Brae Change — Variation Management for UK Contractors

1. Who we are

Brae Change is a variation management platform for UK construction contractors, operated by Brae Labs, part of BRAE Group. Our registered contact is support@braehq.co. References to “we”, “us”, or “Brae Change” in this policy refer to Brae Labs.

2. What data we collect

Account data — your email address and password (hashed), and the full name you provide at signup.
Company data — your company name and the organisation slug generated from it.
Project data — project names, client names, client email addresses, contract values, variation orders, line items, and associated financial figures you enter into the platform.
Usage data — standard server logs including IP addresses, browser type, and pages visited, retained for 30 days for security and debugging purposes.

3. How we use your data

We use your data to:

Provide and operate the Brae Change service.
Send transactional emails (approval notifications, team invitations, password resets).
Respond to support requests.
Maintain the security and integrity of the platform.
Comply with legal obligations where required by UK law.

We do not sell your data to third parties or use it for advertising.

4. How and where data is stored

All application data is stored in Supabase, a managed PostgreSQL service. Supabase stores data in the EU West (London, eu-west-2) region. Your data does not leave UK/EU infrastructure.

Data is encrypted at rest and in transit (TLS 1.2+). Access to the database is restricted to authenticated application processes and authorised Brae Labs personnel.

5. Third-party services

Resend

We use Resend to send transactional emails. Email addresses are transmitted to Resend solely for the purpose of delivering emails you have requested (e.g., approval links, team invitations). Resend's infrastructure operates under the EU data protection framework.

Railway

The Brae Change application is hosted on Railway. Railway processes request data as part of hosting the application. Deployments are configured to run in EU regions where possible.

6. Data retention

We retain your account and project data for as long as your account is active. If you close your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law (e.g., financial records for HMRC purposes, which may be retained for up to 6 years).

7. Your rights under UK GDPR

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:

Right of access — to request a copy of the personal data we hold about you.
Right to rectification — to ask us to correct inaccurate or incomplete data.
Right to erasure — to request deletion of your data (“right to be forgotten”).
Right to restriction — to ask us to limit how we process your data.
Right to portability — to receive your data in a machine-readable format.
Right to object — to object to processing based on legitimate interests.

To exercise any of these rights, contact us at support@braehq.co. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies

We use strictly necessary cookies only — specifically a session cookie to keep you logged in. We do not use advertising or tracking cookies. No cookie consent banner is required for strictly necessary cookies.

9. Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top. Material changes will be notified to users by email.

10. Contact

For any privacy-related questions or to exercise your rights, please contact us at support@braehq.co.

Privacy Policy