Legal · Privacy Statement

Privacy Statement

Last updated: 24 May 2026

This statement explains how Base PM handles personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. About this statement

Base PM ("Base PM", "we", "us") is an Australian-operated software-as-a-service platform for construction project management, estimation and AI-assisted document analysis. We are committed to handling personal information openly and responsibly.

This Privacy Statement applies to personal information we collect through the Base PM web application, marketing site, support channels and any related services. By using Base PM, you consent to the practices described in this statement.

2. The kinds of information we collect

The categories of personal information we collect depend on how you use the Service. They typically include:

Category	Examples
Account information	Name, business name, email address, password hash, role, profile photo.
Billing information	Stripe customer ID, plan, last four digits of payment card, billing address, GST/ABN. Full card numbers are stored by Stripe, not by us.
Project & CRM data	Names and contact details of clients, leads, contacts, suppliers, subcontractors and crew that you choose to enter.
Documents	PDFs, drawings, specifications, scopes, invoices, receipts, photos and other files you upload.
AI prompts & outputs	The chat messages you send to AI assistants, files you ask them to analyse, and the responses generated.
Integration data	Tokens and metadata from Microsoft Outlook, Google services and other connected accounts you authorise.
Usage & device data	IP address, browser type, pages viewed, feature events, timestamps and approximate location derived from IP.
Support information	Messages and attachments you send to support, and any feedback you provide.
Cookies	Authentication cookies (Supabase), preference cookies and minimal analytics cookies.

We do not knowingly collect "sensitive information" (as defined in the Privacy Act) such as health, racial or political information. Please do not upload sensitive information to Base PM.

3. How we collect personal information

From you directly — when you sign up, configure your account, upload documents, send a chat message to an AI assistant, or contact us.
From your team — when an administrator invites you to a workspace or assigns you to a project.
From third-party integrations you authorise — such as Microsoft Outlook or Google Workspace, when you connect those services.
Automatically — through cookies, logs and analytics events when you use the Service.

Sometimes you may give us personal information about other people (e.g. a client's contact details). You must have a reasonable basis for sharing that information with us and, where required, you must inform the individual that their information will be handled in accordance with this statement.

4. Why we collect, hold, use and disclose personal information

We use personal information to:

Create and operate your account and provide the Service;
Process AI assistant requests, including reading and summarising the documents you upload, and producing estimates and other outputs you ask for;
Bill subscriptions and process payments;
Provide customer support and respond to enquiries;
Send service notifications (e.g. billing receipts, security alerts, important changes to the Service);
Send product updates and marketing where you have opted in (you can opt out at any time);
Monitor for abuse, fraud, security incidents and to comply with our legal obligations; and
Improve and develop the Service, in particular by using aggregated and de-identified usage metrics.

5. AI processing

Base PM uses third-party large language model providers (currently Anthropic) to power its AI Features. When you send a chat message, ask the assistant to analyse a document, or run an automation:

The prompt, relevant Customer Data (such as a PDF you reference), and necessary context are sent to the model provider over an encrypted connection.
The model provider processes the request and returns a response.
We store the prompt and the response in your workspace so you can revisit it.
Your Customer Data is not used to train foundation models. We have configured our model providers under their zero-retention / no-training settings (or equivalent), subject to short-term abuse-monitoring retention required by the provider.

AI outputs may be inaccurate. You must review them before relying on them. We do not make automated decisions that produce legal or similarly significant effects on individuals.

6. Who we share information with

We do not sell personal information. We share it only with service providers that help us operate the Service and with parties you direct us to share it with.

Recipient	Purpose	Location
Supabase	Authentication, database and file storage.	Australia / United States
Anthropic	Powers the AI assistant and document analysis.	United States
Stripe	Subscription billing and payment processing.	Australia / United States
Microsoft (Outlook)	Where you connect Outlook for email/calendar integration.	Global
Google (Workspace)	Where you connect Gmail / Calendar / Drive integrations.	Global
Hosting & CDN providers	Application hosting, content delivery, logging and monitoring.	Australia / United States
Professional advisers, auditors, regulators	Where reasonably required for legal, accounting or compliance purposes.	Australia

We may also disclose personal information where required or authorised by law, in connection with a sale or restructure of our business (subject to confidentiality protections), or with your consent.

7. Overseas disclosure

Some of our service providers store and process data outside Australia, principally in the United States. Where personal information is disclosed overseas, we take reasonable steps to ensure the recipient handles it in a way consistent with the APPs, including through contractual data protection terms and reliance on industry-standard certifications.

8. How we hold and secure information

We hold personal information in encrypted cloud databases and object storage. We implement administrative, technical and physical safeguards including:

Transport encryption (TLS) for data in transit and encryption at rest in our database and storage layers;
Row-level security and role-based access controls so that workspace data is segregated between tenants;
Application-layer authentication backed by Supabase, including support for multi-factor authentication;
Logging, monitoring and alerting on access to production systems;
Periodic review of vendors and integration scopes; and
Background checks and confidentiality obligations for personnel with access to production data.

Despite these measures, no method of transmission or storage is completely secure. You can help protect your information by using a strong, unique password, enabling multi-factor authentication, and reporting any suspicious activity to us promptly.

9. How long we keep personal information

We retain personal information for as long as your account is active and for a reasonable period afterwards to meet legal, tax and accounting obligations, to resolve disputes and to enforce our agreements.

Active workspaces: while your subscription is in effect.
After termination: Customer Data remains available for at least 30 days so you can export it.
Billing records: at least 7 years, in line with Australian taxation requirements.
Backups and logs: rotated on a rolling basis, typically within 90 days.

When we no longer need personal information, we will take reasonable steps to delete or de-identify it.

10. Your rights

Under the Privacy Act and APPs, you have rights to:

Request access to personal information we hold about you;
Request correction of inaccurate or out-of-date personal information;
Opt out of marketing communications at any time using the unsubscribe link or by contacting us;
Request deletion of your account and personal information, subject to retention obligations described above; and
Make a privacy complaint (see below).

To exercise a right, email support@base-pm.com. We will respond within a reasonable period (usually within 30 days). We may need to verify your identity before acting on your request. If you ask us to delete information we are required to keep (for example, tax records), we will explain why and what remains.

11. Cookies and analytics

We use a small number of cookies and similar technologies that are necessary for the Service to function (such as authentication and session cookies set by Supabase), to remember your preferences, and to measure basic usage analytics. Our analytics does not build profiles for targeted advertising. You can disable non-essential cookies through your browser settings, although some features may not work correctly.

12. Data breach notification

If a data breach occurs that is likely to result in serious harm to affected individuals, we will assess and notify you and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.

13. Children

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

14. Changes to this statement

We may update this Privacy Statement from time to time. The "last updated" date at the top of the page reflects the latest revision. Where changes are material, we will notify you by email or by an in-app notice before they take effect.

15. Contact us & complaints

If you have a question, request, or complaint about how we handle personal information, please email support@base-pm.com. We will acknowledge your complaint within 7 business days and aim to resolve it within 30 days.

If you are not satisfied with our response, you can refer your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by phone on 1300 363 992.