Privacy Policy

CADLens (“we”, “us”, “our”) is a CAD file parsing API service. Our service converts DWG, DXF, and DWF files into structured vector JSON and PNG previews via a REST API.

If you have questions about this policy, contact us at [email protected].

We collect only what is necessary to provide the service:

• Account data — email address and password hash (bcrypt) when you register. If you sign in via OAuth (Google, GitHub), we receive your email and profile name from that provider.
• API keys — stored as SHA-256 hashes. We cannot recover the raw key after creation.
• Uploaded CAD files — stored temporarily in AWS S3 for processing. Files are deleted after the job result is fetched or after 7 days, whichever comes first.
• Parse job metadata — file name, size, status, timestamps, and error messages (not the file content itself).
• Usage records — request counts per billing period used for quota enforcement and billing.
• Contact form submissions — name, email, and message text you submit via our contact form. These are stored in our database and used only to respond to your enquiry.
• Request logs — IP address, HTTP method, path, status code, and response time for security, debugging, and rate-limiting purposes. Logs are retained for 30 days.

CADLens uses the following third-party processors:

• AWS S3 — file storage for uploaded CAD files and generated PNG previews. AWS is SOC 2 / ISO 27001 certified.
• Stripe — payment processing and subscription management. CADLens never stores raw card data; all payment data is handled by Stripe under their Privacy Policy.
• Cloudflare Turnstile — bot and spam protection on our contact form. We use Turnstile in invisible mode. Cloudflare may process your IP address and browser characteristics to determine whether a request is human. By using our contact form you agree to Cloudflare's data processing as described in the Cloudflare Turnstile Privacy Addendum.

We use a minimal set of cookies:

• Session cookie — a signed JWT stored in an HTTP-only cookie to keep you logged in. Expires after 2 hours of inactivity or 7 days if “remember me” is active.
• Analytics — we use Google Analytics 4 (GA4) with IP anonymisation enabled. No advertising or cross-site tracking cookies are set.

We do not use third-party advertising cookies or sell your data to any third party.

Depending on your jurisdiction you may have the right to access, correct, export, or delete your personal data. To exercise any of these rights email [email protected] with the subject line “Data request”. We will respond within 30 days.

• Account deletion — you can delete your account from the dashboard. All associated data is removed within 7 days.
• Data export — request a copy of your personal data at any time.
• Opt-out of analytics — install the Google Analytics opt-out browser add-on.

We may update this policy as the service evolves. Material changes will be communicated via email to registered users. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the service after changes constitute acceptance of the updated policy.