BuildCompare Try the app

Legal

Privacy notice.

How we collect, use and protect your personal data when you use BuildCompare.

Soft launch — this is the live notice.

BuildCompare is in soft launch. We process minimal personal data, run essential cookies and cookieless Cloudflare Web Analytics, and — only with your consent via the cookie banner — Google Analytics 4. We will update this notice in line with our actual practice as the product evolves. Last updated 2026-05-19.

Who we are

This notice explains how Ross Churchill, sole trader, trading as BuildCompare ("we", "us") collects and uses your personal data when you use buildcompare.co.uk, app.buildcompare.co.uk, our support channels and any related services. We are the controller of your personal data unless this notice says otherwise.

You can contact us by email at [email protected]. A postal correspondence address is available on request — email us and we will provide it. Our Privacy Lead is Ross Churchill.

The personal data we collect

Depending on how you use BuildCompare, we may collect:

We do not intentionally collect special-category personal data (such as health, religion or ethnicity). Please don't include sensitive information in free-text fields or support emails unless we specifically ask for it.

How we use your data and our lawful bases

Under UK GDPR we must have a lawful basis for each purpose. Our bases by activity:

Location data

If you choose to use location features (such as "nearest branch" or local stock), the app sends your postcode or browser-permission coordinates to our servers only for the duration of the request. We compute the nearest-branch result and return it — we do not retain raw location data server-side beyond that request. Your chosen branch preference is stored locally in your browser (localStorage). We do not use precise location for behavioural advertising.

Cookies and similar technologies

We use essential cookies required for the service to function — session, CSRF protection, rate-limiting and your locally saved preferences. Your cookie-banner decision is recorded as bc_consent, scoped to .buildcompare.co.uk so it carries across the marketing site and the app without you having to choose twice. We use Cloudflare Web Analytics, which is a cookieless analytics service: no cookies, no fingerprinting, no cross-site tracking, no personal identifiers. We also use Google Analytics 4 for richer reporting, gated by a cookie banner — Google Analytics cookies are only set after you click "Accept analytics", and we run Google's Consent Mode v2 so the tag respects your choice. Full detail in our Cookie notice.

Who we share personal data with

We use a small number of carefully chosen service providers that process personal data on our behalf:

When you click through to a merchant via a BuildCompare result, that merchant becomes a separate controller for their own checkout, fulfilment and any tracking they do on their site. We do not transmit personal account data to merchants; they may receive a click reference and any tracking parameters built into our affiliate links. Read each merchant's own privacy notice for detail.

We may also share personal data where the law requires it, or where necessary to establish, exercise or defend legal claims.

Where your data is stored and international transfers

Our primary servers are located in France (OVHcloud, Gravelines). Backups are stored in France and the United Kingdom. Cloudflare operates global infrastructure and may serve traffic from multiple regions for performance.

Where we transfer personal data from the UK to providers in the EEA, we rely on the UK's adequacy regulations for EEA destinations. Where personal data is transferred from the EEA back to the UK, the EU's renewed adequacy decision for the UK applies (in force until 27 December 2031). For Purelymail (United States) we rely on contractual safeguards including Standard Contractual Clauses with the UK International Data Transfer Addendum. If we use a provider outside the UK or EEA in future, or if adequacy arrangements change, we will use an appropriate safeguard such as SCCs, the UK Addendum or the UK IDTA and run a transfer-risk assessment.

How long we keep personal data

We keep personal data only for as long as necessary for the purposes set out above, then delete or anonymise it unless we must keep it for legal reasons. Current retention defaults:

Security

We apply appropriate technical and organisational measures to protect personal data, proportionate to the risk. Current controls include encrypted connections (TLS in transit), encryption at rest for the production database, role-based access with least-privilege, multi-factor authentication on admin and backup consoles, secrets stored in HashiCorp Vault (not in code or configuration files), security logging and alerting, regular patching, vendor due diligence with Article 28 processor contracts, and a documented incident-response process. No online service can guarantee absolute security, but we design our controls around the actual risks the service faces.

Your rights

Under UK GDPR you have, subject to the law and the particular processing, the right to:

Some rights apply only in certain circumstances. We may need to keep some data where the law requires it (e.g. tax records). To exercise your rights, email [email protected]. We aim to respond without undue delay and usually within one month. We may need to verify your identity before fulfilling a request.

Automated decision-making and profiling

We do not currently make significant decisions about you based solely on automated processing. We use limited automated tools to rank search results (by price and your selected filters), detect technical abuse and analyse aggregate service performance. None of these tools makes decisions with legal or similarly significant effects on you. If we ever introduce solely automated decision-making that has such effects, we will update this notice and explain the safeguards available, including how to request human review.

Children's data

BuildCompare is intended for trade and DIY users (typically aged 18+) and is not designed for children. We do not knowingly collect personal data from children for account, subscription or marketing purposes. If we learn that we have collected children's data inadvertently, we will take appropriate steps to delete or protect it. If our service later becomes likely to be accessed by children, we will apply the ICO's Children's Code and update this notice accordingly.

Complaints

If you have a privacy concern, please contact us first at [email protected] so we can try to resolve it.

You also have the right to complain to the UK Information Commissioner's Office (ICO):

If EU GDPR applies to a particular processing activity, you may also have the right to complain to an EU supervisory authority, including the CNIL in France (3 Place de Fontenoy, 75007 Paris; +33 1 53 73 22 22; cnil.fr).

Changes to this notice

We may update this notice from time to time to reflect changes in our service, providers or legal obligations. Where a change materially affects how we use your personal data, we will take reasonable steps to bring that change to your attention before or when the change takes effect. The "Last updated" date below tells you when the notice was last revised.

Last updated: 2026-05-19. See also: Cookie notice · Terms of service · Affiliate disclosure.