Back to Built Diff

Privacy Policy

Last updated: March 4, 2026

Built Diff ("we," "us," or "our") operates the Built Diff construction project management platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, phone number, company name, and job title. If you sign in via Google or Apple, we receive your name and email from those identity providers.

1.2 Financial Data

If you choose to connect a bank account through our integration with Plaid Inc. ("Plaid"), we access the following data with your explicit consent:

  • Account name, type, and last four digits of account number
  • Account balances (current and available)
  • Transaction history (date, amount, merchant name, category, location)
  • Institution name and identifier

By using our Plaid integration, you acknowledge and agree that your information will be transmitted, collected, processed, and stored by Plaid in accordance with the Plaid End User Privacy Policy.

1.3 Project & Business Data

You may upload or enter project plans, floor plans, budgets, invoices, schedules, photos, videos, team rosters, subcontractor information, material lists, and other construction project data. This data is stored to provide the Service.

1.4 Communications Data

If you use our email integration, walkie-talkie, or AI agent features, we process the content of those communications solely to deliver the functionality you requested.

1.5 Usage & Analytics Data

We automatically collect device type, browser type, IP address, pages visited, and interaction events to improve the Service. Analytics are processed by PostHog and Vercel Analytics.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and secure your account
  • Sync and display your bank account balances and transactions for project financial tracking
  • Generate invoices, track expenses, and manage draw requests
  • Send transactional emails (account verification, invoice delivery, notifications)
  • Power AI features (chat, voice, email agent) at your direction
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

3. How We Share Your Information

We do not sell your personal information. We share data only as follows:

3.1 Service Providers

We use the following third-party processors, each bound by contractual data protection obligations:

  • Supabase — Database hosting, authentication, file storage (US data centers, SOC 2 Type II compliant)
  • Vercel — Application hosting and edge delivery
  • Plaid — Bank account linking and transaction retrieval
  • Modern Treasury — ACH and wire payment processing
  • Telnyx — SMS and voice communications
  • Resend — Transactional email delivery
  • OpenAI — AI agent processing (no training on your data per our API agreement)
  • Google — OAuth authentication, Maps, Gmail integration
  • Mapbox — Map rendering and geocoding

3.2 Legal Requirements

We may disclose information if required by law, subpoena, court order, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

4. Data Security

We implement industry-standard security measures including:

  • Encryption in transit — All data is transmitted over TLS 1.2 or higher. We enforce HSTS with a two-year max-age, including subdomains and preload.
  • Encryption at rest — All database storage is encrypted using AES-256 via our infrastructure provider (Supabase/AWS).
  • Access controls — Role-based access control (RBAC) enforced at the application and database level. Row-Level Security (RLS) policies ensure users can only access their own data.
  • Multi-factor authentication — SMS-based two-factor authentication with cryptographically secure OTP generation and hashed backup codes.
  • Security headers — Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are enforced on all responses.
  • Rate limiting — Authentication endpoints, API routes, and webhook handlers are rate-limited to prevent abuse.
  • Webhook verification — All incoming webhooks from Plaid and other providers are cryptographically verified.

5. Data Retention & Deletion

  • Active accounts — We retain your data for as long as your account is active and as needed to provide the Service.
  • Bank data — Financial data from Plaid is retained only while your bank account connection is active. When you disconnect an account, we revoke the Plaid access token and delete associated transaction data within 30 days.
  • Account deletion — You may request complete deletion of your account and all associated data by contacting us at privacy@builtdiff.com. We will process deletion requests within 30 days, except where retention is required by law.
  • Backups — Encrypted backups may retain deleted data for up to 90 days before automatic purging.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request correction of inaccurate or incomplete data
  • Deletion — Request deletion of your personal data
  • Portability — Request your data in a structured, machine-readable format
  • Objection — Object to processing of your data for certain purposes
  • Withdrawal of consent — Withdraw consent for bank account access at any time by disconnecting your accounts

To exercise any of these rights, contact us at privacy@builtdiff.com.

7. Cookies & Tracking

We use essential cookies for authentication and session management. We use PostHog for product analytics, which may set first-party cookies. We do not use third-party advertising cookies or sell data to advertisers.

8. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

9. State-Specific Disclosures

California (CCPA/CPRA)

California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information. To make a request, email privacy@builtdiff.com.

Other US States

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with consumer privacy laws may exercise their applicable rights by contacting us at the email above.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

See also: Terms of Service