Data Processing Agreement
Annex 1 to the Terms of Service
Last updated: 19 March 2026
This Data Processing Agreement ("DPA") forms Annex 1 to the BuildersAI Terms of Service and is incorporated into the Terms by reference. By accepting the Terms of Service, whether by creating an account, clicking "I agree", or otherwise accessing or using the BuildersAI platform, you agree to this DPA.
1. Definitions
In this DPA:
- "Applicable Data Protection Law" means the UK GDPR and the UK Data Protection Act 2018, and where applicable, EU GDPR (Regulation 2016/679).
- "Controller" means the Customer, the company or individual that has accepted the Terms of Service.
- "Processor" means CM Digital Solutions Ltd, trading as BuildersAI.
- "Customer Personal Data" means any personal data processed by the Processor on behalf of the Controller in connection with the Services.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
- "Sub-processor" means any third party engaged by the Processor to process Customer Personal Data.
Terms not defined here have the same meanings as in the Terms of Service or Applicable Data Protection Law. In the event of conflict between this DPA and the Terms, this DPA prevails on data protection matters.
2. Roles and Purpose Limitation
The Customer is the Controller and CM Digital Solutions Ltd is the Processor. The Processor shall process Customer Personal Data only:
- To provide the BuildersAI platform and related services as described in the Terms
- In accordance with the Customer's documented instructions
- Where required by law (in which case the Processor shall inform the Customer before processing, where permitted)
The Customer represents that it has a lawful basis for processing and has provided all required notices to data subjects. Where employees' or workers' personal data is uploaded (including site presence data and photographs), the Customer is responsible for having appropriate workplace data protection policies in place.
3. Processor Obligations
In accordance with Article 28 of the UK GDPR, the Processor shall:
- Process Customer Personal Data only on the Customer's documented instructions
- Ensure that persons authorised to process the data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 5)
- Comply with the conditions for engaging sub-processors (see Section 6)
- Assist the Customer with data subject requests, data protection impact assessments, and breach notifications
- Make available all information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by the Customer or their mandated auditor
4. Data Retention and Deletion
Customer Personal Data is retained in accordance with the following schedule:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Until deletion + 30-day grace period | Account restoration window |
| Project content | Until deletion + 90 days | Team access continuity |
| Site presence events | 12 months | Health & safety records |
| AI chat logs | 24 months | Quality assurance |
| Usage analytics | 12 months (anonymised) | Product improvement |
| Error logs | 90 days | Debugging |
| Payment records | 7 years | UK tax law |
Upon termination, Customer Personal Data remains available for export for 30 days. After that period, all Customer Personal Data is deleted except where retention is required by law (for example, payment records under the schedule above). Upon request, the Processor will confirm deletion in writing.
5. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption at rest: AES-256 for all stored data
- Encryption in transit: TLS 1.3 for all data transmission
- Database isolation: Row-level security (RLS) policies ensuring customers can only access their own data
- Password security: bcrypt hashing for all stored passwords
- Access controls: Least-privilege principle for all systems and personnel
- Incident response: Documented procedures for detecting, containing, and reporting breaches
- Automated backups: point-in-time recovery via Supabase, hosted in AWS eu-west-1 (Ireland)
6. Sub-processors
The Customer provides general authorisation for the Processor to engage sub-processors. All sub-processors are bound by data protection obligations no less protective than this DPA. The Processor remains liable for sub-processor acts and omissions.
The current list of sub-processors is maintained at buildersai.co.uk/legal/sub-processors. Changes to the sub-processor list are notified with at least 14 days' prior notice. If the Customer has reasonable grounds to object to a new sub-processor, the parties shall work in good faith to resolve the objection within 30 days. If no resolution is reached, either party may terminate the affected Services without early termination fees.
International Transfers
The majority of sub-processors are located within the EU. Where a sub-processor is located outside the UK/EEA (currently Expo and Firebase/FCM in the United States), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and, where the recipient is certified under it, the EU-US Data Privacy Framework including its UK Extension (the UK-US data bridge).
7. Data Subject Rights
The Processor assists the Customer in responding to data subject requests under UK GDPR, including requests for access, rectification, erasure, restriction, portability, and objection. Where the Processor receives a request directly, it will promptly notify the Customer and will not respond unless instructed to do so.
The platform provides self-service tools to support compliance:
- In-app data export for portable data copies
- Account and project deletion functionality
- Profile editing for correcting inaccurate data
8. Breach Notification
In the event of a Personal Data Breach, the Processor shall notify the Customer without undue delay after becoming aware of it and, where feasible, within 72 hours. The notification shall include:
- A description of the breach, including categories and approximate numbers of data subjects and records affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
The Customer, as Controller, is responsible for determining whether to notify the ICO (under Article 33 UK GDPR, where feasible within 72 hours of becoming aware of the breach) and affected data subjects (under Article 34 UK GDPR). The Processor shall co-operate with any such notifications.
9. Audit Rights
The Processor shall make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Customer or their mandated auditor. Audits require 30 days' prior notice, shall be conducted during normal business hours, and are limited to once per calendar year unless required by a supervisory authority or following a confirmed breach.
10. General Provisions
This DPA remains in force for as long as the Processor processes Customer Personal Data. It is governed by the laws of England and Wales. Liability is subject to the provisions in the Terms of Service. The Processor may update this DPA with at least 30 days' notice of material changes; continued use of the Services constitutes acceptance.
Contact
For questions about this DPA or to exercise data protection rights:
CM Digital Solutions Ltd
Company No. 16913770
82a James Carter Road, Mildenhall, Bury St. Edmunds, England, IP28 7DE
Privacy: privacy@buildersai.co.uk
Legal: legal@buildersai.co.uk