Privacy Policy
Last updated: 7 July 2026
This Privacy Policy explains how Buildlogg ("we", "us", "our") collects, uses, shares, and protects your personal data when you use our mobile app and website at buildlogg.com (the "Service"). It also explains your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
Buildlogg is a job management tool for solo business owners and service providers. We're built on a simple principle: your business data is yours. We collect the minimum needed to run the Service and nothing more.
1. Who we are and how to contact us
Buildlogg is the data controller for the personal data we collect directly from you (your account information and usage data), as described in this Privacy Policy. We are responsible for looking after that data in accordance with UK GDPR and the DPA 2018.
We are not required to appoint a Data Protection Officer under Article 37 of the UK GDPR, as we are a small organisation that does not carry out large-scale processing of special category data or monitoring of data subjects. However, you can contact us about any data protection matter using the details below.
Data controller: Buildlogg
Contact for data protection enquiries: hello@buildlogg.com
Postal address: Available on request — email us and we'll provide it.
If you have a concern about how we handle your data and you're not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO), the UK's independent data protection regulator:
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
You do not need to complain to us first before contacting the ICO, though we'd appreciate the chance to resolve any concern directly.
2. Personal data we collect
We collect personal data in two ways: data you give us directly, and data collected automatically when you use the Service.
2.1 Data you provide to us
- Account information — your email address (used for login, account recovery, and service notifications), business name, profession category, phone number, and optional profile photo. You provide these during sign-up and onboarding.
- Business data you create — customer names, phone numbers, addresses, and email addresses; job titles, descriptions, line items, pricing, dates, notes, and photos you upload; payment method and status records; and message templates you create for sending quotes and follow-ups.
- Payment configuration — if you enable card payments via Stripe, we store your Stripe Connect account ID. We do not store your or your customers' card numbers.
- Booking page configuration — if you enable online booking, we store your chosen booking page URL slug and any public service listings you configure.
2.2 Data collected automatically
- Usage analytics — we use PostHog (EU-hosted) to understand which features are used and how the app performs. This includes event data (e.g. "quote created", "message sent"), session duration, and device type. This is aggregate, pseudonymous data — we do not use it to identify you personally.
- Device and technical data — device type, operating system, browser, app version, and IP address. This is collected automatically when you use the Service.
- Local device storage — Buildlogg is an offline-first app. Your jobs, customers, quotes, and payment records are stored locally on your device in an encrypted database. This data remains on your device and syncs to our servers when you have an internet connection.
2.3 Cookies and Analytics
We use cookies and similar tracking technologies to improve our Service and understand how it is used.
- Essential Cookies: We use strictly necessary cookies to keep you logged in and ensure the app functions securely. These do not require consent.
- Analytics (PostHog): We use PostHog to collect anonymised product analytics (such as which features are used most often). This helps us improve Buildlogg. Because these are non-essential, we will only deploy analytics cookies if you explicitly opt-in via our cookie banner.
- Opting Out: You can manage your cookie preferences at any time by clearing your browser cookies or adjusting your device settings. If you opt-out of analytics, your use of the app will not be tracked, but all core functionality will continue to work normally.
2.4 Data about your customers
When you enter a customer's personal data (name, phone number, address, email) into Buildlogg, you are the data controller for that information and Buildlogg acts as your data processor. This means:
- You are responsible for having a lawful basis to collect and store your customers' personal data (e.g. they've given you their details for a quote or job — this is typically "legitimate interest" or "contract" under Article 6 of the UK GDPR).
- You are responsible for informing your customers that you're using a third-party tool (Buildlogg) to store their data, and for providing them with a privacy notice that covers this.
- Buildlogg processes this data on your behalf solely to provide the Service to you. We do not use your customers' data for our own purposes, we do not sell it, and we do not share it with third parties except as necessary to provide the Service (e.g. sending a WhatsApp message you've composed).
- If a customer asks you to delete their data, you can remove them from Buildlogg at any time by deleting the customer record in the app. This removes the data from your device and our servers.
3. Purposes of processing and lawful basis
Under Article 6 of the UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out each purpose, the lawful basis we rely on, and whether the processing is optional.
3.1 Processing your account data
- Purpose: Creating and managing your account, authenticating you, and providing the core Service.
- Lawful basis: Contract (Article 6(1)(b)) — processing is necessary to perform the contract between you and us (i.e. providing the Service you signed up for).
- Is it optional? No — you cannot use the Service without providing an email address and basic account information.
3.2 Processing your business data (jobs, customers, quotes)
- Purpose: Storing, organising, and syncing the business data you create in Buildlogg.
- Lawful basis: Contract (Article 6(1)(b)) — processing is necessary to provide the Service you requested.
- Is it optional? The Service cannot function without storing this data, but what you choose to enter is entirely up to you.
3.3 Sending quotes and messages on your behalf
- Purpose: When you choose to send a quote or message via WhatsApp or SMS, we transmit the content you've composed through the relevant platform.
- Lawful basis: Contract (Article 6(1)(b)) — this is a core feature of the Service you requested.
- Is it optional? Yes — you choose when and whether to send messages. We do not send messages automatically unless you've explicitly configured a reminder or follow-up.
3.4 Notifications about missed calls and job reminders
- Purpose: Sending you push notifications about missed calls, job reminders, and payment follow-ups that you've configured in the app.
- Lawful basis: Contract (Article 6(1)(b)) — these are features of the Service you've enabled.
- Is it optional? Yes — you can turn off notifications at any time in Settings or via your device's notification settings.
3.5 Card payment processing via Stripe
- Purpose: Enabling you to send card payment links to your customers and track payment status.
- Lawful basis: Contract (Article 6(1)(b)) — this is an optional feature of the Service.
- Is it optional? Yes — you must explicitly enable Stripe in Settings. Stripe processes all card data under their own PCI-DSS compliance. We never see or store card numbers.
3.6 Product analytics
- Purpose: Understanding how the Service is used so we can improve features, fix bugs, and prioritise development.
- Lawful basis: Legitimate interests (Article 6(1)(f)) — we have a legitimate interest in improving our product. We have balanced this against your rights and freedoms by using pseudonymous, aggregate data and an EU-hosted provider.
- Is it optional? You cannot opt out of analytics within the app at present, but the data is pseudonymous and aggregate. We do not use it to build profiles of individual users. If you'd like your analytics data deleted, email us and we'll action it.
3.7 Service communications
- Purpose: Contacting you about important account or service changes (e.g. security alerts, pricing changes, terms updates).
- Lawful basis: Legitimate interests (Article 6(1)(f)) — we have a legitimate interest in keeping you informed about the Service you use.
- Is it optional? No — but we will only contact you for important operational reasons, not marketing.
4. Recipients of your data
We do not sell your personal data. We do not share your customer list, job details, or pricing with anyone. We use the following third-party processors to operate the Service. Each is bound by a contract that requires them to protect your data to a standard equivalent to UK GDPR:
- Supabase — database hosting, authentication, and real-time sync. Supabase data is hosted in the EU (Frankfurt region). Supabase acts as a data processor on our behalf. Supabase Privacy Policy.
- Stripe — card payment processing. Stripe handles all card data directly under their own PCI-DSS compliance. We only store the Stripe transaction ID, payment status, and amount. Stripe Privacy Policy.
- PostHog — product analytics, EU-hosted (self-hosted instance). PostHog processes pseudonymous event data on our behalf. PostHog Privacy Policy.
- WhatsApp / SMS gateways — when you choose to send a quote or message via WhatsApp or SMS, the content you've composed is transmitted through the relevant platform (WhatsApp via wa.me links, SMS via the device's native SMS handler). We do not read or store the content of messages after they've been sent. The relevant platform's privacy policy applies to the message content once transmitted.
- Cloudflare — content delivery, DDoS protection, and edge hosting. Cloudflare processes IP addresses and request metadata to serve the website and app. Cloudflare Privacy Policy.
We will only disclose your personal data to law enforcement or government agencies if legally compelled to do so by a valid court order or statutory obligation, and only the minimum data required.
5. International transfers
Your cloud-synced data is stored with Supabase in the EU (Frankfurt, Germany) and with PostHog in the EU. Stripe processes payments in accordance with its own privacy policy and applicable financial regulations. Cloudflare operates globally but processes UK/EU user data in accordance with UK GDPR transfer requirements.
Because our processors are EU-based or have adequate safeguards in place (Standard Contractual Clauses or UK International Data Transfer Agreements), your personal data is protected to a standard equivalent to UK GDPR even when processed outside the UK. We do not transfer your personal data to the United States for processing.
If you would like more information about the specific safeguards we have in place for international transfers, email us at hello@buildlogg.com.
6. Data retention
We keep your personal data only for as long as necessary for the purposes set out in this policy:
- Active accounts: We retain your data for as long as your account is active. If you use the Service regularly, your data is kept indefinitely until you delete it or your account.
- Account deletion: If you delete your account from Settings, we remove your personal data from our servers within 30 days. Your local device data is deleted immediately when you uninstall the app.
- Inactive accounts: If you stop using the Service but don't delete your account, we'll retain your data for 12 months in case you return, then automatically delete it from our servers. You'll receive an email before deletion.
- Analytics data: PostHog analytics data is retained for up to 12 months, after which it is automatically purged.
- Payment records: Transaction records (Stripe ID, amount, status, date) are retained for 7 years to comply with HMRC record-keeping requirements for businesses. Card numbers are never stored.
- Backups: Cloud backups may contain deleted data for up to 30 days after deletion, after which backups are overwritten and the data is permanently gone.
7. Your rights under UK GDPR
Under the UK GDPR and DPA 2018, you have the following rights regarding your personal data:
- The right to be informed (Article 13–14) — you have the right to be told how we use your data, which is what this Privacy Policy provides.
- The right of access (Article 15) — you can request a copy of all the personal data we hold about you. We'll provide it within 30 days, free of charge.
- The right to rectification (Article 16) — you can ask us to correct any inaccurate or incomplete personal data. You can also correct most data yourself directly in the app.
- The right to erasure (Article 17) — you can ask us to delete your account and all associated personal data. You can also do this yourself by deleting your account in Settings.
- The right to restrict processing (Article 18) — you can ask us to limit how we use your data in certain circumstances (e.g. while a rectification request is being processed).
- The right to data portability (Article 20) — you can receive your personal data in a structured, machine-readable format (JSON or CSV) and transmit it to another service.
- The right to object (Article 21) — you can object to processing based on legitimate interests (e.g. analytics). We'll stop the processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights related to automated decision-making (Article 22) — Buildlogg does not carry out solely automated decision-making or profiling that produces legal or significant effects. All payment, scheduling, and reminder features require your explicit action.
7.1 Right to withdraw consent
Where we rely on consent as our lawful basis (we currently rely on contract and legitimate interests, not consent, for the processing described in this policy), you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing before the withdrawal.
7.2 How to exercise your rights
To exercise any of these rights, email us at hello@buildlogg.com. We'll respond within one month of receiving your request. If a request is complex or you've made several requests, we may extend the response period by two further months, but we'll let you know within one month and explain why.
We will not charge you for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.
8. Security measures
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures:
- Encryption in transit: All data sent between your device and our servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest: Your local device database is encrypted. Cloud data stored in Supabase is encrypted at rest.
- Authentication: Authentication is handled by Supabase Auth with secure session management. Passwords are hashed, never stored in plaintext.
- Access controls: Access to our backend systems and databases is restricted to authorised personnel only, using principle of least privilege. All access is logged.
- Payment security: We do not store card numbers. All card data is handled by Stripe under their PCI-DSS Level 1 compliance.
- Regular updates: We keep our dependencies and infrastructure updated to protect against known vulnerabilities.
No system is 100% secure. If we suffer a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware of the breach, as required by Article 33 and 34 of the UK GDPR.
9. Cookies and tracking technologies
Under the Privacy and Electronic Communications Regulations (PECR), we must tell you about cookies and similar technologies we use and obtain your consent for non-essential cookies.
9.1 Buildlogg website (buildlogg.com)
- Essential cookies: We use minimal cookies required for the website to function (e.g. serving pages, remembering your cookie preferences). These do not require consent.
- Analytics cookies: We use PostHog (EU-hosted) for aggregate analytics. PostHog uses cookies to understand how visitors use the site. This data is pseudonymous.
- What we don't use: We do not use advertising cookies, third-party ad networks, tracking pixels for retargeting, or social media tracking pixels.
9.2 Buildlogg PWA app
The PWA app (accessed at /app/) does not use cookies. It uses local storage and an IndexedDB database on your device to store your business data. This storage is essential for the app to function and is not used for tracking.
10. Children's data
Buildlogg is a business tool designed for adults who run a profession or service business. We do not knowingly collect personal data from anyone under 16 years old.
If you believe a child has provided us with personal data, please contact us at hello@buildlogg.com and we will take steps to delete the data and terminate the account.
11. Direct marketing and electronic messaging (PECR)
Under the Privacy and Electronic Communications Regulations 2003 (PECR), there are rules about sending marketing messages by electronic means. Buildlogg enables you to send quotes, appointment confirmations, and follow-up messages to your customers via WhatsApp and SMS. Here's how the rules apply:
- Service messages (quotes, booking confirmations, appointment reminders, payment follow-ups) are not direct marketing. They can be sent under the contract or legitimate interest basis, provided the recipient was told and can object.
- Marketing messages (promotional offers, seasonal reminders that include marketing content) require the recipient's consent under PECR Regulation 22. You are responsible for obtaining that consent before sending marketing messages through the Service.
- You are the sender, not Buildlogg. We transmit the content you've composed; we do not send messages on our own behalf.
- Opt-out: Recipients of marketing messages must be able to opt out. Include opt-out instructions in any marketing message you send.
If a recipient complains to us about receiving unsolicited marketing from a Buildlogg user, we may investigate and, if necessary, suspend the account.
12. Automated decision-making and profiling
Buildlogg does not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. All decisions in the app — creating quotes, sending messages, recording payments, setting reminders — are initiated by you explicitly. We do not use AI to make decisions about you or your customers.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features of the Service. When we make changes:
- We'll update the "Last updated" date at the top of this page.
- If the changes are material (i.e. they affect how we use your data or your rights), we'll notify you by email and/or in-app notification before the changes take effect.
- We won't make changes that reduce your rights under UK GDPR without your explicit consent.
We recommend reviewing this page periodically to stay informed about how we handle your data.
14. Your data and our processors — summary
For a quick overview, here's where your data goes and why:
- Your device — all business data (jobs, customers, quotes) stored locally, encrypted, works offline.
- Supabase (EU — Frankfurt) — cloud sync, authentication, data backup. Data processor acting on our behalf.
- Stripe — card payment processing only when you enable it. PCI-DSS compliant. No card numbers stored by us.
- PostHog (EU) — pseudonymous product analytics. No personal data used for profiling.
- Cloudflare — content delivery and security. Processes IP addresses and request metadata.
- WhatsApp / SMS — message delivery only when you choose to send. We don't store message content after sending.
Questions about your data?
Email us at hello@buildlogg.com — we're a small team and a real person will read your message.
If you're not satisfied with our response, you can complain to the ICO at ico.org.uk/make-a-complaint or call 0303 123 1113.