Security note
Last updated 5 July 2026
Builders send us the drawings behind live jobs, so we treat every upload as commercially sensitive. This note explains, in plain English, what actually protects your data — each point below reflects how the product is built, not aspiration.
Where your data lives
- Storage and database — your projects, quotes and uploads are held on Supabase infrastructure (Postgres and object storage) in the UK: the production database runs in AWS London (eu-west-2). Supabase encrypts stored data at rest, and every connection to the site and API runs over TLS (HTTPS).
- Private file buckets — uploaded drawings are stored in private buckets with no public access. Files are only reachable by the backend, or through time-limited signed links that expire automatically.
Who can see what
- Row-level security — database access rules are enforced at the row level, so an account can only read its own projects, conversations and estimates.
- Invite-only accounts— sign-in is currently invite-only, and the app's workspace areas are authentication-gated before any page loads.
- Abuse limits — the anonymous quote-request flow is rate-limited to stop bulk scraping or spam submissions.
AI processing
Drawings are analysed using AI models accessed through their commercial APIs. Those API terms exclude using our inputs to train shared models — your drawings are processed to produce your estimate, and are never used to train models that others benefit from.
Deleting your data
You can delete a project — its drawings, conversation and estimate — from within the app. For anything beyond that, contact us via the details in our privacy policy and we will remove it.
Analytics
No analytics run until you opt in. Measurement tools (Google Analytics, Microsoft Clarity) stay inert unless you accept them through the cookie banner, and you can withdraw consent at any time via manage cookies.
Questions about any of this — or something you need in writing for a client — use the contact details in our privacy policy.