despite best efforts, no system is 100% secure. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant authorities (like the Swiss FDPIC, and EU Data Protection Authorities as applicable) without undue delay, in accordance with applicable law. We maintain a breach response plan to handle such situations.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by law. Retention periods vary by data type:

  • "Account Data:" Your account information (name, email, etc.) is kept as long as you have an active account. If you delete your account or request deletion, we will remove or anonymize this data within a reasonable time after fulfillment of all contractual and legal obligations (for example, we might retain a record of your email in a suppression list to avoid sending you emails, or keep invoice records for the legally required duration).
  • "IFC Files and Project Data:" IFC files are never uploaded to or stored on our servers as all processing occurs locally in your browser using WebAssembly technology. We do not store your original IFC files, processing results, or project data - everything remains entirely on your device. Only account data and user-created templates (if you choose to save them) are stored in our secure database.
  • "Subscription and Transaction Data:" We retain billing records, invoices, and payment history for at least the duration required by Swiss accounting and tax laws (generally 10 years). This is to comply with legal obligations. Payment card details are not stored by us, but by Stripe, subject to their retention policies.
  • "Support Communication:" Emails or support tickets are retained as long as needed to resolve your issue and for a short period thereafter in case of follow-up. Older support emails may be periodically deleted if no longer relevant. Important correspondence that has legal or service implications may be kept longer.
  • "Analytics Data:" Analytics logs and events are kept only as long as useful for analysis. Vercel Analytics data is deleted after 24 hours (as per their design). PostHog analytics data retention may be configured (e.g., we might keep detailed event data for 3 months and aggregated data longer). We periodically review and purge old analytics data.
  • "Logs:" System logs (which may include IP addresses and usage info) are generally kept for a short period (a few weeks) for debugging and security, then either deleted or aggregated. Certain security-related logs may be retained longer if needed for incident investigations.

When we no longer need personal data, we either delete it or anonymize it (so it can no longer be linked to an individual). If immediate deletion is not possible (for example, because the data is stored in backups), we will securely store it and isolate it from further use until deletion is feasible.

9. Your Data Protection Rights

Depending on your jurisdiction, you have a number of rights regarding your personal data. We are committed to honoring these rights. In particular, individuals in Switzerland, the European Union, the United Kingdom, and other jurisdictions with similar laws have the following rights (with some limitations under applicable law):

  • "Access:" You have the right to request a copy of the personal data we hold about you, and to obtain information about how we process it.
  • "Rectification:" If any of your personal data is inaccurate or incomplete, you have the right to request correction or completion. You can also update most of your basic account information by logging into your account settings.
  • "Erasure:" You can request that we delete your personal data. This is sometimes called the "right to be forgotten." We will honor deletion requests to the extent we are not legally required to retain the data. Note that deleting your account will remove most of your data, but certain records (e.g. invoices, support emails) might be kept if required by law.
  • "Restriction:" You have the right to ask us to limit processing of your data in certain circumstances (for example, if you contest the accuracy of data, we may restrict processing until the issue is resolved).
  • "Data Portability:" For data you have provided to us and that we process by automated means on the basis of your consent or for performance of a contract, you have the right to request a copy in a structured, commonly used, machine-readable format, or to have it transmitted to another provider where technically feasible. For example, you can export your QTO results or project data that we have, if applicable.
  • "Objection:" When we process data based on legitimate interests, you have the right to object to that processing. If you object, we will consider whether our legitimate grounds for processing override your interests and rights; if not, we will cease the processing in question. You also have an unconditional right to object to use of your data for direct marketing (though we currently do not use it for such purpose).
  • "Withdraw Consent:" If we rely on your consent for any processing (e.g. optional analytics cookies or a newsletter), you can withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal.

To exercise any of these rights, please contact us at support@lt.plus. We may need to verify your identity to process certain requests, especially for access, deletion, or portability (we wouldn't want to give your data to an impostor). We will respond to requests within the timeframe required by law (generally within 30 days for Swiss/EU requests, extendable if necessary with notice to you). Some rights may be subject to legal exceptions; if we cannot fulfill a request, we will explain why.

California Residents: At our current scale, we do not meet the thresholds of the California Consumer Privacy Act (CCPA/CPRA) for mandatory compliance. However, should that change or should we voluntarily comply, California users would have similar rights to access and delete personal information, and the right to opt-out of "sale" or "sharing" of personal info. Since we do not sell personal data, this is moot, but we include this note for transparency. We will update our Privacy Policy with a specific CCPA section if our operations expand to require it. California users may contact us with any concerns despite CCPA not formally applying.

10. Children's Privacy

QTOpro is not directed to children under 16, and we do not knowingly collect personal data from children. If you are under 16 (or a higher minimum age in your jurisdiction), please do not use our Service or provide any personal data. If we learn that we have inadvertently collected personal information from a child under the applicable age without proper consent, we will delete that information as quickly as possible. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.

11. Updates to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make material changes, we will notify you by email or by posting a prominent notice on our site (e.g. via a banner or notification in the app) prior to or upon the change becoming effective. The "Last Updated" date at the top will indicate when the latest changes were made.

We encourage you to review this Policy periodically to stay informed about how we protect your data. If you continue to use QTOpro after an update, it signifies your acceptance of the revised Policy, to the extent permitted by law. For significant changes that require your consent, we will seek consent accordingly.

12. Contact and Complaints

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at support@lt.plus. Our team will be happy to assist you.

If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the supervisory authority relevant to your location:

  • "Switzerland:" Federal Data Protection and Information Commissioner (FDPIC). Website: https://www.edoeb.admin.ch/edoeb/en/home.html
  • "European Union:" You can contact your local Data Protection Authority (DPA) in the country of your residence or our lead supervisory authority if one is designated. (As we are based in Switzerland, you may also address concerns to the FDPIC which cooperates with EU authorities.)
  • "United Kingdom:" Information Commission'er Office (ICO). Website: https://ico.org.uk/

We would, however, appreciate the chance to address your concerns before you approach a regulator, so please do reach out to us first if possible. Your privacy is important to us, and we will do our best to resolve any issue.

Thank you for reading our Privacy Policy. By using QTOpro, you trust us with your data, and we are committed to honoring that trust by protecting and handling your data responsibly.