Biltevo

Privacy policy

Last updated: 9 May 2026

This policy explains what personal data Biltevo collects, why we collect it, and how we look after it. Biltevo is a programme management tool for construction subcontractors. The service is operated by [Biltevo operating entity — replace with registered name and number] (“Biltevo”, “we”, “us”).

1. Who controls your data

Where you sign up directly, Biltevo is the data controller for your account information. Where your employer invites you onto a project that they pay for, your employer (the “Customer”) is the controller and Biltevo is a data processor acting on their instructions.

2. What we collect

  • Account data: email address, full name, password (hashed by Supabase Auth), MFA enrolment.
  • Company & project data: company name, project metadata, programmes, tasks, dependencies, baselines, site reports, audit log entries.
  • Operational data: tags, comments, photographs you attach to site reports, manning records.
  • Usage and security data: IP address, user agent, request timestamps, audit-log entries for sensitive actions, error reports.

We do not collect special-category data and we ask you not to upload it. We do not sell your data and we do not use it to train machine-learning models.

3. Lawful basis

  • Contract — to provide the service you signed up for.
  • Legitimate interests — to keep the service secure (rate-limiting, abuse detection, audit logs) and to prevent fraud.
  • Legal obligation — to retain audit records where required by law or where evidentially relevant to a construction dispute.
  • Consent — for any optional marketing communication you opt into.

4. Subprocessors

The service is built on the following third-party processors. Each operates under its own DPA and security commitments.

  • Supabase, Inc. — database (PostgreSQL), authentication, file storage. EU region.
  • Vercel Inc. — web application hosting, edge delivery.
  • Fly.io, Inc. — API hosting (London region).
  • Intuition Machines, Inc. (hCaptcha) — bot protection on signup.
  • Functional Software, Inc. (Sentry) — error reporting, when enabled.
  • GitHub, Inc. — source code hosting (no production data).

We will tell you before adding a new subprocessor that processes Customer data, and you may object before the change takes effect.

5. International transfers

Where data leaves the UK or the EEA — for example, to a US-based subprocessor for support purposes — the transfer is protected by the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an equivalent recognised mechanism.

6. Retention

  • Active accounts: kept for as long as your account is active.
  • Deletion requests: when you request account deletion, your account is anonymised within 30 days. The 30-day buffer is to allow recovery from accidental deletion.
  • Audit logs: programme audit-log entries are retained for the lifetime of the project plus six years, because they may be evidentially relevant to a construction dispute (Limitation Act 1980).
  • Backups: encrypted database snapshots are retained for 7 days.

7. Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you,
  • have inaccurate data corrected,
  • have your data erased (subject to the audit-log retention above),
  • port your data to another service,
  • restrict or object to certain processing,
  • complain to the Information Commissioner’s Office at ico.org.uk.

To exercise any of these rights, email privacy@biltevo.co.uk. We’ll respond within one calendar month.

8. Cookies and storage

Biltevo uses strictly necessary cookies and local storage only, for authentication and to keep the app working offline on a mobile device. We do not use advertising or analytics cookies.

9. Security

Data in transit is encrypted with TLS. Data at rest is encrypted by our database provider. Multi-tenant access is enforced at the database level via row-level security. We support TOTP multi-factor authentication on every account. To report a security issue, email security@biltevo.co.uk.

10. Children

Biltevo is a B2B tool and is not directed at children under 16.

11. Changes

If we make material changes to this policy we will notify account holders by email at least 14 days before the change takes effect. The current version is always at /privacy with the “last updated” date at the top.

12. Contact

Privacy: privacy@biltevo.co.uk
Security: security@biltevo.co.uk