Privacy Policy
How we collect, use, store, and protect your personal data, and the rights you have over it under UK data protection law.
Last updated: 31 May 2026
1. Who we are
This Privacy Policy explains how Bricks and Mortar Innovations Ltd ("we", "our", or "us") collects and uses your personal data when you use the Bricks & Mortar Renovations website and platform (the "Service"). The Service covers the whole of Bricks & Mortar Renovations, including our website at bamrenovate.co.uk and our application at dashboard.bamrenovate.co.uk, so this single Policy applies across all of them.
For the purposes of UK data protection law, we are the data controller. Our details are:
- Company: Bricks and Mortar Innovations Ltd
- Company number: 16343453, registered in England and Wales
- Registered address: College Lane Barn, College Lane, Ellisfield, Basingstoke, England, RG25 2QE
- Data protection contact: privacy@bamrenovate.co.uk. We have not appointed a Data Protection Officer.
- ICO registration:We are registered with the Information Commissioner's Office (ICO) under registration reference ZC027626.
This Policy is provided under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
2. The personal data we collect
We collect and process the following categories of data.
- Account data: information you provide when you create an account or contact us, such as your name, email address, and login credentials.
- Demo call requests: if you ask to book a demo call, you send us your name and contact details by email (to team@bamrenovate.co.uk) so we can arrange the call.
- Renovation content you upload: project details, notes, messages, and any documents or files you upload to the Service (which may contain personal data about you or others).
- AI inputs and outputs: the chat messages you send and the documents you submit to our AI features, and the responses generated for you.
- Usage and analytics data: information about how you use the site, such as pages viewed, interactions, device and browser information, approximate location derived from your IP address, and session-recording-style data (see the cookies and analytics section below). This is only collected after you consent to non-essential cookies.
- Payment data: if you subscribe to a paid plan, billing information is handled by our payment provider, Stripe, and we do not store your full card details.
3. How and why we use your data, and our lawful basis
We only process your personal data where we have a lawful basis to do so. The table below summarises each purpose and the relevant basis under Article 6 of the UK GDPR.
| Purpose | Data used | Lawful basis |
|---|---|---|
| Provide, operate and maintain the Service | Account data, uploaded content, AI inputs/outputs | Performance of a contract with you (Art. 6(1)(b)) |
| Arrange a demo call you request | Your name and contact details | Consent (Art. 6(1)(a)), or steps to enter into a contract at your request (Art. 6(1)(b)) |
| Analytics and understanding how the site is used | Usage and analytics data, cookies | Consent (Art. 6(1)(a)), given via the cookie banner |
| Marketing communications (where you opt in) | Email address | Consent (Art. 6(1)(a)) |
| Security, fraud prevention, and keeping the Service reliable | Account data, usage data | Legitimate interests in protecting our Service and users (Art. 6(1)(f)) |
| Responding to your enquiries and providing support | Account data, the content of your message | Legitimate interests, or performance of a contract (Art. 6(1)(b)/(f)) |
| Meeting legal and regulatory obligations | As required (for example billing records) | Legal obligation (Art. 6(1)(c)) |
Where we rely on your consent, you can withdraw it at any time (see your rights below). Withdrawing consent does not affect any processing carried out before you withdrew it.
4. AI features and how your content is processed
Some features of the Service use a third-party AI provider, Anthropic (the provider of the Claude models), to process the information you submit, namely your chat messages and any documents you upload, in order to generate responses for you.
Anthropic acts as a processor on our behalf for this purpose. When we send your content to the Anthropic API, that content is not used to train Anthropic's models. The data is processed under Anthropic's terms and our data processing arrangements with them. You can read more in Anthropic's privacy policy.
AI outputs are generated automatically and may contain errors. They are provided for general information only and are not a substitute for professional advice. See the AI guidance disclaimer in our Terms and Conditions.
5. Cookies and analytics
We use cookies and similar technologies. Strictly necessary cookies are needed for the site to function. Non-essential cookies, including analytics cookies, are only set after you give consent through our cookie banner, in line with PECR. The banner offers a genuine choice: you can Accept or Decline. If you decline, no analytics cookies or scripts are loaded. You can change your mind at any time by clearing the consent stored in your browser.
When you accept, we load the following analytics services, which set cookies and collect usage data.
Cookie and analytics table
| Service | Purpose | Category | Set before consent? |
|---|---|---|---|
| Cookie-consent preference (stored in your browser's local storage) | Remembers whether you accepted or declined non-essential cookies | Strictly necessary | Yes (essential, no consent required under PECR) |
| Google Analytics 4 (measurement ID G-QR8R9R2QF3) | Measures site usage and traffic, for example pages viewed and interactions | Analytics (non-essential) | No, loaded only after you accept |
| Hotjar (site ID 6420862) | Understands how visitors use the site through aggregated behaviour and session-recording-style data | Analytics (non-essential) | No, loaded only after you accept |
| Meta Pixel (pixel ID 919916350725946) | Measures the performance of our Meta (Facebook and Instagram) advertising and attributes conversions | Advertising (non-essential) | No, loaded only after you accept |
Google Analytics is provided by Google, Hotjar is provided by Hotjar Ltd, and the Meta Pixel is provided by Meta. Google Analytics and Hotjar are analytics cookies, while the Meta Pixel is an advertising cookie used to measure the performance of our Meta (Facebook and Instagram) ad campaigns. Each provider sets its own cookies and may process data outside the UK (see international transfers below). For more detail, see Google's privacy policy, Hotjar's privacy policy, and Meta's privacy policy. The main cookies are Google Analytics (the _ga and _ga_* identifiers, stored for up to 13 months), Hotjar (the _hjSessionUser_* identifier stored for up to 12 months and the _hjSession_* identifier stored for 30 minutes), and the Meta Pixel (the _fbp identifier, stored for up to 3 months). These are only set after you accept non-essential cookies.
6. Who we share your data with (recipients and processors)
We do not sell your personal data. We share it only with service providers who process it on our behalf, under contracts that require them to protect it and use it only on our instructions. Our main processors and sub-processors are:
| Provider | What they do | Location |
|---|---|---|
| Vercel | Website hosting and content delivery | United States / global edge network |
| Anthropic | AI processing of your chat messages and uploaded documents (not used to train its models) | United States |
| Google (Google Analytics) | Website analytics (after consent) | United States / global |
| Hotjar | Website analytics (after consent) | European Union (Malta), data hosted in the EU |
| Meta Platforms Ireland Limited | Advertising and conversion measurement via the Meta Pixel (only after you consent to cookies) | European Union and United States |
The providers listed above are our current sub-processors, and we put appropriate contractual data protection safeguards in place with each. We may also disclose data where required by law, to enforce our terms, or to protect our rights, users, or others.
7. International data transfers
Some of our providers are based in, or process data in, the United States or other countries outside the UK. Where we transfer personal data outside the UK, we put appropriate safeguards in place to protect it, which may include:
- the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses (SCCs);
- reliance on a UK adequacy decision, where one applies to the destination country; or
- another transfer mechanism permitted under UK GDPR, together with any necessary supplementary measures.
Where data is transferred outside the UK, we rely on a UK adequacy decision where one applies, or otherwise on the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses), so your data stays protected to UK standards. You can ask us for more information about these safeguards using the contact details above.
8. How long we keep your data
We keep personal data only for as long as we need it for the purposes set out in this Policy, or for as long as we are required to keep it by law.
When we no longer need your data, we delete it or anonymise it. As a guide:
- Account and project data: while your account is active, and for up to 6 years after it closes, to meet our legal, tax, and contractual record-keeping obligations.
- Documents you upload: while your account is active, and deleted within 30 days of account closure unless we are required to keep them longer.
- Demo call request emails: up to 12 months.
- Analytics data: up to 26 months (subject to each provider's own retention settings).
- Your cookie consent choice: up to 12 months, after which we ask again.
9. Your rights
Under UK data protection law, you have the following rights over your personal data:
- Access: to request a copy of the data we hold about you.
- Rectification: to have inaccurate or incomplete data corrected.
- Erasure: to ask us to delete your data in certain circumstances.
- Restriction: to ask us to limit how we use your data in certain circumstances.
- Portability: to receive certain data in a structured, machine-readable format, or to have it transferred to another controller.
- Objection: to object to processing based on our legitimate interests, and to object to direct marketing at any time.
- Withdraw consent: where we rely on consent, to withdraw it at any time.
To exercise any of these rights, please contact us at privacy@bamrenovate.co.uk. We aim to respond within one calendar month. We will not normally charge a fee, and we may need to verify your identity first.
10. Complaints and the ICO
We hope to resolve any concern you have about how we handle your data. If you are not satisfied, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk. We would, however, appreciate the chance to address your concerns first.
11. Security
We take appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction, including access controls and encryption in transit. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
12. Children
The Service is not intended for, or directed at, anyone under the age of 18, and we do not knowingly collect data from under-18s. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will update the "last updated" date above and, where the changes are significant, we will take reasonable steps to notify you. Your continued use of the Service after an update takes effect indicates your acceptance of the revised Policy.
14. Contact us
If you have any questions or requests about this Privacy Policy or your personal data, please contact us at privacy@bamrenovate.co.uk or by writing to us at College Lane Barn, College Lane, Ellisfield, Basingstoke, England, RG25 2QE.