Privacy Policy
Effective Date: April 9, 2026 · Last Updated: April 9, 2026
This Privacy Policy (“Policy”) describes how BuildWorkPro LLC, a Florida limited liability company (“BuildWorkPro,” “we,” “us,” or “our”), collects, uses, discloses, retains, and safeguards personal information and business data in connection with the BuildWorkPro cloud-based construction management platform, including the web application located at app.buildworkpro.com, the marketing website at buildworkpro.com, related mobile applications, and all associated services (collectively, the “Platform”).
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with any provision herein, you must discontinue use of the Platform immediately.
1. Data Controller and Data Protection Contact
BuildWorkPro LLC is the data controller responsible for processing personal data collected through the Platform. For all inquiries regarding data protection, privacy rights, or this Policy, you may contact our Data Protection Officer at:
- Email: privacy@buildworkpro.com
- Postal Address: BuildWorkPro LLC, Attn: Data Protection Officer, Fort Lauderdale, FL, United States
Where BuildWorkPro processes personal data on behalf of your organization (i.e., your employer or the entity that holds the BuildWorkPro subscription), your organization acts as the data controller and BuildWorkPro acts as the data processor. In such cases, your organization’s privacy policies may also apply. A Data Processing Agreement (“DPA”) is available upon request by contacting privacy@buildworkpro.com.
2. Categories of Personal Information Collected
We collect the following categories of personal information, depending on your interaction with the Platform:
2.1 Information You Provide Directly
- Account Registration Data: Full name, email address, username, password (stored in bcrypt-hashed form), company name, phone number, and job title provided during account creation or profile configuration.
- Organization Data: Company name, business address, industry classification, company size, tax identification number, and business licensing information entered by organization administrators.
- Business Operational Data: Contacts (customers, general contractors, vendors, subcontractors), leads and pipeline data, bids and estimates, project records, pay applications, change orders, daily site logs, time entries, documents, and all other content you create, upload, or input within the Platform in the course of managing construction operations.
- Financial and Billing Data: Subscription billing information is processed by our third-party payment processor, Stripe, Inc. BuildWorkPro does not store credit card numbers, bank account details, or other payment instrument data on its servers. We retain only a tokenized reference and billing metadata (plan type, subscription status, transaction history) necessary to manage your account.
- Communications: Messages sent through the Platform, support tickets, feedback submissions, and any correspondence directed to BuildWorkPro personnel.
- Authentication Credentials: Two-factor authentication (TOTP) enrollment data, backup recovery codes, and OAuth tokens for third-party sign-in providers (e.g., Google, Apple).
2.2 Information Collected Automatically
- Usage Data: Pages accessed, features utilized, actions performed, timestamps, session duration, and interaction patterns within the Platform.
- Device and Browser Data: Browser type and version, operating system, device type, screen resolution, and preferred language settings.
- Network and Log Data: Internet Protocol (IP) address, access timestamps, referring and exit URLs, HTTP request headers, and server log entries.
- Authentication Events: Login timestamps, failed authentication attempts, session creation and expiration events, and account lockout records.
- Cookies and Similar Technologies: Session identifiers, CSRF tokens, tenant context identifiers, and preference storage. BuildWorkPro does not deploy third-party advertising, analytics, or cross-site tracking cookies. For a detailed explanation, see our Cookie Policy.
2.3 Information Received from Third Parties
- OAuth Providers: If you authenticate via Google or Apple, we receive your name, email address, and a unique identifier from the provider. We do not receive your password from any OAuth provider.
- Payment Processor: Stripe provides us with transaction confirmation, payment status, and subscription lifecycle events. We do not receive full payment instrument details.
3. Legal Bases for Processing
We process personal data under the following lawful bases as defined by the General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and other applicable data protection legislation:
- Performance of Contract (GDPR Art. 6(1)(b)): Processing that is necessary to create and maintain your account, deliver the Platform’s functionality, process subscription transactions, and fulfill our contractual obligations under the Terms of Service.
- Legitimate Interests (GDPR Art. 6(1)(f)): Processing for purposes of Platform security, fraud detection and prevention, system monitoring, product improvement, aggregate analytics (non-identifying), and enforcement of our Terms of Service, where such interests are not overridden by your fundamental rights and freedoms. You may object to processing conducted on this basis at any time; see Section 7 below.
- Consent (GDPR Art. 6(1)(a)): Processing for optional marketing communications, promotional content, and non-essential features. Consent may be withdrawn at any time without affecting the lawfulness of processing conducted prior to withdrawal.
- Legal Obligation (GDPR Art. 6(1)(c)): Processing required to comply with applicable tax, accounting, anti-money laundering, and other regulatory requirements under United States federal and state law and, where applicable, European Union or member state law.
4. Purposes of Processing
We use the personal information we collect for the following specific purposes:
- Service Delivery: To operate, maintain, and provide the full functionality of the Platform, including project management, CRM, bidding, pay application processing, change order tracking, field operations, time tracking, and document management.
- Account Administration: To create and manage user accounts, authenticate users, manage organizational team membership, enforce role-based access controls, and process tenant selection.
- Billing and Subscription Management: To process subscription payments, manage trial periods, issue invoices, handle refund requests, and communicate billing-related notifications through our payment processor.
- Transactional Notifications: To send service-related communications such as bid status updates, pay application approvals, change order notifications, project assignments, and other operational alerts generated by Platform activity.
- Customer Support: To respond to support tickets, troubleshoot technical issues, and provide onboarding assistance.
- Security and Integrity: To detect, investigate, and prevent unauthorized access, fraud, abuse, and security incidents; to enforce account lockout policies; and to maintain audit logs of significant system events.
- Legal Compliance: To comply with applicable laws, respond to lawful requests from public authorities, and establish, exercise, or defend legal claims.
- Product Improvement: To analyze aggregate, de-identified usage patterns to improve Platform performance, reliability, and user experience. We do not use personal data for automated profiling or algorithmic decision-making that produces legal or similarly significant effects on individuals.
5. Data Sharing and Disclosure
BuildWorkPro does not sell, rent, lease, or trade your personal information to third parties for their marketing or commercial purposes.
We may disclose personal information in the following limited circumstances:
- Within Your Organization: Personal data and business data are shared with other members of your BuildWorkPro organization in accordance with the role-based permission settings configured by your organization’s administrator. BuildWorkPro enforces five distinct permission tiers (Administrator, Manager, Member, Field Crew, and Viewer), each with granular, resource-level access controls.
- Service Providers and Sub-Processors: We engage a limited number of third-party service providers who process data on our behalf and are bound by written data processing agreements that impose confidentiality obligations, data security requirements, and restrictions on the use of personal data. Current sub-processors include:
  - Stripe, Inc. — Payment processing and subscription management
  - Railway — Cloud application hosting, managed database infrastructure, and Redis for session management and background job queuing
  - Cloudflare, Inc. — Content delivery, DDoS mitigation, DNS, and object storage (R2)
  - Google LLC — Google Fonts (loaded on the marketing site) and, where integrated, Google Workspace APIs
- Legal and Regulatory Compliance: When required by law, regulation, subpoena, court order, or other compulsory legal process, or when we reasonably believe disclosure is necessary to protect the rights, property, or safety of BuildWorkPro, our users, or the public.
- Business Transactions: In connection with a proposed or consummated merger, acquisition, reorganization, asset sale, or similar corporate transaction. In such event, we will provide affected users with notice and, where required by law, the opportunity to consent or object before personal data is transferred to a successor entity.
- With Your Consent: We may share personal information for purposes not described in this Policy with your express prior consent.
6. Data Security
We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. Key security measures include:
- Encryption: All data in transit is encrypted using Transport Layer Security (TLS 1.3). Data at rest is encrypted using AES-256 encryption. Database backups are encrypted and stored with geographic redundancy.
- Authentication Controls: Passwords are hashed using bcrypt with appropriate cost factors. Two-factor authentication (TOTP) is available for all user accounts. Accounts are subject to lockout after repeated failed authentication attempts.
- Access Controls: Role-based access control (“RBAC”) with over thirty granular permissions across ten resource areas. Administrative access to production infrastructure is restricted to authorized personnel with multi-factor authentication.
- Tenant Data Isolation: The Platform employs row-level tenant isolation, ensuring that each organization’s data is logically separated at the database level. Every query against business data is scoped to the authenticated tenant. File storage is partitioned by organization. These architectural controls are enforced at the middleware layer and are not bypassable by application-level code.
- Application Security: CSRF protection on all state-changing endpoints, parameterized queries to prevent SQL injection, output encoding and Content Security Policy headers to prevent cross-site scripting (XSS), and automated dependency vulnerability scanning.
- Infrastructure: Hosted on enterprise-grade cloud infrastructure with automated daily backups, point-in-time recovery, DDoS protection, rate limiting, network isolation, and regular patching.
- Audit Logging: All significant user actions (create, update, delete, and workflow transitions) are logged with timestamps, user identity, and affected resources to maintain a complete audit trail.
For additional detail on our security practices, see our Security page. No method of electronic transmission or storage is 100% secure. While we strive to use commercially reasonable means to protect your personal data, we cannot guarantee absolute security.
7. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
7.1 Rights Under the GDPR and UK GDPR
If you are located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, you have the following rights:
- Right of Access (Art. 15): To obtain confirmation as to whether your personal data is being processed and, if so, to receive a copy of such data together with supplementary information about the processing.
- Right to Rectification (Art. 16): To request correction of inaccurate personal data or completion of incomplete data without undue delay.
- Right to Erasure (Art. 17): To request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where the data has been unlawfully processed, subject to applicable legal retention obligations.
- Right to Restriction of Processing (Art. 18): To request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where you have objected to processing pending verification of legitimate grounds.
- Right to Data Portability (Art. 20): To receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (e.g., CSV), and to transmit that data to another controller without hindrance.
- Right to Object (Art. 21): To object at any time to processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Rights Relating to Automated Decision-Making (Art. 22): BuildWorkPro does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
- Right to Lodge a Complaint: You have the right to file a complaint with a data protection supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement.
7.2 Rights Under the California Consumer Privacy Act (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share it.
- Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions provided by law.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: BuildWorkPro does not sell personal information and does not share personal information for cross-context behavioral advertising purposes. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
7.3 Exercising Your Rights
To exercise any of the rights described above, submit a verifiable request to privacy@buildworkpro.com. We will acknowledge your request within ten (10) business days and provide a substantive response within thirty (30) days of receipt. If we require additional time (up to an additional sixty days), we will notify you of the extension and the reason for the delay. We may request reasonable verification of your identity before fulfilling your request.
8. International Data Transfers
BuildWorkPro stores and processes personal data primarily in the United States. If you are located outside the United States, including in the EEA, the United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.
We protect international data transfers using the following safeguards:
- Standard Contractual Clauses (SCCs): We execute Standard Contractual Clauses approved by the European Commission (implementing decision 2021/914) with sub-processors located outside the EEA to ensure an adequate level of data protection.
- UK International Data Transfer Agreement: For transfers from the United Kingdom, we rely on the UK Addendum to the EU SCCs as approved by the UK Information Commissioner’s Office.
- Supplementary Measures: We implement technical and organizational measures (including encryption in transit and at rest, access controls, and pseudonymization where feasible) to supplement transfer mechanisms and protect data from unauthorized access by public authorities.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods are as follows:
- Account Data: Retained for the duration of your active account. Upon account deletion or organization termination, personal data is retained for thirty (30) days to allow recovery, after which it is permanently and irreversibly deleted from primary storage.
- Business Operational Data: Contacts, projects, bids, pay applications, change orders, site logs, time entries, documents, and other organizational content are retained according to the data retention settings configured by your organization’s administrator, or until account termination (plus the 30-day recovery period).
- Usage and Log Data: Retained for ninety (90) days from the date of collection, then automatically purged.
- Audit Trail Records: Retained for the longer of the applicable organization’s configured retention period or two (2) years, to support compliance and dispute resolution.
- Billing and Financial Records: Retained for seven (7) years as required by applicable United States federal and state tax, accounting, and financial reporting regulations.
- Encrypted Backups: Backup copies of data may persist in encrypted, access-restricted backup storage for up to ninety (90) days following deletion from primary storage.
10. Third-Party Services and Integrations
The Platform may integrate with or contain links to third-party services, each of which operates under its own privacy policy. BuildWorkPro is not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party service before sharing your personal information. We share only the minimum data necessary for each integration to function.
Current third-party integrations and their roles are described in Section 5 above.
11. Children’s Privacy
The Platform is not directed to individuals under the age of eighteen (18). We do not knowingly collect, solicit, or maintain personal information from anyone under 18 years of age. If we learn that we have collected personal information from a child under 18, we will promptly delete that information. If you believe that a child under 18 has provided personal information to us, please contact privacy@buildworkpro.com.
12. Do Not Track Signals
The Platform does not respond to “Do Not Track” browser signals. However, as described in this Policy and in our Cookie Policy, we do not engage in cross-site tracking, third-party advertising tracking, or behavioral profiling, regardless of your browser’s Do Not Track setting.
13. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will provide notice of material changes by email to the address associated with your account, by a prominent notice within the Platform, or by updating the “Last Updated” date at the top of this page. Your continued use of the Platform following the posting of a revised Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.
14. Contact Information
If you have any questions, concerns, or complaints about this Privacy Policy or our data processing practices, please contact us:
- Privacy Inquiries: privacy@buildworkpro.com
- General Legal: legal@buildworkpro.com
- Postal Address: BuildWorkPro LLC, Attn: Privacy, Fort Lauderdale, FL, United States
- Web: buildworkpro.com/contact