ElkConstruct

GDPR Compliance

How ElkConstruct protects your data under the General Data Protection Regulation.

Last updated: February 28, 2026

1. Data Controller

ElkConstruct, Inc. ("ElkConstruct," "we," "us," or "our"), a subsidiary of LayerLogix, is the data controller for personal data collected directly through our platform, including account registration information, usage data, and communication data. As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that such processing complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.

For customer-uploaded project data, including construction estimates, bid documents, project specifications, and other business content, ElkConstruct acts as the data processor on behalf of the customer, who remains the data controller. In this capacity, we process such data solely in accordance with the customer's instructions and the terms of our Data Processing Agreement (DPA), which is available upon request and is provided to all Enterprise plan customers.

Our registered address for GDPR purposes is: ElkConstruct, Inc., 1200 NW Everett St, Suite 800, Portland, OR 97209, United States of America.

2. Legal Basis for Processing

Under the GDPR, we must have a valid legal basis for processing your personal data. We rely on the following legal bases, depending on the specific processing activity:

2.1 Contractual Necessity (Article 6(1)(b))

We process personal data that is necessary for the performance of our contract with you, including: providing and maintaining the ElkConstruct platform and its features, processing your construction estimates and managing bids, facilitating team collaboration and document sharing, managing your subscription and processing payments, providing customer support and technical assistance, and sending transactional communications related to your account and projects.

2.2 Legitimate Interests (Article 6(1)(f))

We process certain personal data based on our legitimate interests, where those interests are not overridden by your fundamental rights and freedoms. These legitimate interests include: improving and optimizing the performance and functionality of our platform, ensuring the security and integrity of our systems and data, analyzing anonymized and aggregated usage patterns to enhance the user experience, detecting and preventing fraudulent activity and unauthorized access, and conducting internal research and development to improve our services.

2.3 Consent (Article 6(1)(a))

For certain processing activities, we rely on your explicit consent, which you may withdraw at any time. These activities include: sending marketing emails, newsletters, and promotional content about our products and services, placing non-essential cookies (functional and analytics cookies) on your device, and optional participation in analytics programs that help us understand how users interact with our platform. You may withdraw your consent at any time by updating your notification preferences, managing your cookie settings, or contacting us at [email protected].

2.4 Legal Obligation (Article 6(1)(c))

We process personal data when necessary to comply with our legal obligations, including: maintaining tax records and financial reporting as required by applicable tax authorities, responding to lawful requests from regulatory bodies and law enforcement agencies, fulfilling our obligations under employment, anti-money laundering, and other applicable regulations, and maintaining records as required by data protection laws themselves.

3. Data We Process

We process the following categories of personal data in connection with the Service:

  • Account Data: Full name, email address, company name, phone number, job title, professional credentials, and password (stored as a salted hash). Legal basis: contractual necessity.
  • Usage Data: Feature usage patterns, session duration, pages visited, actions performed within the platform, search queries, and workflow sequences. Legal basis: legitimate interests (platform improvement).
  • Project Data: Construction estimates, line items, cost breakdowns, bid documents, project specifications, blueprints, and related project files. Processed as data processor on behalf of the customer (data controller). Legal basis: contractual necessity.
  • Payment Data: Billing address, payment method type, and limited card information (last four digits). Full payment processing is handled by Stripe, Inc. as a sub-processor. Legal basis: contractual necessity.
  • Communication Data: Support tickets, feedback submissions, survey responses, and in-platform messages. Legal basis: contractual necessity and legitimate interests.
  • Technical Data: IP address, browser type and version, operating system, device type, screen resolution, and approximate geographic location. Legal basis: legitimate interests (security and analytics).

4. International Data Transfers

ElkConstruct is headquartered in the United States, and your personal data is primarily stored and processed in the United States using Amazon Web Services (AWS) infrastructure. We recognize that transferring personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States requires appropriate safeguards under the GDPR.

We have implemented the following safeguards to ensure that your personal data receives an adequate level of protection when transferred internationally:

  • Standard Contractual Clauses (SCCs): We have executed the European Commission's Standard Contractual Clauses (as updated in June 2021) with all sub-processors that process personal data of EEA residents. These clauses provide contractual guarantees that your data will be treated in accordance with GDPR standards regardless of where it is processed.
  • Supplementary Technical Measures: In addition to contractual safeguards, we implement robust technical measures including: AES-256 encryption for data at rest, TLS 1.3 encryption for data in transit, strict access controls with role-based permissions and multi-factor authentication, network segmentation and firewall protections, and regular security assessments and penetration testing.
  • Transfer Impact Assessments: We conduct regular transfer impact assessments (TIAs) to evaluate the legal framework in the destination country and ensure that our technical and organizational measures effectively protect your data against potential government surveillance or access requests.

Our sub-processors and their locations are detailed in Section 8 below. We notify customers at least 30 days in advance before engaging any new sub-processor that will process personal data of EEA residents.

5. Data Subject Rights

Under the GDPR, you have the following rights with respect to your personal data. We are committed to facilitating the exercise of these rights in a timely and transparent manner:

  • Right of Access (Article 15): You have the right to request confirmation as to whether we are processing your personal data and, if so, to obtain access to that data along with information about the purposes of processing, the categories of data concerned, and the recipients to whom the data has been disclosed.
  • Right to Rectification (Article 16): You have the right to request the correction of inaccurate personal data and to have incomplete personal data completed. You can also update most of your information directly through your account settings.
  • Right to Erasure (Article 17): You have the right to request the deletion of your personal data ("right to be forgotten") under certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, when you withdraw your consent, or when the data has been unlawfully processed.
  • Right to Restrict Processing (Article 18): You have the right to request the restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful but you oppose erasure.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format. ElkConstruct supports data export in CSV, Excel, and PDF formats through the platform's built-in export functionality.
  • Right to Object (Article 21): You have the right to object to the processing of your personal data based on our legitimate interests. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. Our AI-powered estimating tools provide recommendations and suggestions but do not make binding decisions without human oversight.

How to Exercise Your Rights

To exercise any of the rights described above, please submit a request to our Data Protection Officer at [email protected]. We will acknowledge your request within 72 hours and provide a substantive response within 30 days. In certain complex cases, we may extend this period by an additional 60 days, in which case we will notify you of the extension and the reasons for the delay. We will verify your identity before processing your request to protect against unauthorized access to your data.

6. Data Protection Officer

ElkConstruct has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with the GDPR and other applicable data protection laws. The DPO operates independently and reports directly to senior management.

Data Protection Officer

Email: [email protected]

Mail: ElkConstruct, Inc., Attn: Data Protection Officer

1200 NW Everett St, Suite 800

Portland, OR 97209

United States of America

7. Cookies

Our use of cookies on the ElkConstruct platform is governed by the GDPR and the ePrivacy Directive. We use a cookie consent banner to obtain your consent before placing non-essential cookies on your device.

Types of Cookies

  • Essential Cookies: These cookies are strictly necessary for the operation of our platform, including session management, authentication tokens, and CSRF protection. These cookies do not require consent under the ePrivacy Directive as they are essential for the service you have requested.
  • Functional Cookies: These cookies remember your preferences, such as language settings, theme preferences, and dashboard layout. They enhance your experience but are not strictly necessary. We obtain your consent before placing these cookies.
  • Analytics Cookies: These cookies collect anonymized and aggregated data about how users interact with our platform. All analytics data is processed in a way that does not identify individual users. An opt-out option is available through our cookie settings.

Third-Party Cookies: The only third-party cookies used on our platform are those placed by Stripe for payment processing functionality. We do not use any third-party advertising cookies or tracking pixels.

You can manage your cookie preferences at any time through the cookie settings accessible from the footer of our website or by adjusting your browser settings.

8. Sub-Processors

We engage the following sub-processors to assist in providing the Service. All sub-processors are contractually bound to process personal data only in accordance with our instructions and to maintain appropriate technical and organizational security measures.

Sub-Processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure, hosting, data storage, and compute services | United States
Stripe, Inc. | Payment processing, subscription management, and billing | United States
SendGrid (Twilio) | Transactional and marketing email delivery | United States
OpenAI | AI-powered document analysis and natural language processing | United States
Anthropic | AI-powered cost prediction and estimate generation | United States

All sub-processors maintain appropriate safeguards for the protection of personal data, including encryption, access controls, and compliance with applicable data protection regulations. We execute Data Processing Agreements (DPAs) with all sub-processors that include Standard Contractual Clauses where required.

We will provide at least 30 days' advance notice before engaging any new sub-processor that will process personal data of EEA, UK, or Swiss residents. Customers may object to the use of a new sub-processor within this notice period. If we cannot reasonably accommodate the objection, the customer may terminate the affected services.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with the data minimization principle under Article 5(1)(e) of the GDPR. Our retention periods are as follows:

  • Active Accounts: Personal data associated with active accounts is retained for the duration the account remains active and in good standing. Users can request deletion of specific data points at any time.
  • Terminated Accounts: Upon account termination or deletion request, personal data is removed from our active production systems within 30 days. Users have a 30-day window to export their data before deletion begins.
  • Backup Data: Automated backups containing personal data are purged within 90 days following the deletion from production systems. Backups are encrypted and access-controlled during this retention period.
  • Legal Holds: Certain data may be retained for longer periods when required by applicable law, regulation, or legal proceedings. This includes financial records required for tax compliance, data subject to litigation holds, and records required by regulatory authorities.
  • Anonymized and Aggregated Data: Data that has been fully anonymized or aggregated in a way that cannot be used to identify any individual may be retained indefinitely for statistical analysis, product improvement, and research purposes. This data is not considered personal data under the GDPR.

10. Data Breach Notification

In the event of a personal data breach, ElkConstruct has established the following procedures in compliance with Articles 33 and 34 of the GDPR:

  • Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
  • Data Subject Notification: Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay. The notification will describe the nature of the breach in clear and plain language, provide the name and contact details of our DPO, describe the likely consequences of the breach, and outline the measures taken or proposed to mitigate the effects.
  • Incident Response: Our incident response team is activated immediately upon detection of a potential breach. The team follows a documented incident response plan that includes containment, investigation, remediation, and communication procedures.
  • Post-Breach Review: Following any breach, we conduct a thorough post-incident review to identify the root cause, assess the effectiveness of our response, and implement improvements to prevent similar incidents in the future. A summary of findings and remediation actions is made available to affected customers upon request.

11. Contact and Complaints

If you have any questions, concerns, or requests regarding this GDPR Compliance Policy or the processing of your personal data, please contact our Data Protection Officer:

GDPR Inquiries

Email: [email protected]

Mail: ElkConstruct, Inc., Attn: Data Protection Officer

1200 NW Everett St, Suite 800

Portland, OR 97209

United States of America

Right to Lodge a Complaint: If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with your local supervisory authority. A list of EU/EEA supervisory authorities is available on the European Data Protection Board's website. While we encourage you to contact us first so we can address your concerns directly, we fully respect your right to escalate matters to the appropriate regulatory authority.

For more information about our general privacy practices, please refer to our Privacy Policy. For information about our security measures, please visit our Security page.