SiteBooks

SiteBooks Privacy Policy

Last updated: 21 February 2026

1. Introduction

SiteBooks ("we", "our", "us") is a construction finance application operated by GCB Software. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the SiteBooks web application, mobile application (iOS and Android), and related services (collectively, the "Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using SiteBooks, you acknowledge that you have read and understood this Privacy Policy.

Contact us:

Email: sitebooks@gcbgroup.ae

2. Data Controller

GCB Software is the data controller responsible for your personal data. If you have questions about how your data is processed, contact us at sitebooks@gcbgroup.ae.

3. Information We Collect

3.1 Account & Authentication Data

  • Email address
  • Password (stored in hashed form; we never store plain-text passwords)
  • Email verification status
  • Profile image (optional)

    • 3.2 Business Profile Data

  • Business name
  • Business type (Sole Trader or Limited Company)
  • VAT registration status, VAT number (VRN), and VAT scheme
  • CIS (Construction Industry Scheme) role and status
  • Unique Taxpayer Reference (UTR)
  • National Insurance Number (NINO) — only when connecting to HMRC
  • Company logo
  • Invoice footer text

    • 3.3 Financial & Transactional Data

  • Invoices (amounts, dates, line items, VAT calculations, CIS deductions, payment status)
  • Quotes and quotations
  • Expenses (amounts, categories, dates, descriptions, receipt images)
  • CIS records (suffered and deducted amounts)
  • Jobs and projects
  • Tax calculations and estimates
  • Client/customer records (name, email, phone number, address)

    • 3.4 HMRC Data

  • HMRC OAuth access tokens and refresh tokens
  • VAT Registration Number (VRN)
  • National Insurance Number (NINO)
  • HMRC Business ID
  • VAT return submission data
  • Self-assessment submission data

    • 3.5 Subscription & Payment Data

  • Subscription plan and status (trial, active, expired, cancelled)
  • Subscription expiry dates
  • RevenueCat app user ID (for mobile subscriptions)
  • Stripe processes payment card details directly — we do not store your card information on our servers

    • 3.6 Activity & Usage Data

  • Activity logs (invoice creation, payments received, expense additions, CIS record additions, HMRC submissions)
  • Timestamps of actions performed within the Service

    • 3.7 Device & Technical Data

  • Device type and operating system (mobile app)
  • Network connectivity status

    • 3.8 Receipt Images

    When you use the receipt scanning feature, we collect photographs of receipts. These images are processed using AI to extract financial information (date, supplier, description, amount, VAT, category) and are stored securely.

    4. How We Use Your Information

    We use your data for the following purposes:

    | Purpose | Legal Basis (UK GDPR) |
    |---|---|
    | Providing and operating the Service | Performance of a contract (Art. 6(1)(b)) |
    | Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
    | Generating invoices, quotes, and financial reports | Performance of a contract (Art. 6(1)(b)) |
    | Processing payments via Stripe | Performance of a contract (Art. 6(1)(b)) |
    | Scanning receipts and extracting expense data | Performance of a contract (Art. 6(1)(b)) |
    | Submitting VAT returns and self-assessment data to HMRC | Performance of a contract (Art. 6(1)(b)) |
    | Sending transactional emails (invoices, quotes, notifications) | Performance of a contract (Art. 6(1)(b)) |
    | Managing your subscription | Performance of a contract (Art. 6(1)(b)) |
    | Maintaining activity logs for your audit trail | Legitimate interest (Art. 6(1)(f)) |
    | Ensuring security and preventing fraud | Legitimate interest (Art. 6(1)(f)) |
    | Complying with legal and tax obligations | Legal obligation (Art. 6(1)(c)) |

    5. Third-Party Services

    We share your data with the following third-party service providers who process data on our behalf:

    5.1 Convex (Backend & Database)

  • **Purpose:** Hosting our application backend, database, authentication, and file storage
  • **Data shared:** All account, business, financial, and file data
  • **Server location:** EU-West-1 (Ireland)
  • **Privacy policy:** https://www.convex.dev/legal/privacy

    • 5.2 Stripe (Payment Processing)

  • **Purpose:** Processing invoice payments via Stripe Connect
  • **Data shared:** Invoice amounts, payer details, payment card information (processed directly by Stripe)
  • **Note:** We do not store payment card details on our servers. All card data is handled directly by Stripe in compliance with PCI-DSS.
  • **Privacy policy:** https://stripe.com/privacy

    • 5.3 RevenueCat (Subscription Management)

  • **Purpose:** Managing in-app subscriptions on iOS and Android
  • **Data shared:** App user ID, subscription status, purchase events
  • **Privacy policy:** https://www.revenuecat.com/privacy

    • 5.4 Resend (Email Delivery)

  • **Purpose:** Sending transactional emails (invoices, quotes, verification emails)
  • **Data shared:** Recipient email addresses, email content (invoice/quote details)
  • **Emails sent from:** invoices@gcbgroup.ae
  • **Privacy policy:** https://resend.com/legal/privacy-policy

    • 5.5 OpenAI (Receipt Scanning)

  • **Purpose:** Extracting financial data from receipt images using AI vision
  • **Data shared:** Receipt images are sent to OpenAI's API for processing
  • **Data extracted:** Date, supplier name, description, amount, VAT, and expense category
  • **Note:** OpenAI's API data usage policy applies. We use the API (not ChatGPT), and data sent via the API is not used to train OpenAI's models.
  • **Privacy policy:** https://openai.com/privacy

    • 5.6 HMRC (Government Tax Authority)

  • **Purpose:** Submitting VAT returns and self-assessment data on your behalf
  • **Data shared:** VAT return figures, self-assessment data, VRN, NINO, UTR
  • **Authentication:** OAuth 2.0 — you authorise access directly with HMRC
  • **Note:** HMRC is a data controller in its own right. Their handling of your data is governed by HMRC's own privacy notice.
  • **Privacy policy:** https://www.gov.uk/government/publications/data-protection-act-dpa-information-hm-revenue-and-customs-hold-about-you

    • 5.7 Expo / EAS (Mobile App Distribution)

  • **Purpose:** Building and distributing the mobile application
  • **Data shared:** Minimal technical data required for app builds
  • **Privacy policy:** https://expo.dev/privacy

    • 5.8 Future Integration: Xero

  • **Purpose:** Exporting financial data to Xero accounting software (planned feature)
  • **Data shared:** Invoices, expenses, and CIS records when you choose to export
  • **Note:** This integration will require your explicit authorisation before any data is shared

    • 6. Mobile App Permissions

    The SiteBooks mobile app requests the following device permissions:

    | Permission | Purpose | When Requested |
    |---|---|---|
    | Camera | Scanning receipts for expense tracking | When you tap "Scan Receipt" |
    | Photo Library | Selecting existing receipt images from your device | When you choose an image from your gallery |
    | Secure Storage | Storing authentication tokens securely on your device | Automatically on sign-in |
    | File System | Downloading and saving PDF invoices and quotes | When you download a PDF |
    | Network Access | Communicating with our servers | Automatically |
    | Web Browser | Opening external authentication flows (HMRC, Stripe) | When connecting to HMRC or Stripe |

    We do not request access to your location, contacts, microphone, or push notifications.

    7. Data Storage & Security

    7.1 Where Your Data Is Stored

  • **Primary database:** Convex cloud infrastructure, hosted in the **EU-West-1 (Ireland)** region
  • **File storage:** Receipt images and generated PDFs are stored in Convex's file storage (EU-West-1)
  • **Mobile local storage:** Authentication tokens are stored in your device's secure storage (iOS Keychain / Android Keystore)

    • 7.2 Security Measures

  • Passwords are cryptographically hashed — we never store or have access to your plain-text password
  • HMRC OAuth tokens are stored securely in our database
  • All data transmitted between your device and our servers is encrypted in transit (TLS/HTTPS)
  • Stripe webhook signatures are verified to prevent tampering
  • RevenueCat webhook authentication is enforced
  • Server-side API keys are never exposed to client applications
  • Financial amounts are stored as integer pence to prevent rounding errors

    • 7.3 Data Retention

    We retain your data for as long as your account is active and as needed to provide the Service. Financial records may be retained for up to 7 years after account closure to comply with UK tax record-keeping obligations (as required by HMRC).

    When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.

    8. International Data Transfers

    Your data is primarily stored within the European Economic Area (EU-West-1, Ireland). Where data is transferred to third-party processors outside the UK/EEA (such as OpenAI and Stripe, which are US-based), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO)
  • The service provider's adherence to recognised data protection frameworks

    • 9. Your Rights Under UK GDPR

    You have the following rights regarding your personal data:

  • **Right of access** — Request a copy of the personal data we hold about you
  • **Right to rectification** — Request correction of inaccurate or incomplete data
  • **Right to erasure** ("right to be forgotten") — Request deletion of your personal data, subject to legal retention requirements
  • **Right to restrict processing** — Request that we limit how we use your data
  • **Right to data portability** — Request your data in a structured, commonly used, machine-readable format
  • **Right to object** — Object to processing based on legitimate interests
  • **Right to withdraw consent** — Where processing is based on consent, withdraw at any time
  • **Rights related to automated decision-making** — The receipt scanning feature uses AI to extract data, but all extracted information is presented for your review and editing before use. No solely automated decisions with legal or significant effects are made.

    • To exercise any of these rights, contact us at sitebooks@gcbgroup.ae. We will respond within one month.

    10. Children's Privacy

    SiteBooks is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

    11. Cookies & Tracking

    The SiteBooks web application uses essential cookies required for authentication and session management. We do not use advertising cookies, marketing trackers, or third-party analytics cookies.

    12. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice within the Service. The "Last updated" date at the top of this policy indicates when it was last revised.

    Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.

    13. Complaints

    If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

  • **Website:** https://ico.org.uk
  • **Telephone:** 0303 123 1113

    • 14. Contact Us

    If you have any questions about this Privacy Policy or our data practices, please contact us:

    Email: sitebooks@gcbgroup.ae