Privacy Policy

Effective date: 11 March 2026

HonestHome (“we”, “us”, or “our”) is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and the rights you have over your data when you use the HonestHome platform, including our website, applications, and related services (the “Service”).

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Portuguese data protection legislation.

1. Data Controller

The data controller responsible for your personal data is HonestHome. For any privacy-related enquiries, please contact us via our contact form.

2. Personal Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Full name (first name, middle name, and last name);
  • Email address;
  • Password (stored in hashed form — we never store plain-text passwords);
  • Preferred language (English or Portuguese).

If you register or sign in using a third-party provider (Google, LinkedIn, or Apple), we receive your name and email address from that provider. We do not receive or store your third-party password.

2.2 Project and Construction Data

When you use the Service to manage a construction project, we process:

  • Project name and physical location;
  • Builder company name and contact email;
  • Bill of Quantities (BoQ) spreadsheets you upload (Excel, CSV, or ODS files);
  • Builder invoices you upload for each billing period;
  • Extracted line items including codes, descriptions, quantities, and prices;
  • Construction schedules and payment milestones.

2.3 Site Notes and Photographs

When you document site visits, we may collect:

  • Note titles and descriptions;
  • Photographs you upload;
  • Geolocation coordinates (latitude and longitude) if you choose to attach location data;
  • Photo capture timestamps.

Geolocation data is optional. You can create site notes without providing location information.

2.4 Digital Signature Data

When you or another party signs a dossier through the Service, we collect:

  • Full legal name of the signatory;
  • NIF (Número de Identificação Fiscal / Tax Identification Number);
  • Signature timestamp;
  • Certificate information from the Chave Móvel Digital (CMD) service.

2.5 Audit Logs

We automatically log significant actions performed on the platform, including the action type, the user who performed it, the affected entity, a timestamp, and relevant metadata. Audit logs are maintained to ensure transparency and accountability in the construction auditing process.

3. How We Use Your Data

We process your personal data for the following purposes:

  • Providing the Service — to create and manage your account, process your uploaded documents, perform AI-assisted reconciliation, generate dossiers, and facilitate digital signatures;
  • Communication — to send you important information about your account, service updates, and responses to your enquiries;
  • Security and fraud prevention — to protect the Service, detect unauthorised access, and maintain audit trails;
  • Legal compliance — to comply with applicable laws and regulations, including responding to lawful requests from authorities;
  • Improvement of the Service — to analyse usage patterns and improve the platform’s functionality and user experience.

4. Legal Bases for Processing

We process your personal data based on the following legal grounds:

  • Performance of a contract (Article 6(1)(b) GDPR) — processing necessary to provide the Service you requested;
  • Legitimate interests (Article 6(1)(f) GDPR) — processing for security, fraud prevention, service improvement, and maintaining audit trails;
  • Legal obligation (Article 6(1)(c) GDPR) — processing required to comply with applicable laws;
  • Consent (Article 6(1)(a) GDPR) — where applicable, such as for optional geolocation data collection. You may withdraw consent at any time.

5. Third-Party Services and Data Processors

We share your data with the following third parties only as necessary to provide the Service:

  • Convex — our backend infrastructure provider that hosts the database and file storage. All uploaded documents, photographs, and generated PDFs are stored on Convex infrastructure;
  • Chave Móvel Digital (CMD) — the Portuguese government digital signature service. When you sign a dossier using CMD, your name, NIF, and the document hash are transmitted to CMD for signature validation;
  • OAuth providers (Google, LinkedIn, Apple) — if you choose to sign in with a third-party account, authentication data is exchanged with that provider;
  • AI processing services — we may use third-party AI services to assist with document reconciliation and translation. When used, only construction item descriptions are transmitted — never your personal identity data.

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

6. International Data Transfers

Your data may be processed outside the European Economic Area (EEA) by our infrastructure providers. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or other legally recognised transfer mechanisms.

7. Data Retention

  • Account data — retained for as long as your account is active. After account deletion, your data is soft-deleted and permanently removed within 90 days, unless longer retention is required by law;
  • Project data — retained for the duration of the project. Deleted projects follow the same 90-day permanent deletion cycle;
  • Audit logs — retained for the lifetime of the associated project to maintain the integrity of the audit trail, and may be retained longer if required by law;
  • Digital signature data — retained as part of the signed dossier for the legally required period.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you;
  • Right to rectification — request correction of inaccurate or incomplete personal data;
  • Right to erasure — request deletion of your personal data, subject to legal retention requirements;
  • Right to restrict processing — request that we limit how we use your data in certain circumstances;
  • Right to data portability — request your data in a structured, commonly used, and machine-readable format;
  • Right to object — object to processing based on legitimate interests;
  • Right to withdraw consent — withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us via our contact form. We will respond within 30 days.

You also have the right to lodge a complaint with the Portuguese data protection authority, the Comissão Nacional de Proteção de Dados (CNPD), at www.cnpd.pt.

9. Cookies and Tracking

The Service uses only essential cookies necessary for authentication and session management. We do not use advertising cookies, analytics trackers, or any third-party tracking scripts.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS);
  • Hashed password storage;
  • Role-based access controls within projects;
  • Authenticated file download endpoints;
  • Complete audit logging of all significant actions.

No system is perfectly secure. If you become aware of any security vulnerability or breach, please notify us immediately via our contact form.

11. Children’s Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The “Effective date” at the top of this page indicates the date of the most recent revision.

13. Contact

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at:

Contact form