BLDESY! (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. Information We Collect
Personal information you provide
- Account details: name, email address, phone number, password
- Profile information: business name, trading name, ABN, service areas, profile photos, bio, portfolio
- Job postings: project descriptions, location, budget, photos
- Communications: messages between users, support enquiries
- Payment information: billing details processed securely via our payment provider (we do not store full card numbers on our servers)
Identity and credential verification information
To verify trade professionals and construction companies, we collect and process the following categories of information. This applies to builders, tradies, and enterprise account holders — not homeowners or customers.
- Australian Business Number (ABN): verified against the Australian Business Register (ABR). We store the ABN, registered entity name, and verification status.
- Trade licence numbers: verified against NSW Fair Trading (Trades, Security, Asbestos, Design & Building, High Risk Work, White Card registers) and the QBCC Licensed Contractors Register in Queensland. We store the licence number, the licensee name returned by the register, the licence type/class, and verification status. Personal trade licences are tied to the individual; business licences are tied to the entity.
- White Card (NSW SafeWork): verified against the NSW SafeWork Construction Induction register. The card number is stored in encrypted form (AES-256-GCM) and is not returned to the browser after submission. The card holder's name is stored in plain text for cross-matching.
- Government-issued identity document: Australian driver's licence (front and back) or passport (photo page). The image file is stored in a private storage bucket accessible only via short-lived signed URLs. We use AI optical character recognition (OCR) to extract the holder's name and the document expiry date for cross-matching against your account name and verified credentials. We also read the date of birth from the document (via OCR and, where available, the barcode or MRZ data described below) solely to confirm that the account holder is 18 or over, as required by our Terms of Service; the date of birth is used transiently for this check and is not stored. We do not persist the document number or date of birth — only the extracted name, expiry date, and a record of whether the verification (including the age check) passed. For Australian driver's licences with a PDF417 barcode on the back, we decode the barcode in-process to check that the front-side OCR matches the structured payload, and we record whether the tamper-evidence check passed. For passports, we validate the Machine-Readable Zone (MRZ) check digits using the ICAO standard and record whether the checksum passed. We do not persist the MRZ text or the document number from either source.
- Insurance certificates: we accept Public Liability and Professional Indemnity certificates as uploaded documents. AI vision is used to extract the insurer name, policy number, coverage amount, and expiry date for verification.
All credential verifications are a non-exhaustive check against official Australian government and industry sources at the point of submission. They do not constitute an endorsement or guarantee of any user — see Sections 4 and 6 of our Terms of Service.
Information collected automatically
- Device information: browser type, operating system, device identifiers
- Usage data: pages visited, features used, time spent on the Platform
- Location data: approximate location based on IP address or, with your consent, precise location
- Cookies and similar technologies (see Section 9)
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the BLDESY! Platform and Services
- Create and manage your user account
- Connect homeowners and construction companies with relevant trade professionals
- Process subscription payments and manage billing
- Verify ABN, trade licences, White Cards, government-issued identity documents, and insurance certificates submitted by builders, tradies, and enterprise account holders, including running automated cross-matching, AI-assisted OCR, and (for compatible documents) structured tamper-evidence checks against the Australian Privacy Principles
- Display verification badges on profiles to indicate which credentials have passed verification
- Send transactional communications (account confirmations, job updates, messages)
- Send marketing communications where you have opted in
- Analyse usage patterns to improve our Services and user experience
- Detect, prevent, and address fraud, abuse, and security issues
- Comply with legal obligations and enforce our Terms of Service
3. Sharing Your Information
We do not sell your personal information. We may share or disclose your information with the following categories of recipients:
- Other users of the Platform: Profile information, verification badges, and (where applicable) verified business name and trade categories are visible to other users as necessary for the Platform to function. Contact details (phone, email) are gated behind authentication and shared only after a user explicitly initiates contact.
- Government and industry verification sources: We send licence numbers, ABNs, and (where applicable) personal names to the Australian Business Register, NSW Fair Trading APIs, the NSW SafeWork register, and the Queensland Building and Construction Commission (QBCC) register to verify the information against the source of truth. These are official Australian government and industry registers.
- Service providers (Australia and overseas): We use trusted third-party providers to operate the Platform. The current categories and named providers are:
  - Hosting and database: Vercel Inc. (United States) for application hosting; Supabase Inc. (United States, with regional data residency options) for database, authentication, and file storage.
  - AI processing for identity and document verification: Anthropic, PBC (United States), via the Claude API, for optical character recognition of identity documents and insurance certificates, and for our AI-assisted chat assistant and “write it for me” generation. Before you use an AI chat or generation feature for the first time, we show a disclosure and ask for your consent to your input being sent to Anthropic, a third-party AI provider that processes data overseas (including in the United States); AI-generated responses are labelled as such. Images and prompts sent to Anthropic are processed under Anthropic's commercial terms and zero-data-retention API agreement where applicable.
  - Payment processing: Stripe Payments Australia Pty Ltd (with processing performed by Stripe Inc., United States) for subscriptions, one-time payments, and card data.
  - Error tracking and performance monitoring: Functional Software Inc. d/b/a Sentry (United States), which may collect technical information about errors, requests, and (in limited cases) session replays. We configure Sentry to mask form inputs and identity-document upload surfaces.
  - Rate limiting and abuse prevention: Upstash Inc. (United States) for short-lived rate-limit counters keyed by user ID or IP address.
  - Email delivery: Resend (United States) for transactional emails such as account-confirmation, password-reset, account-deletion confirmations, and notification emails. We share the recipient email address and message content.
- Legal requirements: When required by Australian law, regulation, legal process, or governmental request, including responses to lawful subpoenas, court orders, or law enforcement requests.
- Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify users of any change in ownership or use of personal information.
4. Overseas Disclosure (APP 8)
Several of the service providers listed in Section 3 are located outside Australia, primarily in the United States. This means that personal information we hold about you — including identity-verification information — may be disclosed to overseas recipients in the course of providing the Services.
Specifically, identity-document images and other identity-verification data are processed by Anthropic, PBC (United States) for OCR, and stored by Supabase Inc. (United States, with regional data residency where elected). Application hosting, error monitoring, rate limiting, and payment processing also involve overseas recipients as listed above.
We take reasonable steps to ensure that overseas recipients handle your personal information in a manner consistent with the Australian Privacy Principles, including by selecting providers with established privacy and security programs, configuring providers to minimise the data sent (e.g. zero-data-retention API agreements where available, masked form inputs in error-tracking, no persistence of document numbers), and contracting on the providers' standard terms which include data-protection obligations. By using the Platform you consent to the overseas disclosures described in this Privacy Policy.
5. Data Security
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:
- Encryption of data in transit (TLS/SSL) and at rest in our database
- Identity documents stored in a private bucket accessible only via short-lived signed URLs issued to authenticated users (staff or the document owner) — not publicly accessible
- White Card numbers encrypted at rest using AES-256-GCM with a key held outside the database; encrypted values are not returned to the browser after submission
- Document numbers and dates of birth from driver's licences and passports are not persisted by design — only the extracted name, expiry, and verification outcome (including whether the 18+ age check passed) are stored
- Row-level security (RLS) on all database tables to restrict who can read or write each row
- Server-side rate limiting on verification, login, and signup endpoints to deter abuse
- Secure authentication and session management
- Regular security assessments and monitoring
- Restricted access to personal information on a need-to-know basis
While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
6. Retention and Deletion
We retain personal information only for as long as is necessary to provide the Services and to meet our legal, accounting, and reporting obligations.
- Account information (profile, listings, communications) is retained for the life of the account and for a reasonable period afterwards to support reactivation, dispute resolution, and audit obligations.
- Identity-document images (driver's licence, passport) are retained for as long as your verified account is active so that we can re-confirm verification if the source register changes, or to respond to fraud or dispute investigations. You may request earlier deletion (see below).
- Verification metadata (extracted name, expiry, verification status, structured-check outcome) is retained alongside the account record and used to display badges and to support verification audits.
- Payment records are retained for the period required by Australian taxation and consumer-protection law (currently 7 years).
- Verification logs and audit trails are retained for a reasonable period to support security monitoring and breach investigation.
You can request deletion of your account or of specific verification artifacts by emailing hello@bldesy.com.au. We will action deletion requests within a reasonable time, subject to any legal retention obligations or active fraud / dispute investigations.
7. Notifiable Data Breaches
We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of a data breach involving personal information that is likely to result in serious harm to affected individuals, and the breach cannot be remediated in time to prevent that harm, we will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable. Suspected data breaches can be reported to hello@bldesy.com.au.
8. Your Rights
Under the Australian Privacy Act 1988, you have the right to:
- Access: Request access to the personal information we hold about you, including identity-verification artifacts.
- Correction: Request correction of inaccurate, out-of-date, or incomplete personal information.
- Deletion: Request deletion of your account or specific verification artifacts (see Section 6).
- Complaint: Lodge a complaint if you believe we have breached the Australian Privacy Principles.
- Opt out: Unsubscribe from marketing communications at any time.
To exercise any of these rights, please contact us at hello@bldesy.com.au. We will respond to your request within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
9. Cookies
We use cookies and similar tracking technologies to enhance your experience on the Platform. Cookies are small text files stored on your device that help us remember your preferences and understand how you use our Services.
For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
10. Children's Privacy
BLDESY! is not intended for children under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately and we will take steps to delete that information.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on the Platform and updating the “Last updated” date. We encourage you to review this policy periodically.