As a Data Controller
We are the data controller for personal data collected through our website, marketing activities and sales processes, including data submitted through enquiry forms and demo requests and personal data provided in the course of our business relationship with you.
As a Data Processor
When you use the ConstructionCRM platform to manage your own contacts, companies, projects and relationships, we act as a data processor on your behalf. We process that data only on your documented instructions. You remain the data controller for the data you enter into the platform, and you are responsible for ensuring you have a lawful basis for processing it.
A Data Processing Agreement (DPA) is available on request for customers who require one. Please contact gdpr@constructioncrm.com.
Under UK GDPR Article 6, we rely on one or more of the following lawful bases when processing personal data:
- Contract — processing is necessary to fulfil our agreement with you (platform delivery, billing, support)
- Legitimate interests — processing serves our legitimate business interests without overriding your rights (e.g. responding to enquiries, product communications to existing customers, security monitoring)
- Consent — where we rely on your explicit consent, such as for marketing emails to prospects. You may withdraw consent at any time via the unsubscribe link or by contacting us
- Legal obligation — where we are required by law to retain or process data
For B2B marketing to construction industry professionals, we may rely on the soft opt-in under PECR where a prior business relationship exists, provided communications are relevant to our Services and recipients have a clear opportunity to opt out.
You have the following rights in relation to personal data we hold about you. To exercise any right, contact us using the details in Section 8. We will respond within one calendar month.
Right of Access
Request a copy of the personal data we hold about you (Subject Access Request).
Right to Rectification
Ask us to correct inaccurate or incomplete data we hold about you.
Right to Erasure
Request deletion of your data where there is no compelling reason to continue processing it.
Right to Portability
Receive your data in a structured, commonly used, machine-readable format.
Right to Restriction
Ask us to restrict processing of your data in certain circumstances.
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Automated Decisions
The right not to be subject to solely automated decisions that produce significant effects.
Withdraw Consent
Withdraw consent at any time without affecting prior lawful processing.
We retain personal data only for as long as necessary for the purposes for which it was collected. After the relevant period, data is securely deleted or anonymised.
| Category | Retention period |
|---|---|
| Active customer account data | Duration of contract + 7 years |
| Billing and financial records | 7 years (Companies Act / HMRC) |
| Website enquiry / demo request | 2 years from last contact, or until opt-out |
| Consent records | Until withdrawn + 3 years audit trail |
| Support correspondence | 3 years from resolution |
| Platform audit logs | 12 months rolling |
We use data hosting providers in the US, UK and Ireland. Where personal data is transferred outside the UK or EEA, appropriate safeguards are in place, including UK adequacy regulations, Standard Contractual Clauses (SCCs) and binding contractual protections with sub-processors.
ConstructionCRM serves customers in North America and the UAE. Data for customers in these regions may be hosted on infrastructure in their region. Applicable local data protection requirements will be addressed in your customer agreement.
We implement appropriate technical and organisational measures to protect personal data, including encrypted transmission (TLS), role-based access controls, comprehensive audit logging, regular security reviews and sub-processor due diligence.
Personal data breach procedure
- We will notify the ICO within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms
- Affected individuals will be notified without undue delay where the breach is likely to result in high risk to them
- All breaches are documented in our internal breach register, including those that do not require notification
ConstructionCRM is architected with UK GDPR compliance as a first-class concern. The following tools are native features of the platform to help customers meet their own obligations as data controllers:
GDPR Tab on Contact Records
Every Contact record includes a dedicated GDPR compliance tab for recording consent status, communication preferences and data handling notes at the individual level.
Consent Tab & Record Consent Entity
Explicit consent is captured per contact with date, method and scope. The Record Consent entity is a first-class data model component — not a field — storing fully auditable consent records.
TPS Flagging
Telephone Preference Service status is flagged directly on every contact telephone number and visible across list views, identifying numbers that cannot be called for marketing purposes.
Personally Identifiable Information (PII) Entity
A dedicated entity for managing PII data across the system, supporting subject access requests, data auditing and data minimisation workflows without bespoke development.
Rights to be Forgotten Entity
A formal, auditable workflow for processing erasure requests — distinct from simply deleting a record — providing a documented, traceable right-to-erasure process.
To exercise your rights, request a Data Processing Agreement, raise a breach concern or make any other GDPR-related enquiry:
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.