Privacy Policy

Account Information

• Name, email address, and profile details provided during registration
• Company name and business registration details
• Login credentials and authentication data (via Firebase Auth)
• Subscription and billing information

Business Data

• Project details, Bill of Quantities (BOQ) data, and cost information
• Supplier and customer contact information you enter into the platform
• Purchase orders and procurement records
• Documents and files you upload

Technical & Usage Data

• IP address and approximate location (for login history and security)
• Browser type, device information, and operating system
• Pages visited, features used, and session duration
• Login/logout timestamps and session information

T&C Acceptance Audit Data

• Date, time, and IP address of terms acceptance
• Browser/device (user agent) at time of acceptance
• Document version and SHA-256 hash of accepted document
• Sign-up method used (email/password, Google, Microsoft)

• To provide and maintain the Constructions Pilot platform and its features
• To manage your account, subscription, and billing
• To synchronise your business data with connected accounting software (one-way push only)
• To send you important service updates, security alerts, and subscription notifications
• To improve our platform, fix issues, and develop new features
• To protect against fraud, abuse, and unauthorised access
• To maintain legally required T&C acceptance audit records
• To comply with legal obligations under Australian Privacy Principles, GDPR, and CCPA

Accounting Software (Xero, MYOB)

When you connect your accounting software, we perform one-way synchronisation only — we push your suppliers, customers, projects, and issued purchase orders from Constructions Pilot into your accounting system. We do not:

• Read, extract, or store financial data from your accounting software
• Access bank accounts, payroll, or tax information
• Modify or delete existing records in your accounting software
• Share your accounting credentials with any third party

OAuth tokens are stored securely and encrypted. You can disconnect your accounting software at any time, which immediately revokes stored tokens.

Payment Processing (Stripe)

Subscription payments are processed by Stripe. We do not store your full credit card number. Stripe's privacy policy applies to payment data they handle.

Authentication (Firebase / Google)

We use Firebase Authentication (Google) for secure sign-in via email/password, Google sign-in, and Microsoft sign-in. Passwords are hashed using industry-standard algorithms and are never stored in plain text.

• All data is stored in encrypted PostgreSQL databases hosted on secure cloud infrastructure
• All data transmission occurs over HTTPS/TLS encryption
• OAuth tokens for third-party integrations are short-lived and automatically refreshed
• File uploads pass through a comprehensive security pipeline including malware scanning and content validation
• We implement role-based access control to ensure users only access data they are authorised to view
• Regular security reviews and updates are performed on our infrastructure

We may share data only in these limited circumstances:

• With your consent — When you explicitly connect third-party services (e.g., Xero, MYOB)
• Service providers — Trusted partners who help us operate the platform (e.g., hosting, payment processing), bound by confidentiality agreements
• Legal requirements — When required by law, regulation, or legal process
• Safety — To protect the rights, safety, and security of our users and platform

• Account data is retained for as long as your account is active
• If you delete your account, your personal data will be removed within 30 days
• Business data (projects, BOQ items) associated with your account is deleted when your account is deleted
• Sync logs and audit records may be retained for up to 12 months for troubleshooting and compliance
• Backup copies may persist in encrypted backups for up to 90 days before being automatically purged
• T&C acceptance audit records are retained for a minimum of 7 years as required by applicable law

EU / UK Users (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have additional rights under GDPR (EU) 2016/679 and UK GDPR, including the right to restrict processing, object to processing, and lodge a complaint with a supervisory authority. Enterprise and B2B customers may request a formal Data Processing Addendum (DPA) by contacting admin@constructionspilot.com.

California Residents (CCPA / CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know, delete, and opt-out of the sale of personal information. We do not sell personal information.

To exercise any of these rights, please contact us at admin@constructionspilot.com.

Our Website and Services may use cookies, web beacons, pixels, local storage, session storage, analytics tools, and similar tracking technologies to operate, improve, and analyse the Services.

• We use essential cookies to maintain your login session and remember your preferences
• We do not use third-party tracking cookies for advertising purposes
• Analytics data is collected in aggregate form to improve the platform
• We may use third-party analytics services (such as Google Analytics) subject to their own privacy policies

You may manage or disable cookies through your browser settings, but doing so may affect the functionality of the Services. Where required by applicable law (including EU/UK cookie consent requirements), we will obtain your consent before placing non-essential cookies.

By using the Services, you acknowledge that personal information may be processed in Australia and in other countries where we or our service providers operate, subject to applicable law.

Where we transfer personal data outside the EEA or UK, we will ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission or UK Information Commissioner's Office, or other lawful transfer mechanisms.

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the platform or via email. Your continued use of Constructions Pilot after changes are posted constitutes acceptance of the updated policy.

If you do not agree to any changes, you must stop using the Services and contact us to request deletion of your account and data.

If you have any questions about this Privacy Policy, how we handle your data, or wish to exercise any of your rights, please contact us: