Privacy Policy for Basegrove

Last Updated: 02 Aug 2025

1. Introduction and Scope

Welcome to Basegrove Corporation ("we," "us," "our"). We provide a cloud-based Construction Sustainability and Compliance Software-as-a-Service platform (the "Services"). Protecting our customers' and their users' private information is our priority.

This Privacy Policy governs the data we collect from visitors to our website and from authorized users of our Services. It is designed to provide transparency into our privacy practices and principles. It details how we collect, use, process, and safeguard your information in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).

This policy distinguishes between two types of data:

  • User Account Data: Personal data we collect about the individuals representing our business customers (the "Users"). For this data, Basegrove is the Data Controller.
  • Customer Data: Data that our customers (the "Customer") and their Users upload, submit, or create within our Services for processing and storage. For this data, the Customer is the Data Controller, and Basegrove is the Data Processor. Our obligations as a processor are further defined in our Data Processing Agreement (DPA) with our Customers.

2. Our Role: Data Controller and Data Processor

To understand our privacy commitments, it is important to distinguish between our roles under GDPR:

  • As a Data Controller, Basegrove determines the purposes and means of processing personal data. This applies to User Account Data—the information we collect for account creation, billing, and direct communication with our customers and their designated users (e.g., your name, email, and company information).
  • As a Data Processor, Basegrove processes data on behalf of our Customers and in accordance with their instructions. This applies to Customer Data—the information you upload into our Services (e.g., project compliance files, supplier details, sustainability metrics). If you are a User of our Services, your employer (the Customer) is the Data Controller for this data, and any questions or requests regarding it should be directed to them.

3. Information We Collect and Process

A. As a Data Controller (User Account Data):

We collect the following information directly from our website visitors and when a User registers for our Services:

  1. Information You Provide Directly:
    • Identity and Contact Data: Full Name, Email, Phone Number.
    • Professional Data: Organization Name, Employees Count, Job Title, or Role.
    • Location Data: Country or Region.
    • Billing Information: Credit card details, billing address, and other payment information, which a secure third-party payment processor processes.
    • Consent Records: We maintain records of your consent to this privacy policy (Privacy Consent) and your preferences for receiving marketing communications (Marketing Consent).
    • Communications: Any information you provide when you fill in the message field, contact our support team, or respond to surveys.
  2. Information We Collect Automatically:
    • Technical and Usage Data: IP Address, USER_AGENT (browser/device type), ORIGIN (referral source), login information, and other diagnostic data related to your interaction with our website and Services.
    • Cookies and Tracking Technologies: We use cookies and similar technologies. For detailed information, please see our separate Cookie Policy.

B. As a Data Processor (Customer Data):

We process the data that you, our Customer, upload into the Services. This may include, but is not limited to, project documentation, compliance records, supplier information, environmental reports, and employee details related to specific projects. The Customer is solely responsible for the type and nature of the personal data contained within its Customer Data. We process this data strictly on the Customer's behalf and according to the instructions outlined in our DPA.

4. How and Why We Use Your Data

A. Use of User Account Data (As Controller):

Purpose of Processing Data Used Legal Basis (under GDPR)
To Provide and Manage the Services Identity, Professional, Contact, Technical Data Performance of a Contract with your organization.
To Process Payments Identity, Contact, Billing Information Performance of a Contract.
To Provide Customer Support Identity, Contact, Communications Performance of a Contract and our Legitimate Interest in retaining customers.
To Send Service-Related Communications Email, Full Name Performance of a Contract (e.g., notifying of maintenance or feature updates).
To Send Marketing Communications Email, Full Name, Org Name Consent. You can opt-out at any time.
For Security, Compliance, and Fraud Prevention IP Address, Technical Data, Identity Data Our Legitimate Interest in protecting our Services and our Legal Obligation to comply with regulations.
To Improve our Website and Services (Analytics) Aggregated Usage Data, Technical Data Consent (for tools like Microsoft Clarity) or Legitimate Interest (for aggregated analytics).

B. Use of Customer Data (As Processor):

Our processing of Customer Data is governed by the DPA with our Customer. Our sole purpose is to provide, maintain, and secure the Services as instructed by the Customer. We will not use Customer Data for any other purpose, such as advertising or our own research, without the Customer's explicit permission.

5. Data Sharing and Disclosure

We do not sell or rent personal data. We may share data under the following limited circumstances:

  1. With Sub-processors: We engage trusted third-party companies to help us provide the Services. These "Sub-processors" are contractually bound to protect the data and only use it for the specific services they provide. Our key Sub-processors include:
    • Cloud Hosting: Hetzner Online GMBH (Germany Data Center - Primary DC, Finland Data Center - DR), Microsoft Azure (KMS), Zoho Catalyst (India Data Center - IAM Management)
    • CRM: HubSpot, Inc.
    • Analytics: Google Analytics and Cloudflare Web Analytics
    • Session Replay: Microsoft Clarity
    • Spam Prevention: Cloudflare Turnstile
    • A full list of our Sub-processors is available to Customers upon request.
  2. For Legal Compliance: We may disclose your information if required to do so by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is necessary to protect our rights, your safety, or the safety of others.
  3. Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of the transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

6. International Data Transfers

Your information will be processed in countries outside of your own, including Germany (for data hosting), Finland (for backup & disaster recovery), India (for auth management) and the United States (where some of our Sub-processors are based). We have implemented robust safeguards to ensure your data is protected when transferred from the UK or EEA. We primarily rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK's Information Commissioner's Office for such transfers.

7. Data Security

We take data security very seriously and have implemented comprehensive measures to protect all data within our platform. These include:

  • Organizational Measures: Regular employee training on data security, strict internal access policies based on the principle of least privilege, and formal incident response plans.
  • Technical Measures: Encryption of data both in transit (using TLS/SSL) and at rest; network firewalls and intrusion detection systems; and regular vulnerability scanning and penetration testing.
  • Physical Measures: Our cloud provider, Hetzner, Zoho, maintains state-of-the-art physical security at its data centers, including 24/7 monitoring, biometric access controls, and environmental controls.

8. Data Retention

  • User Account Data: We retain this data as long as you are a customer and for a reasonable period thereafter to comply with our legal and financial obligations (typically up to 7 years after contract termination). Waitlist data is deleted within one year if you do not become a customer.
  • Customer Data: We retain Customer Data for the duration of the Customer's contract with us. Upon termination, Customer Data will be deleted from our production systems in accordance with the terms of the DPA, typically within 90 days.

9. Your Data Protection Rights

  • For User Account Data (where we are Controller): You have rights including access, rectification, erasure, restriction of processing, data portability, and the right to object. To exercise these rights, please contact our privacy team.
  • For Customer Data (where we are Processor): As we process this data on behalf of our Customers, any individual seeking to exercise their data protection rights for data within our Services must direct their request to the relevant Customer (e.g., your employer). We will assist our Customers in responding to these requests as required by our DPA

10. Children's Privacy

Our Services are designed for a professional business audience and are not intended for individuals under the age of 18 ("Children"). We do not knowingly collect personal data from children. If we discover we have inadvertently collected such data, we will take immediate steps to delete it.

11. Changes to This Privacy Policy

We may update this policy to reflect changes in our practices or for legal reasons. We will notify you of any material changes via email or a notice within the Services. The "Last Updated" date at the top of this policy indicates the latest revision.

12. Contact Us / Data Protection Officer

For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact our designated privacy team: