Data Handling & Security

1. Overview

BuildHub Digital Ltd takes data security seriously. This page explains the technical and organisational measures we use to protect your data and your clients' data within the BuildHub platform.

We follow industry-standard security practices and aim to be transparent about how data is stored, transmitted, and protected. If you believe you have identified a security vulnerability in our Platform, please report it immediately to info@getbuildhub.com and we will investigate promptly.

2. Data Encryption

In transit: All data transmitted between your device and the BuildHub Platform is encrypted using TLS (Transport Layer Security). We enforce HTTPS across all Platform endpoints. Unencrypted HTTP connections are not permitted.

At rest: Data stored in our databases and object storage systems is encrypted at rest using AES-256 encryption provided by our hosting infrastructure. This includes all project documents, images, and other files uploaded through The Vault.

Payment data: BuildHub does not store payment card data. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Card details are transmitted directly to Stripe's secure servers and never pass through or are stored on BuildHub's infrastructure.

3. Authentication & Session Management

User authentication uses server-validated session tokens with a 7-day maximum lifetime. Tokens are stored in HttpOnly, Secure cookies that cannot be read by JavaScript — mitigating common cross-site scripting (XSS) attacks.

Every authenticated request is verified against a server-side session table. This means sessions can be revoked instantly on logout, password change, or administrative action — even if the underlying token has not yet expired.

Passwords are never stored in plaintext. We use bcrypt — an industry-standard adaptive hashing algorithm — to hash and salt all user passwords before storage. This means that even in the event of a data breach, raw passwords cannot be recovered from the stored hashes.

Role-based access control (RBAC) is enforced at both the API and UI layers, ensuring that users can only access data and features appropriate to their role (builder admin, builder staff, contractor, homeowner, or system admin).

If you suspect unauthorised access to your account, contact us at info@getbuildhub.com and we will secure it immediately.

4. Secure Development Practices

Our development team follows secure coding principles throughout the software development lifecycle:

• All code changes undergo review before deployment
• Dependencies are regularly audited for known vulnerabilities
• Sensitive configuration values (API keys, secrets) are stored in environment variables and never committed to source code repositories
• SQL injection and other injection attacks are mitigated through the use of parameterised queries and ORM-based database access
• Input validation and output sanitisation are applied throughout the Platform

5. Third-Party Services

BuildHub uses a limited number of carefully selected third-party services to operate the Platform. All third-party providers are evaluated for their security posture and are contractually obligated to protect data processed on our behalf.

Key providers include:

• Stripe: PCI DSS Level 1 certified payment processing
• Replit / Google Cloud Platform: Application and database hosting with enterprise-grade security controls
• Resend: Transactional email delivery with industry-standard security

A full list of processors and their data locations is provided in our Privacy Policy.

6. AI Data Handling

BuildHub's AI features — including AI client updates, AI homeowner Q&A, and AI-assisted quoting (in active development) — are powered by large language model APIs.

What data is sent to AI providers: When you use an AI feature, the relevant input (such as your rough notes, or a homeowner's question alongside relevant project context) is transmitted to the AI provider's API to generate a response. We send the minimum data necessary for the feature to function.

Scoping and isolation: AI responses generated from project data are scoped strictly to the relevant project. Homeowner Q&A responses are generated only from the data of the homeowner's own project — there is no cross-project data exposure.

Model training: We do not use your data or your clients' data to train AI models. Our agreements with AI providers explicitly prohibit the use of API inputs for training purposes.

Review responsibility: All AI-generated outputs are for your review before use. BuildHub makes no warranty as to the accuracy, completeness, or fitness for purpose of any AI-generated content.

7. Access Controls

Access to production systems is restricted to authorised personnel only, using multi-factor authentication and least-privilege access principles. Access logs are maintained and reviewed.

Customer data is not accessed by BuildHub staff for any purpose other than providing the Platform service, responding to legitimate support requests you initiate, or as required by law.

8. Incident Response

In the event of a data security incident affecting your personal data, we will:

• Investigate and contain the incident promptly
• Notify affected users and, where required, the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the incident, in accordance with our obligations under UK GDPR
• Provide clear information about the nature of the incident, the data affected, and the steps we are taking to address it
• Take remedial action to prevent recurrence

We maintain an internal incident response plan that is reviewed and updated regularly.

9. Contact

If you have questions about our security practices, wish to report a security vulnerability, or have concerns about how your data is protected, please contact us at:

BuildHub Digital Ltd
71–75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: info@getbuildhub.com

We take all security reports seriously and will acknowledge receipt of your report within one business day.