This policy explains how Build & Let (“Build & Let”, “we”, “us”, “our”) handles personal data when you visit our website, create an account, or use our property-management software (the “Service”). We are committed to handling personal data in line with the UK GDPR and the Data Protection Act 2018.
1. Who we are
The Service is provided by BULUK BIZ LTD (trading as Build & Let), a company registered in England & Wales (company number 17106164), registered office Flat 6, 5 Corys Road, Rochester, England, ME1 1GU.
For privacy questions, contact our data protection point of contact at privacy@buildandlet.com.
2. Our role: controller and processor
Data protection law distinguishes between a controller (who decides why and how personal data is processed) and a processor (who processes it on the controller's behalf). Build & Let acts in both roles depending on the data:
- We are the controller of the data we need to run our business with you, our customer: the account and contact details of the people who sign up and use the Service, billing information, our website's analytics-free server logs, and our communications with you.
- We are a processor for the business records you and your team put into the Service: your projects, properties, costs, documents, photos and, importantly, the personal data of your tenants, contractors, suppliers and other contacts (“Customer Data”). For Customer Data, you, our customer, are the controller. We only process Customer Data on your documented instructions to provide the Service, as set out in the Terms and our Data Processing Addendum.
This matters for your rights: if your personal data sits inside a customer's workspace because you are their tenant or contact, that customer is the controller and is responsible for it. Please direct any requests to them; we will support them in responding.
3. Personal data we process
Account & profile data (we are controller)
Your name, email address, optional phone number, the company/workspace you belong to, your role, a securely hashed password, and basic usage timestamps (such as when you were last active).
Billing data (we are controller)
Your plan, billing cycle and subscription status, and identifiers from our payment processor. We never see or store full card numbers — card details are handled directly by Stripe (see section 5).
Customer Data you upload (we are processor)
Records you create about your business, which may contain personal data about third parties, including: tenant names, contact details, tenancy dates, rent and deposit information; contractor and supplier names and contact details; and uploaded documents such as contracts, agreements and certificates. You control what you put into the Service.
AI assistant data (we are processor for your content)
When you use the in-app AI assistant, the messages you send and the relevant records it needs to answer (for example a project name or rent figure) are sent to our AI sub-processor to generate a response. We keep an audit log of the actions the assistant takes on your data.
Technical data
Limited technical information needed to operate and secure the Service, such as IP address, device/browser type and security and error logs. We do not use advertising or third-party tracking cookies (see section 10).
4. How and why we use it, and our lawful bases
| What we do | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Create and run your account; provide the Service; let your team collaborate | Performance of a contract |
| Take payment, manage the trial and subscriptions, prevent non-payment | Performance of a contract; legal obligation (tax/accounting) |
| Secure the Service, prevent fraud and abuse, keep audit logs, debug errors | Legitimate interests (running a secure, reliable service) |
| Send service and transactional emails (invites, password resets, important notices) | Performance of a contract; legitimate interests |
| Respond to your requests and provide support | Legitimate interests; performance of a contract |
| Comply with legal and regulatory obligations | Legal obligation |
| Process Customer Data through the Service | On your instructions, as your processor (you determine the lawful basis as controller) |
We do not sell personal data, and we do not use Customer Data to train AI models. As the controller of Customer Data, you are responsible for having a lawful basis to process it and for telling your own data subjects (such as your tenants) how their data is used.
Special category data. The Service is not designed to hold special category data (such as health information). If documents you upload happen to contain it, you are responsible, as controller, for ensuring an appropriate Article 9 condition applies.
5. Who we share it with
We share personal data only with the sub-processors and partners we need to run the Service, each under a contract that requires them to protect it:
| Provider | Purpose | Location |
|---|---|---|
| Fly.io | Application & database hosting | United Kingdom (London) |
| Cloudflare | File/document storage (R2), site delivery, custom domains | UK/EU with global edge network |
| Stripe | Payment processing | EU / USA |
| OpenAI | AI assistant features | USA |
| Resend | Transactional email (invites, resets, notices) | USA |
We may also share data with our professional advisers (lawyers, accountants, auditors), and with regulators, law-enforcement or others where we are required to by law or to protect our rights. If we are ever involved in a merger, acquisition or sale of assets, data may transfer to the relevant party under this policy. A current list of sub-processors is available on request from privacy@buildandlet.com.
6. International transfers
Our core hosting and database are in the United Kingdom. Some sub-processors (for example Stripe, OpenAI and Resend) process data outside the UK, including in the United States. Where personal data leaves the UK, we rely on an appropriate safeguard under UK data protection law — such as UK adequacy regulations or the International Data Transfer Agreement / UK Addendum to the EU Standard Contractual Clauses — together with additional measures where needed. You can ask us for details of the safeguards in place.
7. How long we keep it
- Account & Customer Data: kept for as long as your workspace is active. When an owner deletes a workspace, the workspace and its records are deleted from our live systems.
- Backups: residual copies may persist in routine encrypted backups for a limited period before they are overwritten.
- Billing records: retained for up to 7 years to meet UK tax and accounting obligations.
- Sign-in sessions and links: login sessions and invitation/reset links are time-limited and expire automatically.
- Security & audit logs: retained for a limited period for security and accountability.
Where you are a contact within a customer's workspace, the customer determines how long their records are kept.
8. How we protect it
We use appropriate technical and organisational measures designed to protect personal data, including:
- Encryption of data in transit and at rest.
- Passwords stored only as a strong, one-way hash — never in plain text.
- Uploaded files kept in private storage and served only through short-lived, access-controlled links.
- Strict separation of each workspace's data, with role-based access controls so people only see what their role allows.
- Time-limited sign-in sessions and invitation/reset links, and audit logging of automated actions.
No service can be guaranteed to be completely secure. While we work hard to protect your information, no method of transmission over the internet or method of electronic storage is 100% secure, and we cannot and do not warrant absolute security. You also play a vital part: keep your password confidential, use strong and unique credentials, and tell us immediately at security@buildandlet.com if you suspect any unauthorised access. Our and your respective responsibilities, and the limits of our liability, are set out in the Terms.
9. Your rights
Subject to certain conditions, you have the right to: be informed; access a copy of your personal data; have inaccurate data corrected; have your data erased; restrict or object to processing; and data portability. Where we rely on consent, you can withdraw it at any time.
To exercise these rights over data for which we are the controller, email privacy@buildandlet.com. If your data sits within a customer's workspace, that customer is the controller — contact them, and we will assist them as their processor.
You also have the right to complain to the ICO at ico.org.uk, though we'd appreciate the chance to put things right first.
10. Cookies and local storage
We keep this simple. We use only strictly necessary cookies and browser storage that are essential to sign you in and keep the app working:
- A secure, essential session cookie that keeps you signed in.
- A sign-in token kept in your browser as a fallback for browsers that restrict cross-site cookies.
We do not use advertising, analytics or third-party tracking cookies, so no cookie-consent banner is required for these essential cookies. You can clear them at any time through your browser settings, though doing so will sign you out.
11. Children
The Service is a business tool intended for users aged 18 and over. It is not directed at children, and we do not knowingly collect their personal data.
12. Changes to this policy
We may update this policy from time to time. We'll change the “last updated” date above and, where changes are significant, take reasonable steps to let you know.
13. How to contact us
Privacy questions or requests: privacy@buildandlet.com. Security concerns: security@buildandlet.com. Or write to us at BULUK BIZ LTD (trading as Build & Let), Flat 6, 5 Corys Road, Rochester, England, ME1 1GU.