Privacy Policy
Last updated: March 2026
1. About This Policy
This privacy policy explains how Building Certifiers Hub (“we”, “us”, “our”) collects, uses, discloses, and protects your personal information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Privacy Act reforms effective June 2025.
We are committed to handling your personal information responsibly. This policy applies to all personal information collected through our website, including enquiry forms, reviews, certifier accounts, and automated data collection.
2. Information We Collect
2.1 Information You Provide Directly
- Enquiry forms: When you submit an enquiry to a building certifier through our platform, we collect your name, email address, phone number (if provided), and your message content. This information is forwarded to the relevant certifier.
- Reviews: If you submit a review of a building certifier, we collect your name, email address, star rating, and the review text. Your name and review content are published publicly on the certifier's profile.
- Certifier accounts: Licensed building certifiers who claim their profile provide their business email address and create account credentials. Claimed certifiers may also provide additional business details including logos, service descriptions, operating hours, languages spoken, and service areas.
2.2 Information Collected Automatically
- Analytics data: We use Google Analytics 4 (GA4) to collect anonymised usage data including pages visited, session duration, referral sources, device type, and general geographic region. GA4 uses first-party cookies and does not collect personally identifiable information. Google's privacy policy applies to this data processing.
- Cookies: We use essential cookies for website functionality (authentication sessions, security tokens) and analytics cookies for usage measurement. See Section 10 for details.
- Server logs: Our hosting provider (Vercel) collects standard server logs including IP addresses, browser user agents, and request timestamps. These logs are retained for operational and security purposes.
2.3 Information From Public Sources
Building certifier profiles on this website are compiled from publicly available sources. This data includes business names, Australian Business Numbers (ABNs), licence numbers, business addresses, and contact details. Sources include:
- The state building practitioner registers (licence status and certifier names)
- The Australian Business Register via ABN Lookup (business entity details)
- Google Places (publicly listed business addresses, phone numbers, and operating hours)
- Certifier websites (publicly available service descriptions and contact information)
This publicly available data is not “personal information” as defined under the Privacy Act where it relates to commercial business entities. However, where sole trader certifiers are identifiable individuals, we treat their data with the same protections outlined in this policy.
3. How We Use Your Information
We collect and use personal information only for the purposes described below, consistent with APP 6 (use or disclosure of personal information):
- Forward enquiries to the relevant building certifier via email notification
- Send email confirmations to users who submit enquiries
- Verify and publish reviews on certifier profiles
- Create and manage certifier accounts, including profile editing and lead management
- Process subscription payments for certifier listing upgrades
- Send transactional emails related to account activity (lead notifications, review alerts, billing confirmations)
- Analyse website usage to improve the service (aggregated, anonymised data only)
- Comply with legal obligations and enforce our terms of service
4. Automated Decision-Making
Our platform uses automated processes to determine how building certifier profiles are ranked and displayed in search results. No automated decisions are made that have a legal or similarly significant effect on individuals.
4.1 Search Ranking Algorithm
When you search for building certifiers, results are ordered using a combination of the following factors:
- Listing tier: Certifiers with paid listing upgrades (Premium or Featured) may appear higher in results than those on the free tier.
- Relevance: Text-based relevance scoring matches your search terms against certifier names, services, locations, and descriptions.
- Rating: Average review ratings contribute to ranking where reviews are available.
This ranking is applied uniformly and does not use personal information about the person performing the search. You can contact us if you have questions about how results are ordered.
5. Third-Party Services and Data Processing
We use the following third-party service providers to operate our platform. Each processes data on our behalf and is bound by its own privacy policy:
- Supabase (database and authentication): Stores user accounts, certifier profiles, reviews, and enquiry data. Data is hosted in the Sydney, Australia region (ap-southeast-2). Supabase's infrastructure is built on Amazon Web Services.
- Vercel (website hosting): Serves the website and processes server-side requests. Edge functions may execute in multiple regions, but persistent data is stored in Australia via Supabase.
- Stripe (payment processing): Processes subscription payments for certifier listing upgrades. Stripe collects payment card details directly — we do not store card numbers. Stripe is PCI DSS Level 1 certified.
- Resend (transactional email): Sends email notifications for enquiries, lead alerts, review notifications, and billing confirmations. Resend processes recipient email addresses and message content.
- Google Analytics 4 (usage analytics): Collects anonymised website usage data using first-party cookies. No personally identifiable information is shared with Google through our implementation.
- Sentry (error monitoring): Collects error and performance data to help us identify and fix technical issues. Sentry may process IP addresses and browser metadata in error reports, which are retained for 90 days.
6. Disclosure of Information
We may disclose personal information to:
- Building certifiers: When you submit an enquiry, your name, email address, phone number, and message are forwarded to the certifier you contacted. Certifiers with claimed profiles can view and manage leads through their dashboard.
- Service providers: The third-party services listed in Section 5, which process data on our behalf for the purposes described in this policy.
- Legal requirements: Where required or authorised by Australian law, including to comply with a court order, subpoena, or regulatory request.
We do not sell, rent, or trade personal information to third parties for marketing purposes.
7. Overseas Disclosure
In accordance with APP 8, we disclose that some of our third-party service providers operate infrastructure outside Australia. Specifically:
- Stripe processes payment data in the United States.
- Resend processes email data in the United States.
- Google Analytics processes analytics data in the United States.
- Sentry processes error monitoring data in the United States.
- Vercel may process server requests through edge locations globally, though persistent data remains in Australia via Supabase.
We take reasonable steps to ensure that overseas recipients of personal information comply with the APPs or are subject to substantially similar privacy protections.
8. Data Security
Consistent with APP 11, we take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:
- Encryption in transit (TLS/HTTPS on all connections)
- Encryption at rest (AES-256 for stored data via Supabase)
- Row-level security policies in the database to restrict data access
- Authentication via secure, httpOnly session cookies
- Content Security Policy headers to mitigate cross-site scripting
- Stripe handles all payment card data — we never store card numbers
9. Data Breach Notification
In compliance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if we become aware of a data breach that is likely to result in serious harm.
Notification will be made as soon as practicable after we become aware of an eligible data breach, and will include the nature of the breach, the types of information involved, and recommended steps individuals can take in response.
10. Cookies
Our website uses the following cookies:
- Essential cookies: Required for the website to function. These include Supabase authentication session cookies (sb-*-auth-token) and security tokens (e.g., CSRF). These cannot be disabled without breaking core functionality.
- Analytics cookies: Google Analytics 4 sets first-party cookies (_ga, _ga_*) to distinguish unique visitors and track sessions. These collect anonymised data and can be blocked via your browser settings.
- Preference cookies: We store your cookie notice dismissal preference in your browser's local storage so the notice does not reappear on subsequent visits.
We do not use advertising cookies or third-party tracking cookies. Under Australian law, we are required to inform you about the use of cookies that collect personal information. You can manage cookies through your browser settings at any time.
11. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes described in this policy. When personal information is no longer needed, we take reasonable steps to destroy or de-identify it, consistent with APP 11.2.
- Enquiry data: Retained for 12 months from submission, then deleted. Enquiry metadata visible in certifier dashboards is de-identified after this period.
- Reviews: Retained for the life of the platform unless removal is requested by the reviewer. Published reviews (name and content) remain visible on certifier profiles.
- Certifier accounts: Retained while the account is active. Account data is deleted within 30 days of an account closure request, except where retention is required for legal or financial record-keeping.
- Authentication data: Session tokens are short-lived and expire automatically. Password hashes are deleted with the account.
- Analytics data: Google Analytics retains data according to its data retention settings (default 14 months). Sentry error data is retained for 90 days.
- Server logs: Retained by Vercel for up to 30 days.
- Rate-limiting data: IP-based rate limit counters stored in Redis expire automatically within 24 hours.
12. Your Rights Under the APPs
Under the Australian Privacy Principles, you have the right to:
- Access: Request access to the personal information we hold about you (APP 12). We will respond within 30 days.
- Correction: Request correction of personal information that is inaccurate, out of date, incomplete, or misleading (APP 13).
- Deletion: Request deletion of your personal information where we no longer need it for the purposes described in this policy.
- Complaint: If you believe your privacy has been breached, you may lodge a complaint with us directly. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
13. Building Certifier Data
Building certifier profiles are compiled from publicly available government registers and business listings. This data includes business names, ABNs, licence numbers, and business contact details. This information is publicly available and generally relates to commercial entities rather than individuals.
Licensed building certifiers may claim their profile through our platform and update their business information at any time. If you are a licensed building certifier and wish to modify, correct, or remove your listing, contact us at the address below.
14. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The updated policy will be posted on this page with a revised “last updated” date. Material changes will be noted at the top of the policy.
15. Contact Us
For privacy enquiries, access requests, correction requests, or complaints, contact us at:
Email: privacy@buildingcertifiershub.com.au
We aim to respond to all privacy-related requests within 30 days.