1. Introduction

DIY Housebuilder ("we", "us", "our") operates the website diy-housebuilder.com and the DIY Housebuilder mobile applications (together, the "Service"). This Privacy Policy explains how we collect, use, store and protect your personal information when you use the Service.

By using the Service you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

We collect the following types of information:

Account information

  • Name, email address and telephone number provided during registration
  • Organisation/tenant name and code
  • Role and permissions within your account

Project and claim information

  • Property address, planning permission reference and project dates
  • Claimant name, address and contact details
  • Bank details (bank name, account holder, sort code, account number) for VAT refund purposes

Receipt and financial data

  • Uploaded receipt images and PDF documents
  • Data extracted from receipts including supplier names, VAT numbers, dates, amounts and line items
  • Supplier records

Payment information

  • Payment transactions are processed by Stripe. We do not store your full card details. Stripe's privacy policy applies to payment processing.

Technical and usage data

  • IP address, browser type, device information and operating system
  • Pages visited, features used and timestamps
  • Cookies and similar tracking technologies (see Section 8)

3. How We Use Your Information

We use your information to:

  • Provide, maintain and improve the Service
  • Process and extract data from uploaded receipts using optical character recognition (OCR)
  • Validate receipt data and check HMRC eligibility of line items
  • Generate pre-filled VAT431NB claim forms and export documents
  • Process payments and manage your subscription
  • Send service-related notifications (e.g. receipt processing updates, validation alerts)
  • Provide customer support
  • Detect and prevent fraud or misuse of the Service

4. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract: Processing necessary to provide the Service you have signed up for
  • Legitimate interests: Improving the Service, preventing fraud, and ensuring security
  • Consent: Where you have given explicit consent, such as for marketing communications
  • Legal obligation: Where we are required to retain data by law

5. Data Storage and Security

Your data is stored on Amazon Web Services (AWS) infrastructure located in the EU (eu-west-2, London region). We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption at rest and in transit (TLS/SSL)
  • Authentication via AWS Cognito with email-based verification — no passwords are stored
  • Access controls and role-based permissions
  • Regular security reviews

While we take reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure.

6. Data Sharing

We do not sell your personal data. We may share data with the following third parties solely to provide the Service:

  • Amazon Web Services (AWS): Cloud hosting, data storage, OCR processing (Textract), authentication (Cognito)
  • Stripe: Payment processing

We may also disclose data if required by law, regulation, or legal process.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes.

Receipt images and extracted data are retained for the duration of your account to support your VAT claim process.

8. Cookies

We use essential cookies to maintain your session and remember your preferences (e.g. sidebar state). We do not currently use third-party advertising or analytics cookies. If this changes, we will update this policy and provide appropriate notice and controls.

9. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data (right to be forgotten)
  • Restrict processing in certain circumstances
  • Receive your data in a structured, machine-readable format (data portability)
  • Object to processing based on legitimate interests
  • Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at privacy@diy-housebuilder.com.

10. Children

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us: