BuildConsult
PrivacyTerms

Last updated: 17 May 2026

Privacy Policy

This Privacy Policy explains how Haraka Consulting (Pty) Ltd ("Haraka", "we", "us") collects, uses, and protects personal information processed through the BuildConsult service. It is written to comply with the Protection of Personal Information Act, 2013 ("POPIA") of South Africa.

BuildConsult is a conversational diagnostic tool for South African construction SMEs. By signing in you become a data subjectwhose personal information is processed by Haraka as the responsible party.

1. What we collect

Profile information you provide at onboarding:

  • Full name
  • Company name
  • Sub-sector of the construction industry
  • CIDB grade (optional)
  • Annual turnover band (categorical, not a precise figure)
  • Staff count band (categorical, not a precise figure)
  • Province in which you operate

Account information: your email address, used for sign-in via magic link.

Session content: the messages you send and the responses from the BuildConsult AI advisor, any files you upload to a session, and the diagnostic reports generated at the end of a session.

Consent records: a timestamped log of whether you have granted, withdrawn, or reactivated consent for data use under section 3.

We do not collect special personal information (e.g. health, religion, biometric data). We do not place tracking cookies or advertising pixels.

2. Why we collect it

  • To deliver the service. Your profile lets the AI advisor tailor questions and benchmarks to your sub-sector and scale. Your sessions and reports are stored so you can return to them later.
  • To authenticate you. Your email is the basis of your sign-in.
  • To improve the product, where you have consented.With your explicit, separately captured consent (see section 3), we use anonymised and aggregated insights from session content to develop SA construction benchmarks and improve the AI advisor. Individual conversations are never shared with other users.

3. Your consent — POPIA

At onboarding you are presented with two separate consent options, neither pre-ticked:

  • Data use consent — required to continue. Authorises BuildConsult to use your session content in anonymised, aggregated form for product improvement and benchmarking.
  • Marketing consent — optional. Authorises occasional product updates and industry insights via email.

You may withdraw either consent at any time from your account settings. Future sessions will then not contribute to product-improvement data sets. Data already anonymised and aggregated before withdrawal cannot be reversed, as it can no longer be linked back to you. Withdrawing consent does not affect your ability to use the service.

4. Where your data is stored

Personal information is stored on the following sub-processors. All sub-processors used by BuildConsult host data in jurisdictions with comparable data-protection regimes (EU GDPR), which POPIA recognises as adequate for cross-border transfer.

  • Supabase — primary database and file storage. Hosted in the EU.
  • Vercel — application hosting and request delivery. Edge-deployed; primary application data is not stored at Vercel.
  • Anthropic — processes the content of your session messages to generate AI responses. Anthropic processes data under its commercial terms and data-processing addendum, which prohibit training on customer content. Hosted in the United States.
  • Resend — transactional email delivery (magic links). Hosted in the EU.

5. How long we keep it

  • Account, profile, sessions, reports: retained for as long as your account is active. Deleted within 30 days of you deleting your account.
  • Anonymised, aggregated insights: retained indefinitely as part of our benchmarking data set, with no link back to your identity.

6. Your rights under POPIA

  • Right to access: you can view your profile and your session history at any time inside the app.
  • Right to correction: you can update any profile field from your account settings.
  • Right to deletion: you can permanently delete your account from your account settings. This removes your profile, all sessions, messages, attachments, and reports.
  • Right to withdraw consent: see section 3.
  • Right to complain to a regulator: you may lodge a complaint with the South African Information Regulator at inforegulator.org.za.

7. How we keep your data secure

Data is encrypted in transit (TLS) and at rest. Database access is restricted by row-level security so that each user can only access their own data. The AI advisor never receives system-prompt content client-side, and our service key is server-side only. We retain only what is required to deliver the service.

Notwithstanding our safeguards, no internet service can be guaranteed 100% secure. In the unlikely event of a personal-data breach affecting your information, we will notify you and the Information Regulator without undue delay.

8. Contact us

For any privacy questions, requests, or to exercise your POPIA rights beyond what the app exposes, contact:

Haraka Consulting (Pty) Ltd
Email: auth@harakaconsult.com

9. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email to active users with at least 14 days' notice. The current version is always available at harakaconsult.com/privacy.

This document is a working draft. It will be reviewed by a South African attorney with privacy practice before BuildConsult is made available beyond design partners.