Privacy Policy

The National Building Intelligence Platform ("NBIP", "we", "us", "our") is operated as a trading name of a sole trader based in the United Kingdom. NBIP is not a registered limited company.

NBIP is the data controller for personal data collected through the Platform at nbip.uk.

For any privacy-related queries, contact us at: contact@nbip.uk

Account and Access Request Data

When you submit a request for platform access or are activated as a subscriber, we collect:

• —Full name
• —Email address
• —Company or organisation name
• —Phone number (if provided)
• —Engagement scope and access level
• —Invoice details (invoice number, date, amount) — held for accounting purposes

Authentication and Session Data

NBIP uses email magic links (one-time login links) for authentication. We do not store passwords. Each login generates a secure, time-limited link sent to your registered email address. Sessions persist for up to 7 days.

Our authentication provider (Supabase) automatically records your last sign-in timestamp and account creation date as part of its standard auth infrastructure. We do not actively query or display this data in our application.

Export Audit Log

Each time you download a data export from the Platform, we record: the date and time of the export, the number of records downloaded, and the filters applied. This audit log is stored against your subscriber record and is accessible to NBIP administrators.

Communications Data

• —Emails you send to contact@nbip.uk
• —Support enquiries or feedback you submit

NBIP is a building intelligence platform. The property intelligence records made available through the Platform ("Building Intelligence Data") are derived exclusively from publicly available UK government and authoritative public datasets — including the Energy Performance of Buildings Register (MHCLG), the Valuation Office Agency, Historic England, the Environment Agency, and other national data sources.

Building Intelligence Data relates to non-domestic properties, not directly to individuals. However, where outputs include addresses that may be associated with identifiable individuals, NBIP acts as a data controller under UK GDPR and processes that data under the lawful basis of legitimate interests — specifically, supporting evidence-led asset management, decarbonisation planning, and regulatory compliance across the built environment.

Subscribers who use Building Intelligence Data in communications with third parties act as independent data controllers in their own right and are responsible for their own compliance with UK GDPR, the Data Protection Act 2018, and all applicable law. NBIP's Terms and Conditions (clause 9.3) set out this responsibility explicitly.

NBIP does not collect building data submitted by users. The Platform is read-only for Subscribers — it surfaces and fuses publicly available data; it does not ingest user-provided building records.

We collect data:

• —Directly from you when you submit an access request, use the Platform, or contact us
• —Automatically when you authenticate — your sign-in triggers a session cookie and is recorded by our auth provider
• —Automatically when you download a data export — we log the event as described in Section 2
• —From third-party public data sources (EPC Register, national energy datasets, ONS, OS) — this is building and property data, not personal data about you as a user

When retention periods expire, data is securely deleted or anonymised.

We do not sell your personal data. We share data only in the following circumstances:

Service providers. We use trusted third-party providers to operate the Platform, including: Supabase (database and authentication infrastructure, EU region) and Vercel (hosting and deployment infrastructure). All providers are contractually bound to process your data only on our instructions and in accordance with UK GDPR.

Legal requirements. We may disclose your data where required by law, court order, or regulatory authority.

Business transfers. In the event of a merger, acquisition, or sale of NBIP, your data may be transferred to the acquiring entity. We will notify you in advance.

Aggregated data. We may share anonymised, aggregated data that does not identify any individual user.

We do not use analytics cookies, advertising cookies, or any third-party tracking technologies. We do not use cookies to store your filter preferences — these are held in temporary browser memory for the duration of your session only.

Essential cookies are required for the Platform to function and do not require consent under UK PECR. We will update this section if any non-essential cookies are introduced in future.

NBIP administrators may revoke your active session at any time, for example upon account suspension. This immediately invalidates your session cookie.

To exercise any of these rights, contact us at contact@nbip.uk. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113.

We implement appropriate technical and organisational measures to protect your personal data, including:

• —Encrypted data storage and transmission (HTTPS/TLS) via Supabase (EU region) and Vercel
• —Role-based access controls — only authorised NBIP administrators can access subscriber account data
• —Session management with 7-day persistence and administrator revocation capability
• —Export audit logging — every data export is recorded with subscriber identity, date, record count, and filters applied
• —Invite-only access — no self-registration; all accounts are manually activated by an NBIP administrator

No system is entirely immune from risk. In the event of a data breach likely to result in risk to your rights and freedoms, we will notify you and the ICO in accordance with our legal obligations.

We aim to store and process all personal data within the UK or the EEA. Our authentication and database infrastructure is provided by Supabase, hosted in the EU region. Our hosting infrastructure is provided by Vercel, using EU edge nodes where possible.

Where any data is transferred outside these regions by a third-party provider, we ensure appropriate safeguards are in place in accordance with UK GDPR, including Standard Contractual Clauses or equivalent transfer mechanisms.

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those sites and recommend you review their privacy policies before submitting any personal data to them.

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data to us, please contact us at contact@nbip.uk and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a notice on the Platform. The version date shown in the header will always reflect the most recent version.

For questions about this Privacy Policy or how we handle your data: contact@nbip.uk — subject line "Privacy".

For a formal data subject access request: contact@nbip.uk — subject line "Data Request". We will respond within 30 days.

To report a security concern: contact@nbip.uk — subject line "Security".