Data Handling Policy

This policy sets out how we collect, store, process, transfer, and delete the data you upload to or generate within the Platform, including residential building plans, drawings, client information, trades quotes, estimates, and verification records.

You own your data. Everything you upload to or create within the Platform remains your intellectual property. We process it solely to provide the Platform services to you. We do not claim ownership of, sell, or commercially exploit your project data.

Project Data

Residential building plans, drawings, specifications, scope documents, estimates, and quotes that you upload or generate.

Client Data

Names, contact details, and communications relating to your residential building clients that are entered into or processed through the Platform.

Commercial Data

Trades quotes, supplier pricing, and cost data that is entered or received through the Platform. This data is treated as commercially sensitive and is accessible only to the account holder and any users within that account.

Professional Credentials Data

State-based builder's licence numbers, trade licence numbers, licence class and jurisdiction, and insurance policy details collected at registration and maintained throughout the account lifecycle.

Account and Usage Data

Login records, feature usage, and platform activity logs used for security, support, and service improvement. Authentication is handled via third-party identity providers (such as Google OAuth) --- we do not store passwords.

Verification Records

Timestamped logs of in-platform verification steps completed by users prior to sending quotes or estimates to clients. These records are retained as part of the platform safety framework and may be relevant in the event of a dispute.

All primary data storage is on servers located in Australia. We do not transfer your project or client data to servers outside of Australia without your explicit consent, except where required by law.

Where AI processing is performed through third-party AI providers, that processing may occur on infrastructure located outside Australia. All such providers are contractually required to apply equivalent privacy protections and are prohibited from retaining your data following processing. We will update this policy if our data residency arrangements change.

Our storage infrastructure uses industry-standard security measures to protect data at rest and in transit. Access to stored data is restricted to authorised personnel only, on a need-to-know basis.

Within your account, you control who has access to your data. The Platform provides role-based access controls allowing you to set permissions for any team members or subcontractors you invite to your account. We do not grant any third party access to your data without your authorisation, except as required by law.

When you upload documents to the Platform, our AI systems process the content of those documents to generate residential building estimates and flag scope items. This processing may involve third-party AI providers as described in our AI Use Policy. Your documents are not used to train AI models and are not retained by third-party AI providers following processing.

We collect and analyse aggregated and anonymised usage data for the purpose of improving the Platform and the quality of its AI outputs. This includes data on feature usage patterns, workflow completion rates, error rates, and general interaction patterns. Where review of individual project data is required --- for example, to resolve support requests, investigate output quality, or respond to disputes --- it is conducted by authorised personnel under strict access controls and limited to what is reasonably necessary. Aggregated usage data is not shared with third parties. See section 1.5 of the Privacy Policy for further details.

We retain your data for the duration of your account and for seven years following account closure, in accordance with Australian tax and business record-keeping obligations under the Income Tax Assessment Act and relevant state building legislation. Verification records are retained for the same period and may be retained for longer where a dispute is pending or unresolved. Professional credentials data is retained for the duration of the account and for seven years following closure.

Upon account closure, you may request an export of your data prior to deletion. After the retention period, data is securely and permanently deleted using methods that prevent recovery.

We use a limited number of third-party service providers (subprocessors) to operate the Platform. All subprocessors are contractually bound to handle your data only as directed by us, are required to maintain equivalent security standards, and are prohibited from using your data for any purpose other than providing services to us.

Current subprocessor categories include:

• Cloud infrastructure provider --- server hosting and data storage (Australia)
• Payment processor --- subscription billing and payment processing
• Email delivery provider --- transactional email and notifications
• AI model providers --- a combination of AI tools used for document processing and estimation
• Content delivery and security provider --- content delivery and application protection

A current and complete list of subprocessors is maintained and available upon request. To request the full list, contact info@struxo.com. We will notify users of material changes to our subprocessor arrangements with at least 30 days' notice.

In the event of a data breach affecting your personal information, we will comply with our obligations under the Notifiable Data Breaches (NDB) scheme. See our Data Breach Response Plan for full details of how we respond to and communicate breaches.