Privacy Policy

Effective 24 March 2026

1. Who We Are

BankBuild Ltd is the data controller for personal data processed through the BankBuild platform. If you have questions about how we handle your data, contact us at [email protected].

2. Data We Collect

Account data

Name, email address, company name, position, and RICS credentials provided during registration.

Company data

Companies House number, registered address, and surveying disciplines — used to verify firm identity and configure compliance tools.

Usage data

AI decisions, training records, compliance scores, system registers, and risk registers generated through normal use of the platform.

AI interaction data

Prompts, responses, confidence scores, and reviewer decisions for every AI call. These are stored in the ai_extractions table and form part of your RICS audit trail.

Property addresses

Site addresses entered via Google Places autocomplete for project setup.

Payment data

Billing is processed by Stripe. We do not store card numbers, CVVs, or full payment credentials on our servers. We retain Stripe customer and subscription identifiers only.

Communication data

Transactional emails (invitations, notifications, reports) are sent via Resend. We store email addresses and delivery metadata.

3. How We Use Your Data

• Provide and operate the BankBuild platform
• Generate RICS compliance records including system registers, risk registers, and audit trails
• Process AI requests and log outputs for professional record-keeping
• Send transactional emails (invitations, alerts, exported reports)
• Generate compliance and monitoring reports

4. AI-Specific Processing

All AI calls are routed through a single secure proxy within BankBuild. We use the Anthropic Claude API with a zero-retention data policy — Anthropic does not store your inputs or outputs.

Despite the zero-retention policy at the API level, BankBuild logs all AI inputs and outputs locally to maintain the RICS-mandated audit trail. This includes prompts sent, responses received, confidence scores, and the named surveyor's review decision.

• Per-project consent is required before any AI processing begins
• Opt-out is available — projects can operate without AI features

5. Third-Party Processors

• Supabase — database and authentication (London region, eu-west-2)
• Anthropic — AI processing via Claude API (zero-retention)
• Stripe — payment processing
• Resend — transactional email delivery
• Vercel — platform hosting
• Google — Places API for address lookup
• PropertyData — market intelligence (property data only)
• Companies House — public company data verification

6. Data Retention

Your data remains active while your account is active. AI interaction logs are retained for a minimum of 6 years in line with professional record-keeping obligations.

On account closure, data is deleted following a 30-day grace period during which you can export or request reinstatement.

7. Data Isolation

BankBuild enforces row-level security at the database layer. Firms cannot access other firms' data. There is no cross-firm data access. All administrative access is logged.

8. Your Rights

Under UK data protection law, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion of your data (subject to retention obligations)
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests
• Restriction — request restricted processing in certain circumstances

To exercise any of these rights, email [email protected]. If you are unsatisfied with our response, you may contact the Information Commissioner's Office (ICO) as the supervisory authority.

9. Cookies

BankBuild uses session cookies for authentication only. We do not use tracking cookies, analytics cookies, or advertising cookies.

10. Changes to This Policy

We will notify you of material changes via email. Continued use of the platform after notification constitutes acceptance of the updated policy.

Subject to periodic review.