Privacy Policy
Last updated: May 2026
1. About This Policy
This Privacy Policy explains how BuildFair Pty Ltd (“BuildFair”, “we”, “us”, “our”) collects, uses, stores, discloses, and protects your personal information when you use our construction payments platform, website, mobile application, and related services (collectively, the “Platform”).
We are committed to complying with the Privacy Act 1988 (Cth) (“Privacy Act”) and the thirteen Australian Privacy Principles (“APPs”). We voluntarily comply with these obligations regardless of whether we meet the annual turnover threshold, because we handle sensitive financial information and believe our users deserve full privacy protection.
This policy applies to all users of the Platform, including builders, subcontractors, suppliers, project owners, and visitors to our website at buildfair.com.au.
2. Information We Collect
2.1 Information you provide directly
- Account and registration information: full name, email address, phone number, business name, ABN/ACN, business address, and your role on the Platform (builder, subcontractor, supplier, or project owner).
- Identity verification (KYC/KYB): government-issued identification documents (driver’s licence, passport), proof of business registration, director and beneficial owner details, as required under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (“AML/CTF Act”).
- Financial information: bank account details (BSB, account number, account name), payment instructions, invoice data, progress claim details, contract values, and transaction history.
- Project information: project names, addresses, contract details, variations, defects, inspection records, and progress payment schedules.
- Communications: messages, emails, support requests, and other correspondence you send to us or through the Platform.
- Subscription billing details: for paid plans, your chosen payment method (credit card or bank direct debit) is collected and tokenised inside the hosted iframe of our subscription billing provider, Zenith Payments. We never see or store your full card number or bank account number, only the tokenised reference required to bill renewals.
- Supplier invoices forwarded to project email: PDF attachments and email content you (or your suppliers) forward to a project email address, processed for invoice extraction.
2.2 Information we collect automatically
- Device and browser information: IP address, device type, operating system, browser type and version, screen resolution, and device identifiers.
- Usage data: pages visited, features used, click patterns, session duration, login timestamps, and navigation paths.
- Location data: general geographic location inferred from your IP address. We do not collect precise GPS location unless you explicitly enable it in the mobile application.
- Log data: server logs, error reports, and performance data.
2.3 Information we receive from third parties
- Identity verification providers: results of KYC/KYB checks conducted through Sumsub.
- Payment processors: transaction confirmations, settlement details, and compliance-related information from our card-processing partner ZenPay and our funds-holding partner Kobble (which operates under AFSL 545391, Yondr Money Pty Ltd).
- Subscription billing provider: subscription payment status, billing cycle, and tokenised payment instrument references from Zenith Payments (used to charge platform subscriptions).
- Banks and financial institutions: bank feed data where you have authorised a connection, including transaction descriptions, amounts, dates, and balances, used for bank reconciliation.
- Publicly available information: business registration details from ASIC, ABN Lookup, and similar public registers.
2.4 Sensitive information
We do not generally collect sensitive information as defined under APP 3. However, where identity verification requires biometric comparison (e.g. facial recognition matching against a government ID), we will only collect such information with your explicit consent and solely for the purpose of AML/CTF compliance.
3. How We Use Your Information
3.1 Providing the Platform
- Creating and managing your account.
- Processing payments, progress claims, and invoices between parties on a project.
- Maintaining the double-entry immutable ledger that records all financial transactions.
- Facilitating project management, contract administration, and compliance tracking.
- Processing supplier invoices forwarded to project email addresses, including OCR text extraction and AI-assisted field extraction to draft invoices for builder approval.
- Charging your platform subscription using a tokenised card or bank direct debit instrument held by Zenith Payments.
- Generating reports, audit trails, and compliance exports.
3.2 Legal and regulatory compliance
BuildFair is not currently a regulated AUSTRAC reporting entity. We perform identity verification, ongoing due diligence, and transaction monitoring as a matter of policy because verifying every party on the platform is part of how we make construction payments trustworthy. Where we believe a transaction is suspicious, or where we are required to do so by law, we may share information with regulators or law enforcement.
- Performing customer identification, ongoing due diligence, and transaction monitoring as a matter of policy.
- Complying with Security of Payment Act requirements in your state or territory.
- Responding to lawful requests from regulators, law enforcement, or courts.
- Maintaining records as required by Australian taxation and corporate law.
3.3 Platform improvement and communication
- Analysing usage patterns to improve features, performance, and user experience.
- Sending transactional notifications (invoice approvals, payment confirmations, project updates).
- Sending service announcements, security alerts, and policy updates.
- Providing customer support and responding to your enquiries.
3.4 Security and fraud prevention
- Detecting, preventing, and investigating fraud, unauthorised access, and other security incidents.
- Monitoring for suspicious transactions or activity on the Platform.
- Enforcing our Terms of Service.
We will not use your personal information for direct marketing without your prior consent. You may withdraw marketing consent at any time by contacting us or using the unsubscribe mechanism in any marketing communication.
4. Automated Decision-Making
BuildFair uses automated processes in certain areas of the Platform, including:
- Invoice OCR and AI-assisted field extraction: supplier invoices forwarded to your project email address are processed using AWS Textract (optical character recognition) and Anthropic’s Claude model running on AWS Bedrock to extract supplier details, line items, totals, GST, and project references. The extracted draft invoice is presented to the builder for review and approval. No payment is made on the basis of the extraction alone.
- Invoice matching and categorisation: automated systems match extracted supplier and project references against existing platform records, flagging mismatches for human review.
- Bank reconciliation: automated matching of bank transactions against ledger entries to identify discrepancies.
- Payment workflow rules: configurable rules for hold periods, dual-approval thresholds for variations, and payment scheduling.
- Fraud and anomaly detection: automated monitoring of transaction patterns to flag potentially suspicious activity for human review.
These automated processes assist in the operation of the Platform but are subject to human oversight. No automated decision made by the Platform will have a significant adverse effect on you without human review. You have the right to request information about how any automated decision affecting you was made, and to request human review of that decision.
This disclosure is provided in accordance with the automated decision-making transparency requirements under the Privacy and Other Legislation Amendment Act 2024, effective 10 December 2026.
5. Who We Share Your Information With
5.1 Other Platform users
Information necessary for the operation of a project is shared between parties on that project. For example, a builder will see subcontractor business names, invoice details, and payment status for their project. A subcontractor will see the builder’s business name and project details. We only share information relevant to the project relationship.
5.2 Service providers
We engage third-party service providers who process personal information on our behalf, subject to contractual obligations to protect that information:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| ZenPay (card processing) and Kobble (project accounts and payouts; AFSL 545391, Yondr Money Pty Ltd) | Project payment processing and fund holding | Name, bank details, transaction data | Australia (primary) |
| Zenith Payments | Subscription billing (card and direct debit) | Name, email, tokenised payment instrument, billing status | Australia |
| Amazon Web Services (compute, storage, DB) | Cloud hosting and infrastructure | All Platform data (encrypted) | Sydney (ap-southeast-2) |
| AWS SES | Inbound supplier email ingestion | Email content and attachments forwarded to project addresses | Sydney (ap-southeast-2) |
| AWS Textract | Optical character recognition for invoice PDFs | Invoice PDF content (transient processing only) | Sydney (ap-southeast-2) |
| AWS Bedrock (Anthropic Claude) | AI-assisted invoice field extraction | Extracted invoice text (no full PDFs sent to model) | United States (Bedrock model availability) |
| Sumsub | Identity verification (eKYC/KYB) | Government ID, business registration | EU / US |
| Twilio | SMS notifications (MFA codes) | Phone number, message content | US (primary) |
| Resend | Transactional email delivery | Name, email, notification content | US (primary) |
| Google Places | Address autocomplete and geocoding for project sites | Address strings typed during project setup | US (Google global infrastructure) |
| PostHog | Product analytics (usage and feature adoption) | Pseudonymised user identifier, feature usage events; no financial data | US |
| Grafana Cloud | Logs, metrics, and tracing for service reliability | Service logs, request metadata; user identifiers may appear incidentally in log lines | US |
5.3 Regulatory and legal disclosures
We may disclose personal information where required or authorised by law, including to:
- AUSTRAC, in connection with AML/CTF obligations.
- ASIC, in connection with corporate and financial services regulation.
- Australian Taxation Office, in connection with tax reporting obligations.
- Courts, tribunals, or dispute resolution bodies, in connection with legal proceedings.
- Law enforcement agencies, in response to lawful requests.
- Office of the Australian Information Commissioner (OAIC), in connection with privacy complaints or investigations.
5.4 Business transactions
In the event of a merger, acquisition, restructure, or sale of all or part of our business, personal information may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this policy that result from it.
6. Cross-Border Disclosure of Personal Information
We store all primary Platform data in AWS’s Sydney region (ap-southeast-2) within Australia. However, some personal information may be transferred overseas in the following circumstances:
- Payment and funds-holding providers (ZenPay and Kobble) may operate global infrastructure, and some processing may occur outside Australia in connection with international payment networks.
- Zenith Payments processes subscription billing in Australia. Card network authorisations may transit international networks (Visa, Mastercard, American Express) outside Australia in the normal course of card processing.
- AWS Bedrock processes AI-assisted invoice extraction in the United States, because Anthropic’s Claude model is not currently hosted in the AWS Sydney region. Only extracted invoice text (not full PDFs or financial transaction data) is sent to the model.
- Sumsub may process identity verification data in the European Union or United States.
- Twilio processes SMS delivery through infrastructure primarily located in the United States.
- Resend processes transactional email delivery through infrastructure primarily located in the United States.
- Google Places processes address autocomplete queries through Google’s global infrastructure (primarily United States).
- PostHog processes product analytics events in the United States.
- Grafana Cloud processes logs, metrics, and traces in the United States.
Before disclosing personal information overseas, we take reasonable steps to ensure that the overseas recipient handles the information in accordance with the APPs (APP 8), including through enforceable contractual arrangements that require equivalent data protection standards.
7. Government Identifiers
We collect government identifiers (such as driver’s licence numbers, passport numbers, and tax file numbers) only where required or authorised by law, specifically for identity verification under the AML/CTF Act and for tax reporting obligations under the Taxation Administration Act 1953 (Cth). We do not use government identifiers as our own identifier for you, nor do we disclose them except as required by law (APP 9).
8. Data Quality
We take reasonable steps to ensure the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant (APP 10). You can update your profile, company details, and contact information through your account settings at any time. Some changes (such as bank account details) may require re-verification for security purposes.
9. Data Security
We implement both technical and organisational measures to protect your personal information, in accordance with APP 11 as strengthened by the Privacy and Other Legislation Amendment Act 2024.
9.1 Technical measures
- All data encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Multi-factor authentication (MFA) available for all user accounts.
- Role-based access controls restricting access based on job function and need-to-know.
- Row-level security enforcing tenant isolation so users can only access data belonging to their own organisation and projects.
- Regular penetration testing, vulnerability scanning, and security audits.
- Automated monitoring and alerting for security incidents.
- Database backups encrypted and stored in geographically separated locations within Australia.
9.2 Organisational measures
- Access to personal information limited to personnel who require it for their role.
- All personnel with access to personal information bound by confidentiality obligations.
- Access privileges reviewed regularly and revoked promptly when no longer needed.
- Security incident response procedures documented and tested.
- Third-party service providers assessed for security practices before engagement.
10. Access, Correction, and Deletion
10.1 Access (APP 12)
You may request access to the personal information we hold about you. We will respond within 30 days. We may charge a reasonable fee for requests requiring substantial effort, but will inform you of any fee before proceeding.
10.2 Correction (APP 13)
You may request that we correct any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond within 30 days. If we refuse to correct information, we will provide written reasons and inform you of your right to request that a statement of the correction sought be associated with the information.
10.3 Account deletion
You may request deletion of your account and associated personal information. We will delete or de-identify your information within 30 days, except where we are required by law to retain it (see Section 13).
Deletion of your account may affect other users on shared projects. We will handle deletions in a way that preserves the integrity of project records and the immutable ledger while removing your personal identifiers where possible.
10.4 Data export
You may request an export of your personal data in a standard, machine-readable format. Exports include your profile data, transaction history, invoices, and project records. Contact us at privacy@buildfair.com.au to request an export.
11. Notifiable Data Breaches
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:
- Conduct an assessment within 30 days (or sooner where practicable) to determine whether the breach is an “eligible data breach”.
- Promptly notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if the breach meets the threshold of serious harm.
- Include in our notification: a description of the breach, the kinds of information involved, and recommended steps for affected individuals.
12. Cookies and Tracking Technologies
Our Platform uses cookies and similar technologies for the following purposes:
- Strictly necessary cookies: required for authentication, session management, and security. These cannot be disabled.
- Product analytics: we use PostHog to understand how users interact with our Platform (pages visited, features used, session length) so we can improve the experience. PostHog uses a pseudonymised identifier. We do not send PostHog any financial data, KYC documents, payment instruments, or invoice content. Analytics can be disabled in your browser settings.
We do not use advertising or third-party tracking cookies. We do not sell your personal information to third parties. You can configure your browser to refuse cookies, though this may affect your ability to use the Platform.
13. Data Retention
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, and as required by law:
| Data category | Retention period | Legal basis |
|---|---|---|
| Account information | Duration of account + 7 years after closure | AML/CTF Act, Income Tax Assessment Act |
| Transaction and payment records | 7 years from the date of the transaction | AML/CTF Act, Corporations Act, tax law |
| KYC/KYB identity documents | 7 years after end of customer relationship | AML/CTF Act (s 112) |
| Project records | 7 years from project completion | Limitation periods, Security of Payment Act, tax law |
| Bank reconciliation data | 7 years from the date of the transaction | Tax law, audit requirements |
| Usage and analytics data | 2 years from collection | Internal policy |
| Support correspondence | 3 years from resolution | Internal policy |
| Server and security logs | 1 year from creation | Internal policy |
When personal information is no longer required, we will take reasonable steps to destroy or de-identify it using secure deletion methods in accordance with industry standards.
14. Children's Privacy
BuildFair is a business-to-business platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it as soon as practicable.
15. Anti-Money Laundering and Counter-Terrorism Financing
As set out in Section 3.2, BuildFair is not currently a regulated AUSTRAC reporting entity, but we verify every party on the Platform as a matter of policy. Specifically, we:
- Verify the identity of all users before they can transact on the Platform.
- Monitor transactions for unusual or suspicious activity and review flagged matters internally.
- Maintain internal compliance procedures, including risk assessments and policy reviews.
- Retain identity verification and transaction records for at least 7 years for tax and audit purposes.
The collection and retention of personal information for these purposes is a condition of using our Platform.
16. Direct Marketing
We may use your personal information to send you communications about our services, features, and updates that are relevant to your use of the Platform (APP 7). You can opt out of marketing communications at any time by:
- Clicking the “unsubscribe” link in any marketing email.
- Updating your communication preferences in account settings.
- Contacting us at privacy@buildfair.com.au.
Opting out of marketing communications will not affect transactional or security-related notifications necessary for your use of the Platform.
17. Anonymity and Pseudonymity
You have the option of not identifying yourself, or using a pseudonym, when browsing our public website or making general enquiries (APP 2). However, due to the nature of our services (including payment processing, identity verification under the AML/CTF Act, and contractual obligations), it is impracticable for us to provide Platform services to individuals who have not identified themselves.
18. Complaints
If you believe we have breached the APPs or mishandled your personal information, you may lodge a complaint with us:
- Email: privacy@buildfair.com.au
- Subject line: “Privacy Complaint”
We will acknowledge your complaint within 5 business days and provide a written response within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
- Mail: GPO Box 5218, Sydney NSW 2001
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on our Platform and, where appropriate, by email or in-app notification. The “Last updated” date at the top of this page indicates when this policy was most recently revised.
Your continued use of the Platform after changes are posted constitutes your acknowledgement of the updated policy.
20. Contact Us
If you have questions about this Privacy Policy or how we handle your personal information, contact our Privacy Officer:
- Email: privacy@buildfair.com.au
- General enquiries: support@buildfair.com.au
For unresolved complaints, contact the Office of the Australian Information Commissioner: www.oaic.gov.au | 1300 363 992 | enquiries@oaic.gov.au | GPO Box 5218, Sydney NSW 2001