Where is my IFC file processed?

Entirely in your browser. ClashControl uses web-ifc, a WebAssembly IFC parser, that runs locally on your device. Your IFC, GLB, or BCF file is never uploaded to any server.

What data does ClashControl send to its servers?

Only what you explicitly enable: optional anonymous usage metrics (counts only, no filenames or coordinates) and optional shared-project issue metadata (status, priority, assignee — never geometry). Both are opt-out. The default behaviour is: nothing leaves your browser.

Is ClashControl open-source?

Yes. The entire source — every line of code that touches your IFC — is published under the MIT license at github.com/clashcontrol-io/ClashControl. You can read it, audit it, fork it, or self-host it.

Can my company self-host ClashControl?

Yes. ClashControl is a single static HTML file. Drop it on any web server, an internal IIS, or a corporate intranet share. No build step, no backend required for the viewer + clash detection.

Your IFC stays in your browser.

ClashControl processes your IFC, GLB, and BCF files entirely on your device. Nothing is uploaded. Nothing is stored on our servers. There is no “upload your model” step because there is no server-side viewer.

How the architecture actually works

The single page you load at clashcontrol.io is a self-contained web app. When you drag an IFC file onto the viewer, the file goes into your browser’s memory and is parsed there by web-ifc, an open-source WebAssembly IFC parser. The same is true for clash detection: the broad-phase AABB + narrow-phase BVH triangle–triangle intersection runs in JavaScript inside your tab. Your file never enters a network request.

What stays on your device

The IFC file itself
Every element name, GUID, coordinate, property
Clash results & detected geometry
Issue annotations & viewpoints (until you export)
Model thumbnails & screenshots
BCF export bundles (saved to your downloads)

What never reaches our servers

Your IFC, GLB, or BCF files
Model names, file names, or project paths
Element names, GlobalIds, or coordinates
The actual clash geometry
Personally identifying information

What we do send — and how to disable it

Three optional features touch our servers. Each is described below; each can be turned off.

1. Anonymous usage analytics (opt-out)

We run a lightweight cookie-less counter (GoatCounter) for page-visit numbers. Optionally, with your consent, we collect aggregated counts of IFC types in your models, geometric metrics of clashes (size ratios, gap distances — numbers only), and the natural-language commands you type into the AI assistant. No filenames, no GUIDs, no coordinates, no IP addresses logged. You can disable this in Settings → Privacy, or by setting localStorage.cc_data_consent = 'denied' in your browser console.

2. Shared projects (opt-in)

If you create a shared project (for team coordination), only the issue metadata (status, priority, assignee, title) syncs through our backend — never the IFC geometry. Each teammate loads their own local copy of the IFC file. No accounts, no logins; a short project key is your only identifier.

3. AI assistant (opt-out)

The natural-language command bar sends your typed command (e.g. “show structural vs MEP clashes”) to our serverless function, which routes it to a Groq LLM for parsing. Model names and project names are stripped before transmission. You can disable AI entirely or bring your own LLM via the Smart Bridge connector (the chat then talks to localhost only).

Audit trail for AI decisions

Every clash title, severity score, and triage suggestion produced by AI carries a provenance record — which model, which endpoint, which timestamp. Hover the “AI” chip on any issue to see who decided what. The trail round-trips through BCF as custom labels (cc:aiModel, cc:aiSource, cc:aiAt) so it survives export to Revit, Navisworks, or any other BCF-aware tool. We built this in response to the AEC industry’s 2026 conversation around agentic-BIM governance — auditability is the differentiator the incumbents don’t ship.

Open source, MIT-licensed, auditable

Every line of code that touches your IFC is published at github.com/clashcontrol-io/ClashControl under the MIT license. The app is a single HTML file with no build step and no bundler — you can read it top to bottom. Network requests are auditable in browser DevTools; the absence of an upload request for your IFC is verifiable in seconds.

Self-host on your corporate network

Because the viewer is one static HTML file, your IT department can drop it on an internal IIS share, S3 bucket, or air-gapped intranet host. ClashControl works completely offline once loaded — PWA service-worker caching is enabled. The only optional server-side features (shared projects, AI assistant) can be turned off or pointed at your own infrastructure.

Smart Bridge security

The optional desktop Smart Bridge binary (for connecting your own LLM or live-syncing with Revit) listens on 127.0.0.1 only — not reachable from the network. Origin allow-list enforced. Host header allow-list blocks DNS-rebinding. Body size capped at 1 MB. LLM API keys written with 0600 permissions. Hardened in response to the 2026 MCP CVE roundup.

Transport & encryption

The app is served over HTTPS with HSTS. Connections to Vercel serverless functions (analytics, AI proxy, shared projects) use TLS 1.3 with modern cipher suites. The Smart Bridge runs on loopback (no transport encryption is needed; the data never leaves your machine).

License & contact

ClashControl is released under the MIT license. For specific compliance questions or to report a security issue privately, open a GitHub issue or contact info@clashcontrol.io.

Open the app →