This Privacy & Security Policy describes how Construction Runner collects, uses, protects, and retains your data. Your data is collected solely for the purposes of site access, safety compliance, induction, RAMS acceptance, and legal health & safety obligations. It is not used for marketing or profiling.
1. What data we collect
Personal details: name, email, phone, address (optional if required by contractor)
National Insurance Number (optional)
Emergency contact details
Right to work documents (passport/visa expiry and file; passport number not stored)
Medical information (optional; allergies, medication, medical certificates)
Certifications and training records
RAMS acceptance records
Induction and site access records
2. Why we collect it
Data is used solely for site access management, safety compliance, pre-induction and site induction, RAMS acceptance tracking, and legal health & safety obligations. We do not use your data for marketing or profiling.
3. Who can see your data
Access is limited to: your employer (subcontractor or main contractor), site supervisors and main contractor admins for compliance purposes, and authorised administrators. Sensitive fields (NI number, medical notes, passport-related data) are restricted to yourself and admins only.
4. How long we keep your data
Induction records: 3 years
RAMS acceptance: 6 years
Training records: 3 years
Accident/incident records: 6 years
Pre-Induction Profile: 3 years after last activity
Deleted user accounts: purged after 90 days
5. Your rights
Right to Access: Download a copy of your data from Profile → Privacy & Data.
Right to Rectification: Edit name, phone, address, emergency contact in your profile.
Right to Erasure: Request account deletion. Legally required H&S records will be retained.
Right to Restrict Processing: Toggle "Restrict non-essential processing" so only admins can view sensitive fields.
6. How to request deletion
Log in → Dashboard → Profile → Privacy & Data tab → "Delete My Account". You can also contact your Data Protection Officer. Deletion will anonymise your account; induction, RAMS and training records are retained for legal compliance.
7. How we secure your data
HTTPS: All traffic is encrypted in transit.
Access control: Supabase RLS and server-side validation enforce role-based access.
Validation: Server-side validation on all APIs.
Audit logging: Verification actions, overrides, document uploads, and sensitive data access are logged.
Session security: Auto logout after 12 hours of inactivity.
File restrictions: Pre-Induction uploads limited to jpg, png, pdf; max 10MB.
8. Contact — Data Protection
For privacy or security queries, contact your company's data protection officer or the Construction Runner administrator. Include your email and a description of your request.