Privacy policy.

IssueLab ("we", "us", "our") operates Foreman, the complete toolkit for Autodesk Forma project administration. Foreman helps BIM Managers and Project Admins manage members, folders, files, access requests, roles, and permissions across their Autodesk Forma project portfolio. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal data when you access or use our services. By using Foreman, you agree to the practices described in this policy.

1. Information We Collect

Account Data

When you register for Foreman, we collect your name and email address. Foreman uses Autodesk identity as the primary authentication method. When you sign in with Autodesk, we store the following profile information from your Autodesk account: your Autodesk user ID, email address, first and last name, profile picture URL, job title, company name, country, and Autodesk profile URL. These fields are automatically refreshed on each sign-in to keep your profile current.

Usage Data

We automatically collect information about how you interact with Foreman, including pages visited, features used, timestamps, browser type, operating system, IP address, and referring URLs.

Project & Autodesk Forma Data

Foreman processes project data from your Autodesk Forma account, including project names, folder structures, member lists, role assignments, and permission configurations. This data is accessed via the Autodesk Platform Services API on your behalf. Files from your Autodesk projects are streamed from the Autodesk API, processed in memory, and discarded — they are not stored on our servers.

AI & MCP Data

If you use Foreman's AI Chat assistant or connect a third-party AI assistant via MCP (Model Context Protocol), your prompts and the resulting tool responses are transmitted to the relevant AI provider for processing. This may include project names, file names, member information, and folder structures. The built-in AI Chat uses Anthropic's Claude API. Conversation history is stored on our EU servers; however, the content of your prompts and responses is also processed by Anthropic and is subject to Anthropic's privacy policy. For third-party MCP clients (e.g. Claude Desktop, ChatGPT, Cursor), data handling is governed by that provider's own policies. Organization administrators can disable AI features entirely.

The Foreman MCP server itself does not access your AI client's memory, full conversation history, conversation summaries, or user files beyond the parameters a given tool call explicitly passes to it. Each tool call is scoped to its declared inputs and the authenticated user's authorized projects; Foreman does not scrape or store chat context on the MCP endpoint.

Data when connecting via the Foreman MCP endpoint

When an external AI client (e.g. Claude, Cursor) connects to Foreman's MCP endpoint, authentication uses OAuth 2.1 with PKCE. The access and refresh tokens we issue are stored in Foreman's EU-hosted database and linked to your user account; they are encrypted at rest using the .NET Data Protection API. Each tool call made through the endpoint is audited to the organization's activity feed (actor, tool name, target, timestamp, outcome) in line with Section 7 retention. Inputs and outputs of tool calls are not persisted verbatim beyond what is necessary to answer the call and write its audit entry; prompts and responses are not harvested for training or shared with third parties outside the AI provider your client connects to.

2. How We Use Your Information

• To provide, maintain, and improve Foreman's features and functionality
• To authenticate your identity and manage your account
• To process role assignments, permissions, and compliance reporting
• To communicate with you about service updates, security alerts, and support
• To analyze usage patterns and improve user experience
• To detect, prevent, and address technical issues and security threats
• To comply with legal obligations

3. Lawful Basis for Processing

Under GDPR Article 6, we process your personal data on the following lawful bases:

• Contract performance: Processing necessary to deliver the Foreman service you have subscribed to
• Legitimate interest: Improving our services, ensuring security, and preventing fraud
• Consent: Where you have given explicit consent, such as for marketing communications
• Legal obligation: Processing required to comply with applicable laws and regulations

4. Data Sharing & Third Parties

We do not sell your personal data. We may share data with the following categories of third parties:

• Autodesk Forma: Foreman integrates with Autodesk Forma to manage your projects, members, and permissions. Data exchanged with Autodesk is governed by their privacy policy and your agreement with them.
• AI providers: When you use AI features, your prompts and tool responses are sent to the relevant AI provider (Anthropic for built-in AI Chat; your chosen provider for MCP integrations). This data is subject to that provider's data handling policies. No data is sent to AI providers unless you actively use AI features, and organization administrators can disable AI entirely.
• Sub-processors: We use carefully selected service providers for hosting, analytics, and email delivery. All sub-processors are bound by data processing agreements.
• Legal requirements: We may disclose data where required by law, court order, or governmental authority.

5. Data Residency & International Transfers

All Foreman infrastructure — including application servers, databases, and file storage — is hosted in the European Union. Your data remains within the EU at all times during storage and processing on our systems. IssueLab is a company registered in England, United Kingdom.

Data may leave the EU in the following circumstances: when transmitted to Autodesk Platform Services APIs (governed by your agreement with Autodesk), and when you use AI features that send data to third-party AI providers (see Section 4). Where international transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or transfers to countries with an adequate level of data protection as determined by adequacy decisions.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include TLS encryption in transit, encryption at rest for credentials and tokens (using the .NET Data Protection API), tenant-isolated access controls, and self-hosted EU-based infrastructure with no third-party cloud storage dependencies. For full details, see our Security page. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. When data is no longer needed, it is securely deleted or anonymised. Account data is retained for the duration of your subscription and for a reasonable period thereafter to allow for account reactivation.

Automatic Retention Policies

Foreman automatically purges certain categories of data based on your subscription tier:

• Exported files (CSV, XLSX) and QA check files — purged after 7 to 365 days depending on plan tier
• Member audit snapshots — purged after 30 to 365 days depending on plan tier (Pro and Enterprise: unlimited)
• OAuth tokens — expired and revoked tokens are automatically pruned by scheduled cleanup

Organization administrators can customise retention periods from Organization > Settings > Data & Privacy. For full details on tier-specific defaults, see our Security page.

Account Deletion

When you submit an account deletion request, your request enters a review workflow where administrators assess any shared data, active projects, or pending operations before approving. Approved deletion requests result in permanent erasure of your personal data and account information. Rejected requests mean your data is retained normally, and you will be notified of the reason.

8. Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data ("right to be forgotten") via the Account Settings page in Foreman. Your request will be reviewed by administrators and you will be notified of the outcome.
• Right to restriction: Request restriction of processing in certain circumstances
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interest or for direct marketing
• Rights related to automated decision-making: Not be subject to decisions based solely on automated processing that produce legal or significant effects

You can download a copy of all your personal data at any time from your Account Settings > Personal Data page. To exercise any other rights listed above, please contact us at tech@issuelab.co. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Cookies & Tracking Technologies

Foreman uses essential cookies required for authentication and session management. We may also use analytics cookies to understand how our service is used. You can manage your cookie preferences through your browser settings. Essential cookies cannot be disabled as they are necessary for the service to function.

10. Children's Privacy

Foreman is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Your continued use of Foreman after changes are posted constitutes acceptance of the revised policy.

12. Data Protection Officer & Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: