LetsBuild privacy policy

Last updated: September 01, 2019

LetsBuild Belgium SA (previously AproPlan SA) and LetsBuild Denmark ApS (previously Geniebelt ApS) are part of the LetsBuild Group (collectively with any subsidiaries and affiliates, “LetsBuild”, “Company”, “data controller”, “we”, “us”, and/or “our”). This Privacy Policy will explain how the Company uses and protects personal information belonging to account holders for any of our products, AproPlan or GenieBelt, or visitors to our website LetsBuild.com our any other websites on which this Privacy Policy appears, as well as users of the Company’s Services (“Services”), including any software, mobile applications, products, devices or other services offered by Letsbuild. Your personal data will only be used in accordance with this Privacy Policy, which is governed by the European General Data Protection Regulation (GDPR).

Our principles regarding user privacy and data protection:

We believe user privacy and data protection are human rights.
We take protecting your privacy seriously, and we recognise we have a duty of care to the people whose data we hold.
We will only collect and process data when it is absolutely necessary, and when we do, we will make it clear why we are doing so and how it will be used.
We will always strive to only provide you with content that is of interest to you, based on your choices or user patterns. And we will give you the option to unsubscribe from our emails wherever possible.

What is the role of LetsBuild?

LetsBuild is a leading provider of cloud-based construction management software. LetsBuild was formed following the merger of two companies: AproPlan SA based in Brussels, Belgium and GenieBelt ApS based in Copenhagen, Denmark. LetsBuild offers two Applications (AproPlan and GenieBelt) that complement each other into one end-to-end solution for the construction phase. LetsBuild is a Data Controller as we determine the purposes and means of processing of personal data. LetsBuild is a Data Processor as we process data on behalf of customers.

For more information, please visit our website LetsBuild.com where you can fill in the form to request a demo.

Which data do we collect?

LetsBuild collects information that personally identifies you and other information about you. This may include:

Name, email address, phone number, language or other contact details;
Profile pictures;
Company name, sector and job title;
Address, country, location and time zone;
Credit card or other financial account information in connection with your order to purchase the Services;
Project activities, communications, pictures and documents;
Hardware and software information (operating system, app version, device model, mobile device unique ID, available storage, memory consumption, …);
IP address, connection and internet information (browser version and type, referring/exit pages…)
Your activities on the Company websites and applications (actions, browsing patterns, duration and timestamp information,…);
Any information that you upload to our websites and applications;
Any other information you may provide to us voluntarily through your use of our websites, Applications or Services.

How do we collect data?

Information you provide to LetsBuild
On the LetsBuild website, in either of the Applications or in our Academy, you provide personal information when you request a call or a demo, purchase our Services or register as a user within an Application. You also provide us with personal information when you update your account profile or when you use our website, Applications and Services (support, academy,…).
It is of course your decision whether you want to provide this information. However, if you choose not to provide the requested information, you may not be able to use some or all of our features or services.
Information provided by other users of the Application
We may receive information about you from other sources, including your company, colleagues or third parties who are LetsBuild customers. We will combine this data with information we already have about you in order to update, expand and analyse our records.
If you provide us with information about others, or others provide us with your information, we will only use that information for the specific reason for which it was provided to us (invitation to the Application, etc).
Information we collect automatically
The website and Applications of LetsBuild collect a series of general data and information when you perform an action on the website or when our Applications are running on your devices.

How will we use your data?

We may use your personal information for the following purposes:

Running of the Applications: LetsBuild requires basic personal data such as name, email address, phone number, title, company, etc to establish physical persons as account holders on the LetsBuild software platforms. These data are for instance displayed in the Application to list participants of each project and to identify the author of each action. This and other information such as address, country, location and time zone are for instance used to display dates/time in a correct format and to generate reports within the Applications.

Questions, support and requests: if you contact us by email, chat, phone or otherwise, we will use the personal information you provide to answer your question or resolve your problem. Our supporters will also access all other information and statistics they could think useful to improve the quality of the answer.

Order Fulfilment: We may use personal information that you provide to fulfill any orders you may place for Services offered by LetsBuild.

Contacting you about Application updates, other products, services and events: LetsBuild may use your personal information to contact you with information about product updates, services and events that may be of interest to you. LetsBuild may periodically send promotional emails about new features, special offers or other information which LetsBuild thinks the account holder may find interesting, using the email address which the account holder has provided, if the account holder has agreed to receive such information.

Service Improvement: your personal data is also required in order to understand account holder needs and provide the account holder with better service. LetsBuild may use the information to improve our products and services.

Research and Data Analysis: From time to time, LetsBuild may also use the account holder’s information to contact the account holder for market research purposes, surveys, contests and other special offers. If you elect to participate in these services, you may need to provide certain personal information.

Provision and Monitoring of the Services: We will use your personal information to provide you with access to and to support your use of the Services and to monitor your use of the Services.

LetsBuild may also collect and store personal data from website visitors and persons that download resources from LetsBuild’s websites or similar. In general, LetsBuild will collect information on which pages you visit and when (your “electronic footprint”), which browser you are using and which IP-address you are using. LetsBuild may also ask you to provide your name, email address and other personal data to provide you with downloadable/viewable resources on the website or provide access to our newsletter list. This data is used to analyse LetsBuild’s website traffic and usage to improve the website experience for all our users.

LetsBuild will not use your personal data for other purposes than those listed when you provided your consent.

What are your data protection rights?

The GDPR grants individuals some rights over their personal data. This Privacy Policy will provide you with information about such rights and a method by which you can exercise them.

I. The right to be informed
With the below exceptions, LetsBuild will not sell, distribute or lease your personal information to third parties unless LetsBuild is required by law to do so. LetsBuild may use your personal information to send you promotional information about third parties which LetsBuild think you may find interesting if you consent to this in advance.
You may at any time request access to the following information about your personal data held by LetsBuild :

- the purposes of any data processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- where the personal data is not collected from the data subject, any available information as to its source;
- whether personal data is transferred to a third country or an international organisation. Where this is the case, you have the right to be informed of the appropriate safeguards relates to same transfer.

For any of the above requests, you may at any time contact LetsBuild by using the contact details provided in the “How to contact us” section below. LetsBuild will take action without undue delay.

II.The right of access

If you wish to access your personal information, you can do so at any time by contacting us using the contact details provided in the “How to contact us” section below. LetsBuild will promptly give you your requested information.

III. The right of rectification

If you wish to correct or update your personal information, you can always do so by changing the relevant settings in your profile account. You have the right to obtain from LetsBuild without undue delay the rectification of inaccurate personal data concerning your person. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed by providing supplementary information. If you believe that any information LetsBuild holds about you is incorrect or incomplete, please write to or email LetsBuild as soon as possible using the contact details provided in the “How to contact us” section below. LetsBuild will promptly correct any information found to be incorrect.

IV. The right of erasure

You have the right to request from LetsBuild the erasure of personal data concerning you without undue delay, and LetsBuild has the obligation to erase personal data without undue delay where one of the following grounds applies:

The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.
The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
The personal data has been unlawfully processed.
The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

V. The right to restrict processing and to object

You may choose to restrict the collection or use of your personal information in the following ways:

Whenever you are asked to fill in a form on any of LetsBuild’s websites, we will clearly inform you for which purpose we are asking for your information and we will provide you with the option to opt in or out of different uses of your personal data.

You have the right to request restriction of processing of your personal data by LetsBuild as follows:

The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use instead.
The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

You have the right to withdraw consent given to the processing of your personal data by LetsBuild unless this is regulated by contract or other statutory law. If you have previously agreed to LetsBuild using your personal information for e.g. direct marketing purposes, and you no longer wish us to hold your data, you may change your mind at any time by clicking on the “unsubscribe” link in the marketing emails we send you.

VI. The right to contact the authorities

If you have any complaints about how we handle your personal data, please contact us so we can resolve the issue, where possible. If you need to go further, you have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority (for some of them, see “How to contact the appropriate authorities?” section below).

How do we secure your data?

LetsBuild is committed to ensuring that your information and other personal data collected is secure. In order to prevent unauthorised access or disclosure, LetsBuild has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information LetsBuild collects online.

LetsBuild analyses collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process.

I. Purpose of the security measures

The security measures are documented and will be updated if changes are made.

The technical and organisational measures are subject to future technical advancements and developments. For this purpose, data controllers are permitted to implement alternative, suitable measures which may not fall below the security level for the measures previously set out. Important changes must be documented.

The data processor will implement the following technical and organisational security measures to ensure a level of security appropriate to the processing operations agreed upon and which thus fulfil Article 32 of the General Data Protection Regulation.

The measures are determined according to the following considerations:

Technical feasibility
Implementation costs
The nature, scope, context and purpose of the processing
The consequences of a security breach
The risk associated with the processing operations, including the risk of
- destruction of data
- loss of data
- change of data
- unauthorised disclosure of data
- unauthorised access to data

The measures are implemented to avoid the personal data being:

destroyed, lost, altered or adversely affected,
made available to unauthorised persons or misused, or
otherwise processed in infringement of the law

II. General security measures

Data center

Currently, we host our data on MS AZURE and Amazon Web Services (AWS)
Our services are distributed across several separate physical data centers such they can scale with increased load and are resilient to data center outages such that services remain available and responsive.

Protection against loss of data

Account data is continuously mirrored and backed up on a daily basis on logical and physically separate servers (for instance: Amazon Web Services (AWS)).
There are always several copies of all the data. The data is replicated inside our main datacenter (Azure Europe-West), to a secondary datacenter (Azure Europe-North) and to another provider (Amazon Europe-West). The database is mirrored to the secondary datacenter. Regular backups are scheduled, and those backups are replicated to the other provider. Files are synchronously replicated to the second datacenter and replicated to the other provider.
AZURE guarantee 30 days of complete Roll-back possible.
Technically the RTO has been set to 3 days.

Security at Application level

Sensitive data – e.g. user passwords – are solely stored in encrypted form.
Specific password policy is in place for the Web app.
All traffic from clients to LetsBuild is SSL encrypted, including login pages.
Brute-force / DDOS prevention mechanisms are in place, including blocking login to accounts after repeated failed attempts.

Architectural security

The system is designed from the ground up with security in mind.
- The infrastructure is precisely documented; also, infrastructure specifications are stored in GitHub and are thus versioned and revision controlled.
- All systems are encapsulated in a VPN.
- Certain VPNs are peered to allow various subsystems to communicate. This traffic is thus private and can be precisely controlled.
- End-user access is only possible through HTTPS.
- Developer access is granted only on a by-need basis.
- Each environment only allows developer access via a single bastion host, from which the developer may access internal infrastructure, thus ingress to the system is only possible via HTTPS (as an end-user), and via SSH through the VPN to the bastion host.
- All secrets required by LetsBuild services (such as passwords for internal databases or external, third-party services such as emailing services) are stored using secured Vault (1Password tool for instance). Thus, developers are never in direct contact with passwords. Vault automatically revokes and recreates e.g. database passwords on a regular schedule.
We enforce the use of two-factor authentication for all developers to all services that can impact our production environment.
To aid in the proactive identification of software vulnerabilities, we have implemented a responsible disclosure program to encourage security researchers to perform independent external audits of LetsBuild.
The system automatically scales in response to increased load; monitoring systems are in place to detect anomalies and report them to relevant engineers.

Internal IT security

All members of staff receive instructions from the data processor with regards to protection of client data. The data processor has implemented internal guidelines for the protection of client data which are in compliance with the data protection regulation.

III. Authorisation and access control

All the data processor’s members of staff who have access to personal data have been authorised by the data processor. Authorisations describe the purpose of staff members’ access. Staff only have access to personal data for operational or technical purposes.

The data processor’s staff do not have access to personal data which are not covered by their authorisation. The data processor will keep the number of authorisations at a minimum.

The data processor verifies and updates authorisations on an ongoing basis. Authorisations are changed or revoked when a member of staff changes job title, area of responsibility or conditions of employment.

IV. Workplaces & workplaces at home

We have secured our offices in an efficient way. All employees have badges to unlock the doors if they are securely closed. Visitors have to check in when they come into the office.

The data processor’s processing of personal data is partly carried out via the use of workplaces at home. The data processor’s staff can access the Application from external locations featuring the same security measures as described in “External communications links”. All members of staff have been instructed in using only work computers with full encryption of the hard disk. As outlined above, access to servers for operational or technical purposes is only possible through encrypted remote access, SSH, when connected to the VPN.

V. External communication links & links to other websites

Our website may contain links to other websites of interest. However, once you use such links to leave our site, you should note that LetsBuild does not have any control over third party websites. Therefore, LetsBuild cannot be responsible for the protection and privacy of any information provided by you whilst visiting such sites. Also, third party sites are not governed by this privacy statement. You should exercise caution and study the privacy statement applicable to the website in question.

Communication between the user at the data controller and the LetsBuild Applications is encrypted both for web Application and mobile apps. The servers are configured to allow communication only via encrypted connections and promptly redirects the user to an encrypted connection in case the user attempts to create an insecure connection.

Ordinary mail and text communications to the data subject are not encrypted.

Who we share your personal information with?

LetsBuild uses third party data processors for the following purposes:

Analytics, analysis and dashboarding: website movements, page views tracking (IP address and website usage only), usage analysis, …
Marketing: We collect information provided by website visitors who consent to our use of same information for various specified purposes, including newsletters. (Name, email address, etc)
CRM/sales system: Collects information on LetsBuild account holders (name, email, telephone number, company name, password) that sign up to LetsBuild as users, and potential account holders (leads) that sign up for live demos, as well as other leads provided by external or internal sources.
In-app usage: Collects information on LetsBuild account holders (name, email, company name, telephone number, password) and their usage patterns.
Storage and document management: LetsBuild is a cloud-based Application and user data is stored on third party cloud servers.
Help center: answer customer’s questions on a reactive or proactive way.
Communication: via phone, chat emails or other ways of communication.
Onboarding: teach and onboard new our existing users.
Product management tools: management of project and improvement of products.

LetsBuild has secured Data Processing Agreements with all such third parties to ensure that LetsBuild user and visitor data is handled in accordance with this Privacy Policy. Some of these third party processors process and/or store data outside of the EU, mainly in the USA. LetsBuild has signed Data Processing Agreements with these parties to ensure the correct and lawful treatment of personal data.

How long do we keep your personal data?

LetsBuild shall process and store the personal data only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the controller is subject to. We will retain your information for as long as we have an ongoing business need to do so. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data is routinely blocked, de-identified or erased in accordance with legal requirements. If this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

What about the privacy of children?

We do not knowingly collect personal information from children under the age of 13. If we become aware that we have inadvertently received personal information from a child under the age of 13, we will delete such information from our records.

What happens if we change our Privacy Policy?

This policy may change from time to time. The latest effective date will be highlighted at the top of the policy information.

We will update this Privacy Policy when necessary to reflect customer feedback, changes in our program/projects and services or legal changes. When we post changes to this policy, we will revise the “Effective Date” at the top of the Privacy Policy.

If there are material changes to the Privacy Policy or in how LetsBuild will use your personal data, we will notify you either by prominently posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review this Privacy Policy to learn how LetsBuild is processing your information. Please print a copy of this Privacy Policy for your records.

How to contact us?

If you want to contact us (for instance, in the context of exercising any rights described above or if you are dissatisfied):

By email, using dpo@letsbuild.com
By post, using this address: Chaussée de Bruxelles 135A, 1310 La Hulpe, BELGIUM

How to contact the appropriate authorities?

If you want to reach the Belgian authorities, visit https://www.dataprotectionauthority.be/contact-us
If you want to reach the Danish authorities, visit https://www.datatilsynet.dk/english/contact-us/

Cookie	Duration	Description
__cfruid	session	This cookie is set by the provider Cloudflare. This cookie is used for load balancing and for identifying trusted web traffic.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cf_use_ob		This cookie is set by the provider Cloudflare content delivery network. This cookie is used for determining whether it should continue serving "Always Online" until the cookie expires.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
gdpr_status	6 months 2 days	This cookie is set by the provider Media.net. This cookie is used to check the status whether the user has accepted the cookie consent box. It also helps in not showing the cookie consent box upon re-entry to the website.
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
XSRF-TOKEN	2 hours	The cookie is set by Wix website building platform on Wix website. The cookie is used for security purposes.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie is set by CloudFlare. The cookie is used to support Cloudflare Bot Management.
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Cookie	Duration	Description
_fs	16 years 7 months 14 days 10 hours	This cookie is provided by Google Tag Manager. This cookie is used for collecting information on user preferences and the behaviour with web campaign content. This is used by website owners for promoting products and events.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
_gat_UA-136886650-2	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_136886650_2	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.