4D-360-AI

Privacy Policy

Effective 13 May 2026

This Privacy Policy describes how 4D-360 Inc. ("4D-360", "we", "us") collects, uses, and shares information when you use the 4D-360-AI service, our websites at 4d-360.com and its subdomains, and any related software ("Service").

4D-360 is a software-as-a-service ("SaaS") platform for utility-network mapping. It has four components: Capture (drive-past Lidar + 360° imagery), Feature Extraction (turning that imagery into point clouds, meshes, and asset inventories), GIS Integration (pushing detected assets into your existing enterprise GIS), and Conflation (constrained least-squares network adjustment for landbase migrations).

By using the Service you agree to this Policy. If you don't, please don't use the Service.

1. Information we collect

1.1 Information you give us

  • Account & contact details — your name, email address, and (for subscribed customers) billing address.
  • Wait-list submissions — email, name, and an optional use-case description.
  • Support communications — anything you send us via support tickets, email, or the help-bot.

1.2 Customer Data (uploaded by you to be processed)

  • Capture data — 360° video footage from the Capture rig, GPS / IMU traces, and vehicle trajectory.
  • Network data — source network geometry, control-point measurements and shift vectors, and any constraints you specify for the Conflation component.
  • GIS metadata — asset-type mappings, schema definitions, and any other configuration you supply for the GIS Integration component.

Customer Data is processed on your behalf. You remain the controller of your Customer Data; 4D-360 is the processor.

1.3 Information collected automatically

  • Authentication claims — when you sign in via Cloudflare Access, your email address (and, where applicable, name) from your identity provider.
  • Usage & service logs — IP address, request timestamps, user agent, the URLs you request, error events. Used to operate, secure, and improve the Service.
  • Help-bot queries — the text of your questions to the help-bot, used at request-time to produce an answer. Not currently persisted beyond the request lifecycle.

1.4 Information we do not collect

  • Payment card data. All payments are processed by Stripe directly; we never receive or store your card number.
  • Biometric identifiers from captured imagery. Faces and licence plates visible in Capture footage should be blurred before storage. The blur pipeline is not yet wired in 4D-360-AI; until it is, please ensure you have lawful basis to capture footage in your jurisdiction.
  • Special-category personal data (health, religion, etc.) — not relevant to this Service.

2. How we use information

  • To provide and operate the Service (run the pipeline, return results, gate access).
  • To bill you (Stripe).
  • To support you (tickets, the help-bot).
  • To secure the Service (rate-limiting, fraud detection, abuse investigation).
  • To improve the Service (aggregated metrics, A/B tests on UI).
  • To communicate with you about service changes, releases, and (with your consent) marketing.
  • To comply with law and respond to lawful requests.

We do not sell your personal information. We do not train third-party AI models on your Customer Data.

3. Legal bases (EU / UK residents)

  • Performance of a contract — operating the Service, billing, support.
  • Legitimate interests — security, fraud prevention, service improvement, product analytics.
  • Consent — marketing emails, optional cookies. You can withdraw consent at any time.
  • Legal obligation — tax, accounting, lawful disclosure requirements.

4. External service providers

To operate the Service we engage a small number of trusted external providers for infrastructure hosting, payment processing, transactional email, GPU compute, identity, and similar operational functions. Each provider receives only the data necessary to perform its role and is contractually required to protect it and to process it on our instructions.

A current list of these providers is available to subscribed customers on request. We will provide reasonable advance notice of material changes to that list where practical.

5. International transfers

Where we transfer personal data out of the EEA, UK, or Switzerland we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss instruments. Production data residency is the EU (Hetzner Falkenstein) by default; transfers to US-based sub-processors are limited to operational metadata and the contents you choose to send them (e.g., a help-bot question routed to Anthropic).

6. Data retention

  • Account data — kept for as long as you have an account, plus 12 months after closure for legal and billing reconciliation.
  • Customer Data uploaded for processing — kept until you delete it or terminate the subscription. We delete or return Customer Data within 30 days of subscription termination, subject to backup-rotation timelines.
  • Wait-list submissions — kept until the relevant component launches plus 6 months, or until you ask us to delete them.
  • Service logs — 90 days for operational logs, up to 12 months for security / audit logs.
  • Billing records — retained as required by tax law (typically 7 years).

7. Security

  • TLS in transit (Cloudflare edge + origin Let's Encrypt certs).
  • Authenticated access via Cloudflare Access (email + Azure AD or one-time email PIN).
  • Server hardening: dedicated Hetzner hosts, restricted SSH, container isolation, periodic OS updates.
  • Secrets stored in platform secret stores (Cloudflare Pages secrets, restricted-permission environment files on origin).
  • Principle of least-privilege on internal service accounts and API keys.
  • No production access without 2FA on the relevant identity provider.

No system is perfectly secure. We will notify affected users and (where applicable) supervisory authorities of a personal-data breach in accordance with applicable law.

8. Your rights — US residents

If you are a US resident, depending on your state of residence (e.g., California, Colorado, Connecticut, Virginia, Utah, and others with comprehensive privacy laws) you may have rights to:

  • Know what personal information we have collected about you.
  • Access a copy of that information.
  • Delete personal information we hold about you, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Opt out of "sales" or "sharing" of personal information for cross-context behavioural advertising. We do not sell or share personal information for advertising.
  • Limit the use of sensitive personal information. We do not use sensitive personal information beyond what is necessary to provide the Service.
  • Non-discrimination for exercising any of the above rights.

To exercise a right, email [email protected]. We will respond within 45 days, or notify you of an extension where the law permits.

California Shine the Light: California residents may request information about disclosures of personal information to third parties for direct-marketing purposes. We do not currently share personal information for that purpose.

9. Your rights — EU / UK / Swiss residents (GDPR)

If you are in the EEA, UK, or Switzerland, you have the following rights under the GDPR (and equivalent UK / Swiss law):

  • Access (Art. 15) — request a copy of your personal data.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure / "right to be forgotten" (Art. 17).
  • Restriction of processing (Art. 18).
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Object (Art. 21) to processing based on legitimate interests or direct marketing.
  • Withdraw consent at any time for processing based on consent.
  • Lodge a complaint with your local supervisory authority. You may also contact us first at [email protected]; we'd rather resolve issues directly.

10. Cookies and similar technologies

We use the minimum cookies necessary to operate the Service:

  • Cloudflare Access session cookie — required to maintain your authenticated session on gated subdomains.
  • Discourse session cookies — issued by help.4d-360.com when you log into the community.
  • Stripe Checkout cookies — set by Stripe during the checkout flow.

We do not currently use third-party analytics or advertising cookies. If we add them, we will update this Policy and (in the EU / UK) request consent first.

11. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact [email protected].

12. Changes to this Policy

We may update this Policy from time to time. If we make material changes we will notify subscribed customers by email and post a notice on the Service. Continued use of the Service after a change constitutes acceptance.

13. Contact us

4D-360 Inc.
Privacy: [email protected]
General contact: [email protected]

For EU / UK / Swiss residents, you may contact our Data Protection lead at the privacy address above.

← Back to 4D-360-AI