Privacy notice

Privacy notice

How CMOps collects, uses and protects personal data. Last updated: 12 July 2026.

CMOps is a construction operations platform used to manage site access, permits, deliveries, inductions, health & safety observations and facilities. This notice explains how personal data is handled when you use the platform or submit information through one of its public forms or QR codes.

1. Who is responsible for your data

CMOps is provided as a white-label platform. Each construction company or project that operates a CMOps workspace is the data controller for the personal data held in that workspace and decides how it is used. CMOps, operated by CM Pro Construct, acts as the data processor, providing and hosting the platform on the controller's behalf under a data-processing agreement. For any request about your personal data, contact the site or company that collected it, or email privacy@cmops.org and we will route it to the relevant controller.

2. What we collect and why

DataPurposeLawful basis (UK/EU GDPR)
Name, company, email, phoneIdentify requesters, approvers and site personnel; contact you about a permit, induction or reportLegitimate interests; contract
Vehicle registration & detailsIssue and verify vehicle access permitsLegitimate interests
Photographs (ID, vehicle, site condition)Verify identity/access at the gate; evidence a hazard or its close-outLegitimate interests
Induction records & certificatesDemonstrate that workers are inducted before site accessLegal obligation (health & safety); legitimate interests
Health & safety observationsRecord, route and close out safety issuesLegal obligation (health & safety); legitimate interests
Account details (for platform users)Authenticate users and control accessContract

We do not use your data for advertising, and we do not sell it.

3. How long we keep it

Data is retained only as long as needed for the purpose it was collected, then personal fields are removed or the record is deleted under an enforced retention schedule. Typical windows are: captured ID/vehicle photographs 30 days; website enquiries 12 months; inductions 2 years after completion; health & safety records up to 5 years (safety records may be kept longer where the law requires, with personal contact details stripped); audit logs up to 7 years. Controllers may set shorter windows for their workspace.

4. Who we share it with (sub-processors)

We use a small number of trusted providers to run the service. They process data only on our instructions:

ProviderRoleLocation
SupabaseDatabase, authentication and file storageEuropean Union region
ResendTransactional email delivery (permits, notifications)United States (with appropriate safeguards)
CloudflareContent delivery, DDoS protection and DNS for public pagesGlobal edge network

Where a provider processes data outside the UK/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses. We do not share your data with any other third parties except where required by law.

5. How we protect it

Access to data is isolated per workspace and enforced at the database level, so one organisation cannot see another's data. Files are held in private storage and served only through short-lived signed links. Public forms and QR pages expose only the minimum information needed, and close-out links are single-purpose, time-limited and can be revoked and re-issued. All state changes are recorded in an audit trail. Traffic is encrypted in transit, and access is rate-limited to deter abuse.

6. Your rights

Under UK/EU GDPR you have the right to access a copy of your data, to have inaccurate data corrected, to have your data erased, to restrict or object to processing, and to data portability. To exercise any of these, contact the controller (the site or company that collected your data) or email privacy@cmops.org. We will respond within one month. We provide controllers with built-in tools to export and erase an individual's data so requests can be actioned promptly. You also have the right to complain to your data protection authority (in the UK, the Information Commissioner's Office at ico.org.uk).

7. Cookies

CMOps uses only strictly necessary storage to keep you signed in and remember your preferences on your device. It does not use advertising or third-party tracking cookies.

8. Changes to this notice

We may update this notice from time to time. Material changes will be reflected by the "last updated" date above.

Questions about your data? Email privacy@cmops.org or use the contact form.
CMOps · Operational Excellence