Privacy Policy
Last updated: March 2026
1. Introduction
BuildMate Pty Ltd (ABN: [ABN to be inserted]), trading as BuildMate ("we," "us," "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and otherwise handle your personal information in accordance with:
- The Privacy Act 1988(Cth) and the Australian Privacy Principles (APPs 1–13)
- The Information Privacy Act 2014 (Vic) and the Victorian Information Privacy Principles
- The Surveillance Devices Act 1999 (Vic) in relation to voice recording consent
- The Spam Act 2003 (Cth) for commercial electronic messages
- The Notifiable Data Breaches scheme under Part IIIC of the Privacy Act
- OAIC guidelines on AI and personal information
We provide a voice-first AI job management platform designed for Australian tradies and builders. This policy applies to all users of our platform, whether accessed via web or mobile applications.
Registered address: [Registered address to be inserted]
Contact: privacy@buildmate.build
2. What Personal Information We Collect
Contact and Identity Information
- Full name, email address, phone number (mobile and work)
- Business name and Australian Business Number (ABN)
- Business address
- Proof of identity documents (uploaded during verification)
Voice and Audio Data
- Voice recordings made through our platform
- Transcripts generated from your voice recordings
- Audio files stored securely in our cloud infrastructure
Financial and Business Information
- Business financial data imported from your accounting system (Xero)
- Invoice and quote data
- Expense records and receipts (text and photos)
- Job costings and pricing information
- Bank account and payment information (processed via Stripe)
Job and Location Information
- Job site addresses and location coordinates
- Calendar events (from Google Calendar sync)
- Job descriptions, quotes, and status updates
- Photos and documents related to jobs
Device and Technical Information
- Device type and operating system
- Browser or app version and IP address
- Usage analytics and feature interaction data
- Push notification identifiers
Authentication Information
- Email address and password (hashed and securely stored)
- OAuth tokens from Google and other third-party authentication providers
- Session and cookie identifiers
3. How We Collect Your Information
We collect personal information through:
- Registration and account setup: When you create a BuildMate account
- Voice recordings: When you use our voice features to create jobs, quotes, or briefings (with your explicit consent per the Surveillance Devices Act 1999 (Vic))
- Receipt photos: When you upload photos of receipts and invoices
- Third-party integrations: When you authorise us to sync data with Xero, Google Calendar, or similar services
- Manual input: When you enter information directly into the platform
- Automatic collection: Through cookies, log files, and analytics tools as you use the platform
- Payments: When you subscribe and pay via Stripe
4. Purpose of Collection and Use
We collect and use your personal information for the following purposes:
- Service delivery: To provide, maintain, and improve the BuildMate platform
- Account management: To create and manage your account, verify identity, and process subscriptions
- Voice processing: To transcribe, store, and analyse your voice recordings
- AI processing:To extract information from your voice recordings and documents using AssemblyAI and Anthropic's Claude for job insights, pricing briefings, and content generation
- Financial transactions: To process payments via Stripe and maintain billing records
- Communication: To send you service-related emails, updates, and support responses
- Analytics: To understand how you use the platform and improve features
- Legal compliance: To comply with applicable Commonwealth and Victorian laws and regulations
- Fraud prevention: To detect, prevent, and address fraud or security issues
- Customer support: To respond to your inquiries and provide technical assistance
We will not use your personal information for direct marketing without your prior opt-in consent, as required by the Spam Act 2003 (Cth). You can withdraw consent at any time by clicking the unsubscribe link or contacting us.
5. Voice Recording Consent (Surveillance Devices Act 1999 Vic)
The Surveillance Devices Act 1999 (Vic) requires that all parties to a private conversation consent to the recording of that conversation. By using BuildMate's voice features, you:
- Provide explicit consent to the recording, storage, transcription, and AI processing of your voice
- Consent to the transmission of your voice recordings to AssemblyAI (US-based) for speech-to-text transcription
- Consent to the transmission of transcribed text to Anthropic (US-based) for AI analysis and entity extraction
- Understand that voice recordings are retained on our servers and may be processed by our third-party service providers
Recording third parties: If you record conversations with clients, suppliers, employees, or any other party, you are solely responsible for obtaining their consent as required by the Surveillance Devices Act 1999 (Vic) and equivalent legislation in other Australian states and territories. BuildMate does not obtain consent on your behalf from third parties.
Withdrawal of consent: You may withdraw your consent to voice recording at any time by ceasing to use the voice features. You can delete existing recordings from your account settings. Deleted recordings are removed from our active systems within 7 days but may persist in encrypted backups for up to 90 days.
6. AI Data Processing Disclosure
BuildMate uses artificial intelligence to process your data. In accordance with OAIC guidelines on AI and personal information, we disclose the following:
How AI Processes Your Data
- Voice transcription (AssemblyAI):Your voice recordings are sent to AssemblyAI's API for speech-to-text conversion. AssemblyAI processes the audio and returns text transcripts. AssemblyAI's servers are located in the United States.
- AI analysis (Anthropic Claude):Transcribed text, job data, and financial information are sent to Anthropic's Claude API for entity extraction, briefing generation, quote assistance, and business insights. Anthropic's servers are located in the United States.
AI Data Handling Commitments
- Your data sent to AI providers is used solely for processing your requests and is not used to train their general models (subject to each provider's enterprise API terms)
- AI-generated outputs (transcripts, insights, quotes) are stored in your account and are subject to this Privacy Policy
- We do not make automated decisions that produce legal or similarly significant effects on you without human review
- You are responsible for reviewing all AI-generated content before relying on it for business decisions
7. Disclosure of Your Information to Third Parties
Essential Service Providers
| Third Party | Data Shared | Purpose | Location |
|---|---|---|---|
| Supabase | All account data, auth credentials, voice recordings, financial data | Database hosting, authentication, file storage | Australia (Sydney region) |
| Stripe | Name, email, payment method, billing address | Payment processing and subscription management | United States (with AU entity) |
| Xero | ABN, financial records, invoices, expenses | Accounting data synchronisation | Australia / New Zealand |
| Email address, calendar data, OAuth token | Calendar integration and authentication | United States | |
| AssemblyAI | Voice recordings and audio files | Speech-to-text transcription | United States |
| Anthropic (Claude) | Transcribed text, job data, financial information | AI-powered entity extraction and briefing generation | United States |
| Twilio | Phone number | SMS delivery for notifications | United States |
| Resend | Email address | Email delivery for notifications and support | United States |
Legal Requirements
We may disclose your information if required by law, court order, subpoena, or government request under Commonwealth or Victorian legislation, and to protect our legal rights, your safety, or the safety of others.
Business Transfers
If BuildMate Pty Ltd is acquired, merged, or its assets are transferred, your personal information may be transferred as part of that transaction. We will notify you via email and prominent notice on the platform at least 30 days before any such transfer and inform you of any choices you may have regarding your personal information.
8. Cross-Border Data Transfer
In accordance with APP 8, we disclose that your personal information may be transferred to and processed in the United States by the following service providers:
- AssemblyAI(US) — voice recordings for transcription
- Anthropic(US) — text data for AI processing
- Stripe(US) — payment information
- Google(US) — calendar and authentication data
- Twilio(US) — phone numbers for SMS
- Resend(US) — email addresses for transactional email
The United States does not have privacy laws equivalent to the Privacy Act 1988 (Cth). Before transferring your data, we take reasonable steps under APP 8.1 to ensure overseas recipients handle your information in accordance with the APPs, including entering into contractual arrangements with our service providers that require them to protect your personal information.
Your primary data (account information, job records, financial data) is stored in Australia via Supabase's Sydney region. Data is only transmitted overseas for the specific processing purposes described above.
9. Data Retention Schedule
| Data Type | Retention Period | Basis |
|---|---|---|
| Account information | Duration of account + 30 days | Service delivery |
| Voice recordings | Duration of account (user-deletable) | Service delivery; user consent |
| Transcripts and AI outputs | Duration of account + 30 days | Service delivery |
| Financial records and invoices | 7 years after creation | Tax and legal compliance (ATO requirements) |
| Payment records (Stripe) | 7 years | Tax and legal compliance |
| Server logs and IP addresses | 90 days | Security and fraud prevention |
| Encrypted backups | 90 days after deletion from active systems | Disaster recovery |
| Support correspondence | 2 years after resolution | Customer support and dispute resolution |
When personal information is no longer needed for any purpose for which it may be used or disclosed under this policy, we will take reasonable steps to destroy or de-identify it in accordance with APP 11.2.
10. Data Storage and Security
Storage Location
Your personal information is primarily stored in Australia using Supabase infrastructure (Sydney region). Some data is transmitted to US-based service providers for processing as described in sections 7 and 8 above.
Security Measures
We implement the following security measures to protect your personal information in accordance with APP 11.1:
- Encryption in transit: All data transmitted to and from our platform uses HTTPS/TLS 1.3 encryption
- Encryption at rest: Voice recordings, financial data, and sensitive documents are encrypted at rest using AES-256
- Access controls: Role-based access with the principle of least privilege; only authorised personnel have access to personal information
- Authentication: Industry-standard password hashing (bcrypt) and session management
- Regular audits: We periodically review our security practices and access logs
- Multi-tenancy isolation:Each organisation's data is logically isolated at the database level
Limitations
While we take reasonable steps to protect your personal information, no security system is completely secure. We cannot guarantee absolute security of your information.
11. Notifiable Data Breaches Scheme
In accordance with Part IIIC of the Privacy Act 1988 (Cth), if we become aware of an eligible data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
- Notify the Office of the Victorian Information Commissioner (OVIC) where applicable
- Notify affected individuals as soon as practicable, including a description of the breach, the kinds of information involved, and recommendations about the steps individuals should take in response
- Take all reasonable steps to contain the breach and mitigate any potential harm
We maintain an internal data breach response plan that is reviewed and tested annually.
12. Australian Privacy Principles — Compliance Summary
| APP | Principle | How We Comply |
|---|---|---|
| APP 1 | Open and transparent management | This Privacy Policy; we maintain and make freely available an up-to-date policy describing our information handling practices |
| APP 2 | Anonymity and pseudonymity | Where practicable, you may interact with us anonymously (e.g., browsing our marketing site). Account creation requires identification for service delivery. |
| APP 3 | Collection of solicited personal information | We collect only information reasonably necessary for our functions. Sensitive information is collected only with consent. |
| APP 4 | Dealing with unsolicited personal information | If we receive unsolicited personal information, we assess whether we could have collected it under APP 3. If not, we destroy or de-identify it as soon as practicable. |
| APP 5 | Notification of collection | We notify you of our collection practices at or before collection via this policy and in-app consent prompts. |
| APP 6 | Use or disclosure | We use and disclose information only for the primary purpose of collection or a related secondary purpose you would reasonably expect, as described in sections 4 and 7. |
| APP 7 | Direct marketing | We do not use personal information for direct marketing without opt-in consent. You can opt out at any time. |
| APP 8 | Cross-border disclosure | Cross-border transfers are disclosed in section 8. We take reasonable steps to ensure overseas recipients comply with the APPs. |
| APP 9 | Adoption, use, or disclosure of government-related identifiers | We collect ABNs for service delivery only and do not adopt them as our own identifier. |
| APP 10 | Quality of personal information | We take reasonable steps to ensure personal information is accurate, up-to-date, and complete. You can update your information via account settings. |
| APP 11 | Security of personal information | We implement technical and organisational measures as described in section 10. Information no longer needed is destroyed or de-identified. |
| APP 12 | Access to personal information | You may request access to your personal information. We will respond within 30 days. See section 13. |
| APP 13 | Correction of personal information | You may request correction of inaccurate, out-of-date, or incomplete information. See section 13. |
13. Your Rights
Access and Correction (APP 12 & 13)
You have the right to request access to your personal information and request corrections if it is inaccurate, out-of-date, or incomplete. To make a request, contact us at privacy@buildmate.build.
We will respond to your request within 30 days. If we refuse a request, we will provide written reasons and inform you of your right to complain.
Data Portability
You can request a copy of your personal information in a portable, commonly used electronic format (CSV or JSON). Contact us at privacy@buildmate.build.
Account Closure and Deletion
When you close your BuildMate account:
- We immediately remove your access to the platform
- Your information is retained for 30 days (grace period in case you wish to recover your account)
- After 30 days, all personal information is permanently deleted from our active systems
- Encrypted backup copies may be retained for up to 90 days for disaster recovery
- Financial records required for tax compliance may be retained for up to 7 years in de-identified or aggregated form
14. Cookies and Tracking
At launch, we use only essential authentication cookies (Supabase session tokens). These are strictly necessary for the platform to function and do not require explicit consent under Australian privacy law.
For full details, see our Cookie Policy.
15. Children's Privacy
BuildMate is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will delete such information promptly.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with the updated "Last updated" date
- Sending you an email notification if the change significantly affects how we handle your information
- Providing at least 30 days' notice before material changes take effect
Your continued use of BuildMate after changes become effective constitutes your acceptance of the updated policy.
17. Complaints and Contact
Privacy Enquiries
If you have questions about this Privacy Policy or our privacy practices, contact us at:
BuildMate Pty Ltd
Email: privacy@buildmate.build
Address: [Registered address to be inserted]
Complaints Process
If you believe we have breached the Australian Privacy Principles or Victorian Information Privacy Principles, you may:
- Contact us directly at privacy@buildmate.build. We will acknowledge your complaint within 5 business days and respond with a resolution within 30 days.
- Lodge a complaint with the OAIC (Office of the Australian Information Commissioner):
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au - Lodge a complaint with OVIC (Office of the Victorian Information Commissioner):
Website: ovic.vic.gov.au
Phone: 1300 006 842
Email: enquiries@ovic.vic.gov.au
18. Sensitive Information
We do not intentionally collect sensitive information (such as health information, racial or ethnic origin, religious beliefs, sexual orientation, or criminal history) unless you voluntarily provide it in voice recordings or uploaded documents. Any sensitive information incidentally collected will be handled with strict confidentiality and will not be used for any purpose other than providing the service.
19. Marketing Communications
In accordance with the Spam Act 2003 (Cth), we will only send you commercial electronic messages (email, SMS) if you have provided your express or inferred consent. All marketing messages will:
- Clearly identify BuildMate Pty Ltd as the sender
- Include accurate contact information
- Contain a functional unsubscribe mechanism that is honoured within 5 business days
Transactional messages (payment confirmations, security alerts, service updates) are not considered marketing and may be sent without separate consent.