Privacy Policy

Last Updated: December 16, 2025

1. Introduction

BuilderBase ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our construction project management platform ("Service"). This policy complies with the New Zealand Privacy Act 2020 and, where applicable, the General Data Protection Regulation (GDPR).

Data Controller: BuilderBase is the data controller for all personal information collected through the Service.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

  • Company name, business details, contact information
  • User names, email addresses, phone numbers
  • Payment information (processed securely by our payment provider)
  • Role and permission settings for users

Business Data (Your Data):

  • Project information (names, addresses, details)
  • Client information (names, companies, contact details)
  • Staff information (names, contact details, roles, leave records, certificates)
  • Financial data (invoices, estimates, bills, purchase orders, pricing)
  • Documents, photos, and files you upload
  • Site diaries, notes, and progress updates
  • Process checklists and quality control records
  • GPS location data (when using location features)
  • Communication records within the platform

2.2 Information Collected Automatically

Usage Data:

  • Device information (type, operating system, browser)
  • IP address and general location
  • Log data (access times, pages viewed, actions taken)
  • Feature usage statistics
  • Error logs and diagnostic data

Cookies and Similar Technologies:

  • Authentication cookies (essential for login)
  • Preference cookies (settings and customization)
  • Analytics cookies (to understand usage patterns)

3. How We Use Your Information

3.1 To Provide the Service

  • Create and manage your account
  • Store and process your business data
  • Enable collaboration between team members
  • Process financial transactions and calculations
  • Generate reports, estimates, and invoices
  • Facilitate third-party integrations (e.g., Xero)
  • Provide customer support

3.2 To Improve the Service

  • Analyze usage patterns to improve features
  • Identify and fix technical issues
  • Develop new features and functionality
  • Conduct research and testing

3.3 For Security and Compliance

  • Detect and prevent fraud or abuse
  • Monitor for security threats
  • Comply with legal obligations
  • Enforce our Terms of Service

3.4 For Communication

  • Send service-related notifications
  • Respond to support requests
  • Provide product updates and announcements
  • Send marketing communications (with your consent - you can opt out anytime)

4. Data Storage and Infrastructure

4.1 Cloud Infrastructure

Google Cloud Platform and Firebase: All data is stored using Google Cloud Platform (GCP) and Firebase services. This includes:

  • Firestore Database: Stores structured business data (projects, clients, financials)
  • Firebase Storage: Stores uploaded files, photos, and documents
  • Firebase Authentication: Manages user authentication and access control
  • Google Cloud Functions: Processes background tasks and integrations

4.2 Data Location

Your data is stored on Google Cloud servers located in:

  • Primary region: Australia (for New Zealand customers)
  • Backup/redundancy: Google's global infrastructure as per their service architecture

Google Cloud Platform maintains certifications for ISO 27001, SOC 2/3, and other security standards. For complete details on Google's security practices, please see Google Cloud's security documentation.

4.3 Data Backups

Automated Backups: Firebase and Google Cloud Platform provide automated backup and redundancy features. However, we strongly recommend that you:

  • Regularly export your company data using our free export feature
  • Maintain independent backups of critical business information
  • Consider our paid automatic local backup service for additional protection

4.4 Data Retention

Active Accounts: Data is retained for the duration of your subscription plus 90 days after cancellation to allow for possible reactivation. After 90 days, data may be permanently deleted.

Deleted Data: When you delete specific records (projects, clients, etc.), they are soft-deleted and retained for 30 days before permanent deletion, allowing for recovery if needed.

5. Data Security

5.1 Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmission uses TLS/SSL encryption
  • Encryption at Rest: Data stored in Firebase is encrypted at rest by Google
  • Authentication: Firebase Authentication with secure password hashing
  • Access Control: Role-based permissions and security rules
  • Firewall Protection: Google Cloud Platform security infrastructure
  • Regular Security Updates: Ongoing patches and security improvements
  • Monitoring: Automated security monitoring and threat detection

5.2 Infrastructure Security

Google Cloud Platform maintains physical security, network security, and operational security controls. Google's infrastructure is certified under multiple compliance frameworks including ISO 27001, SOC 2 Type II, and PCI DSS.

5.3 Your Responsibility

While we implement strong security measures, you are responsible for:

  • Maintaining strong, unique passwords
  • Keeping login credentials confidential
  • Properly managing user access and permissions
  • Promptly reporting suspected security breaches
  • Ensuring your devices and networks are secure

5.4 Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by the Privacy Act 2020 and other applicable laws, typically within 72 hours of becoming aware of the breach.

6. Data Sharing and Third Parties

6.1 Service Providers

We share data with trusted service providers who help us operate the Service:

  • Google Cloud Platform / Firebase: Infrastructure, database, storage, authentication
  • Google Gemini AI: AI-powered features (chatbot, analysis) - we do not use your proprietary data to train AI models
  • Payment Processors: Secure payment processing (they do not store full card details)
  • Email Service Providers: Transactional and notification emails

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

6.2 Integrations You Enable

Xero Integration: If you connect your Xero account, we will sync data (bills, invoices) between BuilderBase and Xero as you configure. This data sharing is authorized by you and governed by Xero's privacy policy as well as ours.

6.3 We Do NOT Sell Your Data

We never sell, rent, or trade your personal information or business data to third parties for marketing purposes.

6.4 Legal Requirements

We may disclose your information if required by law or in response to:

  • Legal processes (court orders, subpoenas)
  • Government or regulatory requests
  • Protection of our legal rights
  • Investigation of fraud or security issues
  • Protection of user safety

7. Your Rights Under Privacy Act 2020

7.1 Access Rights

You have the right to request access to all personal information we hold about you. You can access most of your data directly through your account dashboard. For a complete copy, contact us at privacy@BuilderBase.com.

7.2 Correction Rights

You can update most information directly through your account settings. If you cannot update information yourself or believe we hold incorrect information, contact us to request corrections.

7.3 Export and Portability

Data Export: You can export your complete company data in JSON format through Company Settings → Export Data for a small fee. This allows you to:

  • Create backups of your data on your local computer or network storage
  • Transfer data to another system
  • Analyze your data externally
  • Retain records for compliance purposes
  • Establish regular backup schedules under your control

7.4 Deletion Rights

You have the right to request deletion of your personal information, subject to:

  • Legal retention requirements (tax records, etc.)
  • Ongoing contractual obligations
  • Legitimate business needs

To delete your account and data: Cancel your subscription → Export your data → Contact support to request immediate deletion (instead of the standard 90-day retention period).

7.5 Restriction and Objection Rights

You have the right to:

  • Object to processing of your personal information for direct marketing (opt out anytime)
  • Request restriction of processing in certain circumstances
  • Withdraw consent where we rely on consent as the legal basis for processing

7.6 Complaint Rights

If you believe we have violated your privacy rights, you can:

  • Contact us directly at privacy@BuilderBase.com
  • Lodge a complaint with the New Zealand Privacy Commissioner: privacy.org.nz

8. Cookies and Tracking

8.1 Essential Cookies

Required for the Service to function properly:

  • Authentication tokens (to keep you logged in)
  • Session management
  • Security features

8.2 Functional Cookies

Remember your preferences and settings:

  • Interface preferences (theme, layout)
  • Selected company/project context
  • Language and regional settings

8.3 Analytics Cookies

Help us understand how the Service is used to improve functionality. We may use Google Analytics or similar tools. You can opt out of analytics tracking through your browser settings or privacy tools.

8.4 Managing Cookies

You can control cookies through your browser settings. Note that blocking essential cookies may prevent the Service from functioning properly.

9. Client Portal and Third-Party Access

9.1 Client Portal Access

When you grant your clients access to a project through the Client Portal, you are responsible for:

  • Obtaining appropriate consent from your clients to share their information
  • Configuring what information is visible to clients
  • Ensuring you have the right to share project files and documents
  • Complying with privacy obligations to your clients

9.2 Home Portal (QR Code Access)

The Home Portal feature allows public or PIN-protected access to project information. You are responsible for:

  • Choosing what information to make accessible
  • Managing PIN security
  • Ensuring you have permission to publicly display any information or images

9.3 Staff and Subcontractor Access

When you add staff members or subcontractors to your account, you are responsible for obtaining their consent to process their personal information and for complying with employment and privacy laws.

10. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. International Data Transfers

While our primary data storage is in Australia, Google Cloud Platform's architecture may involve data processing or redundancy in other regions. Google Cloud complies with:

  • EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (where applicable)
  • Standard Contractual Clauses for data transfers
  • GDPR requirements for international transfers

By using the Service, you consent to your data being processed in accordance with Google Cloud Platform's global infrastructure and data protection standards.

12. AI and Automated Processing

12.1 AI Features

We use Google's Gemini AI for:

  • In-app chatbot support
  • Process checklist analysis
  • Data insights and suggestions

12.2 AI Data Processing

When you use AI features, relevant data may be sent to Google's Gemini API for processing. We do not use your proprietary business data to train AI models. Google processes AI requests according to their data processing terms.

12.3 Automated Decision Making

We do not use automated processing for decisions that significantly affect you without human oversight. AI features are assistive tools only; you maintain control over all business decisions.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

14. Contact Us

For questions, concerns, or requests related to your privacy or this Privacy Policy, please contact:

Privacy Officer

Email: privacy@BuilderBase.com

General Support: support@BuilderBase.com

We will respond to privacy requests within 20 working days as required by the Privacy Act 2020.

Key Privacy Points

  • You own your data - We claim no ownership over your business information
  • Data stored on Google Cloud - Using Firebase and Google Cloud Platform infrastructure
  • We never sell your data - Your information is never sold to third parties
  • Paid data export - Export your complete data in JSON format for a small fee
  • Strong security - Encryption, access controls, and Google's infrastructure security
  • Your responsibility - Maintain independent backups of critical business data through regular exports
  • Your rights - Access, correction, export, deletion under Privacy Act 2020
  • Complaints - Contact us or the NZ Privacy Commissioner