← Back to ViaBuild

Privacy Policy

Last updated: February 2026

ViaBuild Pty Ltd (ABN [to be inserted]) ("ViaBuild", "we", "us", "our") operates the ViaBuild construction management platform accessible at viabuild.app and the ViaSite companion application (together, the "Services"), and the viabuild.au website (the "Website").

This Privacy Policy describes how we collect, use, store, disclose and protect personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"), the Privacy and Other Legislation Amendment Act 2024, and, where applicable, the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the New Zealand Privacy Act 2020.

We are committed to protecting the privacy of our users, customers, their employees, clients, subcontractors and suppliers whose information may be processed through our Services.

1. Information We Collect

1.1 Account and Organisation Information

When you register for ViaBuild, we collect:

  • Full name, email address, phone number
  • Organisation name, ABN, ACN, business address
  • Job title and role within your organisation
  • Billing and payment information (processed by our payment provider; we do not store full card numbers)
  • Profile photos (optional)

1.2 Service Data

When you and your Authorised Users use the Services, we process information you submit, including:

  • Job and project details (names, addresses, values, dates)
  • Financial data (estimates, budgets, purchase orders, invoices, progress claims, variations)
  • Supplier and subcontractor information (names, contact details, ABNs, banking details)
  • Client information (names, contact details, addresses)
  • Product and materials data, cost codes, labour rates
  • Safety records (inductions, toolbox talks, incident reports, SWMS, site sign-in logs)
  • Documents and files you upload (plans, invoices, photos, reports)
  • Communications sent or received through the Services (emails processed via inbound email functionality)
  • ViaSite field data (daily diaries, progress photos, defect records, inspection notes)

1.3 Information from Integrations

If you connect third-party services, we receive information from:

  • Xero: Contacts, invoices, bills, payments, chart of accounts, tracking categories
  • HubSpot: Contacts, deals, company information
  • Email providers: Emails forwarded for invoice processing
  • Future integrations: As described when you authorise the connection

1.4 Automatically Collected Information

When you access the Website or Services, we automatically collect:

  • Device information (browser type, operating system, device type)
  • IP address and approximate location (country/region level)
  • Usage data (pages viewed, features used, time spent, clicks, navigation paths)
  • Cookies and similar technologies (see Section 9)
  • Log data (access times, error logs, referring URLs)

1.5 Information from Third Parties

We may receive information from:

  • Our marketing partners (HubSpot) when you submit forms or book demos
  • Publicly available business registers (ABN Lookup, ASIC)
  • Our analytics providers (Google Analytics)

2. How We Use Your Information

2.1 Providing and Operating the Services

We use your information to:

  • Create and manage your account and organisation
  • Provide, maintain, and improve the Services and ViaSite app
  • Process invoices using AI-powered extraction and matching
  • Synchronise data with your connected integrations (Xero, HubSpot)
  • Process billing and payments
  • Provide customer support
  • Send transactional communications (account confirmations, invoices, password resets, system notifications)

2.2 Improving and Developing Our Services

We use information to:

  • Analyse usage patterns to improve user experience and features
  • Identify and fix bugs, errors and performance issues
  • Develop new features and services
  • Train and improve our AI models (using de-identified, aggregated data only — see Section 3)
  • Conduct internal research and analytics

2.3 Safety and Security

We use information to:

  • Detect, prevent and address fraud, abuse, and security incidents
  • Enforce our Terms of Service and Acceptable Use Policy
  • Comply with legal obligations, including data breach notification requirements
  • Protect the rights, property and safety of ViaBuild, our users, and the public

2.4 Communications and Marketing

We use information to:

  • Send product updates, feature announcements and tips (you can opt out at any time)
  • Respond to your enquiries and support requests
  • Send marketing communications where you have consented or where we have a legitimate interest (you can unsubscribe at any time)
  • Personalise your experience based on your usage and preferences

3. Aggregated and De-Identified Data

3.1 What Is Aggregated Data

We may collect, compile and create aggregated and de-identified datasets derived from Service Data and usage information ("Aggregated Data"). Aggregated Data is data that has been combined from multiple users and organisations and anonymised so that it cannot identify, and cannot reasonably be used to re-identify, any individual, organisation, job, or project.

3.2 How We Use Aggregated Data

We own all Aggregated Data and may use it without restriction for any lawful purpose, including but not limited to:

  • Producing industry benchmarks, cost indices and statistical reports
  • Improving and training our AI and machine learning models
  • Developing new products, features and services
  • Publishing general industry insights and reports
  • Creating and selling anonymised benchmarking products and data services
  • Internal research and business intelligence
  • Marketing and promotional materials that include aggregated statistics

3.3 Your Rights Regarding Aggregated Data

Because Aggregated Data cannot identify you, your organisation, or any individual, it is not considered "personal information" under the Privacy Act and is not subject to access, correction or deletion requests. We apply industry-standard de-identification techniques before any data is classified as Aggregated Data.

3.4 AI and Automated Processing

Our Services use artificial intelligence to extract data from invoices, suggest purchase order matches, and provide cost insights. We also use de-identified data from across our user base to train and improve these AI models. We do not use your identifiable data to train AI models used by other customers. Where our automated processing produces decisions that significantly affect individuals, we will provide transparency and the ability to request human review, in accordance with Australian Privacy Act requirements effective December 2026.

If you are located in the EEA, UK, or where GDPR applies, our legal bases for processing are:

  • Contract: Processing necessary to provide the Services (Article 6(1)(b))
  • Legitimate interests: Improving our Services, security, fraud prevention, marketing to existing customers, producing Aggregated Data (Article 6(1)(f))
  • Consent: Where you have opted in to marketing or cookies (Article 6(1)(a))
  • Legal obligation: Complying with applicable laws (Article 6(1)(c))

5. How We Share Your Information

5.1 Within Your Organisation

Service Data is accessible to Authorised Users within your organisation in accordance with the roles and permissions configured by your organisation's administrator.

5.2 With Your Integrations

When you connect third-party services (Xero, HubSpot, etc.), we share data in accordance with the integration's scope and your configuration.

5.3 With Service Providers

We engage trusted third-party service providers who process data on our behalf:

ProviderPurposeLocation
SupabaseDatabase hosting, authentication, storageAWS Asia-Pacific (Sydney)
VercelWebsite and application hostingGlobal CDN, origin in Australia where available
Anthropic (Claude AI)Invoice data extractionUnited States
ResendTransactional email deliveryUnited States
PostmarkInbound email processingUnited States
StripePayment processingUnited States
HubSpotCRM and marketing automationUnited States
Google AnalyticsWebsite analyticsUnited States

All service providers are bound by data processing agreements and are required to protect your data in accordance with this Privacy Policy and applicable law.

5.4 Cross-Border Transfers

Some of our service providers are located overseas, primarily in the United States. Before transferring personal information overseas, we take reasonable steps to ensure the recipient handles personal information in a manner consistent with the APPs, in accordance with APP 8. For GDPR users: Transfers outside the EEA/UK are protected by Standard Contractual Clauses or other approved transfer mechanisms.

We may disclose personal information where required or permitted by law, including in response to lawful requests by courts or regulators, to comply with the Notifiable Data Breaches scheme, to protect rights and safety, and in connection with any merger or sale of assets (subject to confidentiality).

We may share your information in other ways if you direct us to or provide consent.

6. Data Retention

We retain your information as follows:

  • Active accounts: Service Data is retained for the duration of your subscription and for 90 days after cancellation, during which time you may export your data.
  • Post-cancellation: After the 90-day export period, Service Data is permanently deleted from our active systems within 30 days. Backups containing your data are overwritten within 90 days.
  • Financial records: We retain billing and invoice records for 7 years as required by Australian taxation law.
  • Aggregated Data: Retained indefinitely as it is not personal information.
  • Log data: Retained for up to 24 months for security and troubleshooting.
  • Marketing contacts: Retained until you unsubscribe and request deletion.

You may request earlier deletion by contacting us at legal@viabuild.au.

7. Data Security

We implement technical and organisational measures to protect personal information, including encryption in transit (TLS 1.2+) and at rest (AES-256), row-level security in our database, role-based access controls, regular security assessments, secure development practices, access logging, and staff training. No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us at security@viabuild.au.

8. Your Rights

8.1 Under Australian Privacy Law

You have the right to access (APP 12), correction (APP 13), and to lodge a complaint if you believe we have breached the APPs (see Section 12).

8.2 Under the GDPR and UK GDPR (Where Applicable)

If the GDPR or UK GDPR applies, you additionally have the right to erasure, restriction of processing, data portability, to object (including to direct marketing), to withdraw consent, and not to be subject to solely automated decisions that significantly affect you.

8.3 Under the NZ Privacy Act 2020 (Where Applicable)

If you are a New Zealand resident, you have equivalent rights under the Information Privacy Principles.

8.4 Exercising Your Rights

To exercise any of these rights, contact us at legal@viabuild.au. We will respond within 30 days (or such shorter period as required by law). We may need to verify your identity. We will not charge a fee for reasonable requests.

8.5 Organisation Administrators

If you are an Authorised User of a ViaBuild customer organisation, please first direct your requests to your organisation's administrator. We will assist where the organisation is unable to fulfil your request.

9. Cookies and Tracking Technologies

9.1 What We Use

We use cookies for essential (authentication, session, security), analytics (Google Analytics), and marketing (HubSpot, conversion pixels) purposes.

9.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect the Services. We respect the Global Privacy Control (GPC) signal where applicable.

9.3 Do Not Track

We currently do not respond to browser "Do Not Track" signals, but we honour the GPC signal and direct requests.

10. Children's Privacy

The Services are not directed to individuals under 18. We do not knowingly collect personal information from children. If we become aware that we have collected such information, we will delete it promptly. Contact us at legal@viabuild.au if you believe a child has provided us with personal information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email, a notice within the Services, and by updating the "Last updated" date. Your continued use of the Services after changes become effective constitutes acceptance of the revised Policy.

12. Complaints

If you believe we have breached the APPs or this Privacy Policy, you may lodge a complaint at legal@viabuild.au. We will acknowledge within 5 business days and respond within 30 days. If not satisfied, you may lodge a complaint with the OAIC (Australia), your local supervisory authority (EU/UK), or the Office of the Privacy Commissioner (New Zealand).

13. Contact Us

ViaBuild Pty Ltd
Email: legal@viabuild.au
Website: https://viabuild.au
Address: [Insert registered address]

For urgent privacy or security matters, contact security@viabuild.au.