Privacy Policy
How BuilderAudit handles your personal data, what we collect, why we collect it, and your rights under UK GDPR.
1. Who we are
BuilderAudit ("we", "our", "us") is the trading name for a service that performs forensic trust analysis on UK construction company websites. We are the data controller for the personal data described in this policy.
You can reach us by emailing [email protected]. If we appoint a Data Protection Officer or formal data controller entity in future, we will update this section and notify registered users.
2. What personal data we collect
From you, when you create an account
- Email address — required, used to log you in and send transactional emails.
- Mobile or landline phone number — required, used only for support contact and account recovery.
- Password — required, stored hashed (bcrypt) and never displayed in plain text.
- Business name, type and UK region — required, used to tailor reports and provide regional benchmarking.
When you run audits
- Website URLs you submit — used to crawl and analyse the target site.
- Publicly available content from those websites — page text, images, metadata, contact details listed on the site, etc. This may include the names and contact details of the business or person who owns the audited site.
- Browser session data — a single session cookie (named ba_session) used to keep you logged in.
Automatically
- IP address at signup and consent events — kept as part of the consent audit log so we can demonstrate when consents were given (a UK GDPR Article 7 requirement).
- Browser user-agent string at signup and consent events — same purpose.
- Service logs (request timestamps, error logs) — used to operate and debug the service.
3. Why we collect it
- To provide the audit service you signed up for.
- To send transactional emails — account confirmations, audit completion notifications, security alerts.
- To send weekly check-in emails, only if you ticked that option (you can unsubscribe at any time).
- To introduce you to trusted builder and agency partners, only if you ticked that option (you can withdraw consent at any time).
- To improve the service — we may use anonymised, aggregated audit data to improve our scoring models and identify trends in construction website quality. We do not use any data that could identify you personally for this.
- To comply with our legal obligations — e.g. responding to lawful requests from authorities.
4. Lawful basis for processing
Under UK GDPR we need a lawful basis for every type of processing. Ours are:
- Contract — when you sign up, you enter a contract with us to deliver the audit service. Most processing of your account data falls under this.
- Consent — for marketing emails (weekly check-ins) and for sharing your details with partners. Consent is opt-in, recorded with timestamp and IP, and can be withdrawn at any time from your dashboard.
- Legitimate interests — for service security, fraud prevention, and our own analytics on aggregated, de-identified data. We have weighed our interest against your rights and consider this proportionate.
- Legal obligation — where required by UK law to retain records or respond to authorities.
5. Who we share data with
We use the following categories of subprocessor to deliver the service. Each operates under its own data protection terms, which we have reviewed:
- Anthropic (USA) — provides the Claude AI used to analyse audited sites. The text and image content of the websites you audit is sent to Anthropic for processing. Your account details are not.
- Railway (USA/EU) — hosts our application servers and database.
- Resend (USA) — sends transactional and (where you opted in) weekly emails on our behalf.
- ScrapFly & SerpAPI (USA) — perform website crawling and reverse-image searches as part of our forensic verification. Image hashes (not your contact details) are sent.
Where data leaves the UK or EEA, we rely on Standard Contractual Clauses or equivalent safeguards.
Builder & agency partners (only with your explicit consent)
If you ticked the option to receive recommendations and introductions at signup or in your dashboard settings, we may share your name, business name, email, phone number, region, and the issues identified in your most recent audit with one or more of our vetted partners. Categories of partners include web design and development agencies, SEO specialists, pay-per-click and Google Ads specialists, CRM consultants, photography and visual content services, and branding and marketing agencies.
We share data only with partners who have signed a Data Processing Agreement with us. You can withdraw this consent at any time from your dashboard, after which we stop sharing immediately. We do not sell your personal data to anyone.
6. How long we keep your data
- Account data — for as long as your account is active. If you delete your account, we delete or anonymise your account data within 30 days, except where we are legally required to retain specific records.
- Audit reports — retained as long as your account exists. Deleted with the account.
- Consent log — retained for 6 years from withdrawal or account deletion, to defend against any GDPR challenge during the limitation period.
- Service logs — typically retained for 30–90 days, then deleted.
7. Your rights
Under UK GDPR you have the following rights. To exercise any of them, email us at [email protected]. We will respond within 30 days.
- Right of access — get a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — delete your account and personal data, subject to legal exceptions.
- Right to restrict processing — temporarily stop us using your data while a complaint is investigated.
- Right to data portability — get your data in a machine-readable format.
- Right to object — object to specific kinds of processing, including direct marketing.
- Right to withdraw consent — for any processing based on consent, available from your dashboard.
- Right to complain — to the UK Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
8. Cookies
We use one essential cookie: ba_session — a secure HTTP-only cookie containing a JSON Web Token that identifies you to our service. Set when you log in, deleted when you log out or after 30 days of inactivity. We do not use third-party tracking, advertising, or individual-level analytics cookies, so we do not display a consent banner.
9. If your business website was audited (and you didn't sign up)
BuilderAudit allows registered users to audit any public UK construction website. If your business's website was audited by another user, we processed information that was already publicly available on your website. Our lawful basis for this is legitimate interest in analysing public content for trust signals.
If you don't want your website audited or referenced in our system, contact us at [email protected] and we will remove relevant data and exclude your domain from future audits, subject to verification.
10. Security
- Passwords are hashed using bcrypt (industry-standard one-way hashing).
- All connections to BuilderAudit use HTTPS/TLS.
- Database connections require SSL.
- Session cookies are HttpOnly, Secure, and SameSite-Lax.
- Access to production systems is limited and authenticated.
No system is perfectly secure. If we ever suffer a personal data breach that risks your rights, we will notify the ICO within 72 hours and notify you directly without undue delay if the risk is high.
11. Changes to this policy
We may update this policy from time to time. We'll notify registered users by email of any material changes at least 14 days before they take effect. The "Last updated" date at the top tells you when we last revised it.
12. Contact and complaints
For privacy questions, data subject requests, or anything else covered by this policy, email [email protected].
If you're not satisfied with our response, you can complain to the UK Information Commissioner's Office: online at ico.org.uk/make-a-complaint, by phone on 0303 123 1113, or by post to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.