Privacy Policy
Last updated: April 2026
Constroma Pty Ltd ("Constroma", "we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and what rights you have in relation to it. By using the Constroma platform (the "Service"), you agree to the practices described in this policy. If you do not agree, please discontinue use of the Service.
1. Introduction
This Privacy Policy applies to all users of the Constroma platform, including visitors to our website, registered account holders, and any individual whose personal data is processed in the course of providing the Service.
We act as the data controller for personal information collected directly through the Service. Where we process personal data on behalf of our customers (for example, information contained within project schedules or delay records), we act as a data processor and our customers remain the data controllers for that information.
This policy should be read alongside our Terms of Service, which governs your use of the platform. Where there is any conflict between the two documents, the Terms of Service will take precedence except in matters relating specifically to the processing of personal data.
2. Information We Collect
We collect information in three categories depending on how you interact with the Service:
Account Information
When you register for an account or update your profile, we collect personal information you provide directly, including:
- Full name
- Email address
- Company or organisation name
- Job title or role
- Password (stored as a cryptographic hash; we never store plaintext passwords)
- If you authenticate via a third-party provider (Google, LinkedIn, or Apple), we receive your name and email address from that provider in accordance with your authorisation
Project Data
To provide the delay analysis Service, we process the project data you upload or create within the platform, which may include:
- XER files and Primavera P6 schedule exports containing activity data, resource assignments, and calendar definitions
- Baseline and as-built programme schedules
- Delay event records, fragnet descriptions, responsibility attributions, and associated documentation
- Project metadata such as project name, contract dates, and analysis window definitions
This project data may incidentally contain personal information about third parties (for example, the names of contract administrators or site personnel appearing in schedule fields). You are responsible for ensuring you have the appropriate authority to upload such data and that doing so is consistent with your own data protection obligations.
Usage Data
We automatically collect certain technical and behavioural data when you use the Service, including:
- Login timestamps and session duration
- Features accessed and actions taken within the platform
- Browser type, operating system, and device type
- IP address and approximate geographic location (country/city level)
- Error logs and crash reports
- API request logs, including endpoints called and response times
Usage data is collected to operate, secure, and improve the Service. It is not used to build advertising profiles and is not shared with advertising networks.
3. How We Use Your Information
We use the information we collect for the following purposes, each grounded in a lawful basis under applicable data protection law:
To Provide the Service
Account information and project data are used to authenticate you, manage your subscription, process your schedules through our analysis engine, and deliver results. This is necessary for the performance of the contract between you and Constroma.
To Improve the Platform
Usage data and aggregated, anonymised analytics help us understand how the platform is used, identify performance bottlenecks, prioritise feature development, and fix defects. We do not use identifiable project data to train machine learning models without your explicit consent. This processing is based on our legitimate interest in operating and improving a reliable, high-quality service.
To Send Important Account Notifications
We use your email address to send transactional messages that are essential to your use of the Service, including:
- Account registration confirmation and email verification
- Password reset and security alerts
- Subscription billing receipts and renewal reminders
- Material changes to these Terms or this Privacy Policy
- Service status notifications for planned maintenance or outages
We may also send optional product updates and feature announcements. You can opt out of non-essential communications at any time via your account preferences or by clicking the unsubscribe link in any marketing email. Transactional messages cannot be opted out of while your account remains active.
To Meet Legal Obligations
We may process personal data where required to comply with a legal obligation, respond to lawful requests from government authorities, or protect the rights, property, or safety of Constroma, our users, or the public.
4. Data Storage and Security
Your data is stored on infrastructure provided by Supabase, built on PostgreSQL, hosted within the European Union (EU West region). We have chosen EU-based servers to support compliance with the General Data Protection Regulation (GDPR) and to provide strong data protection standards for all users regardless of their location.
We implement the following technical and organisational security measures:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Database storage is encrypted at rest using AES-256. Uploaded files (XER schedules and associated documents) are stored in encrypted object storage.
- Access controls: Row-level security policies in PostgreSQL ensure that users can only access their own data. Administrative access to production systems is restricted to a small number of authorised personnel and requires multi-factor authentication.
- Authentication: Passwords are hashed using bcrypt. We support and encourage the use of third-party OAuth providers (Google, LinkedIn, Apple), which provide additional authentication security.
- Audit logging: All privileged access to production data is logged and reviewed periodically.
While we take reasonable and industry-standard precautions to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and you use the Service at your own risk in this regard.
In the event of a data breach that is likely to result in a risk to your rights or freedoms, we will notify you and any applicable supervisory authority within the timeframes required by law.
5. Data Sharing
We do not sell, rent, or trade your personal information to any third party. We do not share your data with advertising networks, data brokers, or analytics companies for commercial purposes.
We share data only with the following sub-processors, strictly as necessary to operate the Service:
| Sub-processor | Purpose | Data transferred |
|---|---|---|
| Supabase | Database and file storage | All account and project data |
| Stripe | Payment processing | Name, email, billing address, payment method |
Each sub-processor is contractually required to process data only on our instructions, implement appropriate security measures, and comply with applicable data protection law. We do not allow sub-processors to use your data for their own purposes.
We may also disclose personal information if required to do so by law or in response to a valid legal request (such as a court order or regulatory inquiry), or where we believe disclosure is necessary to prevent fraud, protect our legal rights, or protect the safety of any person.
In the event that Constroma undergoes a merger, acquisition, or sale of all or part of its assets, your personal information may be transferred as part of that transaction. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.
6. Your Rights
Depending on your location and applicable law, you may have the following rights in relation to your personal data:
- Access: You have the right to request a copy of the personal information we hold about you.
- Correction: You have the right to request that we correct any inaccurate or incomplete personal information. You can update most account information directly in your profile settings.
- Export: You have the right to receive your personal data and project data in a structured, commonly used, machine-readable format (data portability). You can export your project data from the platform at any time via your account settings, or by contacting us.
- Deletion: You have the right to request deletion of your personal data. We will action deletion requests in accordance with Section 8 (Data Retention) and subject to any legal obligations that require us to retain certain information.
- Restriction: You have the right to request that we restrict processing of your personal data in certain circumstances, for example while a correction request is being assessed.
- Objection: Where we process your data based on our legitimate interests, you have the right to object to that processing. We will consider your objection and cease processing unless we have compelling legitimate grounds that override your interests.
- Withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at privacy@constroma.com. We will respond within 30 days of receiving your request. We may need to verify your identity before processing your request.
If you are located in the European Economic Area (EEA) or United Kingdom, you also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your personal data in accordance with applicable law.
7. Cookies
Constroma uses cookies and similar browser storage technologies (such as localStorage) solely to operate essential platform functionality. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
The cookies we use are:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Authentication session token (Supabase) | 1 hour (auto-refreshed) |
| sb-refresh-token | Session refresh token (Supabase) | 60 days |
| constroma-prefs | Stores UI preferences (e.g. theme, table column widths) | 1 year |
These cookies are strictly necessary for the Service to function. Blocking them through your browser settings will prevent you from logging in or using authenticated features. Because we only use essential cookies, we do not display a cookie consent banner — there are no optional cookies to accept or decline.
If we introduce non-essential cookies in the future (for example, for analytics), we will update this policy and, where required by law, seek your consent before setting them.
8. Data Retention
We retain personal data for as long as it is necessary to fulfil the purposes described in this policy or as required by applicable law.
- Active accounts: Your account information and project data are retained for the duration of your account. Project data associated with active or recently completed analyses is retained to allow you to access and re-export your results.
- Account closure: When you close your account or request deletion, we will retain your data for a period of 30 days. During this window you may reactivate your account or request a final data export. After 30 days, your account information and project data will be permanently and irreversibly deleted from our systems, including backups, unless we are required by law to retain it.
- Billing records: Invoices and payment records are retained for 7 years to comply with financial and tax reporting obligations. These records contain only your name, email, and billing amounts — not your project data.
- Usage logs: Server and access logs are retained for up to 90 days for security and operational purposes, then deleted on a rolling basis.
- Anonymised analytics: Aggregated and fully anonymised usage statistics (from which no individual can be identified) may be retained indefinitely for product research purposes.
9. Children's Privacy
The Constroma Service is a professional platform intended solely for use by individuals who are 18 years of age or older. We do not knowingly collect, solicit, or process personal information from children under the age of 18.
If you are under 18, please do not use the Service or provide any information through it. If we become aware that we have inadvertently collected personal information from a person under 18, we will take prompt steps to delete that information from our systems.
If you believe that a child under 18 has provided us with personal information, please contact us immediately at privacy@constroma.com so that we can take appropriate action.
10. Contact
If you have any questions, requests, or concerns regarding this Privacy Policy or the way we handle your personal data, please contact our privacy team:
For general support enquiries, please use support@constroma.com. Privacy-specific requests (access, deletion, correction) should be directed to the privacy address above to ensure they are routed to the appropriate team and handled within the required timeframes.
We aim to acknowledge all privacy-related requests within 5 business days and resolve them within 30 days. Complex or multi-subject requests may take longer; we will inform you of any expected delay.