Privacy Policy

Last Updated: 29 November 2025

1. Introduction

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Building Control Evidence Platform (the "Service"). We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this Privacy Policy carefully. By using the Service, you consent to the collection and use of your information as described in this Privacy Policy.

2. Data Controller

For the purposes of UK data protection legislation, the data controller is:

[Your Company Name]
Address: [Your Company Address]
Email: privacy@buildingcontrolevidence.com
Company Registration: [Your Company Number]

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address (required, unique identifier)
  • Password (stored only as a one-way hash generated with bcryptjs)
  • First name and last name
  • Company name
  • Company logo (optional)
  • Company address
  • Phone number
  • Email notification preferences

3.2 Development and Project Data

When you create and manage construction projects, we collect:

  • Development name, address, and description
  • Project type, details, and status
  • Application type and reference numbers
  • Council and Building Control information
  • Planning reference numbers
  • Project timelines (start date, completion date, target dates)
  • Fee amounts and payment dates
  • Unit information (addresses, types, bed counts, floor numbers)
  • Archived status and retention dates

3.3 Team and Collaboration Data

When you invite team members and manage collaboration, we collect:

  • Team member email addresses and roles (Viewer, Contributor, Competent Person, Duty Holder, Admin)
  • Invitation tokens and acceptance status
  • Competency verification information
  • Qualifications and supporting documentation
  • Permission settings for each team member
  • Last active timestamps
  • User activity records (who performed what action and when)

3.4 Evidence and Media Data

When you upload photos and documents as compliance evidence, we collect:

  • Photo and document files
  • File names, sizes, types, and formats
  • GPS coordinates (latitude and longitude with accuracy) - automatically captured from photo EXIF data when available
  • Device ID - identifier of the device used to capture or upload the file
  • Timestamps (when captured and when uploaded)
  • EXIF metadata from photos (camera model, settings, etc.)
  • File integrity hashes for verification
  • Custom metadata, tags, and descriptions
  • Stage, category, and work package associations

3.5 Inspection and Compliance Data

When you manage inspections and compliance, we collect:

  • Inspection requests and scheduled dates
  • Inspection results (pass/fail, notes, observations)
  • Digital signatures from inspectors and duty holders
  • Building Control correspondence and communications
  • Inspection checklists and item approvals
  • Duty holder information and responsibilities
  • Certificate tracking (Building Regulations Parts A-P)
  • Document expiry dates and renewal notifications

3.6 Activity and Audit Logs

To maintain security and regulatory compliance, we automatically log:

  • IP addresses - stored in activity logs, audit logs, and photo audit logs
  • User agent information - browser type, version, and operating system
  • Action types and descriptions (created, updated, deleted, viewed, etc.)
  • Entity types and unique identifiers
  • Timestamps of all actions
  • Previous and new data values for changes (audit trail)
  • Verification status and history
  • Login history and session information

3.7 Subscription and Payment Data

When you subscribe to a paid plan, we collect and process:

  • Stripe customer ID (unique identifier with our payment processor)
  • Stripe subscription ID and status
  • Current billing period start and end dates
  • Trial start and end dates (if applicable)
  • Cancellation information and dates
  • Payment history including:
    • Stripe payment intent ID, invoice ID, and charge ID
    • Amount paid (in pence) and currency
    • Payment method type (card brand, last 4 digits)
    • Invoice numbers and PDF URLs
    • Billing reason and description
    • Payment status and error messages (if payment failed)

Note: We do not store full credit card numbers. All payment processing is handled securely by Stripe, our PCI-DSS compliant payment processor. Stripe may collect additional payment information as described in their privacy policy.

3.8 Usage and Analytics Data

To monitor service usage and improve the platform, we collect:

  • Session IDs (generated and stored in browser sessionStorage)
  • Page views and navigation patterns
  • Event types and event data
  • Document referrer (which website referred you to us)
  • UTM parameters (utm_source, utm_medium, utm_campaign) for marketing attribution
  • Landing page conversions and early access signups
  • Usage metrics:
    • Number of active developments
    • Total units count
    • Storage used (in GB)
    • Number of team members
    • API calls per month
    • Emails sent per month
    • Last usage calculation timestamp

3.9 Building Control Portal Data (Separate Portal for Inspectors)

For Building Control inspectors using our separate portal, we collect:

  • Email address (unique) and password hash
  • First name, last name, and job title
  • Phone number and license number
  • Qualifications (stored as JSON)
  • Specializations and areas of expertise
  • Role (inspector, admin, etc.) and active/verified status
  • Assigned geographical areas
  • Bio and profile photo
  • Last login information (IP address, timestamp, user agent)

4. Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following legal bases:

4.1 Performance of Contract

Processing is necessary to provide the Service you have contracted for, including:

  • Creating and managing your account
  • Processing your project and evidence data
  • Enabling team collaboration features
  • Processing payments and managing subscriptions
  • Providing customer support

4.2 Legal Obligation

Processing is necessary to comply with legal obligations, including:

  • Maintaining audit logs for Building Regulations compliance
  • Retaining payment and tax records (UK law requires 6+ years retention)
  • Preserving evidence records for statutory warranty periods
  • Responding to lawful requests from authorities

4.3 Legitimate Interest

Processing is necessary for our legitimate interests, including:

  • Preventing fraud and ensuring platform security
  • Improving and developing the Service
  • Analyzing usage patterns (using anonymized data where possible)
  • Marketing our services (you can opt out at any time)
  • Network and information security

4.4 Consent

Where required by law, we obtain your explicit consent for:

  • GPS location data collection from uploaded photos
  • Non-essential cookies and tracking
  • Marketing communications (you can withdraw consent at any time)

5. How We Use Your Information

We use the collected information for the following purposes:

5.1 Service Delivery

  • Creating and managing your account and user profile
  • Providing access to the Service and its features
  • Processing and storing your project data and evidence
  • Facilitating team collaboration and communication
  • Managing inspections and Building Control integration
  • Generating reports, certificates, and handover packs
  • Providing customer support and responding to inquiries

5.2 Billing and Account Management

  • Processing payments and managing subscriptions
  • Sending invoices and payment receipts
  • Notifying you of failed payments
  • Managing trial periods and cancellations
  • Enforcing usage limits based on subscription tier

5.3 Security and Compliance

  • Maintaining comprehensive audit trails for regulatory compliance
  • Detecting and preventing fraud, abuse, and unauthorized access
  • Verifying file integrity and authenticity
  • Monitoring for security threats and vulnerabilities
  • Investigating and resolving disputes
  • Complying with Building Safety Act 2022 requirements

5.4 Service Improvement

  • Analyzing usage patterns to improve features and user experience
  • Developing new features and functionality
  • Conducting research and analytics (using anonymized data)
  • Testing and troubleshooting technical issues

5.5 Communications

  • Sending transactional emails (account confirmations, password resets, inspection notices)
  • Notifying you of important Service updates and changes
  • Sending team invitations and collaboration notifications
  • Delivering certificate expiry reminders
  • Sending marketing communications (with your consent; you can opt out)

6. Data Sharing and Third-Party Services

We share your information with third-party service providers who assist us in operating the Service. All third parties are required to protect your data in accordance with UK GDPR and our Data Processing Agreements.

6.1 Infrastructure and Hosting

Vercel Inc.
Purpose: Cloud hosting, database (Vercel Postgres), and file storage (Vercel Blob)
Data Shared: All user data, project data, uploaded files, and databases
Location: Primarily US-based infrastructure with EU options available
Privacy Policy: https://vercel.com/legal/privacy-policy

6.2 Payment Processing

Stripe, Inc.
Purpose: Payment processing, subscription management, invoicing
Data Shared: Name, email, payment method details, billing address, transaction amounts
Location: Global infrastructure with data centers in US and EU
Privacy Policy: https://stripe.com/privacy
Note: Stripe is PCI-DSS Level 1 certified and handles all credit card information securely.

6.3 Email Delivery

Resend
Purpose: Transactional email delivery (confirmations, invitations, notifications, receipts)
Data Shared: Email addresses, names, email content
Privacy Policy: https://resend.com/legal/privacy-policy

6.4 Error Tracking (If Enabled)

Sentry (if error tracking is enabled)
Purpose: Error monitoring and debugging
Data Shared: Error logs, stack traces, user actions leading to errors, IP addresses
Privacy Policy: https://sentry.io/privacy/

6.5 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We only share data with service providers as necessary to operate the Service.

6.6 Legal Disclosures

We may disclose your information if required by law or in response to:

  • Legal process (court orders, subpoenas, warrants)
  • Regulatory or government requests
  • Investigations of fraud or illegal activity
  • Protection of our rights, property, or safety
  • Emergency situations involving danger to health or safety

7. Data Retention

We retain your data for different periods depending on the type of information and legal requirements:

7.1 Active Account Data

  • Account and profile information: Retained while your account is active
  • Project and evidence data: Retained while your account is active or until you delete specific projects
  • Team collaboration data: Retained while your account is active

7.2 Audit and Compliance Logs

  • Activity and audit logs: Minimum 7 years (to meet Building Regulations warranty period requirements)
  • Photo audit logs with GPS data: Minimum 7 years (regulatory compliance)
  • Building Control inspection records: Minimum 12 years (statutory requirement)

7.3 Financial and Payment Records

  • Payment history, invoices, and transaction records: Minimum 6 years (UK tax and accounting law)
  • Subscription history: 6 years

7.4 After Account Termination

  • User-generated content (projects, photos, documents): 30 days (to allow for account recovery)
  • After 30 days: All user content is permanently deleted, except records required by law
  • Audit logs, payment records, and compliance documentation are retained as specified above

7.5 Marketing Data

  • Early access signups and marketing preferences: Retained until you opt out or request deletion
  • UTM and analytics data: Anonymized and aggregated after 26 months

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

8.1 Right of Access

You can request a copy of all personal data we hold about you. We will provide this information in a commonly used format within 30 days of your request.

8.2 Right to Rectification

You can update or correct your personal information at any time through your account settings or by contacting us.

8.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data. We will comply unless we have a legal obligation to retain certain data (e.g., payment records, audit logs for compliance).

8.4 Right to Data Portability

You can export your data in a structured, commonly used, machine-readable format (JSON, CSV, or PDF) through the Service's export features.

8.5 Right to Restriction of Processing

You can request that we limit how we use your data in certain circumstances.

8.6 Right to Object

You can object to processing based on legitimate interests or for marketing purposes. We will stop processing unless we have compelling legitimate grounds.

8.7 Right to Withdraw Consent

Where we rely on consent (e.g., GPS tracking, marketing emails), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Helpline: 0303 123 1113

8.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@buildingcontrolevidence.com. We will respond within 30 days and verify your identity before processing your request.

9. Data Security

We implement industry-standard security measures to protect your data:

9.1 Technical Measures

  • Encryption in transit (HTTPS/TLS) for all data transmission
  • Encryption at rest for sensitive data in databases and file storage
  • Password hashing using bcryptjs (industry-standard one-way hashing)
  • File integrity verification using cryptographic hashing
  • Secure authentication and session management
  • Regular security updates and patching

9.2 Organizational Measures

  • Role-based access controls limiting who can access data
  • Comprehensive audit logging of all data access and modifications
  • Regular backups to prevent data loss
  • Data Processing Agreements with all third-party processors
  • Employee training on data protection
  • Incident response procedures for security breaches

9.3 Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach
  • Notify affected users without undue delay if the breach poses a high risk
  • Provide clear information about the breach and steps you should take
  • Take immediate action to contain and remediate the breach

9.4 Your Security Responsibilities

You are responsible for:

  • Maintaining the confidentiality of your password
  • Using a strong, unique password
  • Notifying us immediately of any unauthorized account access
  • Ensuring your devices and networks are secure

10. Cookies and Tracking Technologies

10.1 Essential Cookies

We use essential cookies and session storage to:

  • Authenticate your login session
  • Remember your preferences and settings
  • Enable core Service functionality
  • Ensure security and prevent fraud

These cookies are necessary for the Service to function and cannot be disabled.

10.2 Analytics and Performance

We use sessionStorage to track:

  • Session IDs (generated client-side, not personally identifiable)
  • Page views and navigation
  • Event tracking for feature usage

10.3 Marketing and Attribution

We track UTM parameters (utm_source, utm_medium, utm_campaign) to understand which marketing channels bring users to our Service. This helps us improve our marketing effectiveness.

10.4 Third-Party Cookies

Third-party services we use may set their own cookies:

  • Stripe: Payment processing and fraud detection
  • Vercel: Infrastructure and performance monitoring

For more details, please see our Cookie Policy.

11. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom, including the United States (where Vercel and Stripe are headquartered).

When we transfer your data internationally, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO
  • Data Processing Agreements with third-party processors
  • Choosing processors that comply with UK GDPR standards
  • Regular review of data transfer mechanisms

12. Children's Privacy

The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete that information promptly.

If you believe we have collected information from a child, please contact us immediately at privacy@buildingcontrolevidence.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes:

  • We will update the "Last Updated" date at the top of this page
  • We will notify you by email at least 30 days before changes take effect
  • We may display a prominent notice on the Service
  • For significant changes, we may require you to accept the new policy to continue using the Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Contact:
Email: privacy@buildingcontrolevidence.com
Address: [Your Company Address]

General Support:
Email: support@buildingcontrolevidence.com

We will respond to your inquiry within 30 days.

This Privacy Policy is compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.