Privacy Policy
Version 1.0 | Effective date: November 2, 2025
This Privacy Policy explains how Bauvik Inc. ("Bauvik," "we," "us") collects, uses, discloses, and protects information in the course of providing construction management and owner‑representation services, including use of our websites, portals, mobile apps, collaboration platforms, and project delivery systems (the "Services"). This policy is designed to be exhaustive for construction operations while remaining contract‑ and law‑compliant.
1) Scope and Relationship to Contracts
- Applies to: project owners, developers, lenders, architects, engineers, consultants, subcontractors, suppliers, vendors, jobsite personnel, visitors, employees/contractors of Bauvik, and website/app users.
- Covers: online portals, document control systems, CDEs, mobile tools, email, messaging, support channels, and physical jobsite documentation.
- Does not override: Master Services Agreements (MSA), Professional Services Agreements, Subcontractor/Vendor Agreements, NDAs, Data Processing Addenda (DPA), or platform terms (e.g., Procore, Autodesk Construction Cloud). In case of conflict, the signed contract or DPA controls.
2) Roles
- Controller/organization: Bauvik for Business Contact Data and Usage Data on our own systems; joint controller in limited collaboration contexts as specified by contract.
- Processor/service provider: Bauvik for Customer/Project Data where we act on the contracting party’s documented instructions (per DPA/contract).
3) Key Definitions
- Affiliate: entity under common control with Bauvik.
- Authorized User: person granted access to project systems or Bauvik portals.
- Business Contact Data: work contact and account information tied to business relationships (e.g., name, company, role, email, phone, billing contacts, verifications).
- Project/Customer Data: information uploaded or generated for project execution (e.g., drawings, models, RFIs, submittals, schedules, budgets, change orders, cost events, meeting minutes, emails, safety logs, inspections, photos, daily reports, punch lists, close‑out records, warranties, O&M manuals).
- Workforce Data: information related to jobsite workers and site access (e.g., orientation status, certifications, trade, company affiliation, timekeeping logs, site induction forms, incident reports). Biometrics are avoided unless contractually required and lawful consent is obtained where applicable.
- Usage Data: device, browser, app telemetry, pages/features used, timestamps, performance/error logs, IP address, coarse geolocation from IP, and similar analytics from Bauvik systems.
- Third‑Party Systems: external platforms chosen by the customer or Bauvik (e.g., Procore, Autodesk Construction Cloud/BIM 360, PlanGrid, Bluebeam, Google Workspace, Microsoft 365, Slack/Teams, DocuSign, payment processors, HR/timekeeping, fleet/telematics).
- Aggregated De‑Identified Data: data transformed so it cannot reasonably identify an individual or a specific customer/project.
4) Categories of Information We Collect
- Business Contact Data
  - Identifiers and professional details; billing, tax, and company information; communications and preference records.
- Project/Customer Data
  - Design and contract documents; BIM files and model metadata; RFIs, submittals, transmittals; schedules and look‑aheads; cost management records; pay apps and lien waivers (uploaded); commissioning and close‑out; photos/videos including drone imagery where permitted; as‑builts.
- Workforce and Jobsite Data
  - Orientation/induction records; toolbox talks; training and certifications (e.g., WHMIS, first aid); access logs (badge, PIN, approved whitelist); safety inspections; incident/near‑miss reports; equipment operator qualifications; timesheets where applicable; limited health/safety information necessary to comply with law.
- Fleet/Asset/Location Data
  - GPS/telematics from equipment or vehicles under Bauvik control; geofencing for site access; tool/asset tracking IDs.
- Financial/Commercial Data
  - Purchase orders, change orders, invoices, payment confirmations; insurance certificates and bonds provided by vendors; surety documentation.
- Website and App Data
  - Cookies, SDK/event data for authentication, security, performance, and analytics.
5) Sources of Information
- Directly from individuals or their employers (uploads, forms, emails, messaging).
- Automatically from devices and systems used to access Services (telemetry and logs).
- From Third‑Party Systems connected by the customer (subject to their terms and scopes).
- From public/commercial sources for B2B validation, sanctions/fraud screening where permitted by law.
6) Purposes of Use
- Provide and operate the Services (document control, collaboration, schedule and cost management, field data capture, approvals, close‑out).
- Safety and compliance (worksite induction, training tracking, inspections, incident management, regulatory reporting).
- Security and integrity (role‑based access control, monitoring, audit trails, fraud prevention, investigations).
- Performance and reliability (availability, scalability, diagnostics, error remediation, service improvement using de‑identified analytics where feasible).
- Communications (project notices, change notifications, service announcements, security alerts; marketing communications to business contacts where lawful with opt‑out).
- Billing and administration (invoicing, collections, tax, insurance/surety requirements, dispute resolution support).
- Legal obligations (records retention, lien/claim defense, litigation holds, regulatory compliance, workplace safety requirements).
7) Legal Bases (where applicable)
- Contract necessity to deliver Services.
- Legitimate interests (security, service improvement, fraud prevention, B2B communications balanced with rights).
- Legal obligations (construction and safety laws, tax and accounting, WSIB/WCB or equivalent, building authority requirements).
- Consent where required (e.g., certain cookies/marketing, optional biometrics, specific location tracking features if implemented).
8) AI/ML and Analytics
- Supported features may include search, classification, summarization, duplicate detection, and quality/safety insights.
- Customer/Project Data is not used to train models that benefit other customers unless explicitly permitted by contract and implemented via Aggregated De‑Identified Data or customer‑scoped models.
- Business Contact and Usage Data may be used in de‑identified/aggregated form to improve reliability, safety tooling, and documentation.
- Third‑party models may be used under contractual and technical safeguards; outputs may contain errors and must be validated before reliance in safety‑critical or legal contexts.
- No solely automated decisions producing legal or similarly significant effects without appropriate notice and lawful basis.
9) Disclosures and Sharing
- Project stakeholders: owners/developers, design teams, consultants, subcontractors, suppliers, commissioning agents, and testing/inspection entities as necessary for project execution.
- Service providers/sub‑processors: hosting, storage, email, e‑signature, analytics, security monitoring, support, timekeeping/HR tools, telematics, AI infrastructure—bound by confidentiality and data‑protection obligations.
- Insurers, sureties, auditors, and lenders where required by contract or claim.
- Regulators and authorities: building departments, safety boards, workers’ compensation boards (e.g., WSIB/WCB), and other lawful requests.
- Corporate transactions: merger, acquisition, financing, restructuring, or asset transfer with appropriate safeguards.
- With consent or at the direction of the contracting customer.
- We do not sell Personal Information or share it for cross‑context behavioral advertising under CPRA definitions.
10) International Transfers
- Data may be processed in Canada, the U.S., the EEA/UK, or other countries where Bauvik or vendors operate.
- Transfers use appropriate safeguards (e.g., Standard Contractual Clauses and UK addendum, supplementary measures) as required by law.
11) Security
- Administrative, technical, and physical safeguards aligned with industry standards and proportional to data sensitivity.
- Examples: encryption in transit, access controls and MFA for privileged roles, least‑privilege and need‑to‑know, logging/monitoring, vendor risk management, vulnerability management and patching, backup and recovery procedures.
- Incident response and breach notification in accordance with law and contract.
12) Jobsite Imagery and Monitoring
- Progress documentation via photos, 360 imagery, drones, and fixed cameras where permitted; signage and notices provided where law requires.
- Imagery used for project management, quality, safety, claims, and training; access restricted to authorized personnel and stakeholders.
- CCTV or access control logs (badge, turnstile, geofencing) used for security and safety compliance in accordance with applicable law and contracts.
13) Location, Telematics, and Timekeeping
- Location data may be collected from equipment, vehicles, or check‑in devices to secure sites and coordinate logistics.
- Worker location/time data is limited to what is necessary for site access, safety, payroll/timekeeping (if applicable), and compliance; optional features that expand tracking require clear notice and, where required, consent.
- Biometric time clocks are avoided unless expressly authorized by contract and law; if used, additional notices/consents, storage limitations, and deletion timelines apply.
14) Cookies and Similar Technologies
- Categories: strictly necessary (authentication/security), functionality, performance/analytics, and marketing measurement (for business contacts on our corporate site only).
- Controls: consent banner where required; browser/OS settings; in‑product privacy settings where available; we honor legally required signals where technically feasible.
15) Retention
- Project/Customer Data: retained for the project lifecycle and for post‑completion periods necessary for claims, lien and defect limitation periods, close‑out, warranties, and legal/contractual requirements; specific durations may be stated in the contract.
- Business Contact and Usage Data: retained to fulfill purposes, comply with law, and enforce agreements; de‑identified data may be retained for analytics and service improvement.
- Litigation/legal holds: data relevant to disputes is preserved as required by law.
16) Individual Rights
- Rights may include access, correction, deletion, portability, restriction, objection, withdrawal of consent (where applicable), and marketing opt‑out.
- Requests involving Project/Customer Data should be directed to the contracting customer/controller; Bauvik will assist as required by the DPA and law.
- Identity verification and response timelines follow applicable law; appeal rights are provided where required (certain U.S. states).
17) Regional Disclosures
- Canada (PIPEDA): fair information principles observed; service providers may be outside Canada; contact us for access/correction inquiries and complaint handling.
- EU/UK (GDPR/UK GDPR): legal bases include contract, legitimate interests, consent, and legal obligations; transfers rely on appropriate safeguards; lodge complaints with Supervisory Authorities/ICO.
- U.S. (CPRA and similar laws): categories, purposes, and disclosures as outlined; no sale or sharing for cross‑context behavioral advertising; rights to know, delete, correct, portability, and limit use of sensitive data where applicable.
18) Sub‑Processors and Vendor Transparency
- Current sub‑processor categories: cloud hosting/IaaS, storage/backup, email delivery, e‑signature, analytics/telemetry, support desk, security monitoring, timekeeping/HR tools (where used), and AI infrastructure.
- A current list is available upon request; customers receive notice of material changes as set out in the DPA.
19) Financial Incentives
- We do not offer price or service differences in exchange for personal information. If that changes, we will provide required notices and opt‑in mechanisms.
20) Children
- Services are not directed to children; we do not knowingly collect personal information from minors where parental consent is required. Contact us to request deletion if you believe a minor’s information was provided.
21) How to Exercise Rights or Contact Us
- Email: info@bauvik.com
- Mail: Privacy Office, Bauvik Inc., 68 Claremont St, Toronto, ON M6J 2M5
- Provide: name, organization, role, contact email used, the nature of your request, and region/country.
22) Changes to this Policy
- We may update this policy to reflect changes in law, regulation, platforms, or practices. We will post updates with a new effective date and provide notice and/or seek consent where required by law or contract.
23) Customer Responsibilities
- Configure access controls, retention, and exports in selected project platforms.
- Limit uploads to data necessary for project delivery; avoid restricted/special categories unless contractually permitted and lawful.
- Review and manage Third‑Party Systems and permissions; revoke access when no longer needed.
- Execute a DPA and transfer mechanisms where required; notify Bauvik of special compliance needs (e.g., union agreements, public sector procurement rules, sensitive infrastructure restrictions).

