Privacy Policy

Definitions

"Structa", "we", "us": the operator of the service. "Service": the Structa quoting tool, hosted at structa.build and accessed through any related software.

The service is a piece of software: it generates cost estimates from inputs you supply. We do not act as a builder, broker, agent, or matching service, and we do not connect homeowners with builders.

What data we collect

Account data

• Email address or mobile number (used for authentication).
• Password (hashed by Firebase Authentication).
• Auth provider linkage (for Google sign-in).

Quote inputs

• Project type, dimensions, spec choices.
• Postcode prefix (used for regional cost multipliers).
• Site condition answers (drainage, subsidence risk, etc.).

Quote outputs

• Generated line items, costs and risk notes.
• For builders, edits made in the editor are stored as an append-only delta log alongside the engine baseline.
• Optional read-only share links that you generate from the editor.

Payment data

• Card details are never stored on Structa. Payments are processed by Stripe under their own terms; we receive the Stripe session ID, the customer email Stripe collects at checkout, and the success or expiry status of the session.

Technical data

• IP address (used for rate limiting on quote generation).
• Browser, device and basic usage telemetry.
• Support correspondence and feedback submissions.

Why we collect it

• To authenticate you and protect your account.
• To generate, save, and (for builders) edit your quote.
• To process the per-quote payment that unlocks delivery.
• To rate-limit abusive use of the quote-generation endpoint and prevent fraud.
• To respond to support requests.
• To meet our legal and accounting obligations.
• To improve the engine and its underlying cost data in aggregate, anonymised form.

We do not sell your data, place advertising cookies, or share your inputs with third-party builders or marketers.

Legal basis (UK GDPR)

• Contract performance: to deliver the service you signed up for.
• Legitimate interests: security, rate-limiting, anti-fraud, improving the engine.
• Consent: for optional marketing communications, withdrawable at any time.
• Legal obligation: accounting, tax, and regulatory requests.

Who can access your data

Structa team

A small number of staff can access account data for customer support, security, content moderation and technical maintenance. Access is logged and granted only when required.

Sub-processors

• Firebase / Google Cloud: authentication, Firestore database, file storage.
• Stripe: payment processing.
• Upstash: Redis-backed rate limiting.
• Google Gemini: generation of the narrative summary attached to a quote.
• Email delivery providers: transactional notifications.

All sub-processors are bound by data-processing agreements and process data only on our instructions.

Public surfaces

Share links generated from the builder editor are unlisted but unauthenticated. Anyone with the link can see the quote, the share-view sub-totals, and the builder's public name. Do not share a link with anyone you would not give the underlying quote to.

International transfers

Where personal data is transferred outside the UK (e.g. via Firebase or Google Gemini infrastructure), we rely on UK adequacy regulations and / or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

Retention

• Quote cache: 24-hour TTL after generation, unless saved into a builder session.
• Builder sessions & deltas: retained while your account is active.
• Account data: retained while your account is active. Deleted on closure, subject to legal retention requirements.
• Payment records: retained for at least seven years to meet UK accounting obligations.
• Backups: purged on a rolling 90-day window.

Security

• TLS in transit; at-rest encryption on Firebase and Stripe.
• Firebase Auth handles password hashing and session tokens. We do not see your password.
• Server-side routes verify Firebase ID tokens; resource access is constrained to the authenticated owner (IDOR checks).
• Webhook signatures from Stripe are verified against the signing secret before any state change.

No system is perfectly secure. In the event of a breach that poses a high risk to individuals, we will notify the ICO within 72 hours and affected users without undue delay.

Your rights

• Access: request a copy of the data we hold about you.
• Correction: update inaccurate or incomplete data.
• Deletion: request removal of your account data.
• Restriction: limit how we use your data.
• Portability: receive your data in a portable format.
• Objection: object to processing based on legitimate interests, or to direct marketing.

Email info@structa.build to exercise any of these rights. We will respond within one month and may need to verify your identity.

Cookies

We use a small number of strictly necessary cookies for session management and rate limiting. We do not use advertising cookies. Analytics, if any, are aggregated and anonymised at source.

Children

The service is not intended for use by anyone under 18 and we do not knowingly collect data from children. If you believe a child has provided data to us, email the address below and we will remove it.

Changes

We may update this policy. Material changes will be announced on the service before they take effect.