Construction Hub ("we", "us" or "our company") is a cloud-based construction project management platform provided as a service (SaaS). This Privacy Policy explains how we collect, use, store and protect your information in accordance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and applicable Bulgarian legislation (Personal Data Protection Act).
This policy applies to all platform users — registered accounts, website visitors, and individuals whose data is processed through our services (e.g., employees of client companies).
Key terms: "Data Controller" is Construction Hub; "Data Processor" is any third party processing data on our behalf; "Data Subject" is any natural person whose data we process.
2. What data we collect
We collect data in several ways:
Data you provide during registration and use
Identification data: first name, last name, company tax number (for business registration)
Contact data: email address, phone number, company address
Professional data: position, project role, department
Financial data: payment information (processed by a certified payment provider — we do not store card numbers)
Automatically collected data
Technical data: IP address, browser type, operating system, screen resolution
Usage data: pages visited, actions within the platform, session duration
Cookie data: session identifiers, language preferences, cookie consent
Data from third parties
IFC/BIM file data: construction elements, quantities, dimensions (uploaded by the user)
Integration data: information from connected systems (if applicable)
3. How we use your data
We use your data for the following purposes:
Service delivery: creating and managing accounts, processing projects, contracts, invoices and quantity surveys
Payment processing: invoicing, subscriptions and payment management through a certified payment provider
Communication: sending system notifications, registration confirmations, service change notices
AI-based features: automatic recognition of nomenclature items from IFC files, price suggestions, quantity validation
Platform improvement: analyzing usage patterns to optimize user experience
Consent (Art. 6(1)(a)): marketing communications, optional analytics cookies — you may withdraw consent at any time
5. Sharing data with third parties
We do not sell your personal data. We share data only with trusted service providers bound by Data Processing Agreements (DPA):
All third parties outside the EU are bound by Standard Contractual Clauses (SCCs) pursuant to European Commission Decision (EU) 2021/914.
6. Data retention
We retain your data for different periods depending on the type:
Account data: until account closure + 30 days for technical deletion
Audit logs: 3 years for change tracking
Technical logs (server): 90 days
Cookie data: up to 12 months or until consent withdrawal
Anonymized data: may be stored indefinitely (not personal data)
After expiry, data is automatically deleted or irreversibly anonymized.
7. Cookies and tracking technologies
We use cookies for the proper functioning of the platform:
Essential cookies: session cookies for authentication and form protection, cookie consent. These cookies are necessary and cannot be disabled.
Functional cookies: language preferences, theme (light/dark), last visited page
Analytics cookies: Google Analytics (if enabled) for traffic analysis — only with your consent
You can manage cookies through the consent banner or from the settings in the site footer. For more information, see our Cookie Policy.
8. Security measures
We implement technical and organizational measures to protect your data:
Encryption in transit and at rest: all communication is secured with TLS 1.3 (HTTPS). Passwords are stored using industry-standard hashing.
Access control: access management system with detailed permissions. Each company's data is fully isolated and inaccessible to other organizations.
Monitoring and prevention: automatic account lockout on suspicious activity, detailed audit logs tracking every action in the system
Backups: automatic encrypted backups for rapid recovery in case of an incident
Application security: multi-layered protection against the most common web threats, including injections, request forgery and scripting attacks
9. International data transfers
The primary database is stored in data centers within the European Union. Some of our service providers are based outside the EU. For these transfers we apply:
Standard Contractual Clauses (SCCs) approved by the European Commission
Additional technical measures: encryption in transit and at rest, data minimization
Transfer Impact Assessments (TIA) where necessary
10. Automated decision-making and AI
Construction Hub uses artificial intelligence to enhance its services:
Automatic nomenclature recognition: AI analyzes construction elements from BIM models and maps them to appropriate nomenclature items
Price suggestions: AI suggests unit prices based on historical data from your projects
Quantity validation: AI checks for anomalies and inconsistencies in extracted quantities
These features do not make automated decisions with legal effects for you. All AI suggestions are subject to manual review and approval by the user. No personal data is sent during AI processing — only technical descriptions of construction elements.
11. Children's data
Construction Hub is a professional construction project management platform. The service is not intended for persons under 16 years of age and we do not knowingly collect data from children. If we discover that we have collected data from a person under 16, we will delete it immediately.
12. Data breach notification
In the event of a personal data security breach, we are committed to:
Notifying the Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects' rights
Notifying affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms
Documenting every breach, including the circumstances, consequences and measures taken
13. Your rights
Under the GDPR (Chapter III, Articles 15-22) you have the following rights:
Right of access (Art. 15): to obtain confirmation of whether we process your data and to receive a copy
Right to rectification (Art. 16): to request correction of inaccurate or incomplete data
Right to erasure (Art. 17): to request deletion of your data ("right to be forgotten"), except where retention is a legal obligation
Right to restriction (Art. 18): to request temporary suspension of processing under certain conditions
Right to portability (Art. 20): to receive your data in a structured, machine-readable format (JSON) and transfer it to another controller
Right to object (Art. 21): to object to processing based on legitimate interest
Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal
To exercise your rights, you can use the "Privacy" function in your account settings or contact us at info@constructionhub.bg. We respond within 30 days of receiving the request.
14. Policy changes
We may periodically update this Privacy Policy to reflect changes in our practices or legal requirements. For material changes, we will notify you by email or through a platform notification at least 14 days before the changes take effect. By continuing to use the service after notification, you accept the updated policy.
15. Contact and supervisory authority
Data Controller:
Construction Hub
Sofia, Bulgaria
info@constructionhub.bg
For data protection inquiries: info@constructionhub.bg
If you believe the processing of your data violates the GDPR, you have the right to lodge a complaint with: