Privacy Policy
Last updated: 7 June 2026
1. Introduction
This privacy policy explains how The Rams Agency LTD (trading as SiteVoice, "we", "us", or "our") collects, uses, stores, and protects personal data when you use our voice-powered inspection platform at sitevoice.app (the "Service").
SiteVoice enables site managers and inspectors in UK construction to record voice observations during inspections, which are processed by AI to extract defect items, categorise them by trade, and generate reports to assist with Building Safety Act 2022 record-keeping. Site managers can also invite contractors (trade leads) to action assigned work, and those contractors can in turn create accounts for their own operatives.
We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our role under UK GDPR depends on the type of data:
- Data controller — we act as data controller for account data (name, email, role), authentication events, billing data, error logs, and activity logs.
- Data processor — we act as data processor on behalf of your Company Account for the inspection Content you upload or generate through the Service (audio recordings, transcriptions, extracted defect items, photos). The customer company for which you work is the data controller for that Content.
Our Data Processing Addendum, available at sitevoice.app/dpa, sets out the processor obligations we accept in relation to Content.
2. Geographic Scope
SiteVoice is intended for organisations operating in the United Kingdom. The Service is designed around UK construction regulations (Building Safety Act 2022, Building Regulations 2010), UK data protection law (UK GDPR, DPA 2018), and UK business practices. We do not offer the Service to data subjects outside the UK, and we do not provide localised versions for other jurisdictions.
If you are located outside the UK, please do not register for or use the Service.
3. Information We Collect
3.1 Account Information
When you register for an account, we collect:
- Full name and email address
- Password (stored as a bcrypt hash with 12 salt rounds — we never store your plaintext password)
- Company name and details
- Your role within your organisation (for example site manager, contractor/trade lead, or operative)
- An optional profile picture (avatar) you choose to upload
- For contractors, the name of your firm or organisation
3.2 Inspection Data (Content)
When you use the Service to conduct inspections, we collect and process:
- Audio recordings of voice observations
- AI-generated transcriptions of your recordings
- Extracted defect items, including descriptions, locations, and severity
- Trade categories assigned to each defect
- Site and plot information you provide
- Inspection status and progress data
We process this inspection data as a data processor on behalf of your Company Account. The customer company you work for is the data controller. See our Data Processing Addendumfor full details of our processor obligations.
3.3 Photos and Media
You may upload photos to attach to inspections or individual defect items. These are stored securely in our cloud storage infrastructure (Cloudflare R2). Photos may incidentally show individuals on site; you are responsible for ensuring you have the right to capture and upload such images.
3.4 Shared Report Links
You may choose to create public share links for inspection reports (for example, to send a report to a client or contractor). When you create a share link, we generate a random token; anyone with the link can view the report without logging in. You can disable or delete share links at any time. Please take care when sharing these links — treat them like any other sensitive URL.
3.5 Payment and Billing Information
Payment processing is handled entirely by Stripe. We do not store your full card number, expiry date, or CVC on our servers. From Stripe we receive and store: a Stripe customer identifier, subscription status, billing cycle information, billing address, country, and the last four digits plus brand of the card used (for display purposes in your billing history). Full card details remain with Stripe.
3.6 Team, Contractor and Operative Accounts
When an administrator invites a team member or contractor to a Company Account, we collect and transmit the invitee's name, email address, and assigned role. Invitation emails are sent via Resend.
Contractors (trade leads) may create accounts for their own operatives. Where a contractor works for more than one Company Account on the Service, an operative account they create is mirrored across each of those companies so the operative can see the work assigned to them in one place. Each company remains the data controller for its own Content; a contractor or operative only ever sees data scoped to the specific sites, trades, and items assigned to them, and never the wider data of any company they work with.
3.7 Usage Data
We collect operational data to maintain and improve the Service:
- Activity logs (e.g., inspection created, item added, status changed) for audit compliance
- Login timestamps and authentication events
- Error logs for diagnosing technical issues
3.8 Technical Data
We use essential cookies and tokens for authentication and security purposes (described in Section 9). We do not use analytics cookies, third-party tracking technologies, or advertising trackers.
4. How We Use Your Information
We use the information we collect to:
- Provide the Service — process audio recordings, generate transcriptions, extract defect items, categorise by trade, and produce inspection reports
- Authenticate and secure accounts — manage login sessions, issue and rotate JWT tokens, enforce account lockout after failed attempts, and validate CSRF tokens
- Process payments — manage subscriptions, track usage against quotas, and handle billing through Stripe
- Facilitate communications — send team invitation emails, shared report notifications, and essential service communications via Resend
- Maintain compliance and audit trails — log activities as required for Building Safety Act 2022 compliance, enabling your organisation to demonstrate inspection diligence
- Improve the Service — diagnose errors, monitor service health, and identify areas for improvement through internal analysis
5. Legal Basis for Processing
Under UK GDPR Article 6, we process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)) — Processing necessary to deliver the Service you have subscribed to, including audio transcription, defect extraction, report generation, and account management.
- Legitimate interests (Article 6(1)(f)) — Processing for security purposes (fraud prevention, account protection, rate limiting), service improvement (error diagnostics, performance monitoring), and essential business operations. We balance these interests against your rights and freedoms.
- Legal obligation (Article 6(1)(c)) — Maintaining activity logs and audit trails as required for Building Safety Act 2022 compliance and other regulatory obligations.
- Consent (Article 6(1)(a)) — Where applicable, such as for optional communications. You may withdraw consent at any time.
6. AI and Automated Processing
SiteVoice uses artificial intelligence to process your inspection data. We believe in transparency about how AI is used:
6.1 Audio Transcription
Your audio recordings are sent to OpenAI for transcription using their speech-to-text models. For users on Safari or Firefox browsers, we may use Deepgram as a fallback transcription provider. Audio is transmitted securely over HTTPS and processed shortly after upload via a queued processing pipeline (typically within seconds, though not strictly real-time).
6.2 Defect Extraction
Once transcribed, the text is processed by OpenAI's language models to extract individual defect items, assign trade categories (from the custom trade list your company configures, seeded with around 24 UK construction presets), and structure the data for your inspection reports.
6.3 How AI Outputs Are Used
AI-generated outputs (transcriptions, defect items, trade categories) are presented to you within the Service. You can review, edit, and correct any AI-generated content. AI outputs are used to structure your inspection data — they do not replace your professional judgement.
6.4 No Other AI Providers Receive Your Data
We do not send customer inspection data, account data, or any other personal data to any AI provider beyond OpenAI and Deepgram. SiteVoice uses other third-party AI services (including Google's Gemini API) only for internal purposes such as generating marketing blog content — never for processing data that belongs to you or your Company Account.
6.5 No Automated Decision-Making with Legal Effects
We do not use AI or automated processing to make decisions that produce legal effects or similarly significantly affect you. All AI outputs are tools to assist your inspection workflow, not autonomous decisions.
7. Data Sharing and Subprocessors
We share your personal data only with the following subprocessors, each of which processes data on our behalf in order to deliver the Service:
- OpenAI (United States) — Audio transcription and defect item extraction from inspection recordings
- Deepgram (United States) — Speech-to-text fallback for browser compatibility
- Stripe (United States) — Payment processing, subscription management, and billing
- Resend (United States) — Transactional email delivery (team invitations, report sharing, service notifications)
- Cloudflare (Global) — File storage (R2) for inspection photos and media
- Google Fonts (Global) — Font delivery for the application interface
- Replit (United States) — Application hosting and infrastructure
- Replit (United States) — PostgreSQL database hosting
Each subprocessor is bound by their own privacy policies and data processing agreements. We have selected providers that maintain appropriate security standards. Details of transfer safeguards and data categories are set out in our Data Processing Addendum, Annex 2.
We do not sell your personal data to third parties. We do not share your data with advertisers, data brokers, or any parties beyond the subprocessors listed above.
8. International Data Transfers
Several of our subprocessors (OpenAI, Deepgram, Stripe, Resend, Replit) are based in the United States. This means your data may be transferred from the United Kingdom to the United States for processing.
These transfers are protected by appropriate safeguards in accordance with UK GDPR, including:
- Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum (IDTA) where applicable
- Providers certified under recognised frameworks and maintaining appropriate technical and organisational security measures
Full details of transfer safeguards for each subprocessor are set out in our Data Processing Addendum, Annex 2. You may also request more information by contacting us at the address in Section 16.
9. Cookies and Similar Technologies
We use only essential cookies and storage mechanisms required for the Service to function. We do not use analytics cookies, advertising cookies, or third-party tracking technologies. Full details are set out in our Cookie Policy. A summary follows:
9.1 Cookies We Use
| Name | Purpose | Type | Expiry |
|---|---|---|---|
| refreshToken | Maintains your login session securely | httpOnly, Secure cookie | 7–30 days |
| csrfToken | Protects against cross-site request forgery attacks | Readable cookie | 24 hours |
9.2 Local Storage
We use your browser's local storage to save user preferences. This data never leaves your device and is never transmitted to our servers or shared with third parties. The keys we use are:
sitevoice-theme— your light/dark mode preferencesitevoice_currency— your currency display preference (GBP or USD)sidebar-expanded— whether the app sidebar is expanded or collapsedsitevoice-recent-searches— up to five of your most recent search queries for quick accessreport-summary-collapsed— whether the executive summary on public report pages is collapsedactiveCompanyId— for users who belong to more than one company, remembers which company workspace you last had activesitevoice-cookie-consent— remembers whether you accepted or rejected analytics cookies
9.3 Analytics
With your consent, we use Google Analytics 4 to understand how visitors use our site so we can improve it. Analytics cookies are only set if you click "Accept" on our cookie banner; if you decline, no analytics data is collected. See our Cookie Policy for details. We do not use Facebook Pixel or any advertising trackers, and we do not serve targeted advertisements.
10. Data Retention
We retain different categories of data for different periods, based on operational, legal, and regulatory requirements:
| Data type | Retention period |
|---|---|
| Account data (name, email, company) | Retained while your account is active. Upon account closure, we aim to delete personal account data within 90 days, subject to legal retention obligations. |
| Inspection data (audio, transcriptions, defect items, photos) | Retained while your Company Account is active. Upon closure, retained for 90 days for recovery purposes, then deleted unless you have requested export or your Company Account requires extended retention for Building Safety Act 2022 compliance. |
| Activity logs (audit trail) | Retained for a minimum of 6 years to support Building Safety Act 2022 record-keeping obligations. |
| Error logs (technical diagnostics) | Retained for diagnostic purposes. We are implementing automated cleanup of error logs older than 90 days. |
| Refresh tokens | Automatically expire after 7 days (30 days if you select "Remember Me") |
| Password reset tokens | Expire after 1 hour |
| Stripe billing records | Stripe retains billing records in line with UK HMRC requirements (7 years for VAT-registered businesses). We retain references indefinitely while your Company Account is active. |
| Database backups | Rolling backups maintained by our database host, typically with a retention window of 30 days before being overwritten. |
You may request deletion of your data at any time by contacting us (see Section 16). Deletion requests will be fulfilled within 30 days, subject to any legal retention obligations above. We are currently developing a self-serve "delete my account" feature in the account settings; once available, this will be the preferred method for requesting deletion.
11. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you
- Right to rectification — Request correction of inaccurate or incomplete data
- Right to erasure — Request deletion of your personal data (subject to legal retention requirements)
- Right to restriction — Request that we limit how we process your data
- Right to data portability — Receive your data in a structured, commonly used, machine-readable format
- Right to object — Object to processing based on legitimate interests
- Right to withdraw consent — Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at hello@sitevoice.app. We will respond to your request within one month.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit — All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
- Password security — Passwords are hashed using bcrypt with 12 salt rounds; we never store plaintext passwords
- Token security — JWT access tokens are short-lived (15 minutes) and rotated on refresh; refresh tokens are stored in httpOnly cookies
- Account protection — Accounts are locked after 5 failed login attempts with a 15-minute lockout period
- CSRF protection — All state-changing requests require a valid CSRF token
- Multi-tenant data isolation — Each company's data is logically separated to prevent cross-tenant access
- Content Security Policy — HTTP security headers are configured to prevent common web attacks
- Rate limiting — Authentication endpoints are rate-limited to prevent brute-force attacks
13. Children's Privacy
SiteVoice is a professional tool designed for use in the UK construction industry. The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately and we will take steps to delete such information.
14. Breach Notification
In the event of a personal data breach, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, in accordance with Article 34 of the UK GDPR. Notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we have taken or propose to take.
Where we act as a data processor for Content on behalf of your Company Account, we will notify your Company Account's administrators of any breach affecting that Content within 48 hours of becoming aware of it, enabling the Company Account (as data controller) to meet its own notification obligations.
15. Changes to This Policy
We may update this privacy policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page.
For significant changes that affect how we process your personal data, we will notify you through the Service or by email before the changes take effect. We encourage you to review this policy periodically.
16. Contact Us
If you have any questions about this privacy policy, your personal data, or wish to exercise your data protection rights, please contact us:
- Company: The Rams Agency LTD (trading as SiteVoice)
- Companies House number: 15099138
- Registered office: 1 Chartley Drive, Littleover, Derby, England, DE23 3BG
- Email: hello@sitevoice.app
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113