Privacy Policy and Personal Data Protection

Last updated: January 2026

1. Data Controller

Construction Hub is a cloud platform for construction project management, provided as a service (SaaS). For the purposes of Regulation (EU) 2016/679 (GDPR), the data controller is the legal entity identified in section 17 of this policy.

  • The Controller determines the purposes and means of processing personal data collected through the Platform.
  • When a Client (legal entity) uses the Platform to manage data about its employees, subcontractors, or partners, the Client acts as an independent controller for that data, and Construction Hub acts as a data processor within the meaning of Art. 28 of the GDPR.
  • The relationship between Construction Hub, acting as processor, and the Client is governed by a Data Processing Agreement (DPA), which is an integral part of the subscription agreement.

2. Definitions

For the purposes of this Privacy Policy:

  • "Personal Data" -- any information relating to an identified or identifiable natural person (data subject).
  • "Processing" -- any operation with personal data: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Data Subject" -- a natural person whose personal data is processed (users, employees of clients, contact persons of partners).
  • "Data Processor" -- a person who processes personal data on behalf of the controller.
  • "Sub-processor" -- a third party to whom the processor has delegated part of the processing.
  • "Personal Data Breach" -- a breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

3. Scope and Applicability

This Privacy Policy applies to:

  • All individuals who visit the website constructionhub.bg.
  • Users who create an account and use the Platform.
  • Contact persons of legal entities -- clients, suppliers, and partners whose data is entered into the Platform.
  • Individuals who contact us through the contact form, email, or other channels.
  • Employees and representatives of client companies whose data is processed under the subscription agreement.

This Policy does not apply to anonymized or aggregated data that does not allow identification of a natural person.

4. Categories of Personal Data We Collect

4.1. Identification and Contact Data

During registration and use of the Platform, we collect:

  • User's first and last name.
  • Business email address.
  • Phone number (if provided).
  • Company name, registration number, and address of the client entity.
  • Position/role in the organization.

4.2. Technical Data

Automatically collected when accessing the Platform:

  • IP address and approximate geographic location (country/city level).
  • Browser type and version, operating system.
  • Device identifiers.
  • Date, time, and duration of sessions.
  • Pages and features visited.

4.3. Business Data

In the course of working with the Platform, the following may be processed:

  • Data from invoices, contracts, offers, and other documents entered by the Client.
  • Names and contacts of employees, subcontractors, and partners entered by the Client.
  • Financial information (bank accounts, invoice amounts) entered by the Client.
  • Data about construction sites, quantity surveys, and inventory.

Important: For business data entered by the Client, the Client is the data controller. Construction Hub processes this data solely on the Client's instructions and pursuant to the Data Processing Agreement.

4.4. Payment Data

For processing subscription payments:

  • Construction Hub does NOT store full bank card numbers.
  • Payments are processed by a certified payment operator (Stripe), which complies with PCI DSS Level 1 standards.
  • We store only: the last 4 digits of the card, card type, expiration date, and transaction identifier.

5. Purposes and Legal Bases for Processing

We process personal data only when there is a valid legal basis under Art. 6(1) of the GDPR:

5.1. Performance of a Contract (Art. 6(1)(b))

  • Creating and managing user accounts.
  • Providing the subscription service and technical support.
  • Processing payments and issuing invoices.
  • Communication regarding the service (system notifications, changes to terms).

5.2. Legitimate Interest (Art. 6(1)(f))

Subject to a balancing test ensuring our interest does not override the data subject's rights:

  • Improving the Platform through usage analysis (aggregated data).
  • Ensuring security -- detecting unauthorized access, abuse, and cyberattacks.
  • Preventing fraud and misuse of the service.
  • Internal reporting and auditing.

5.3. Legal Obligation (Art. 6(1)(c))

  • Retention of accounting documents pursuant to the Accounting Act (10 years).
  • Providing data when required by law or by order of a competent authority.
  • Fulfillment of tax obligations.

5.4. Consent (Art. 6(1)(a))

Only when no other legal basis applies:

  • Sending marketing communications and newsletters (with the right to opt out at any time).
  • Use of optional cookies for analytics and advertising.
  • Participation in satisfaction surveys and research.

Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before the withdrawal.

6. Cookies and Tracking Technologies

We use the following categories of cookies:

6.1. Strictly Necessary (no consent required)

  • Session cookies for authentication and maintaining the user session.
  • CSRF protection cookies (form security).
  • Cookies for remembering language preferences.

6.2. Analytics (with consent)

  • Google Analytics -- for traffic and visitor behavior analysis.
  • Internal analytics -- for improving the user experience.

6.3. Cookie Management

You can manage cookies through your browser settings or through the cookie banner on your first visit. Disabling strictly necessary cookies may impair the functionality of the Platform.

7. Data Retention Period

We retain personal data only as long as necessary for the purpose for which it was collected:

  • Account data -- until subscription termination plus 30 days for data export.
  • Client business data -- until contract termination plus 30 days for export, after which it is permanently deleted.
  • Accounting documents -- 10 years pursuant to the Accounting Act.
  • Security logs -- up to 12 months.
  • Marketing consent -- until withdrawal by the data subject.
  • Contact form data -- up to 6 months after the inquiry is resolved.
  • Backups -- up to 90 days, after which they are automatically overwritten.

After the retention periods expire, data is deleted or irreversibly anonymized. In case of a dispute or legal claim, data may be retained until the proceedings are finally concluded.

8. Sharing Data with Third Parties

We do not sell, rent, or trade personal data. We share data only in the following cases:

8.1. Sub-processors

We use trusted service providers to deliver the service, with whom we have concluded agreements under Art. 28 of the GDPR:

  • Hosting and infrastructure -- for storing data on EU servers.
  • Payment services (Stripe) -- for processing subscription payments.
  • Email services -- for sending system and transactional emails.
  • AI processing (OpenAI) -- for intelligent document recognition (see section 12).
  • Monitoring and error tracking -- for ensuring service stability.

8.2. Legal Requirements

We may disclose personal data when required by:

  • Applicable legislation or regulatory act.
  • Court order or act of a competent authority.
  • Protection of the rights, property, or safety of Construction Hub, its users, or the public.

9. International Data Transfer

Your data is stored on servers in the European Union.

  • When transfer outside the EEA is necessary (e.g., to sub-processors in the USA), we ensure an adequate level of protection through Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914).
  • AI processing (OpenAI) may involve transfer to the USA. OpenAI is certified under the EU-US Data Privacy Framework and applies additional technical protection measures.
  • Before each transfer, we conduct a Transfer Impact Assessment (TIA) in accordance with EDPB guidelines.
  • A list of sub-processors and their locations is available upon request at info@constructionhub.bg.

10. Your Rights Under GDPR

Under Regulation (EU) 2016/679, you have the following rights:

Right of Access (Art. 15)

You have the right to obtain confirmation of whether your personal data is being processed, access to it, and information about the purposes, categories of data, recipients, and retention period.

Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data without undue delay.

Right to Erasure (Art. 17)

You have the right to request erasure of your personal data when: the data is no longer necessary for its purpose; you withdraw your consent; you object to processing; or the data has been unlawfully processed. This right does not apply when processing is necessary for compliance with a legal obligation.

Right to Restriction (Art. 18)

You have the right to request restriction of processing when you contest the accuracy of data, processing is unlawful, or you have objected to processing pending verification.

Right to Data Portability (Art. 20)

You have the right to receive your data in a structured, commonly used, and machine-readable format (JSON, CSV) and to transmit it to another controller. The Platform provides a data export function from the user panel.

Right to Object (Art. 21)

You have the right to object to data processing based on legitimate interest. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You may object to processing for direct marketing at any time unconditionally.

Right Not to Be Subject to Automated Decision-Making (Art. 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you. Construction Hub does not make automated decisions with legal effects without human intervention.

11. Exercising Your Rights

To exercise any of your rights, you can contact us through the following channels:

  • Email: info@constructionhub.bg (with subject "GDPR Request").
  • Through the contact form at constructionhub.bg/contact.
  • By letter to the address specified in section 17.

For your protection, we may request verification of your identity before processing your request.

We respond to every request within 30 days. In case of complexity or multiple requests, the deadline may be extended by up to 60 days, of which you will be notified.

Exercising your rights is free of charge. For manifestly unfounded or excessive requests (particularly due to repetitiveness), we may impose a reasonable fee or refuse to act.

12. AI Processing and Automated Decision-Making

The Platform uses artificial intelligence (AI) for the following purposes:

  • Automatic recognition and extraction of data from scanned documents (invoices, quantity surveys, protocols).
  • Intelligent matching of nomenclature items through semantic vectors (embeddings).
  • Suggestions for document categorization and classification.

Safeguards for AI Processing

  • AI results are always suggestions -- the final decision rests with the user, who reviews and approves/rejects the results.
  • No automated decisions with legal or significant effects are made without human intervention.
  • Documents sent for AI processing are processed in real-time and are not stored by the AI provider for model training.
  • AI processing may involve data transfer to a sub-processor (OpenAI) as described in section 9.
  • You have the right to request human intervention or to refuse AI processing at any time.

13. Data Protection by Design and by Default

In accordance with Art. 25 of the GDPR, we apply the principles of Data Protection by Design and by Default:

  • Data minimization -- we collect only data necessary for the specific purpose.
  • Data isolation (multi-tenancy) -- each Client's data is strictly isolated at the database level. No Client can access another Client's data.
  • Role-based access control (RBAC) -- each user accesses only the data for which they have permission, as determined by the Account Administrator.
  • Encryption by default -- all data is encrypted in transit (TLS 1.3) and at rest.
  • Audit trail -- every user action is logged for traceability and accountability.
  • Pseudonymization -- where possible, we use internal identifiers instead of direct personal data.

14. Technical and Organizational Security Measures

We apply the following measures pursuant to Art. 32 of the GDPR:

14.1. Technical Measures

  • Data encryption in transit via TLS 1.3 and HSTS.
  • Data encryption at rest (AES-256) for databases and backups.
  • Multi-factor authentication (MFA) for administrative access.
  • Web Application Firewall (WAF) and DDoS protection.
  • Automatic anomaly and suspicious activity detection.
  • Regular vulnerability scanning and penetration testing.
  • Regular automated backups with geographic replication.

14.2. Organizational Measures

  • Principle of least privilege for employee access.
  • Staff training on data protection.
  • Personal data incident management policy.
  • Regular review and update of security measures.
  • Confidentiality agreements with all employees and subcontractors.

15. Breach Notification

In the event of a personal data breach:

  • We notify the Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware, when the breach is likely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR).
  • We notify affected data subjects without undue delay when the breach is likely to result in a high risk (Art. 34 GDPR).
  • We document every breach, including the facts, consequences, and corrective measures taken.
  • When Construction Hub acts as a processor, we notify the Client (controller) without undue delay so they can fulfill their notification obligations.

16. Data Protection Officer (DPO)

For all questions related to personal data protection, you can contact our Data Protection Officer:

  • Email: info@constructionhub.bg
  • Subject: "DPO / Data Protection"
  • The DPO reviews all inquiries and requests related to personal data processing and coordinates the fulfillment of data subjects' rights.

17. Right to Complaint and Contact with the Supervisory Authority

If you believe that the processing of your personal data violates the GDPR, you have the right to file a complaint with the supervisory authority:

Commission for Personal Data Protection (CPDP)

  • Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
  • Phone: 02/91-53-518
  • Email: kzld@cpdp.bg
  • Website: www.cpdp.bg

We recommend contacting us first at info@constructionhub.bg to resolve the matter directly.

18. Children's Data

Construction Hub is a B2B platform intended for legal entities and their employees. We do not knowingly collect personal data from individuals under 16 years of age. If we discover that we have collected data from a child, we will delete it immediately. If you believe a child has provided personal data through the Platform, please contact us at info@constructionhub.bg.

19. Changes to the Privacy Policy

We reserve the right to update this Policy in case of:

  • Changes in applicable legislation or supervisory authority guidance.
  • Changes in services, features, or sub-processors.
  • Technological changes requiring adaptation of protection measures.
  • Recommendations from audits or impact assessments.

For material changes, we will notify you by email and/or notification in the Platform at least 30 days in advance. Continued use of the Platform after the changes take effect constitutes acceptance of the updated Policy.

20. Applicable Law and Contact Information

This Privacy Policy is governed by Regulation (EU) 2016/679 (GDPR), the Bulgarian Personal Data Protection Act, and applicable European and national legislation.

Contact for data protection inquiries:

  • Email: info@constructionhub.bg
  • Website: constructionhub.bg
  • Subject: "Personal Data Protection"
