Legal
Data Processing Agreement
A summary of how BDITY.LAB, Lda. (processor) handles the personal data that customers (controllers) upload to the Buildity.app platform. The full executable DPA is available on request at geral@buildity.pt.
Last updated: May 2026
1. Parties and roles
BDITY.LAB, Lda. acts as the Processor for personal data that you (the Controller — typically a construction company, GC, or subcontractor) upload to the Buildity.app platform. You decide the purpose and means; we process strictly on your documented instructions, in line with GDPR Art. 28.
2. Subject matter and duration
We process personal data for as long as your customer agreement is active, plus a short defined window after termination for export/deletion. Processing is strictly limited to providing, securing and improving the Buildity.app service for you.
3. Nature and purpose
Storing and presenting invoices, payments, contracts and messages tied to your construction projects. Routing approvals, scheduling payments, generating audit trails, and integrating with the channels you connect (email, WhatsApp, ERP, CRM, drive).
4. Categories of personal data
Names, emails, phone numbers, roles and company affiliations of your team members, subcontractors, suppliers and clients; invoice references; signature data and signing-context metadata (IP, device, timestamp); message and file contents you choose to ingest.
5. Categories of data subjects
Your employees and contractors, subcontractor representatives, suppliers, and the end-clients of your construction projects, to the extent their personal data is uploaded to Buildity.app.
6. Sub-processors
We use a small number of vetted sub-processors: Netlify Inc. (hosting + form storage, EU regions where available), GitLab Inc. (source-code hosting), and EU-based transactional email providers. We notify Controllers of any new sub-processor with at least 30 days' notice; Controllers may object on reasonable grounds.
7. International transfers
Data is processed in the European Union by default. Where a sub-processor must process outside the EU/EEA (e.g., US-headquartered services running EU regions), we rely on Standard Contractual Clauses (2021 EU Commission) and additional safeguards (encryption, access controls).
8. Security measures
Encryption in transit (TLS 1.2+) and at rest (AES-256), strict role-based access control, audit logging on all personal-data access, principle of least privilege for BDITY.LAB staff, mandatory MFA, and quarterly access reviews. Production environments are segregated from staging/development.
9. Personal data breaches
We notify the Controller without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting their data. The notification includes the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken.
10. Data subject rights
We provide tooling and APIs to help Controllers respond to data subject access, rectification, deletion and portability requests within GDPR statutory deadlines. We assist with DPIAs where required.
11. Audit and inspection
Controllers may audit our compliance with this DPA on reasonable notice — at most once per year, conducted remotely by default, with on-site inspection available for justified reasons and at the Controller's expense.
12. Return and deletion at termination
On termination of the customer agreement, Controllers can export all their data (invoices, contracts, payments, messages, files) in machine-readable formats (PDF, CSV, JSON). All personal data is then deleted from our systems within 30 days, except where retention is required by law.
13. Contact and execution
The full executable DPA, including specific Annexes (sub-processor list, technical and organisational measures, SCCs where relevant), is available on request. Email geral@buildity.pt to receive the current version for review and signature.
Questions, requests or to execute a signed copy — write to geral@buildity.pt. We reply within 24 business hours.
AI quoting from maps, briefs or listings — in minutes.
Invoices, payments and contracts — the whole site in one place.
Verified electricians, masons and site supervisors, on demand.