Last updated 20 May 2026

Privacy Policy

How BuildPilot collects, stores, and uses your data. We try to make this readable in plain English — UK GDPR rights and obligations remain the same whether we wrap them in legal language or not.

Contents

Who we are
What data we collect
Why we collect it
Lawful basis
Retention
Who else sees your data
International transfers
Your rights
Security
Cookies
Changes to this policy
Contact

1. Who we are

BuildPilot is operated by O&K Property Works Ltd trading as BuildPilot ("we", "us", "BuildPilot"), based in London, United Kingdom. We are the data controller for the personal data described in this policy.

If you'd like to contact us about anything privacy-related, email [email protected].

2. What data we collect

We collect three types of data:

Account & contact data

Your email address
Your name (if you give it to us)
Your company name and role (optional, used to personalise estimates)

Project data

Project briefs you type into BuildPilot
Drawings, specifications, schedules of work, and other files you upload
Project value, postcode, and any contextual notes you add
Generated cost plans we produce for you

Payment & service data

We do not store full card details. Payments are handled by Stripe, who hold those details under their PCI-DSS compliant systems.
We do store: order amount, Stripe payment reference, invoice number, and your billing email.
Usage logs (which features you used, when) so we can debug problems and improve the product.

3. Why we collect it

To deliver the service — generate the cost plan you ordered.
To take payment — process your order via Stripe.
To communicate with you — send the cost plan, send order confirmations, answer support questions, and notify you of major service changes.
To improve the product — aggregated usage patterns help us decide what to build next. We do not sell your data or use it for advertising.
To meet legal obligations — keep accounting records and respond to lawful requests from authorities.

4. Lawful basis

Under UK GDPR we process your data on the following bases:

Performance of a contract — when you buy a cost plan, we need to process your data to deliver it.
Legitimate interests — to improve the service, prevent fraud, and keep our systems secure.
Legal obligation — for accounting and tax records (HMRC requires we keep transaction records for at least six years).
Consent — for any marketing communications. You can withdraw consent at any time.

5. Retention

Account data — kept while your account is active, deleted within 30 days of account closure.
Project data & cost plans — kept for 12 months after your last order so you can re-download. Deleted on request or after 12 months of inactivity.
Transaction records — kept for 6 years to comply with UK accounting requirements.
Usage logs — kept for 90 days then deleted.

6. Who else sees your data

We use the following sub-processors to run BuildPilot. We have data-processing agreements with each:

Anthropic (United States) — runs the AI models that generate your cost plans. Project briefs and file extracts are sent through Anthropic's API for processing. Anthropic does not train on customer data sent through the API.
Stripe (Ireland / USA) — handles payment processing.
Supabase (Germany / EU) — hosts our database. Your project data is stored here.
Cloudflare (United Kingdom edge) — serves our website and order page, runs the backend functions.
Resend (USA / EU) — sends transactional emails (order confirmations, cost plan deliveries).

7. International transfers

Some of our sub-processors are based outside the UK / EEA. When your data is transferred internationally, we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses to ensure equivalent protection. Anthropic and Stripe both maintain UK GDPR-compliant data transfer mechanisms.

8. Your rights

Under UK GDPR you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — correct any inaccurate data.
Erasure — ask us to delete your data ("right to be forgotten"), subject to our legal retention obligations.
Restriction — limit how we use your data while a query is resolved.
Portability — receive your data in a structured, machine-readable format.
Object — to processing based on legitimate interests.
Withdraw consent — for any consent-based processing.
Complain to the ICO — at any time, without going through us first. ico.org.uk.

To exercise any of these rights, email [email protected]. We'll respond within 30 days.

9. Security

We use industry-standard measures to protect your data:

TLS encryption in transit (HTTPS everywhere)
Encryption at rest on our database
Access controls — only BuildPilot personnel with a business need can see customer data
Sub-processors with their own SOC 2 / ISO 27001 certifications

If we ever experience a data breach affecting your data, we will notify both you and the ICO within 72 hours, in line with UK GDPR Article 33–34.

10. Cookies

BuildPilot uses a minimal set of cookies:

Essential cookies — required for the site to function (e.g. keeping you signed in). No consent required.
Analytics — we use first-party analytics that respect Do Not Track. No third-party advertising cookies.

We do not use third-party tracking or advertising cookies.

11. Changes to this policy

If we change this policy materially, we'll email everyone with an active account at least 30 days before the change takes effect. Minor wording changes (typos, link fixes) are made without notice.

12. Contact

Privacy queries: [email protected]
General support: [email protected]
Postal: O&K Property Works Ltd, London, UK

You always have the right to lodge a complaint directly with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.