How CMOps collects, uses and protects personal data. Last updated: 12 July 2026.
CMOps is a construction operations platform used to manage site access, permits, deliveries, inductions, health & safety observations and facilities. This notice explains how personal data is handled when you use the platform or submit information through one of its public forms or QR codes.
CMOps is provided as a white-label platform. Each construction company or project that operates a CMOps workspace is the data controller for the personal data held in that workspace and decides how it is used. CMOps, operated by CM Pro Construct, acts as the data processor, providing and hosting the platform on the controller's behalf under a data-processing agreement. For any request about your personal data, contact the site or company that collected it, or email privacy@cmops.org and we will route it to the relevant controller.
| Data | Purpose | Lawful basis (UK/EU GDPR) |
|---|---|---|
| Name, company, email, phone | Identify requesters, approvers and site personnel; contact you about a permit, induction or report | Legitimate interests; contract |
| Vehicle registration & details | Issue and verify vehicle access permits | Legitimate interests |
| Photographs (ID, vehicle, site condition) | Verify identity/access at the gate; evidence a hazard or its close-out | Legitimate interests |
| Induction records & certificates | Demonstrate that workers are inducted before site access | Legal obligation (health & safety); legitimate interests |
| Health & safety observations | Record, route and close out safety issues | Legal obligation (health & safety); legitimate interests |
| Account details (for platform users) | Authenticate users and control access | Contract |
We do not use your data for advertising, and we do not sell it.
Data is retained only as long as needed for the purpose it was collected, then personal fields are removed or the record is deleted under an enforced retention schedule. Typical windows are: captured ID/vehicle photographs 30 days; website enquiries 12 months; inductions 2 years after completion; health & safety records up to 5 years (safety records may be kept longer where the law requires, with personal contact details stripped); audit logs up to 7 years. Controllers may set shorter windows for their workspace.
We use a small number of trusted providers to run the service. They process data only on our instructions:
| Provider | Role | Location |
|---|---|---|
| Supabase | Database, authentication and file storage | European Union region |
| Resend | Transactional email delivery (permits, notifications) | United States (with appropriate safeguards) |
| Cloudflare | Content delivery, DDoS protection and DNS for public pages | Global edge network |
Where a provider processes data outside the UK/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses. We do not share your data with any other third parties except where required by law.
Access to data is isolated per workspace and enforced at the database level, so one organisation cannot see another's data. Files are held in private storage and served only through short-lived signed links. Public forms and QR pages expose only the minimum information needed, and close-out links are single-purpose, time-limited and can be revoked and re-issued. All state changes are recorded in an audit trail. Traffic is encrypted in transit, and access is rate-limited to deter abuse.
Under UK/EU GDPR you have the right to access a copy of your data, to have inaccurate data corrected, to have your data erased, to restrict or object to processing, and to data portability. To exercise any of these, contact the controller (the site or company that collected your data) or email privacy@cmops.org. We will respond within one month. We provide controllers with built-in tools to export and erase an individual's data so requests can be actioned promptly. You also have the right to complain to your data protection authority (in the UK, the Information Commissioner's Office at ico.org.uk).
CMOps uses only strictly necessary storage to keep you signed in and remember your preferences on your device. It does not use advertising or third-party tracking cookies.
We may update this notice from time to time. Material changes will be reflected by the "last updated" date above.