Privacy Policy
1. Introduction
Welcome to BuildScribe ("we," "our," or "us"). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our web application (the "Service").
This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Policy should be read together with our Terms of Service.
Data Controller: [BUILDSCRIBE]
Contact: buildscribe.app@outlook.com
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, and authentication credentials
- Voice Recordings: Audio files you record using the Service
- Project Data: Project names, descriptions, addresses, client information, notes, and any text you enter or edit within the Service
- Photos and Documents: Images, floorplans, and other files you upload to projects or notes
- Transcripts and Summaries: Text generated from your voice recordings by AI processing
Your voice recordings may contain the personal data of other individuals (for example, if you record a conversation on site). You are the data controller for any third-party personal data captured in your recordings, and you are responsible for ensuring you have a lawful basis (such as the individual's consent) to record and store that data using the Service.
2.2 Information Collected Automatically
- Usage Data: How you interact with the Service, features used, and frequency of use
- Device Information: Browser type, operating system, device model, and screen resolution
- Technical Data: IP address, timestamps, error logs, and performance metrics
- Cookies and Similar Technologies: Authentication tokens and analytics cookies (see Section 10)
3. How We Use Your Information
3.1 Processing Activities and Legal Bases
Under UK GDPR, we must have a lawful basis for each processing activity. The table below sets out how and why we process your data:
| Processing Activity | Data Processed | Legal Basis |
|---|---|---|
| Provide transcription and summaries | Voice recordings, transcripts | Contract performance (Art. 6(1)(b)) |
| Store and organise project data | Project details, photos, notes | Contract performance (Art. 6(1)(b)) |
| User authentication and account management | Email, name, credentials | Contract performance (Art. 6(1)(b)) |
| Product analytics (aggregated usage patterns) | Usage data, device info | Consent (Art. 6(1)(a)) |
| A/B testing and feature experimentation | Usage data | Consent (Art. 6(1)(a)) |
| Security monitoring and fraud prevention | IP address, logs, technical data | Legitimate interests (Art. 6(1)(f)) |
| Bug fixing and error resolution | Error logs, technical data | Legitimate interests (Art. 6(1)(f)) |
| Service communications (updates, alerts) | Email address | Contract performance (Art. 6(1)(b)) |
| Marketing communications | Email address | Consent (Art. 6(1)(a)) |
| Improving the Service using aggregated and anonymised data | Anonymised usage data | Legitimate interests (Art. 6(1)(f)) |
| Training or fine-tuning AI models using aggregated and anonymised data | Anonymised data only | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have considered the balance between our interests and your rights and freedoms.
3.2 What "Improving the Service" Means
When we refer to improving the Service, this includes: analysing aggregated and anonymised usage patterns to identify which features are most useful; conducting A/B tests to compare different versions of features; using aggregated and anonymised data to train or fine-tune AI models that power the Service; and identifying and fixing bugs, errors, and performance issues. We do not use your identifiable User Content (such as your voice recordings, transcripts, or project data) to train AI models.
4. How We Share Your Information
We do not sell your personal data. We share your information only in the following circumstances:
4.1 Third-Party Service Providers
We use the following third-party service providers to operate the Service. Appropriate data protection agreements are in place with each provider (see notes below for details).
| Provider | Data Processed | Processing Location | Transfer Mechanism |
|---|---|---|---|
| Google LLC | Voice recordings, AI-generated transcripts and summaries, API usage data, technical metadata | United States | Google's Data Processing Addendum and Controller-Controller Data Protection Terms; includes Standard Contractual Clauses and UK Extension to EU-US Data Privacy Framework |
| Supabase Inc. | Account data, project data, files, authentication credentials | Ireland (EU-West-1) | UK adequacy decision for EEA transfers; DPA available at supabase.com/legal/dpa |
| PostHog Inc. | Usage analytics, device information | EU (Frankfurt) | UK adequacy decision for EEA transfers; DPA available at posthog.com/dpa |
| Vercel Inc. | IP addresses, request metadata, application logs | United States (with global edge network) | Vercel's Data Processing Addendum, including Standard Contractual Clauses |
Important notes on data processing:
- Google LLC: Under the Gemini API Additional Terms of Service, because we serve users in the United Kingdom, the Paid Services data handling terms apply to all our use of the API (including any free-tier usage). This has two important consequences:
  - AI Processing Data (Google as Processor): Your voice recordings, the prompts we send to Google, and the AI-generated transcripts and summaries are governed by Google's Data Processing Addendum for Products Where Google is a Data Processor. Under these terms, Google acts as a data processor on our behalf, does not use this data to train or improve its own products or services, and processes it only to provide the transcription and summarisation service. Google may retain prompts and responses for a limited period solely for the purpose of detecting abuse and complying with legal obligations. This data may be processed in any country where Google or its agents maintain facilities.
  - Operational Data (Google as Controller): Certain other data generated through our use of the API — such as account identifiers, API usage metadata, token counts, and technical data — is subject to the Google Controller-Controller Data Protection Terms. For this data, Google and we each act as independent data controllers. Google's processing of this data is described in Google's privacy policy.
- Vercel Inc.: Vercel hosts the application and processes IP addresses and request metadata. Some data may transit through US-based infrastructure for security and DDoS protection purposes, even where edge functions are configured to run in European regions.
- Supabase Inc.: Supabase's Data Processing Agreement (available at supabase.com/legal/dpa) governs the processing of your data stored in Supabase infrastructure. Supabase acts as a data processor and stores your data in the EU (Ireland, eu-west-1 region on AWS). The DPA includes Standard Contractual Clauses with a UK addendum.
4.2 Internal Access
Our team may access your data on a need-to-know basis for the purposes of providing customer support, resolving technical issues, and improving the Service. All personnel with access to personal data are bound by confidentiality obligations.
4.3 Legal Requirements
We may disclose your information if required by law, court order, or government request, or if necessary to:
- Comply with legal obligations
- Protect our rights, property, or safety
- Prevent fraud or illegal activity
- Protect the safety of our users or the public
5. International Data Transfers
Your data may be transferred to and processed in countries outside the United Kingdom:
- European Economic Area (EEA): Your primary data is stored in Ireland (EU-West-1) via Supabase, and analytics data is processed in the EU (Frankfurt) via PostHog. The EEA benefits from an adequacy decision under UK GDPR, meaning these transfers do not require additional safeguards.
- United States: Voice recordings and related AI processing data are transmitted to Google LLC in the United States for transcription and summarisation. Certain operational data is also processed by Google as an independent controller (see Section 4.1). Application hosting data (IP addresses, request metadata) is processed by Vercel Inc., which operates a global network including US-based infrastructure. For these transfers, we rely on the following safeguards:
  - Google LLC (AI processing data): Google's Data Processing Addendum, which includes Standard Contractual Clauses (Controller-to-Processor) and the UK Extension to the EU-US Data Privacy Framework
  - Google LLC (operational data): Google Controller-Controller Data Protection Terms, which include Standard Contractual Clauses (Controller-to-Controller) and the UK Extension to the EU-US Data Privacy Framework
  - Vercel Inc.: Vercel's Data Processing Addendum, which includes Standard Contractual Clauses
We ensure that all international transfers comply with UK GDPR requirements and that adequate protections are in place for your data.
6. Data Retention
We retain your data for as long as necessary to provide the Service and fulfil the purposes described in this policy:
- Account Data: Retained until you delete your account
- Voice Recordings, Transcripts, and Summaries: Retained until you delete the associated recording or close your account
- Project Data: Retained until you delete projects or close your account
- Usage and Analytics Data: Retained for up to 2 years for product improvement purposes
- Deleted Account Grace Period: After account deletion, data is retained for 30 days before permanent deletion (to allow recovery if requested)
We may retain certain information for longer periods if required by law or for legitimate business purposes (e.g., resolving disputes, enforcing terms).
7. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Data Portability: Receive your data in a machine-readable format (JSON/CSV)
- Right to Object: Object to processing based on legitimate interests
- Right to Restrict Processing: Request temporary restriction of data processing
- Right to Withdraw Consent: Withdraw consent for processing based on consent (e.g., analytics, marketing) at any time, without affecting the lawfulness of processing carried out before withdrawal
- Right to Object to Direct Marketing: You have the absolute right to object to the processing of your personal data for direct marketing purposes at any time. If you object, we will stop processing your data for direct marketing without delay. This right is separate from and in addition to any consent you may have given, and applies regardless of the legal basis on which we process your data for marketing
To exercise any of these rights, contact us at buildscribe.app@outlook.com. We will respond within one calendar month. For complex or numerous requests, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons within the first month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
8. Data Subject Access Requests (DSAR)
To request access to your personal data or exercise any of your rights under Section 7, please email buildscribe.app@outlook.com with "DSAR Request" in the subject line. Include:
- Your full name and email address associated with your account
- Specific rights you wish to exercise
- Any additional details to help us process your request
We will respond within one calendar month. For complex or numerous requests, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons within the first month. We will provide your data in a machine-readable format (JSON or CSV) where applicable.
9. Data Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction:
- Encryption in transit (HTTPS/TLS) and at rest
- Row-level security policies to isolate user data
- Access controls and authentication requirements
- Secure password hashing and storage
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to provide and improve the Service.
10.1 Essential Cookies
Required for the Service to function properly. These cannot be disabled:
- Authentication Cookies: Keep you logged in and secure your session
- Service Worker Cache: Enable offline functionality
10.2 Analytics Cookies
We use an analytics provider to understand how the Service is used and to improve it. Analytics cookies are only set after you provide consent through our cookie consent banner, which is displayed when you first visit the Service. You can review and change your cookie preferences at any time through the cookie settings accessible from our Privacy Policy page.
We do not use analytics data for marketing purposes without your separate, explicit consent.
10.3 Managing Cookies
You can control non-essential cookies through the cookie settings on our Privacy Policy page or through your browser settings. Disabling essential cookies may affect Service functionality.
11. Automated Processing
The Service uses artificial intelligence to transcribe voice recordings and generate summaries. This processing is used solely to assist you and does not produce decisions with legal or similarly significant effects. You retain full control over how you use any AI-generated content. You may edit AI-generated summaries and may delete recordings (which will also delete the associated transcript and summary) at any time.
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay by email. We will also notify the UK Information Commissioner's Office within 72 hours of becoming aware of the breach, as required under UK GDPR.
13. Children's Privacy
The Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a new effective date
- Sending an email notification (for significant changes)
Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: buildscribe.app@outlook.com