BUILD/LOG Privacy Policy
Effective date: 12 May 2026 Last updated: 13 May 2026
1. General information
This Privacy Policy describes how we collect, use, store, and protect personal data of users of the BUILD/LOG mobile application and the related web platform available at https://buildlog.app (collectively: the "Application").
By using the Application, you accept the rules described below. If you do not agree with them, please do not install or use the Application.
2. Data controller
The controller of your personal data is:
Baya Lab spółka z ograniczoną odpowiedzialnością (Baya Lab Limited Liability Company) ul. Długoszyńska 35E 43-600 Jaworzno, Poland KRS (National Court Register): 0001116118 REGON: 529158898 NIP (Tax ID): 6322037733
Contact for personal data matters: Email: privacy@buildlog.app Correspondence address: as above
3. Definitions
- Application — the BUILD/LOG mobile application (iOS, Android) and the related web platform available at https://buildlog.app.
- User — a natural person using the Application, including construction workers, inspectors, site managers, investors, and subcontractors.
- Organization — the company or entity on behalf of which the User uses the Application (e.g. general contractor, investor).
- Project — a construction undertaking managed in the Application.
- Issue — any record created in the Application: defect, work documentation, acceptance, RFI, health & safety report, etc.
- GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
4. What data we collect
4.1. Account data
During registration and use of the Application we collect:
- first and last name,
- email address,
- phone number,
- password (stored only in encrypted form — hash),
- Organization name and role (e.g. Investor, Site Manager, Inspector),
- profile photo (optional),
- preferred language and notification settings.
4.2. Content created by the User
In the course of daily use of the Application we process content that the User enters independently:
- Photos and video material taken on the construction site or uploaded from the device, along with technical metadata of the photos: date and time of capture, GPS coordinates (if the photo was taken with system camera geolocation enabled), device model,
- Issue descriptions, comments, notes,
- Project data — names, locations, dates, participant lists,
- Documents attached to issues (PDFs, drawings, schematics),
- Project participant data — contacts of persons assigned to tasks and issues.
Note: Construction site photos may contain images of third parties, vehicle license plates, project data, or other sensitive information. The User is responsible for ensuring that they have a legal basis to capture and process such data within their professional duties.
4.3. Technical and diagnostic data
We automatically collect the minimum range of technical data necessary to maintain the Application:
- device model and operating system,
- Application version,
- application installation identifier,
- IP address,
- error logs and application activity logs.
4.4. Application quality and performance monitoring (Sentry)
To ensure the stability, availability, and high quality of the Application, we use the monitoring and diagnostics service Sentry, provided by Functional Software, Inc. d/b/a Sentry, headquartered in San Francisco, USA. Application data sent to Sentry is physically stored in Sentry's European data center (Frankfurt, Germany).
Sentry processes:
- Error and crash reports — information about unhandled exceptions, application crashes, stack traces,
- Performance monitoring data — response times, network transactions, identification of slow queries,
- Session Replay recordings — reproductions of the User's interactions with the Application interface in the form of UI event recordings, used to diagnose errors and usability issues.
What is masked in Session Replay:
In our configuration, Sentry automatically masks:
- contents of all text fields and input fields (including passwords, issue descriptions, comments, login data),
- all images, photos, and media displayed in the Application,
- contents of elements marked as sensitive.
In practice this means that Sentry records the structure of interactions (clicks, scrolling, sequence of screens, duration of actions), but does not record the content entered by the User or photos from the construction site.
Purpose of processing: detecting and diagnosing errors, improving the stability and performance of the Application, identifying UX issues. The data is not used for profiling, advertising, marketing, or sale to third parties.
Legal basis: Article 6(1)(f) GDPR — legitimate interest of the controller in ensuring the stability, security, and quality of the services provided. You may object to this processing at any time (see section 8).
Retention period: data in Sentry is retained for a maximum of 90 days, after which it is automatically deleted.
Legal status: Sentry acts as a data processor within the meaning of Article 28 GDPR, on the basis of a Data Processing Agreement. Sentry's privacy policy: https://sentry.io/privacy/.
4.5. What we do NOT collect
- We do not collect device location data in the current version of the Application. The Application does not require GPS access permissions. (GPS coordinates may be present in photo metadata — see section 4.2 — if the system camera saves them in the files, but the Application itself does not retrieve device location.)
- We do not collect data from your contacts list beyond what you add yourself as project participants.
- We do not scan your photo gallery — access is limited to the photos you select or take within the Application yourself.
- We do not collect biometric data (e.g. face recognition from your profile photos).
- We do not use marketing analytics tools such as Google Analytics, Firebase Analytics, Mixpanel, PostHog, or Hotjar. Sentry serves exclusively diagnostic and technical quality monitoring purposes.
- We do not use User data for tracking within the meaning of Apple App Tracking Transparency.
- We do not sell personal data to third parties for any purpose, including marketing.
5. Purposes and legal bases of processing (GDPR)
| Purpose of processing | Legal basis (GDPR) |
|---|---|
| Provision of Application services (account, issues, reports) | Art. 6(1)(b) — performance of a contract |
| Communication with the User (support, operational notifications) | Art. 6(1)(b) — performance of a contract |
| Ensuring security, detection of abuse | Art. 6(1)(f) — legitimate interest of the controller |
| Diagnostics, quality monitoring (Sentry), product development | Art. 6(1)(f) — legitimate interest of the controller |
| Compliance with legal obligations (accounting, taxes) | Art. 6(1)(c) — legal obligation |
6. Data sharing
6.1. Within your Organization and Project
Issues, photos, reports, and comments created within a given Project are visible to other Users assigned to that Project according to their permissions (e.g. Investor, General Contractor, Inspector, Subcontractor). This is the essence of the Application as a collaboration tool.
6.2. Data processors
We entrust data processing to trusted providers with whom we have concluded data processing agreements in accordance with Article 28 GDPR:
| Provider | Purpose | Data storage location |
|---|---|---|
| Hetzner Online GmbH | Hosting of server infrastructure; storage of application data and photos | Germany / Finland (EU) |
| Functional Software, Inc. d/b/a Sentry | Application quality and performance monitoring, error reports, Session Replay | Frankfurt, Germany (Sentry EU region) |
All Application data (user accounts, issues, photos, documents, system-sent emails) is stored and processed on infrastructure hosted in Hetzner data centers within the European Union. System emails (e.g. registration confirmations, notifications) are sent directly from our server, without the involvement of external email service providers.
Diagnostic and monitoring data (errors, performance, Session Replay) is transmitted to Sentry and physically stored in its European data center in Frankfurt.
6.3. Public authorities
We may disclose data to state authorities (court, prosecutor's office, tax authorities, data protection supervisory authority) if required by applicable law.
6.4. Data transfers outside the EEA
Application data is physically stored exclusively in data centers within the European Union — both primary data (Hetzner, Germany/Finland) and diagnostic data (Sentry, Frankfurt).
However, please note that Functional Software, Inc. (Sentry) is a US-based company whose administrative and technical support personnel may have limited access to the data for service maintenance purposes, even though the data is physically located in the EU. Such access is considered a transfer of data to a third country within the meaning of GDPR and is carried out on the basis of:
- standard contractual clauses approved by the European Commission (Article 46 GDPR), and
- EU-U.S. Data Privacy Framework — to the extent Sentry is certified under that mechanism.
In the event of future changes (e.g. launching push notifications requiring Apple or Google intermediation), this Policy will be updated.
7. Data retention periods
| Data category | Retention period |
|---|---|
| Account data | For the duration of account ownership + up to 30 days after deletion (for potential restoration) |
| Project data, issues, photos | For the duration of the project + the archiving period required by your Organization (by default 6 years in accordance with Polish regulations on construction and tax documentation) |
| Technical and diagnostic logs (our own) | Up to 12 months |
| Data in Sentry (errors, performance, Session Replay) | Up to 90 days |
| Invoicing and accounting data | 5 years from the end of the financial year (statutory obligation) |
After these periods expire, data is deleted or permanently anonymized.
8. Your rights (GDPR)
You have the following rights regarding your personal data:
- Right of access to data (Art. 15 GDPR),
- Right to rectification of data (Art. 16 GDPR),
- Right to erasure — "right to be forgotten" (Art. 17 GDPR),
- Right to restriction of processing (Art. 18 GDPR),
- Right to data portability (Art. 20 GDPR),
- Right to object to processing based on legitimate interest (Art. 21 GDPR) — including the Sentry monitoring described in section 4.4,
- Right to withdraw consent at any time — without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR),
- Right to lodge a complaint with the supervisory authority — President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl.
To exercise any of the above rights, contact us at privacy@buildlog.app. We respond within 30 days of receiving the request.
Account deletion: you may delete your account at any time in the Application settings or by sending a request to privacy@buildlog.app.
Important: Some project data (issues, photos) created within your Organization's Project may be treated as documentation belonging to the Organization rather than to the individual User. In such cases, their deletion after leaving the Organization may not be possible — they remain the property of the Project/Organization.
9. Data security
We apply technical and organizational data protection measures appropriate to the risk, including:
- encryption of connections (TLS 1.2+) between the Application and servers,
- encryption of data at rest on the server infrastructure side,
- password hashing (bcrypt algorithm or equivalent),
- automatic masking of sensitive fields, text content, and images in Session Replay recordings (Sentry),
- regular backups,
- role-based access control (RBAC),
- regular security updates and reviews,
- incident response procedures in accordance with Articles 33–34 GDPR.
In the event of a data breach posing a risk to Users, we will notify you and the President of UODO within the time limits provided by GDPR.
10. Offline work and local data on the device
The Application operates on an offline-first architecture — some data (issues, photos awaiting synchronization) is stored locally in the device's memory, within the Application's private area.
- Data is synchronized with the server when the device has an Internet connection.
- After logging out of the account, local data is removed.
- Uninstalling the Application removes all local data.
11. The buildlog.app website
The https://buildlog.app website currently serves a marketing function. The website does not use any tracking tools, analytical cookies, or marketing cookies. Only cookies strictly necessary for the proper functioning of the site are used (if applicable).
If analytical or marketing tools are deployed in the future, this Privacy Policy will be updated, and Users will be provided with a consent management mechanism (cookie banner).
12. Children
The Application is not intended for persons under the age of 16. We do not knowingly collect personal data from children. If we discover that we have collected data from a person under 16, we will delete it promptly.
13. Third-party links
The Application may contain links to external sites (e.g. documentation, providers). We are not responsible for the privacy policies of these entities — we encourage you to review them before using their services.
14. Changes to the Privacy Policy
We may update this Privacy Policy. We will inform you of material changes:
- by email sent to the address associated with your account,
- through a notification in the Application,
- by updating the "Last updated" date at the beginning of the document.
Continued use of the Application after the changes take effect constitutes acceptance.
15. Provisions for the App Store and Google Play
The Application is distributed through Apple App Store and Google Play. These platforms may collect their own data in accordance with their privacy policies:
- Apple — https://www.apple.com/legal/privacy/
- Google — https://policies.google.com/privacy
Within the App Store Privacy Labels and Google Play Data Safety disclosures, we declare the following categories of collected data:
| Category | Purpose | Linked to identity | Used for tracking |
|---|---|---|---|
| Contact data (email, name, phone) | Functionality, account | Yes | No |
| User content (photos, descriptions, comments) | Functionality | Yes | No |
| Identifiers (device ID, installation ID) | Functionality, security | Yes | No |
| Diagnostic data (crash reports, performance — Sentry) | Application diagnostics | Yes | No |
| Product interaction data (Session Replay — Sentry) | Diagnostics, product quality | Yes | No |
We do not use User data for tracking within the meaning of Apple App Tracking Transparency. We do not sell personal data to third parties. We do not use marketing analytics tools or advertising networks.
16. Contact
Any questions regarding this Privacy Policy or the processing of your data should be directed to:
Email: privacy@buildlog.app Address: Baya Lab sp. z o.o., ul. Długoszyńska 35E, 43-600 Jaworzno, Poland Website: https://buildlog.app
This Privacy Policy was originally drafted in Polish. In the event of discrepancies between the Polish version and translations, the Polish version prevails.