Privacy Policy

Last updated: 25 June 2026

Who we are

Construct-it is operated by Construct-it Technologies Pty Ltd (ABN: to be confirmed), based in Brisbane, Queensland, Australia. We are the controller for your account and billing information, and act as a processor of the project data you enter on behalf of your business.

Contact us at info@construct-it.au for any privacy questions.

What information we collect

  • Account info: name, email, company name, password (hashed)
  • Project data: jobs, variations, claims, retention amounts you enter
  • Connected systems: when you connect Xero, we receive invoice/contact/bank data via OAuth
  • Usage data: log files, IP address, user agent, page views (for security + product improvement)
  • Payment data: handled by Stripe — we never see your card details

How we use it

  • To run the Service and let you manage your projects
  • To compute retention math, generate progress claims, and post invoices to Xero on your instruction
  • To send service emails (trial reminders, billing receipts, password resets)
  • To prevent fraud and abuse
  • To comply with legal obligations (e.g. 7-year retention of accounting records under AU law)

We do not sell your data, and we do not use it to train AI models.

Where it's stored

Your project data is stored in Sydney, Australia via Supabase (Postgres). Backups are encrypted and retained per Supabase's standard schedule.

Some processing and data in transit occurs via the overseas sub-processors listed below (primarily the United States) under contractual safeguards — this is a cross-border disclosure under Australian Privacy Principle 8. Connections to third parties are over TLS; OAuth tokens are encrypted at rest using AES-256 with a key managed via Vercel env vars.

Who we share data with (sub-processors)

We use a small number of reputable providers to run the Service. Each processes only the data needed for its function:

  • Supabase — database & auth hosting — data stored in Sydney, Australia
  • Vercel — application hosting / compute — United States (data in transit)
  • Anthropic (Claude) — parses PDFs you upload (materials, variations, schedules of values, payment summaries) — United States. Processed under contract and not used to train AI models
  • Google (Places API) — address autocomplete — United States
  • Resend — transactional email (receipts, reminders, password resets) — United States
  • Stripe — payments & card data — we never see your card numbers
  • Xero — only when you connect it; OAuth read plus the per-action invoice writes you confirm
  • Sentry — error monitoring, to detect and fix faults

See our full sub-processor list for what each provider handles and where it's located.

Your rights (Australian Privacy Principles)

You have the right to:

  • Access your personal information
  • Correct it if inaccurate
  • Request deletion (subject to legal-retention obligations)
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

Email info@construct-it.au and we'll respond within 30 days.

Cookies

We use first-party cookies for authentication (Supabase session) and the private-preview password gate. We do not use third-party tracking cookies.

Data retention

Active accounts: data is kept for as long as you have an account.

Cancelled accounts: data is preserved 60 days then soft-deleted. Audit logs and accounting records (claims, Xero invoice references) are retained for 7 years as required by Australian tax law.

Changes to this policy

We'll notify you at least 14 days before any material change takes effect, by email and by an in-app banner.