Soft launch — this is the live notice.
BuildCompare is in soft launch. We process minimal personal data, run essential cookies and cookieless Cloudflare Web Analytics, and — only with your consent via the cookie banner — Google Analytics 4. We will update this notice in line with our actual practice as the product evolves. Last updated 2026-05-19.
Who we are
This notice explains how Ross Churchill, sole trader, trading as BuildCompare ("we", "us") collects and uses your personal data when you use buildcompare.co.uk, app.buildcompare.co.uk, our support channels and any related services. We are the controller of your personal data unless this notice says otherwise.
You can contact us by email at privacy@buildcompare.co.uk. A postal correspondence address is available on request — email us and we will provide it. Our Privacy Lead is Ross Churchill.
The personal data we collect
Depending on how you use BuildCompare, we may collect:
- • Email address — for early-access signup, magic-link sign-in, support and account notices.
- • Sign-in tokens and authentication logs — one-time magic-link tokens, login timestamps and IP for fraud/abuse detection.
- • IP address, browser and device information — for rate-limiting, abuse prevention and diagnostics.
- • Cookies and similar identifiers — see our Cookie notice.
- • Search terms and click activity — what you search for and which merchant cards you click through to. Used for service improvement and affiliate accounting.
- • Saved baskets and account preferences — products you add to a basket and your stored settings (departments, location preference, sort order).
- • Optional postcode or location — only if you choose to provide it for "nearest branch" features.
- • Affiliate / click attribution data — anonymous click IDs and referral parameters used to reconcile commissions with merchants.
- • Support correspondence and bug reports — when you email us or submit feedback.
- • Billing and subscription data — only if a paid plan launches and you subscribe.
We do not intentionally collect special-category personal data (such as health, religion or ethnicity). Please don't include sensitive information in free-text fields or support emails unless we specifically ask for it.
How we use your data and our lawful bases
Under UK GDPR we must have a lawful basis for each purpose. Our bases by activity:
- • Account, sign-in, search, saved baskets, subscription delivery — Contract (or pre-contract steps at your request).
- • Optional marketing / early-access emails — Consent. You can withdraw at any time.
- • Service security, fraud detection, debugging, affiliate accounting, proportionate analytics — Legitimate interests. We balance our interest against your rights and document the assessment.
- • Tax records, accounting, responding to lawful requests — Legal obligation.
- • Non-essential cookies or similar technologies (if we ever add any) — Consent.
Location data
If you choose to use location features (such as "nearest branch" or local stock), the app sends your postcode or browser-permission coordinates to our servers only for the duration of the request. We compute the nearest-branch result and return it — we do not retain raw location data server-side beyond that request. Your chosen branch preference is stored locally in your browser (localStorage). We do not use precise location for behavioural advertising.
Cookies and similar technologies
We use essential cookies required for the service to function — session, CSRF protection, rate-limiting and your locally saved preferences. Your cookie-banner decision is recorded as bc_consent, scoped to .buildcompare.co.uk so it carries across the marketing site and the app without you having to choose twice. We use Cloudflare Web Analytics, which is a cookieless analytics service: no cookies, no fingerprinting, no cross-site tracking, no personal identifiers. We also use Google Analytics 4 for richer reporting, gated by a cookie banner — Google Analytics cookies are only set after you click "Accept analytics", and we run Google's Consent Mode v2 so the tag respects your choice. Full detail in our Cookie notice.
Who we share personal data with
We use a small number of carefully chosen service providers that process personal data on our behalf:
- • OVHcloud (France) — application database and primary hosting.
- • Purelymail (United States) — email delivery (account magic-links, support, transactional notices). Purelymail is contracted as a processor; transfer safeguards described below.
- • Cloudflare — DNS, edge proxy, DDoS protection and cookieless Web Analytics.
- • Google (Ireland) Limited — Google Analytics 4. Loaded only with your consent via the cookie banner. Property ID G-CS5PBCH62T. Transfers covered by the EU Standard Contractual Clauses + UK IDTA (Google's standard data-processing terms).
- • QNAP (United Kingdom) — encrypted backup mirror.
When you click through to a merchant via a BuildCompare result, that merchant becomes a separate controller for their own checkout, fulfilment and any tracking they do on their site. We do not transmit personal account data to merchants; they may receive a click reference and any tracking parameters built into our affiliate links. Read each merchant's own privacy notice for detail.
We may also share personal data where the law requires it, or where necessary to establish, exercise or defend legal claims.
Where your data is stored and international transfers
Our primary servers are located in France (OVHcloud, Gravelines). Backups are stored in France and the United Kingdom. Cloudflare operates global infrastructure and may serve traffic from multiple regions for performance.
Where we transfer personal data from the UK to providers in the EEA, we rely on the UK's adequacy regulations for EEA destinations. Where personal data is transferred from the EEA back to the UK, the EU's renewed adequacy decision for the UK applies (in force until 27 December 2031). For Purelymail (United States) we rely on contractual safeguards including Standard Contractual Clauses with the UK International Data Transfer Addendum. If we use a provider outside the UK or EEA in future, or if adequacy arrangements change, we will use an appropriate safeguard such as SCCs, the UK Addendum or the UK IDTA and run a transfer-risk assessment.
How long we keep personal data
We keep personal data only for as long as necessary for the purposes set out above, then delete or anonymise it unless we must keep it for legal reasons. Current retention defaults:
- • Magic-link sign-in tokens — 15 minutes, invalidated on use.
- • Server access and security logs — 30 days.
- • Anonymous baskets — 30 days from last activity.
- • Account profile and settings — kept while your account is active, then deleted or anonymised within 30 days of closure (except where another retention duty applies).
- • Saved orders and basket history (account-linked) — up to 24 months after last account activity, unless you delete sooner.
- • Search history linked to an account — 6 months, then aggregated or anonymised.
- • Optional postcode / location — not retained server-side beyond the request.
- • Affiliate click / reconciliation records — 12 months. Network commissions (e.g. TopCashback-style flows) can take many months to settle; 12 months covers the longest realistic reconciliation + dispute window.
- • Support emails and bug reports — 12 months after the ticket is closed.
- • Billing and accounting records — 6 years from the end of the relevant tax year (HMRC requirement).
- • Backup copies — 35-day rolling cycle; deleted data is put beyond use and overwritten on the next cycle.
Security
We apply appropriate technical and organisational measures to protect personal data, proportionate to the risk. Current controls include encrypted connections (TLS in transit), encryption at rest for the production database, role-based access with least-privilege, multi-factor authentication on admin and backup consoles, secrets stored in HashiCorp Vault (not in code or configuration files), security logging and alerting, regular patching, vendor due diligence with Article 28 processor contracts, and a documented incident-response process. No online service can guarantee absolute security, but we design our controls around the actual risks the service faces.
Your rights
Under UK GDPR you have, subject to the law and the particular processing, the right to:
- • Access — request a copy of the personal data we hold about you.
- • Rectification — ask us to correct inaccurate or incomplete data.
- • Erasure — ask us to delete your data ("right to be forgotten").
- • Restriction — ask us to limit how we use your data.
- • Objection — object to processing based on legitimate interests or direct marketing.
- • Portability — receive certain data in a machine-readable format, where the processing is automated and based on consent or contract.
- • Withdraw consent — at any time, as easily as you gave it (for any activity we rely on consent for).
Some rights apply only in certain circumstances. We may need to keep some data where the law requires it (e.g. tax records). To exercise your rights, email privacy@buildcompare.co.uk. We aim to respond without undue delay and usually within one month. We may need to verify your identity before fulfilling a request.
Automated decision-making and profiling
We do not currently make significant decisions about you based solely on automated processing. We use limited automated tools to rank search results (by price and your selected filters), detect technical abuse and analyse aggregate service performance. None of these tools makes decisions with legal or similarly significant effects on you. If we ever introduce solely automated decision-making that has such effects, we will update this notice and explain the safeguards available, including how to request human review.
Children's data
BuildCompare is intended for trade and DIY users (typically aged 18+) and is not designed for children. We do not knowingly collect personal data from children for account, subscription or marketing purposes. If we learn that we have collected children's data inadvertently, we will take appropriate steps to delete or protect it. If our service later becomes likely to be accessed by children, we will apply the ICO's Children's Code and update this notice accordingly.
Complaints
If you have a privacy concern, please contact us first at privacy@buildcompare.co.uk so we can try to resolve it.
You also have the right to complain to the UK Information Commissioner's Office (ICO):
- • Postal: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- • Helpline: 0303 123 1113
- • Web: ico.org.uk
If EU GDPR applies to a particular processing activity, you may also have the right to complain to an EU supervisory authority, including the CNIL in France (3 Place de Fontenoy, 75007 Paris; +33 1 53 73 22 22; cnil.fr).
Changes to this notice
We may update this notice from time to time to reflect changes in our service, providers or legal obligations. Where a change materially affects how we use your personal data, we will take reasonable steps to bring that change to your attention before or when the change takes effect. The "Last updated" date below tells you when the notice was last revised.
Last updated: 2026-05-19. See also: Cookie notice · Terms of service · Affiliate disclosure.