Last updated: April 2026 · SiteHQ, operated by Thornton Capital (UK)
SiteHQ is a cloud-based construction management platform operated by Thornton Capital, a UK-based company. SiteHQ acts as the data controller for personal data processed through the platform.
We are registered with the Information Commissioner's Office (ICO) under UK data protection law. Our ICO registration number is available on request at privacy@site-hq.ai.
Name, email address, company name, and role. Collected when you sign up via Google OAuth.
Project details, site addresses, client names, scope of works, quotes, programmes, and H&S documents that you create within SiteHQ.
PDFs, drawings, DOCX files, and images you upload for AI processing (take-offs, document generation, knowledge base).
With your explicit authorisation, SiteHQ reads email threads to link them to CRM contacts and projects. We do not store email attachments. We do not use email content to train AI models. You can disconnect Gmail at any time.
With your explicit authorisation, SiteHQ reads invoice and payment data from Xero solely to display it within your SiteHQ portal. Xero data is never used for AI training, platform learning, or any purpose other than display.
With your authorisation, SiteHQ may post updates to your LinkedIn profile or Google Business Profile on your behalf. We do not store social media content beyond what is needed to confirm successful posting.
Pages visited, features used, and error logs. Used to improve the platform and diagnose issues.
Payment card details are processed by Stripe and are never stored on SiteHQ servers.
Contract performance: Processing your account, project, and document data to deliver the service you have subscribed to.
Legitimate interests: Usage analytics, error logging, and platform improvement — balanced against your privacy interests.
Consent: Gmail integration, Xero integration, LinkedIn/Google Business Profile posting, and AI platform learning. You can withdraw consent at any time in Settings.
Legal obligation: Retaining billing records as required by UK financial regulations.
OpenAI: Document generation, quote estimation, and quantity take-offs. Project data is sent to OpenAI's API under a data processing agreement. OpenAI does not train on API data by default.
Vercel: Hosting and serverless functions (US-based). Certified under EU-US Data Privacy Framework.
Supabase: Database and file storage (EU region). SOC 2 Type II certified.
Stripe: Payment processing. PCI-DSS compliant. Card data never touches SiteHQ servers.
Google: Authentication (OAuth), Gmail sync, and Google Business Profile integration. Subject to Google's privacy policy.
LinkedIn: Social posting integration (optional). Subject to LinkedIn's privacy policy.
Xero: Accounting integration (optional). Subject to Xero's privacy policy. Xero data is used for display only.
SiteHQ uses a platform intelligence system that learns from anonymised data across all consenting tenants to improve AI output quality over time — particularly for quote accuracy, H&S risk identification, and quantity take-off precision.
What is and isn't shared:
Platform learning is opt-out — it is enabled by default as it directly improves the quality of AI outputs for your account. You can disable it at any time in Settings → Company → Platform Intelligence. Disabling it prevents your data contributing to platform improvements but does not affect your personal AI memory or document generation quality.
We retain your data for as long as your account is active, plus 2 years after cancellation (to allow reactivation and comply with legal obligations). Billing records are retained for 7 years per UK financial regulations. You can request earlier deletion — see Section 8.
Under UK GDPR, you have the right to:
To exercise any right, email privacy@site-hq.ai. We will respond within 30 days. If you are unsatisfied with our response, you may complain to the ICO at ico.org.uk.
For privacy enquiries: privacy@site-hq.ai