Supasite Privacy Policy

BuildPass Pty Ltd (ACN 652 324 635), referred to in this policy as "we", "us", or "our", is committed to protecting the privacy of individuals using Supasite, our AI-powered phone call summarisation tool for the construction industry. This Privacy Policy explains what personal information we collect through Supasite, how we use and handle it, and the rights individuals have regarding their information. We adhere to the requirements of the Australian Privacy Act 1988 (Cth) (including the Australian Privacy Principles), and the EU/UK General Data Protection Regulation (GDPR) where applicable.

‍

By using Supasite, you agree to the collection, use, and disclosure of your personal information as described in this Privacy Policy. We publish this Policy so you can easily understand what data we collect, why we collect it, how it is used, and how you can control it.

• Users: This Policy applies to all users of the Supasite platform, whether you create an account or use our services in any capacity. It covers personal information we handle in our own capacity and information we process on behalf of our users through Supasite.
• Personal Information: In this Policy, "personal information" (or "personal data") means any information about an identifiable individual, as defined under the Australian Privacy Act and GDPR. This Policy does not cover information about companies or organisations, but it does cover information about individuals within those entities.
• Minors: Supasite is intended for users 18 years and older. We do not knowingly collect personal information from children under 18 without parental consent. If we become aware of such data collection, we will promptly delete the information. By providing us personal information about someone else, you must have their consent to do so.

• Counterparties on calls: When a Supasite User uses the Call Summary Features (defined in our Terms of Service) on a telephone call to which you are also a party, BuildPass may process information about you (including your voice during the call, the content of what you say, and any personal information you disclose during the call) on behalf of that User. This Privacy Policy explains how we handle that information. The User who placed or received the call is responsible for giving you notice and obtaining any required consent under applicable Recording Laws (as defined in our Terms of Service).

We only collect information that is reasonably necessary to operate Supasite and provide our services. This may include:

• Identity Information: Name, job title, and company/organization (if applicable).
• Contact Information: Mobile phone number (required for account verification and service delivery). Email address (optional, collected only if you choose to link your Supasite account to a BuildPass account or opt in to email communications).
• Account Credentials: Your account is authenticated via your verified mobile phone number. We do not collect passwords.
• Profile and Usage Data: Information you provide when setting up your profile or using Supasite. We also collect usage data like feature use, clicks, and interactions to understand how our service is used.
• Phone Call Data: When you use Supasite's Call Summary Features, we capture the audio of the telephone call as it occurs, transcribe it in real time, and generate written outputs (a summary, action items, follow-up suggestions and reminders). The audio is processed transiently and then deleted. We retain the written transcript on our systems to operate the service. The summary, action items and reminders are stored in your account and made available to you. The transcript is not made available to you. We also retain metadata about the call (such as time, duration, the Supasite User who placed or received the call, and the Counterparty's number where it has been provided to the platform).
• Photos (where available): Where Supasite supports the upload of photos, we will store the photo and any associated metadata you provide.
• Site Inspection Data: Any data submitted for analysis by Supasite's AI features – this may include images, audio recordings (which may be transcribed), video, text descriptions, or other project documents that you upload for AI processing. This data may sometimes include personal information if, for example, an image has people in it or a voice recording includes personal remarks.
• Analytics Data: We use analytics tooling to collect technical information when you use Supasite. This can include your device type, browser type, IP address, operating system, referring URLs, and timestamps of actions.
• Cookies and Similar Technologies: Supasite uses cookies and similar tracking technologies to operate the website and gather analytics. (See Section 6: Cookies and Analytics below for more details.)
• Communications: If you contact us (for example, via support email or feedback forms), we will collect the information you provide in those communications.

We do not intentionally collect any sensitive personal information (such as government ID numbers, health or biometric data) through Supasite. We only collect payment information when you choose to subscribe to a paid tier (when available). We ask that you avoid submitting any sensitive personal data unless it is necessary for using the service.

The Call Summary Features have specific data-handling characteristics that we want to disclose plainly:

‍

• Audio is not retained. Audio captured during a call is processed transiently to generate a written transcript. It is then deleted from our systems. We do not store call audio for playback, evidentiary, training or any other purpose.
• Transcripts are retained but not surfaced to users. The written transcript is stored on our systems for the purpose of operating the service (for example, generating the summary, action items and reminders that you do see, and supporting future product features). The transcript itself is not made available to you in your Supasite account. You receive the summary, action items and reminders.
• Default retention. We retain transcripts, summaries, action items and reminders indefinitely by default. You may request deletion of specific calls or your account, in which case the corresponding data will be deleted in accordance with Section 5A. We may, in the future, introduce user-configurable retention periods.
• Voiceprints. We do not generate biometric voiceprints or perform speaker-identification processing on call audio that is used for biometric purposes. Speaker labels in our internal transcripts (such as "Me" / "Other party") are derived from call metadata, not from a biometric voice analysis of the participants.
• AI subprocessors. Audio is processed by our voice transcription provider for the sole purpose of producing the transcript, and the resulting transcript is then processed by our AI model providers for summarisation, action item extraction and reminder generation. Both categories of provider act as processors on our behalf under contractual data-protection terms. A current list of our subprocessors is maintained at our Trust Centre, trust.buildpass.com.au/subprocessors. See Section 7 (AI and Automated Processing) and Section 8 (Disclosure of Personal Information to Third Parties) for more detail.
• Counterparties. Where the User has shared a Counterparty's phone number or other identifying information with Supasite, that information is stored alongside the relevant transcript, summary, action items and reminders.
• Counterparty rights. If you are a Counterparty and wish to access, correct or delete information held about you in connection with a call, please contact us using the details in Section 12. We may need to direct you to the User who initiated the call, who is the entity primarily responsible for the call and the resulting Content. We will assist you in routing your request appropriately.

4. How We Collect Information

We collect personal information in several ways:

‍

• Directly from You: Most data is provided directly by you. For example, you enter information when signing up for Supasite, completing your user profile, or contacting us for support.
• Through Your Use of Supasite: As you interact with our platform or app, we automatically collect technical data via cookies, log files, and analytic scripts.
• Phone Call Capture: When a User uses the Call Summary Features, audio from the call is captured at the User's device and transmitted to our voice transcription provider for real-time transcription, and the resulting transcript is then transmitted to our AI model providers for summarisation, action item extraction and reminder generation. See Section 3A for further detail.
• AI Processing of User Content: If you use our AI Features, the content you provide will be transmitted to our AI model providers for processing. (See Section 7 for more details on how AI inputs/outputs are handled.)
• Third-Party Services: Some information may be collected or transmitted through third-party service providers integrated with Supasite. For example, when you sign up or log in, our identity and SMS verification provider processes your phone number on our behalf to authenticate you. These third parties collect and share information with us as needed to provide the Supasite service.

We will always endeavor to let you know when personal information is being collected and the purpose (for instance, by providing just-in-time notices or through this Privacy Policy). You may choose not to provide certain information; however, this may limit your ability to use some Supasite features. For example, if you choose not to enable certain cookies or not to provide an email address, some functionalities (like account creation or staying logged in) may not work.

5. How We Use Personal Information

We use the collected information for purposes necessary to provide and improve Supasite. The primary purposes include:

‍

• Providing Services: We use your information to create and manage your Supasite account, authenticate you upon login, and deliver the features of the service.
• Phone Call Summarisation: When you use the Call Summary Features, we use the captured audio to generate a written transcript, and we use the transcript to generate a summary, action items and reminders, which we store for your access in your Supasite account. We do not use the contents of your call transcripts or summaries to train our AI models or those of our AI model providers without your explicit consent. We may use anonymised, aggregated metadata about call usage (such as call duration distributions and feature engagement) to improve Supasite.
• Improving and Developing Supasite: Usage data and analytics help us understand how our product is performing. We analyse this data to fix bugs, optimise user experience, and inform new features.
• Communications: We may use your contact information to send service-related communications. This includes confirmations, technical alerts, and customer support responses, as well as material change notices to these Terms or to this Privacy Policy.
• Analytics and Product Research: We use third-party analytics (e.g., PostHog) to gather aggregated information on user behaviour.
• Platform Integration: We may use your information to facilitate integration between Supasite and the main BuildPass platform pursuant to our legitimate business interests in providing a cohesive suite of services. This includes using your data to enhance user experience across our products and to offer relevant BuildPass services based on your Supasite activity.
• AI Model Training and Improvement: We may use anonymised data from your AI interactions to train and improve our AI models and reasoning capabilities to provide better outcomes to all users. This includes advancing our ability to recognize construction site issues and enhancing the accuracy of our AI responses.
• Security and Fraud Prevention: We may process personal information to monitor for suspicious or malicious activity, verify user identities where necessary, and otherwise protect against unauthorised access, fraud, or abuse of our services.
• Legal Compliance: Where required, we will use and disclose personal information to comply with legal obligations, resolve disputes, enforce our Terms of Service, or respond to lawful requests by public authorities.

We will only use your personal information for the purposes outlined above or for purposes that are compatible with those original purposes. If we need to use your information for an unrelated purpose, we will notify you and obtain your consent or ensure we have a lawful basis as required by applicable law.

6. Cookies & Analytics

Supasite uses cookies and similar technologies to ensure the platform functions correctly and to analyse usage:

‍

• What Are Cookies: Cookies are small text files stored on your device that allow us to remember certain information between pages or visits.
• Essential Cookies: Some cookies are necessary for the website to operate.
• Analytics Cookies: We use third-party analytics tooling to collect information about how users interact with Supasite. The specific analytics provider we use is listed at our Trust Centre, trust.buildpass.com.au/subprocessors.
• Your Choices: Upon your first visit, and from time to time, we may present a cookie notice or preferences tool where required by law. You can manage or disable cookies in your browser settings.
• Do Not Track: Supasite does not currently respond to "Do Not Track" signals.

By using Supasite with cookies enabled in your browser, you consent to our use of cookies as described here.

7. AI and Automated Processing

Supasite is an AI-powered platform. We leverage third-party artificial intelligence services to provide certain features, primarily voice transcription, phone call summarisation, action item extraction, and reminder generation. It is important for you to understand how your data is handled in these processes.

7.1 AI Providers and Processing

Supasite integrates with third-party AI model providers to power our intelligent features, including a voice transcription provider and one or more large language model providers used for summarisation, action item extraction and reminder generation.

‍

These providers act as processors of data on our behalf when you use our AI-powered features. They receive the input data we provide on your behalf (such as call audio for transcription, or transcripts for summarisation) and return an output (such as a transcript, a summary, action items or reminders).

‍

A current list of all subprocessors involved in providing Supasite, including AI providers, is maintained at our Trust Centre, trust.buildpass.com.au/subprocessors. The list is updated whenever we add, remove or replace a subprocessor.

‍

7.2 Data Handling in AI Features

‍

• Phone Call Audio: When you use the Call Summary Features, audio is transmitted to our voice transcription provider over an encrypted connection. The provider returns a written transcript, after which the audio is deleted. The transcript is then transmitted to one or more AI model providers to generate a summary, action items and reminders. Both categories of provider act as processors on our behalf and are bound by contractual data-protection terms. They do not use this Content to train their general-purpose models.
• Input Data Transmission: When you use any AI Feature, the necessary data is sent securely to the corresponding AI provider's API. We send only the information required for the task.
• Temporary Processing: The AI providers process the data and send back a response. They may store the data for a short duration for purposes of processing, caching, or monitoring for abuse, in line with their published policies.
• No Secondary Use by Supasite: We do not use the contents of your phone call transcripts, summaries, action items or reminders to train our own AI models without your explicit consent. We may review AI interactions in an aggregated or anonymised way to evaluate performance.
• Human Oversight: We reserve the right to observe AI interactions both by human and automated processes for quality and improvement purposes. On occasion, authorised team members might review specific interactions if needed to investigate a problem or misuse, always under strict privacy controls.

7.3 No Fully Automated Decisions with Legal Effects

‍

Supasite's AI Features are tools to assist users in capturing and organising information from phone calls. They do not independently make binding decisions about individuals. All AI outputs should be reviewed by a human user. We do not subject anyone to purely automated decisions that have legal or significant effects on them, as defined under GDPR Article 22.

7.4 Accuracy and Limitations

‍

While we strive to use high-quality AI models, AI predictions or generated outputs can sometimes be incorrect or misleading. We do not guarantee the accuracy or completeness of any AI-generated content. Users should not rely on Supasite's AI Features as professional advice or the sole basis for decisions.

7.5 User Control

‍

If you do not want certain information processed by third-party AI, you should not use the corresponding feature in Supasite. By using the AI tools within Supasite, you consent to your data being transferred to and processed by the AI providers as described.

8. Disclosure of Personal Information to Third Parties

We treat your personal information with care and confidentiality. We do not sell your personal data to unrelated third parties for their own marketing or any other purposes. However, we do share information with certain trusted third parties in order to run Supasite effectively, as outlined below:

‍

• Service Providers: We use third-party companies to support our operations and services. These providers only receive the information necessary for them to perform their function, and they are contractually obligated to protect it and use it only for our purposes. Our key service providers include:
  • Convex: Hosts our application database. Personal data in our database is therefore stored on Convex's infrastructure.
  • Vercel: Hosts and serves the Supasite web application.
  • PostHog: Provides analytics services.
  • Deepgram: Powers voice transcription features in Supasite, including transcription of phone calls captured by the Call Summary Features. Audio is transmitted to Deepgram's API for transcription and is deleted from our systems once a transcript has been returned. Deepgram may temporarily process the audio in memory for transcription and may retain it briefly for service-quality and abuse-prevention purposes in line with their terms.
  • AI Providers (OpenAI, Anthropic, Google, xAI): As detailed in Section 7, these third parties process the content we submit to AI Features and generate outputs. They act as processors of that data for us, under strict terms.
  • Telecommunication and Voice Infrastructure Providers: We use telecommunications providers to enable the Call Summary Features and to send SMS messages (such as login codes and account notices). These providers carry call audio and text messages between your device and our systems and may temporarily process this data for the purpose of routing the communications.
  • Expo/EAS: We use Expo's services for building and updating the mobile app.
• Within BuildPass and Affiliates: Supasite is operated by BuildPass Pty Ltd. Information collected through Supasite may be shared with the broader BuildPass team in pursuit of providing integrated services.
• Legal and Safety Reasons: We may disclose personal information if we reasonably believe that doing so is necessary to comply with any applicable law, regulation, legal process, or governmental request.
• Business Transactions: If BuildPass is involved in a merger, acquisition, sale of assets, or reorganisation, your information may be transferred as part of that transaction. We will provide notice before personal data is transferred or becomes subject to a different privacy policy.

9. International Data Transfers

Supasite is a global service. The personal information we collect may be accessed or processed in countries other than the country you reside in. In particular, many of our third-party providers are based in (or may store data in) the United States and other jurisdictions outside of Australia or the European Economic Area (EEA).

• Our Location: Our company, BuildPass Pty Ltd, is based in Australia. For Supasite Users located in Australia, we are progressively migrating storage of Supasite Content (including call transcripts, summaries, action items and reminders) to Australian-resident infrastructure (AWS Sydney, ap-southeast-2). Where data is hosted in Australia, the international transfer position described in the rest of this Section will not apply to that storage; transient processing of audio and transcripts by AI subprocessors located outside Australia continues to be subject to the safeguards described above.
• Risks: Different countries have different data protection laws. When your data is transferred from your home country to another country, it may become subject to those foreign laws.
• Our Safeguards: We take reasonable steps to ensure that international data transfers comply with applicable laws. For transfers from Australia, we abide by Australian Privacy Principle 8. For transfers from the EEA/UK or other regions with data transfer restrictions, we utilise appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or we rely on an adequacy decision where applicable.
• Your Consent in Some Cases: IIn certain situations, we may ask for your consent to transfer data overseas. If you agree to such a transfer, we will inform you of any relevant risks and handle the data in accordance with that consent and this Policy.

Despite the global transfer of data, your information remains protected by the measures described in this Policy. We maintain high standards of data protection regardless of where data is processed and continue to be responsible for it. If you have questions about our international data transfer practices, please contact us (see Section 12).

10. Data Security and Storage

We implement a variety of administrative, technical, and physical security measures to protect your data from unauthorised access, alteration, disclosure, or destruction. These include:

‍

• Encryption: Data exchanged with Supasite is encrypted in transit using SSL/TLS. Sensitive data in our databases is encrypted at rest.
• Access Controls: Personal information is accessible only to those personnel and service providers who need it to perform their duties or services.
• Security Testing and Maintenance: We regularly update our software and systems to address security vulnerabilities.
• Anonymization: Where possible, we de-identify or pseudonymise personal data within our analytics and testing environments.
• Physical Security: Our data is stored on secure servers operated by reputable cloud providers.

Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.

‍

If we become aware of a data breach that compromises your personal information, we will notify affected individuals and relevant authorities as required by law.

11. Your Rights and Choices

You have certain rights regarding your personal information held by us:

• Access: You have the right to request a copy of the personal information we hold about you
• Correction: If you believe any personal data we have is incorrect or incomplete, you have the right to request we correct it.
• Deletion (Right to Erasure): You may request that we delete your personal information.
• Withdrawal of Consent: If we are processing your personal information based on your consent, you have the right to withdraw that consent at any time.
• Objection to Processing: You have the right to object to certain processing activities.
• Restriction of Processing: You can request that we temporarily limit the processing of your personal information in certain situations.
• Data Portability: For EU/UK users (and others where applicable), you have the right to data portability.
• Automated Decision-Making: Supasite does not make solely automated decisions with legal or similarly significant effects.
  ‍

Counterparty Rights. If you are a Counterparty (a person on a phone call with a Supasite User), you have the same rights of access, correction, deletion, objection and complaint as any other individual to whom this Policy applies, in respect of personal information about you that we hold. Because the User who initiated the call is the party with the primary relationship to the resulting Content, we may need to direct your request to that User in the first instance, and may need their cooperation to action your request. We will assist you in routing your request and we will respond to you within the timeframes set out in this Section regardless. Where a User does not cooperate with a valid Counterparty request, BuildPass reserves the right to action the request directly and to suspend the User's access in accordance with Section 9.2 of our Terms of Service.

‍

How to Exercise Your Rights: You can exercise most of the above rights by contacting us (see Section 12). For certain requests, we may need to verify your identity to ensure we don't disclose or delete data to the wrong person.

12. Questions, Complaints, and Contacting Us

If you have any questions about this Privacy Policy, wish to exercise any of your rights, or have a concern or complaint about privacy, please contact us:

‍

Privacy Contact Office:

Email: hello@supasite.ai

‍

Australia:

Postal Mail: The Privacy Officer

BuildPass Pty Ltd (Supasite)

Unit 2, 33 Stewart St

Richmond, VIC 3121, Australia

‍

United States:

Postal Mail: The Privacy Officer

BuildPass Inc (Supasite)

3212 E Cesar Chavez, Building 1, Suite 1115

Austin, TX 78702, United States

‍

‍

If you are not satisfied with our response to a privacy complaint, you have the right to escalate the matter to the appropriate supervisory authority. For Australian users, you may contact the Office of the Australian Information Commissioner (OAIC). For individuals in the EU/EEA, you can reach out to your local Data Protection Authority. UK users can contact the Information Commissioner's Office (ICO).

‍

13. Changes to this Privacy Policy

Supasite and our data practices may evolve over time. We reserve the right to update or modify this Privacy Policy at any time. If we make material changes, we will notify you via a notice within the Supasite app and on our website, and by SMS to your registered phone number. Where you have provided an email address, we will also send notice by email. The "Last Updated" date at the top of this Policy will always indicate when the latest changes were made.

‍

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Continued use of Supasite after any changes to this Policy constitutes your acceptance of the revised terms, to the extent permitted by law.

‍