Privacy Policy

LINTEL is operated by LINTEL BUILD LTD (trading as LINTEL), a company registered in England and Wales with company number 17061261.

• Contact email: oliver@lintel.build
• Website: https://lintel.build
• Company number: 17061261
• Registered office: 10 Lulworth Close, Hayling Island, Portsmouth, Hampshire, PO11 0NY
• Place of registration: England and Wales

In the context of data protection law, LINTEL acts as a data processor when handling personal data about subcontractor recipients on behalf of the GC (the data controller). LINTEL acts as a data controller for the personal data of GC users who create accounts on our platform.

GC user account data (controller)

• Email address (used for authentication via magic-link sign-in)
• Full name (provided during account setup)
• Organisation membership and role

Document request data (processor, on behalf of GC)

• Recipient email address
• Recipient phone number (where provided by the GC)
• Document label, project name, project code, folder destination
• Vendor name, document type
• Organisation name and requester name (displayed to the recipient for trust)

Upload metadata (processor)

• Original filename, generated filename, file size, and content type
• Timestamps: request creation, upload submission, Procore write confirmation

Event and audit data (processor)

• Event records for request lifecycle milestones (e.g. link opened, upload completed, notification sent), including notification channel and delivery status

Organisation data (controller)

• Organisation name, Procore company identifier, and logo (if uploaded)
• Procore OAuth connection data (encrypted; see Security section)
• Billing contact email address, subscription tier, and payment status (processed by Stripe; LINTEL does not store payment card details)

Technical and infrastructure data

LINTEL does not store IP addresses, user-agent strings, or device fingerprints in its application database. However, our infrastructure providers (Supabase, Resend, Twilio) may process such data in their standard server logs as part of delivering their services, subject to their own privacy policies.

Purpose	Data used	Lawful basis
Deliver upload links to recipients	Recipient email, phone	Legitimate interest of the GC (managing compliance)
Send reminder notifications	Recipient email, phone	Legitimate interest of the GC
Write uploaded files to Procore	File content, metadata, Procore connection	Performance of a contract (the GC’s agreement with LINTEL)
Generate compliant filenames	Vendor, doc type, project code, naming policy	Performance of a contract
Maintain audit trail	Event records, timestamps	Legitimate interest (compliance evidence for the GC)
Authenticate GC users	Email address, session tokens	Performance of a contract (providing the LINTEL service)
Process subscription payments	Billing email, payment method (via Stripe)	Performance of a contract (providing the LINTEL service)

Where we send SMS notifications to recipients, this is done on the instruction of the GC. The GC is responsible for ensuring it has a lawful basis to provide recipient contact details to LINTEL.

We use the following third-party sub-processors to deliver the LINTEL service:

Sub-processor	Role	Data residency	Transfer safeguard
Supabase Inc	Database, authentication, edge functions, storage (org logos)	EU West (Ireland)	N/A (EU-based)
Resend (Plus Five Five, Inc)	Transactional email delivery	United States	Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreement
Twilio Inc	SMS notification delivery	United States	Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs)
Procore Technologies Inc	Destination platform (document write-back via API)	Per the GC’s own Procore contract	Per the GC’s own Procore agreement
Stripe, Inc	Subscription billing and payment processing	United States	Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreement

We do not sell, rent, or share personal data with third parties for marketing purposes.

Your data is primarily stored in the EU West (Ireland) region via Supabase. Where data is transferred to sub-processors located in the United States (Resend, Twilio, Stripe), we rely on the following transfer mechanisms as permitted under UK GDPR:

• Standard Contractual Clauses (SCCs) as approved by the European Commission
• UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
• Binding Corporate Rules (BCRs) where maintained by the sub-processor (Twilio)

Data transferred to Procore is governed by the GC’s own agreement with Procore Technologies Inc and their applicable data transfer mechanisms.

Data category	Retention period
Uploaded files	Transient. Files are read into memory from the recipient’s upload and written directly to Procore. They are not stored in LINTEL’s infrastructure.
Document request metadata and event logs	12 months after request expiry, to provide an audit trail for the GC. Deletion is carried out on request or as part of scheduled retention reviews.
GC user accounts	Retained for the duration of the service relationship. Deleted upon account closure or termination of the service agreement.
Procore OAuth tokens	Retained (encrypted) while the Procore connection is active. Revoked and deleted on disconnection or termination.

GCs may request early deletion of data at any time by contacting oliver@lintel.build.

Under UK GDPR, you have the following rights in relation to your personal data:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate or incomplete data.
• Right to erasure — request deletion of your personal data where there is no compelling reason for continued processing.
• Right to restriction — request that we limit how we use your data.
• Right to data portability — receive your data in a structured, commonly used, machine-readable format.
• Right to object — object to processing based on legitimate interest.

To exercise any of these rights, contact oliver@lintel.build. We will respond within one calendar month.

For subcontractor recipients: your personal data is processed by LINTEL on behalf of the GC (the data controller). In the first instance, please direct data subject requests to the GC that created the document request. We will assist the GC in fulfilling your request.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

Landing site (lintel.build): this website does not use cookies or local storage. No analytics or tracking scripts are loaded.

LINTEL application (app): the application uses browser local storage to persist Supabase authentication session tokens for signed-in GC users. These are strictly necessary for the service to function and are not used for tracking or advertising.

We do not use any third-party advertising, analytics, or tracking cookies.

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption in transit (TLS/HTTPS for all connections)
• Encryption at rest (Supabase managed encryption)
• AES-GCM encryption of stored Procore OAuth access and refresh tokens
• Row Level Security (RLS) on all database tables, enforcing organisation-scoped access
• Unguessable UUID-based upload links (no sequential or predictable identifiers)
• CSRF-protected OAuth state tokens with automatic 10-minute expiry
• File type validation on upload (PDF by default; JPEG when photo uploads are enabled for the organisation), with a 50 MB maximum
• Service-role isolation in server-side functions

LINTEL is a business-to-business service designed for use by construction industry professionals. We do not knowingly collect personal data from anyone under 16 years of age. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the “Effective date” at the top of this page and, where appropriate, by notifying affected GC users by email. Continued use of the service after changes take effect constitutes acceptance of the revised policy.

This section applies to individuals whose personal data is subject to US state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and similar state legislation.

Categories of personal information

In the preceding 12 months, we have collected the following categories of personal information as defined under the CCPA:

• Identifiers — name, email address, phone number.
• Commercial information — records of document requests and uploads.
• Internet or other electronic network activity — upload events and notification delivery records.

Use and disclosure

We use personal information solely for the business purposes described in this Privacy Policy. We do not sell or share personal information for cross-context behavioural advertising. We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA.

Your California rights

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of your personal information
• Request correction of inaccurate personal information
• Opt out of the sale or sharing of personal information (we do not sell or share)
• Non-discrimination for exercising your rights

To exercise these rights, contact oliver@lintel.build.

Service provider role

Where LINTEL processes personal information on behalf of a GC, LINTEL acts as a service provider (as defined under the CCPA). We process personal information only for the specific business purposes set out in our agreement with the GC and do not retain, use, or disclose it for any other commercial purpose.

For any questions about this Privacy Policy, or to exercise your data protection rights:

• Email: oliver@lintel.build
• Registered office: LINTEL BUILD LTD, 10 Lulworth Close, Hayling Island, Portsmouth, Hampshire, PO11 0NY
• Company number: 17061261
• Place of registration: England and Wales