Privacy Policy

[Company Name] (“we”, “us”, “our”) operates SiteProof. Our registered address is [Registered Address]. We are registered with the Information Commissioner's Office (ICO), registration number [ICO Registration Number].

Our role under data protection law depends on the type of data being processed.

For account and billing data — the name, email address, and payment information of the person who registers an account — we act as the data controller. We determine how and why this data is processed, and this Privacy Policy explains our obligations to you.

For operational data uploaded through the Service — including records relating to your employees, workers, subcontractors, site visitors, incidents, and documents — your organisation acts as the data controller, and we act as the data processor. You determine the purposes for which that data is collected; we process it only to provide the Service to you, under the data processing terms in our Terms of Service.

If you are a worker or subcontractor whose personal data has been entered into SiteProof by a construction company using our platform, that company is the data controller for your data. You should direct any data rights requests to them in the first instance; they may then contact us for assistance in fulfilling your request.

For any questions about this policy, contact us at hello@siteproof.co.uk.

Account and organisation data (we are controller)

When you register, we collect your full name, email address, password (stored as a salted hash — we cannot read it), and company name.

Site and operational data (your organisation is controller)

Data entered while using the Service, including: construction site details, daily log entries, CDM checklist responses, incident reports (including details of any injuries where provided), toolbox talk records, visitor logs, and document names and expiry dates.

Photos and media (your organisation is controller)

Photos uploaded to the Service, which may include GPS coordinates and timestamps embedded in image metadata (EXIF data).

Worker and subcontractor data (your organisation is controller)

Names, contact details, and certification records for workers and subcontractors added to the Service. Where workers use the self-service portal, we also collect any data they provide directly — however the construction company that invited them remains the data controller for that data.

Payment data (we are controller)

Payment card details are processed and stored by Stripe, Inc. We do not store card numbers on our own systems. We retain billing history (transaction amounts, dates, and invoice IDs) for accounting and VAT compliance purposes.

Usage and technical data (we are controller)

Server log data including IP addresses, browser type and version, pages accessed, and timestamps. Used to maintain the security and performance of the Service.

• Directly from you when you register, set up your account, or use the Service
• From workers and subcontractors when they interact with the worker self-service portal using an invitation link issued by your organisation
• Automatically through session cookies and server logs when you use the Service

Where we act as data controller (account and billing data):

• Contract performance (Article 6(1)(b)): Processing necessary to create and manage your account and provide the Service.
• Legal obligation (Article 6(1)(c)): Retaining financial records for HMRC.
• Legitimate interests (Article 6(1)(f)): Security monitoring, fraud prevention, and sending transactional service communications.

Where we act as data processor (operational data uploaded by your organisation), we process data on your instructions and under your lawful basis as data controller. If you are a construction company using the Service, you are responsible for ensuring you have an appropriate lawful basis for uploading personal data relating to your employees, workers, and subcontractors.

Where incident reports contain details of injuries (special category data), we rely on Article 9(2)(b) — processing necessary for obligations in the field of employment and health and safety law — as the lawful basis, on behalf of the data controller.

The Service uses rule-based automation to perform certain functions. No artificial intelligence or machine learning is used, and no automated processing produces legally significant or similarly significant effects on any individual.

Automated functions include:

• Expiry reminders: Scheduled email alerts sent at 30, 14, and 7 days before a document or certification expiry date, triggered by pre-set dates you enter.
• Audit score calculation: A rule-based algorithm that calculates a 0–100 compliance score based on log completion rates, checklist responses, and document status. It reflects data you have entered and is not an assessment of actual regulatory compliance.
• RIDDOR decision wizard: A rule-based decision tree that applies fixed criteria derived from HSE guidance to help identify whether an incident may be RIDDOR-reportable. This produces guidance for the user to review — it does not make any reportability determination autonomously.

• To create and manage your account and organisation
• To provide and maintain the Service and all its features
• To process payments and issue VAT invoices
• To send transactional emails — document and certification expiry alerts, incident notifications, invitation emails, and account-related communications
• To generate audit packs and compliance reports at your instruction
• To detect, investigate, and prevent fraud and security incidents
• To comply with legal and regulatory obligations

We do not sell your data to third parties. We do not use your data for advertising or marketing to anyone other than you.

We share data only with the sub-processors necessary to operate SiteProof. Each is engaged under a Data Processing Agreement and is bound to process data only for the purposes we specify.

Supabase, Inc.

All application data is stored in Supabase's managed PostgreSQL database and file storage, hosted within the European Union. Supabase handles all data storage and retrieval.

Resend, Inc.

Transactional emails — including document expiry alerts, invitation emails, and account notifications — are delivered via Resend. Their privacy policy is at resend.com/legal/privacy-policy.

Stripe, Inc.

Payment data is processed by Stripe. Stripe is certified to PCI DSS Level 1. Their privacy policy is at stripe.com/gb/privacy.

Vercel, Inc.

The application is hosted on Vercel's infrastructure. Server request logs may be retained by Vercel for a short period. Their privacy policy is at vercel.com/legal/privacy-policy.

Render, Inc.

Compute services are provided by Render. Their privacy policy is at render.com/privacy.

Legal and regulatory authorities

We may disclose data to law enforcement or regulatory authorities where required or permitted by law. We will notify you where legally permitted to do so.

Supabase stores data within the EU. Vercel and Stripe are US-based; Resend and Render may also process data outside the UK/EEA. Where personal data is transferred internationally, we ensure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) where applicable — before any transfer takes place.

• Active account data: Retained for the duration of your subscription, plus 30 days after termination to allow data export.
• Financial records: Retained for 7 years in accordance with HMRC requirements.
• Deleted data: Removed from live systems within 30 days. Encrypted backups may retain deleted data for up to 90 days before permanent purge.
• Server logs: Retained for up to 90 days for security monitoring.

Where we act as data controller (account and billing data), you have the following rights. Email hello@siteproof.co.uk to exercise any of them. We will respond within one calendar month.

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data where it is no longer needed for the purpose it was collected.
• Right to data portability: Request your data in a structured, machine-readable format.
• Right to restriction: Request that we restrict processing in certain circumstances.
• Right to object: Object to processing based on legitimate interests.

If you are a worker or subcontractor whose data has been entered by a construction company, your rights requests should be directed to that company (the data controller). They may contact us for assistance.

If you are unsatisfied with how we handle your request, you may lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

We use one type of cookie:

• Session cookie (essential): Maintains your authenticated session. Strictly necessary to provide the Service. Expires when you close your browser or after 7 days of inactivity.

We do not use advertising, tracking, or analytics cookies.

We implement appropriate technical and organisational measures to protect personal data, including: encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, and regular security reviews.

In the event of a personal data breach affecting Customer Personal Data, we will notify you and the ICO within 72 hours of becoming aware, as required by UK GDPR.

We may update this policy from time to time. Where changes are material, we will notify you by email before they take effect. The “last updated” date at the top of this page indicates when the policy was last revised.

Data controller: [Company Name]
Registered address: [Registered Address]
Email: hello@siteproof.co.uk
ICO registration: [ICO Registration Number]