This policy describes what information BrickBook collects about you, why we hold it, who we share it with, and the rights you have under the UK General Data Protection Regulation and the Data Protection Act 2018. We have tried to keep it short and specific.

Who we are

BrickBook is a trading name of Lab81 Ltd, a company registered in England and Wales. For the purposes of data protection law, we are the data controller of the information you provide through the BrickBook application and website. You can reach us at hello@lab81.io.

What we collect

We keep to the minimum needed to run the service:

  • Account information. Name, email address, and a hashed password. If you enable two-factor authentication, we hold an encrypted TOTP secret and bcrypt-hashed backup codes.
  • Property records. Addresses, property type, tenure, and the compliance obligations you choose to track.
  • Certificates and documents. Files you upload (gas safety, EICR, EPC, legionella, fire risk assessments) together with metadata extracted from them.
  • Financial records. Rental income, expenses, and supporting notes that you enter for tax and reporting purposes.
  • HMRC identifiers. If you use Making Tax Digital (MTD) submissions, we store your Unique Taxpayer Reference (UTR) and National Insurance number (NINO). These are required by HMRC's fraud-prevention standards and are never shared with third parties outside HMRC.
  • Billing information. We do not store your card details. Payments are processed by Stripe; we hold only a customer reference and the status of your subscription.
  • Technical data. IP address, browser type, device information, and request logs. Used for security, rate-limiting, and diagnosing faults.

Why we hold it — our lawful bases

  • Contract. To provide the service you have signed up for — account access, compliance tracking, submissions to HMRC.
  • Legal obligation. To meet HMRC's requirements for MTD software, including fraud-prevention headers.
  • Legitimate interests. To secure the service against abuse, prevent fraud, and improve the product.
  • Consent. For optional communications such as product announcements. You can withdraw consent at any time.

Who we share it with

We use a small number of carefully chosen processors:

  • HMRC. Quarterly updates and final declarations submitted through the Making Tax Digital API, together with fraud-prevention headers required by HMRC.
  • Stripe. Subscription payments. Stripe are an independent controller of your payment details. See stripe.com/gb/privacy.
  • SendGrid (Twilio). Transactional email delivery — account verification, password resets, reminders.
  • Anthropic. Certificate photographs and PDFs are sent to Anthropic's Claude API for metadata extraction. Anthropic do not train their models on this content. See anthropic.com/privacy.
  • Hostinger. Our servers are hosted on a UK-region virtual private server provided by Hostinger.

We do not sell your data. We do not share it with advertisers. We will only disclose it to other parties where required by law or with your explicit consent.

Where it is stored

Your account data and database records are held on servers located within the United Kingdom. Some of our processors (Stripe, SendGrid, Anthropic) are headquartered in the United States and may process data there under Standard Contractual Clauses or an adequacy decision.

How long we keep it

  • Active accounts: for as long as the account exists.
  • Closed accounts: deleted within 30 days of account closure, except records we are legally required to keep (e.g. for HMRC audit purposes — typically 6 years for tax records).
  • Backups: encrypted database backups are retained for 30 days before being overwritten.

Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete information.
  • Request erasure of your data, subject to our legal obligations.
  • Export your data in a machine-readable format.
  • Object to, or restrict, certain types of processing.
  • Withdraw consent for any processing based on consent.
  • Lodge a complaint with the Information Commissioner's Office at ico.org.uk.

To exercise any of these rights, email hello@lab81.io. We will respond within one calendar month.

Cookies

BrickBook uses only strictly necessary cookies to keep you signed in and to remember your session preferences. We do not use advertising, analytics, or tracking cookies, and we do not integrate third-party trackers. Because no non-essential cookies are set, no cookie consent banner is shown.

Security

We follow industry practice: passwords are bcrypt-hashed, TOTP secrets are Fernet-encrypted at rest, all traffic is served over TLS, and database access is restricted to our application servers. We do not store payment card details at all.

Changes to this policy

If we make material changes we will notify you by email and update the "last revised" date at the top of this page. Minor clarifications will be made quietly without notice.

This policy is a plain-English description of our practices, not a legal contract in itself. Your legal rights are those set out in the UK GDPR and the Data Protection Act 2018.