Privacy Policy

This Privacy Policy explains how BuildPass Pty Ltd ACN 652 324 635 (BuildPass, we, us or our) collects, uses, stores, discloses and protects Personal Information in connection with BuildPass Ledger, Ledger, app.ledger.build, ledger.build, related websites, APIs, dashboards, integrations, support services and associated products and services (Ledger).

Ledger is a construction finance platform that helps connect construction operational activity with accounting and financial actuals. Ledger may be used as a standalone product, as a BuildPass add-on, or as part of a BuildPass bundle.

For privacy questions, contact:

The Privacy Office BuildPass Pty Ltd privacy@buildpass.com.au

For product support, contact support@buildpass.com.au.

1. Related documents

This Privacy Policy should be read together with:

• the Ledger Terms of Service, available at https://ledger.build/terms-of-service;
• the Ledger AI Policy, available at https://ledger.build/ai-policy; and
• the Ledger Subprocessors and Third-Party Services page, available at https://ledger.build/subprocessors.

2. Scope of this policy

2.1 This Privacy Policy applies to Personal Information that we collect and process in connection with Ledger.

2.2 In this Privacy Policy, Personal Information means "personal information", "personal data", or similar terms under applicable privacy laws. Ledger is initially intended for use in Australia, New Zealand, the United States and Canada. Different privacy laws may apply depending on where a Customer, User, or individual is located.

2.3 Ledger is intended for business use by builders, contractors, subcontractors, site managers, project managers, finance teams, administrators, external accountants, bookkeepers, consultants, invited collaborators and client portal users. Ledger is not intended for personal, household, or consumer use.

2.4 We process some Personal Information in our own right, such as account, billing, support, marketing, website and security information. We also process some Personal Information on behalf of Customers, such as Personal Information contained in Customer Data, Accounting Platform Data, project records, invoices, claims, purchase orders, operational records, portal records, reports, documents and AI outputs.

2.5 This Privacy Policy does not govern how a Customer handles Personal Information. Customers are responsible for their own privacy notices, consents, legal bases, role permissions, internal controls and handling of Personal Information.

3. Information we collect

We may collect the following categories of information.

3.1 Account and contact information

This may include name, email address, phone number, company name, business address, job title, role, team, region, account settings, user permissions, authentication information and related profile details.

3.2 Customer and business information

This may include business name, ABN/ACN or similar business identifiers, billing details, plan details, subscription details, support history, implementation information, project names, customer configuration and commercial relationship information.

3.3 Accounting Platform Data

If a Customer connects an accounting, finance, ERP, bookkeeping or related platform, Ledger may collect and process data from that platform (Accounting Platform Data). Depending on the integration, permissions and settings, this may include:

• company and organisation profile information;
• chart of accounts, accounts, cost codes, classes, locations, categories and tracking categories;
• customers, clients, vendors, suppliers, subcontractors and contacts;
• invoices, bills, purchase orders, quotes, receipts and line items;
• payment records and payment status, generally on a read-only basis unless expressly enabled;
• tax rates, tax codes and tax-related metadata;
• items, products, services, inventory metadata or catalogue information;
• attachments and supporting documents;
• reports, including profit and loss, cash flow, general ledger, balance sheet, receivables and payables reports;
• journal entries and general ledger records; and
• other data authorised by the Customer or supported by the connected platform.

3.4 Operational and project data

If enabled by the Customer, Ledger may collect or import operational construction data from BuildPass or other systems. This may include project budgets, cost codes, purchase orders, site diaries, sign-on information, plant and equipment data, delivery data, dockets, photos, RFIs, workflows, subcontractor claims, client claims, client payment information and other project records.

Ledger is not primarily intended to process worker-level safety, licence, ticket, incident, timesheet, check-in/check-out, geolocation, pay-rate or similar workforce data. However, such information may be processed if a Customer chooses to sync, import, upload, or include it in documents, accounting records, project records, BuildPass-integrated data, or other Customer Data.

3.5 AI inputs and outputs

Ledger may collect and process prompts, uploaded documents, accounting records, project records, extracted text, OCR outputs, suggested cost codes, classifications, summaries, anomaly flags, forecasts, reconciliation suggestions, margin insights, corrections, feedback and other inputs or outputs generated or used by AI Features.

More detail is provided in the Ledger AI Policy at https://ledger.build/ai-policy.

3.6 Usage, device and technical information

We may collect information about how Ledger is accessed and used, including IP address, device type, browser, operating system, pages viewed, features used, actions taken, event logs, audit logs, API logs, integration logs, error logs, session information, authentication logs and diagnostic data.

3.7 Billing and payment information

We may collect billing contact details, plan information, invoice information, transaction metadata and payment status. Payments may be processed through Stripe or another payment provider. We generally do not store full credit card numbers ourselves.

3.8 Communications and support information

We may collect information submitted through support requests, calls, emails, chat, demos, onboarding, feedback, surveys, sales enquiries and other communications.

3.9 Information we do not intentionally require

Ledger is not designed to require tax file numbers, social security numbers, social insurance numbers, bank account details, credit card numbers, superannuation account details, protected health information, or highly sensitive worker information. Customers should not submit such information unless it is necessary, lawful and authorised.

If such information is included in Customer Data, documents, accounting records, operational records, or connected-platform data, we will process it as Customer Data in accordance with this Privacy Policy, the Ledger Terms of Service and the Customer's instructions.

4. How we collect information

We may collect information:

• directly from Users or Customers when they create accounts, subscribe, configure Ledger, contact us, or use Ledger;
• from connected Accounting Platforms, such as QuickBooks, Xero, Sage, or other platforms, when authorised by the Customer;
• from BuildPass or other operational systems when the Customer enables an integration;
• from subcontractors, contractors, clients, accountants, bookkeepers, or other portal users invited by the Customer;
• from payment processors, authentication providers, support providers, analytics tools and other service providers;
• automatically through cookies, logs, telemetry, analytics and similar technologies; and
• from public sources or third parties where lawful and relevant to our business relationship.

If a Customer or User provides Personal Information about another person, they must ensure they have authority to do so and have provided any required notice or obtained any required consent.

5. How we use information

We use information to:

• provide, operate, secure and support Ledger;
• create and manage accounts, organisations, subscriptions and User access;
• authenticate Users and manage permissions;
• connect, sync and maintain integrations authorised by the Customer;
• import, classify, map, reconcile, display, report, export, create, or update construction finance and accounting records;
• display dashboards, reports, project financials, budgets, actuals, work in progress, cost-to-complete views, forecasts, margins and related workflows;
• support purchase order, invoice, bill, claim, budget, client payment and subcontractor workflows;
• enable controlled write-back to connected systems where authorised and approved by Users;
• provide AI Features, including coding, classification, variance explanation, anomaly detection, invoice summarisation, forecasting, margin insights, OCR and reconciliation suggestions;
• provide support, onboarding, implementation and training;
• process payments and manage subscriptions;
• communicate with Customers and Users about Ledger;
• send service, security, billing and administrative notices;
• send marketing communications where permitted by law;
• monitor, troubleshoot, debug, improve and develop Ledger;
• create de-identified or aggregated analytics, benchmarks, insights and product improvements;
• detect, prevent, investigate and respond to fraud, misuse, security incidents, unauthorised access and technical issues;
• comply with law, legal process, third-party platform requirements and contractual obligations;
• enforce our terms and protect rights, safety, property and security; and
• support corporate transactions such as financing, investment, merger, acquisition, restructuring, or sale of assets.

6. AI-assisted processing

Ledger may use AI providers to support AI Features. AI Features may process Customer Data, Accounting Platform Data, operational data, documents, prompts, outputs, feedback and metadata to provide coding, classification, extraction, matching, forecasting, variance explanation, summarisation, drafting and similar features.

Unless otherwise agreed, BuildPass does not permit third-party AI providers to use Customer Data submitted through Ledger to train their general foundation models under BuildPass's applicable commercial arrangements. AI outputs are recommendations or drafts only and must be reviewed by Users before reliance or write-back.

More detail is provided in the Ledger AI Policy at https://ledger.build/ai-policy.

7. Disclosure of information

We may disclose Personal Information to:

• BuildPass personnel, affiliates, contractors and advisers who need access for the purposes described in this Privacy Policy;
• service providers that help us provide hosting, infrastructure, authentication, billing, communications, analytics, monitoring, support, AI processing, storage, security, integrations and related functions;
• connected platforms and third-party services at the Customer's direction or as required for an enabled integration;
• professional advisers, auditors, insurers, legal representatives and prospective investors or acquirers;
• regulators, courts, law enforcement, government agencies and other parties where required or permitted by law;
• parties involved in a merger, acquisition, financing, restructuring, sale of assets, or similar corporate transaction; and
• other parties with consent or at the direction of the Customer or individual.

The current Ledger Subprocessors and Third-Party Services page is available at https://ledger.build/subprocessors.

8. No sale of Personal Information or Customer Data

BuildPass does not sell Personal Information, Customer Data or Accounting Platform Data.

BuildPass does not provide one Customer's identifiable Customer Data to another Customer. BuildPass may use aggregated, de-identified, or anonymised information for analytics, benchmarking, product improvement, security, research and business purposes, provided it does not reasonably identify the Customer, Users, individuals, or confidential Customer Data.

We do not share mobile phone numbers, SMS opt-in data, or SMS consent data with third parties for their own marketing or promotional purposes.

9. International processing

Ledger may be hosted, supported, or processed in Australia, New Zealand, the United States, Canada and other countries where BuildPass, its service providers, or integration providers operate. Privacy laws in those countries may differ from the laws in your location.

Where we transfer Personal Information internationally, we take reasonable steps designed to ensure appropriate handling, including contractual protections, provider security reviews and other safeguards where appropriate.

10. Cookies, analytics and tracking

Ledger and related websites may use cookies, local storage, analytics tools, logs, pixels and similar technologies to provide the service, remember preferences, improve performance, understand usage, monitor security and support marketing where permitted.

Users can manage some cookie settings through their browser. Disabling cookies may affect functionality.

11. Security

We take reasonable steps to protect Personal Information from misuse, interference, loss, unauthorised access, modification and disclosure. These steps may include encryption in transit, encryption at rest where supported, access controls, role-based permissions, audit logs, least-privilege access, token encryption, monitoring, staff controls, incident response processes and vendor reviews.

No method of transmission or storage is completely secure. Customers and Users are responsible for securing their own accounts, devices, credentials, permissions, exports, connected-system access and internal processes.

12. Data retention, export and deletion

We retain Personal Information and Customer Data for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide Ledger, maintain business and financial records, preserve audit trails, comply with legal obligations, resolve disputes, enforce agreements, maintain backups, protect security and support legitimate business purposes.

If a Customer disconnects an integration, cancels Ledger, or requests deletion, we may retain certain data where necessary for legal, audit, security, backup, dispute-resolution, accounting, or legitimate business purposes. Where deletion is appropriate and technically feasible, we will take reasonable steps to delete or de-identify data in accordance with our retention practices and applicable law.

Deleted Customer Data may remain in backups for up to 30 days, unless a longer period is required for legal, security, continuity, or technical reasons.

Customers may be able to export certain Ledger data before deletion or termination. Export availability and formats may depend on the feature, plan, integration, technical feasibility and applicable law.

13. Access, correction and privacy rights

Individuals may request access to, correction of, or deletion of Personal Information we hold about them. Depending on location and applicable law, individuals may also have rights to object, restrict processing, withdraw consent, request portability, opt out of certain marketing, or lodge a complaint with a regulator.

Some requests may need to be made through the Customer where BuildPass processes Personal Information on the Customer's behalf. We may need to verify identity before responding. We may refuse or limit a request where permitted by law, including where information must be retained for legal, audit, security, accounting, backup, or dispute-resolution purposes.

We will respond to privacy requests within a reasonable period and, where a specific timeframe is required by applicable law, within that timeframe.

14. Marketing and communications

We may send service, product and marketing communications where permitted by law. Individuals can opt out of marketing communications by using unsubscribe links or contacting us. Some transactional, security, support, legal, or service-related communications are necessary and cannot be opted out of while using Ledger.

Where SMS, phone, or messaging notifications are used, message frequency and charges may vary. Consent to receive marketing SMS is not a condition of purchasing Ledger. Individuals can opt out of marketing SMS where required by law.

15. Children and young people

Ledger is intended for business use and is not directed to children under 18. If we learn that we have collected Personal Information from a child without appropriate consent, we will take reasonable steps to delete it.

Where a Customer includes information about apprentices, trainees, junior workers, graduates, or other young people in Customer Data, the Customer is responsible for ensuring that information is collected, used and disclosed lawfully.

16. Third-party links and services

Ledger may link to or integrate with third-party services. Those services have their own privacy policies, security practices and terms. We are not responsible for third-party privacy or security practices except where required by law or expressly agreed in writing.

17. Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify Customers or Users. Continued use of Ledger after an updated policy takes effect means the updated policy applies to future use.

18. Contact

For privacy questions, requests, or complaints, contact:

The Privacy Office BuildPass Pty Ltd privacy@buildpass.com.au

For product support, contact support@buildpass.com.au.