Effective date: 9 May 2026
GradeSpace Ltd ("Company", "we", "us", "our") operates BuildGrade at trybuildgrade.com ("Service"). This Privacy Policy explains how we collect, use, and protect your personal data, and the rights you have under UK GDPR and the Data Protection Act 2018.
1. Data controller
The data controller is GradeSpace Ltd, registered in England and Wales. Privacy enquiries: privacy@trybuildgrade.com.
2. Data we collect
Account data
When you register we collect your name, email address, and a bcrypt-hashed password. We never store plain-text passwords.
Project and content data
We store the projects, blueprints, phases, tasks, estimates, and client quotes you create. This content belongs to you (see Section 7).
Usage and telemetry data
We record which features you use, pages you visit, and timestamps of key actions. This data is aggregated to improve the Service.
Payment data
Billing is handled entirely by Stripe. We store your Stripe customer ID and subscription status only — we never see or store card numbers, expiry dates, or CVCs.
Technical data
Server logs may include your IP address, browser type, operating system, and device type. Logs are retained for up to 90 days for security purposes.
Communications
If you contact us by email, we retain that correspondence to handle your enquiry.
3. How we use your data
- To provide, maintain, and improve the Service.
- To process payments and manage your subscription via Stripe.
- To send transactional emails (account confirmation, password reset, invoices).
- To generate AI blueprints — your project description and answers are sent to OpenAI's API (see Section 5).
- To detect and prevent fraud, abuse, or security incidents.
- To comply with legal obligations.
- To send marketing communications, only if you have opted in.
4. Legal basis (UK GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the Service | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Product analytics and improvement | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
5. Sub-processors and data sharing
We do not sell your personal data. We share it only with the service providers listed below, each bound by a Data Processing Agreement.
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and subscription management | USA (SCCs) |
| OpenAI | AI blueprint generation — project descriptions and answers are sent to GPT-4o | USA (SCCs) |
| Hetzner | Cloud hosting and database | EU (Germany) |
| Brevo | Transactional email delivery | EU (France) |
We may also disclose data if required by law, court order, or to protect the rights and safety of our users or the public.
6. International transfers
Some sub-processors are based outside the UK/EEA (Stripe, OpenAI). Transfers rely on Standard Contractual Clauses (SCCs) approved by the UK ICO.
7. Data retention
We retain account and project data for as long as your account is active. On account closure, personal data is deleted or anonymised within 30 days, except where retention is required by law (e.g. financial records: up to 7 years). Technical logs are retained for up to 90 days.
8. Your rights
Under UK GDPR you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: request deletion of your personal data ("right to be forgotten").
- Restriction: ask us to limit processing in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: where processing relies on consent, withdraw it at any time without affecting prior processing.
To exercise any right, email privacy@trybuildgrade.com. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies
We use essential cookies for authentication and optional cookies for analytics. See our Cookie Policy for full details.
10. Children
The Service is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided personal data, contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email. The "Last updated" date above will reflect the most recent revision.
12. Contact
Privacy enquiries: privacy@trybuildgrade.com
General enquiries: hello@trybuildgrade.com