Privacy Policy

Last updated: 26 May 2026

1. Who we are

BuilderExpert AI is a product of Builder Expert Ltd ("we", "us", "our"), a company registered in England & Wales under company number 11338345, VAT registered GB 370 8103 16. Registered office: 92 Clarke's Avenue, Surrey, KT4 8QB, United Kingdom. We are the data controller for personal data collected through builderexpert.ai. For any privacy questions, contact info@builderexpert.uk or call +44 20 3617 1286.

2. What information we collect

  • Account data: name, email, password (hashed), optional company and phone number
  • Quote data: project descriptions, dimensions, specifications, generated quotes, and any client details you choose to enter (client name, address, contact)
  • Usage data: IP address, browser type, pages visited, timestamps
  • Cookies and similar storage: essential cookies needed for login (NextAuth session); plus, only if you consent via the cookie banner, product-analytics storage (PostHog) used to understand which features people use. You can decline analytics and the site works the same. See section 8 for the full list.
  • Product analytics (only with your consent): page views, button clicks, feature usage, anonymous session replays with all form inputs and text content automatically masked. We use these to improve the product, never to identify you personally or to sell to anyone.

3. How we use your information

  • To provide the quote generation service you requested
  • To authenticate your account and keep it secure
  • To send necessary service emails (e.g. password reset, account changes)
  • To investigate abuse, fraud, or technical issues
  • To comply with legal obligations

4. How we share and protect your data

We never sell your data. We do not share your data with advertisers, data brokers, or any third party for marketing or profiling purposes.

Sub-processors we use to run the service:

  • Vercel (USA) — application hosting
  • Supabase (Frankfurt, EU) — database storage
  • Anthropic (USA) — AI quote generation. Your inputs are processed under a no-training agreement and never used to improve their models.
  • Stripe (USA / EU) — payment processing, subscription management, and VAT invoicing. We never see your card number.
  • Resend (EU region) — transactional email (verification, password reset, receipts)
  • Cloudflare (USA) — DNS and CAPTCHA (Turnstile) on signup
  • Sentry (EU region) — error monitoring with PII masking
  • PostHog (Frankfurt, EU) — product analytics and anonymous session replay, used only with your consent (via the cookie banner). All form inputs and text content are masked in replays. We use this to understand which features people use; we do not use it for advertising or profiling. You can opt out at any time by clearing the analytics cookies.

These providers process data strictly on our behalf under written agreements that hold them to the same data-protection standards we apply, and they are never permitted to use your data for their own purposes.

Your AI-generated quotes are not used to train AI models. The AI provider we use is contractually required to process your data only to generate your results, never to improve its own models.

International transfers. Some of our service providers operate outside the UK. Where this happens, transfers are covered by UK Standard Contractual Clauses or other safeguards approved under UK GDPR.

5. Security

Your data is encrypted in transit (TLS 1.2+) and at rest. Passwords are hashed using industry-standard algorithms with a server-side secret, never stored in plain text. Access to production data is limited to a small number of engineers under two-factor authentication. We run automated backups with point-in-time recovery.

We follow industry-standard security practices but no online service can guarantee 100% protection. If you suspect a security issue, please email info@builderexpert.uk.

6. How long we keep your data

We keep your account data for as long as your account is active. You can delete your account at any time from your account page. Deleted accounts and their data are removed within 30 days, except where we are required to retain records by law (e.g. tax records).

Unverified accounts. If you register but do not confirm your email address within 7 days, the account is automatically deleted along with all associated personal data. You can re-register at any time using the same email.

Fraud-prevention exception (one-trial-per-customer rule). To stop abuse of the free trial, when any customer starts a Starter trial we record a one-way cryptographic hash of (a) their email address and (b) their card's Stripe-issued fingerprint (a hash we receive from Stripe — we never see the card number). These hashes survive account deletion so that a deleted-then-re-registered email cannot claim a second free trial. We rely on UK GDPR Article 6(1)(f) (legitimate interests, fraud prevention) for this retention. The stored values are not personal data in identifiable form — they cannot be reversed to recover an email or card without our server-side secret key.

7. Your rights (UK GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (right to be forgotten)
  • Restrict or object to processing
  • Receive your data in a portable format
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these rights, email info@builderexpert.uk.

8. Cookies

We split cookies into two groups: strictly-necessary cookies that we set automatically (UK GDPR + PECR exemption), and analytics cookies that we set only after you choose "Accept" on our cookie banner. If you choose "Decline", no analytics cookies are set and the site works exactly the same.

Strictly necessary (always on)

  • NextAuth session (httpOnly, ~30 days) — keeps you logged in.
  • CSRF token (httpOnly, session) — protects login and account forms from cross-site forgery.
  • Cookie-consent flag (~1 year) — remembers whether you accepted or declined analytics, so we don't show the banner on every page load.
  • Stripe Checkout cookies (set on js.stripe.com) — required for the embedded payment form to operate. Set only on /checkout. See Stripe's cookie policy.
  • Cloudflare Turnstile (set on the registration form) — anti-bot CAPTCHA. Privacy-preserving, no fingerprinting.

Analytics (only set after you click "Accept")

  • PostHog cookies and localStorage (ph_*, __ph_opt_in_out_*, ~1 year) — anonymous user ID + session info for product analytics and session replay. Set on our own domain, not third-party. Data is sent to PostHog's EU region (Frankfurt). All form inputs and text content are masked in session replays. You can withdraw consent at any time by clearing your browser's cookies for this site — the banner will reappear and you can choose "Decline".

9. Children

Our service is not intended for children under 16. We do not knowingly collect data from children.

10. Changes to this policy

We may update this policy from time to time. We will notify users of material changes by email or via a notice on the site.