Our Commitment
BIMWorkplace Lda., headquartered in Portugal (EU), processes personal data in line with the GDPR. When the Services are provided to organizations, the customer organization is the Data Controller and BIMWorkplace acts as the Data Processor, as defined in our Data Processing Agreement.
Lawful Basis for Processing
- Contractual necessity — provisioning the Services, billing and support.
- Legitimate interests — service security, fraud prevention, and product improvement, balanced against data subject rights.
- Consent — marketing communications and non-essential cookies.
- Legal obligation — accounting, tax, regulatory and lawful authority requests.
Data Subject Rights
Under the GDPR you have the following rights regarding your personal data:
- Right of access — obtain confirmation and a copy of your personal data.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”).
- Right to restriction of processing in certain circumstances.
- Right to data portability — receive your data in a structured, commonly used, machine-readable format.
- Right to object to processing based on legitimate interests and to direct marketing at any time.
- Right to withdraw consent at any time, where processing relies on consent.
- Right to lodge a complaint with a supervisory authority — in Portugal, the Comissão Nacional de Proteção de Dados (CNPD).
To exercise any of these rights, contact dpo@bimworkplace.com. We respond within one month in line with Article 12 GDPR.
Data Processing Agreement (DPA)
A GDPR-compliant Data Processing Agreement is available on request and forms an integral part of our Subscription Agreement. The DPA includes the European Commission's Standard Contractual Clauses (SCCs) for any international transfers and the current list of approved sub-processors.
Sub-processors
BIMWorkplace uses a limited set of vetted sub-processors (e.g., cloud hosting, payment processing, transactional email). All sub-processors are bound by written agreements requiring confidentiality and equivalent data protection obligations. The current list is available to customers on request, and we provide reasonable notice of any additions or replacements.
International Data Transfers
Customer data is hosted within the European Economic Area (EEA) by default. Where transfers outside the EEA are necessary (for example to certain sub-processors), they are governed by the European Commission's Standard Contractual Clauses (SCCs) and supplementary technical and organizational measures.
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, for the duration of the Subscription, and thereafter as required by applicable law (e.g., billing records for 10 years). Backups are securely deleted within defined retention windows.
Security
We apply industry-standard technical and organizational measures, including encryption in transit and at rest, role-based access control, MFA for administrative access, monitoring, and regular vulnerability management. See our Security page for details.
Personal Data Breach Notification
In line with Articles 33–34 GDPR, BIMWorkplace notifies the relevant supervisory authority and affected customers without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach.
Data Protection Officer
For all GDPR-related enquiries, including DPAs, sub-processor lists, and data subject requests, contact our Data Protection Officer at dpo@bimworkplace.com.