GDPR Compliance
Effective date: 1 May 2025 · Last updated: 1 May 2025
How BuildIQ implements the EU General Data Protection Regulation as an architectural principle, not a compliance checkbox.
1. Our commitment to GDPR
At BuildIQ, GDPR compliance is a core architectural principle, not an afterthought bolted on after launch. Every system design decision — from how tenant data is isolated, to how AI agents scope their context, to how we handle deletion requests — has been made with the requirements of the GDPR in mind.
Syvanto Pvt Ltd is an Australian company. We proactively meet GDPR standards because our enterprise customers often operate across the EU, UK, and EEA, and because we believe the GDPR represents the global gold standard for data protection and privacy.
2. Lawful basis for processing
Under GDPR Article 6, every processing activity must have a lawful basis. The following bases apply to our processing activities:
Contractual necessity (Article 6(1)(b))
Processing necessary to deliver the BuildIQ service under our contract with you, including account management, platform operation, data storage, and AI agent execution.
Legitimate interests (Article 6(1)(f))
Processing necessary for our legitimate business interests, including security monitoring, fraud prevention, platform improvement, and abuse detection, where these interests are not overridden by your rights.
Consent (Article 6(1)(a))
Processing based on your freely given, specific, and informed consent, including sending marketing emails and product newsletters. You can withdraw consent at any time by unsubscribing or contacting us.
Legal obligation (Article 6(1)(c))
Processing required to comply with legal obligations, including financial record retention, responding to lawful regulatory or court requests, and reporting obligations.
3. Data controller vs data processor
GDPR makes an important distinction between data controllers (who determine the purposes and means of processing) and data processors (who process data on behalf of a controller). For BuildIQ, the roles are as follows:
- For your organisation's construction project data: Your organisation is the data controller. Syvanto acts as a data processor, processing your data only on your instructions and for the purposes of delivering the Service.
- For platform account data (user accounts, billing, support): Syvanto is the data controller, as we determine the purposes and means of processing this data.
Enterprise customers requiring a formal Data Processing Agreement (DPA) documenting this controller/processor relationship can request one at dpa@syvanto.com.
4. Data subject rights under GDPR
If you are located in the EU, UK, or EEA, you have the following rights under the GDPR. To exercise any of these rights, email gdpr@syvanto.com.
Right of access
You can request a copy of all personal data we hold about you. We will respond within 30 days with a structured summary of your data and how it is processed.
Right to rectification
You can correct inaccurate or incomplete personal data at any time via your account settings, or by emailing gdpr@syvanto.com.
Right to erasure
You can request deletion of your personal data. We will fulfil erasure requests within 30 days, except where legal retention obligations apply (e.g., financial records under Australian law).
Right to data portability
You can request an export of your data in a structured, commonly used, machine-readable format (JSON or CSV). Available via account settings or by request.
Right to restrict processing
You can request that we limit how we process your personal data while a dispute is being resolved, for example while you contest the accuracy of data we hold.
Right to object
You can object to processing of your personal data where we rely on legitimate interests as the lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds.
5. Data Processing Agreement (DPA)
Enterprise customers and organisations that process personal data of EU/UK data subjects can request a signed Data Processing Agreement (DPA) from Syvanto. The DPA formally documents the controller/processor relationship, processing purposes, security measures, sub-processor obligations, and data subject rights procedures.
To request a DPA, email dpa@syvanto.com with the subject line "DPA Request — [Your Organisation Name]". We aim to return signed DPAs within 5 business days.
6. Sub-processors
As a data processor, Syvanto engages the following sub-processors to deliver the BuildIQ service. Each sub-processor is contractually bound to GDPR-equivalent data protection obligations:
| Sub-processor | Role | Location | Notes |
|---|---|---|---|
| Supabase | Database hosting and authentication | United States | Data stored in AWS-backed infrastructure. SCCs in place. |
| OpenAI | AI processing for agent operations | United States | API inputs are not retained for model training per OpenAI API terms. |
| Stripe | Payment processing and billing | United States | PCI DSS Level 1 certified. BuildIQ does not store raw card data. |
| Amazon Web Services | Cloud hosting infrastructure | Australia / United States / EU | Enterprise clients may request EU-only data residency. |
We will provide 30 days' notice before adding or replacing sub-processors that have access to personal data, giving customers the opportunity to object.
7. Data transfers outside the EEA
Where we transfer personal data from the EU, UK, or EEA to countries that have not been granted an adequacy decision by the European Commission (including Australia and the United States), we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism, as approved by the European Commission under Decision 2021/914.
Enterprise customers with strict data residency requirements can request that their data be hosted exclusively within EU-based AWS regions. Please contact gdpr@syvanto.com to discuss EU data residency options.
8. Technical and organisational security measures
Syvanto implements the following technical and organisational measures (TOMs) to ensure appropriate security of personal data, in compliance with GDPR Article 32:
- Encryption at rest: AES-256 encryption for all stored data
- Encryption in transit: TLS 1.3 for all data in transit
- Tenant isolation: Dedicated PostgreSQL schema per tenant — no shared tables, no cross-tenant query risk
- Access controls: Role-based access control with principle of least privilege; no standing access for support staff
- Audit logging: Immutable, append-only audit trail for all data access
- Penetration testing: Annual penetration testing conducted by an independent third party
- Vulnerability management: Continuous dependency scanning and security patch management
9. Data breach notification
In the event of a personal data breach, Syvanto will:
- Notify affected data controllers within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Provide a description of the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences
- Describe the measures taken or proposed to address the breach
- Where the breach is likely to result in high risk to data subjects, notify affected individuals directly without undue delay under GDPR Article 34
Breach notifications will be sent to the primary contact email address on your account. Enterprise customers should ensure this address is monitored and up to date.
10. Data Protection Officer
Syvanto has appointed a Data Protection Officer (DPO) who can be contacted at:
- Email: dpo@syvanto.com
- Post: Data Protection Officer, Syvanto Pvt Ltd, Sydney NSW 2000, Australia
11. Right to lodge a complaint
If you believe your GDPR rights have not been respected, you have the right to lodge a complaint with your local supervisory authority. Examples include:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
- Germany: The relevant State Data Protection Authority (Datenschutzbehörde)
- Ireland: Data Protection Commission (DPC) — dataprotection.ie
We encourage you to contact us at gdpr@syvanto.com before escalating to a supervisory authority — we will make every effort to resolve your concern promptly.
12. Contact for GDPR matters
For all GDPR-related requests, questions, and complaints:
- General GDPR enquiries: gdpr@syvanto.com
- Data Processing Agreements: dpa@syvanto.com
- Data Protection Officer: dpo@syvanto.com
Questions about this policy?
Our GDPR and privacy team can help with data subject requests, DPAs, and compliance questions.
contact@syvanto.com