Privacy Policy
Last updated: February 2026
1. Who We Are
Rates Goblin is operated by Aanil Kumar, a sole trader trading as Rates Goblin.
For the purposes of UK data protection law (the UK General Data Protection Regulation and the Data Protection Act 2018), the data controller is:
- Name: Aanil Kumar, trading as Rates Goblin
- Address: 6 Wheelwright Close, Bushey, WD23 4UE
- Email: hello@ratesgoblin.ai
- ICO registration number: ZC093609
2. What Data We Collect
We collect and process the following categories of personal data when you use Rates Goblin:
| Data Type | Examples | Purpose | Lawful Basis |
|---|---|---|---|
| Account information | Email address, full name, company name | Creating and managing your account | Contract performance |
| Authentication data | Hashed passwords, MFA secrets, session tokens | Securing your account and verifying your identity | Contract performance + legitimate interest (security) |
| Device information | Browser fingerprint, device name/type, IP address | Security monitoring, device management, preventing credential sharing | Legitimate interest (security, device management, preventing credential sharing) |
| Uploaded documents | PDF and Excel construction quotes, cost plans | Providing the core extraction and analysis service | Contract performance |
| Usage data | Feature usage, monthly quotas, extraction counts | Enforcing plan limits and improving the service | Contract performance + legitimate interest |
| AI processing data | Extracted text sent to OpenAI for analysis | AI-powered quote extraction, classification, and analysis | Consent (explicit AI consent required before any AI features are used) |
| Anonymised rate data (benchmarking) | Line item descriptions, unit rates, quantities, NRM codes, region, project type | Contributing to the Community Rate Benchmarking Database to improve industry-wide rate intelligence | Consent (separate, explicit opt-in required) |
| Organisation data | Team membership, roles, invitations | Managing team access and collaboration | Contract performance |
| Support chat messages | Messages sent via the in-app support chat | Providing customer support | Legitimate interest (customer support) |
| Email communications | Password reset emails, team invitations | Account management and transactional notifications | Contract performance |
3. How We Use AI
This section explains how artificial intelligence is used within Rates Goblin, what data is shared with our AI sub-processor, and your rights in relation to AI processing.
3.1 AI Processing Overview
Rates Goblin uses OpenAI GPT-4o to process uploaded construction quotes and cost plans. AI is used for extracting line items, classifying items against NRM categories, benchmarking rates, and answering your natural-language questions about your project data.
3.2 Data Sent to OpenAI
The following data is sent to OpenAI for processing:
- Extracted text from your uploaded documents (PDF and Excel)
- Line item descriptions, rates, and quantities
- Your natural language questions and prompts
3.3 Data NOT Sent to OpenAI
The following data is never sent to OpenAI:
- Your password
- Your email address
- Personal identity information
- Device fingerprints
3.4 International Transfer
OpenAI is a US-based sub-processor. Data transferred to OpenAI is protected under appropriate safeguards, specifically the UK Addendum to the EU Standard Contractual Clauses (SCCs). All data is encrypted in transit using HTTPS/TLS.
3.5 OpenAI Data Usage
Data sent via the OpenAI API is not used for model training, in accordance with OpenAI's API data usage policy. Your commercial data remains confidential and is not used to improve OpenAI's models.
3.6 Consent
You must give explicit consent before any AI processing occurs. No data will be sent to OpenAI until you have actively opted in. You can withdraw your consent at any time by navigating to Settings > AI within the application.
3.7 AI Transparency
All AI-generated outputs include confidence scores and are clearly labelled with AI disclosure badges, so you always know when information has been generated or processed by AI.
3.8 Support Chat AI
The in-app Support Chat uses GPT-4o Mini and processes only your chat messages. Your uploaded documents are not shared with the Support Chat AI model.
3A. Community Rate Benchmarking Database
Rates Goblin offers an optional Community Rate Benchmarking Database. If you choose to opt in, anonymised and aggregated rate data from your uploaded quotes may be contributed to a shared industry benchmarking pool. This section explains exactly what this means and how your data is used.
3A.1 What Is the Community Rate Benchmarking Database?
The Community Rate Benchmarking Database is a pool of anonymised construction rate data contributed voluntarily by Rates Goblin users. This data is used to:
- Build and improve industry-wide construction rate benchmarks
- Provide more accurate regional rate comparisons for all users
- Identify market trends and pricing patterns across the UK construction sector
- Enhance the accuracy of Rates Goblin's benchmarking features over time
3A.2 What Data Is Contributed?
If you opt in, the following data may be added to the benchmarking pool:
- Line item descriptions (e.g. "supply and fix plasterboard to ceilings")
- Unit rates, quantities, and units of measurement
- NRM element classifications
- General project region (e.g. "South East England") — not the specific project address
- Project type (e.g. "new build residential", "office refurbishment")
- Approximate project value band (e.g. "£500k–£1m")
3A.3 What Data Is NOT Contributed?
The following data is never included in the benchmarking pool:
- Your name, email address, or any personal information
- Your company name or your client's name
- Contractor names or subcontractor names
- Specific project names or addresses
- Any data that could identify you, your client, or any third party
- Full document content — only extracted, anonymised rate data
3A.4 Anonymisation Process
Before any rate data enters the benchmarking pool, it undergoes an anonymisation process that strips all identifying information. The anonymised data cannot be traced back to any individual user, company, project, or contractor. Once anonymised, the data is no longer personal data under UK GDPR.
3A.5 Consent — Separate and Explicit
Participation in the Community Rate Benchmarking Database is entirely voluntary and requires separate, explicit consent. This consent is:
- Separate from AI consent: You can use AI features without contributing to the benchmarking database, and vice versa.
- Clearly presented: You will be asked to opt in via a dedicated consent dialog that explains exactly what data will be contributed and how it will be used.
- Revocable at any time: You can withdraw your consent at any time by navigating to Settings > Data & Privacy > Benchmarking. Withdrawing consent means no further data will be contributed from your account going forward.
- Not a condition of service: You are not required to opt in to use Rates Goblin. Opting out has no effect on your access to features or service quality.
Important: Because data is anonymised before it enters the benchmarking pool, we cannot retrospectively remove data that has already been contributed and anonymised. However, no future data will be contributed once you withdraw consent.
3A.6 Lawful Basis
The lawful basis for processing rate data for the Community Rate Benchmarking Database is consent (Article 6(1)(a) UK GDPR). You must actively opt in before any data is contributed.
3A.7 How the Benchmarking Data Benefits You
Users who contribute to the benchmarking pool help build a stronger, more accurate rate database for the entire UK construction industry. In return, all Rates Goblin users (including those who do not contribute) benefit from improved benchmarking accuracy. We may, in the future, offer enhanced benchmarking features exclusively to contributing users.
4. Sub-Processors
We use the following third-party sub-processors to deliver Rates Goblin. Each sub-processor has been assessed for data protection compliance.
| Name | Purpose | Location |
|---|---|---|
| OpenAI | AI processing (extraction, classification, analysis) | United States |
| Google Workspace (Gmail SMTP) | Email delivery (password resets, invitations) | United States |
| Railway | Database and application hosting | United States |
5. International Data Transfers
Your data may be transferred to, and processed in, countries outside the United Kingdom. In particular, data is transferred to the United States for AI processing by OpenAI.
These transfers are protected by the UK Addendum to the EU Standard Contractual Clauses (SCCs), which ensure that your data receives a level of protection equivalent to that provided under UK GDPR.
All data is encrypted in transit using HTTPS/TLS.
6. Data Retention
We retain your data only for as long as necessary to fulfil the purposes described in this policy. The specific retention periods are:
| Data Type | Retention Period |
|---|---|
| Account data | Retained while your account is active, plus 30 days after account deletion |
| Uploaded documents & extracted data | Retained while your account is active; deleted upon account deletion |
| Audit logs | Retained for 2 years for compliance purposes (user ID anonymised if account is deleted) |
| Device fingerprints | Retained while the device is active; removed upon deregistration |
| Support chat messages | Retained for 90 days |
| Session data | Expires after 24 hours of inactivity |
7. Your Rights
Under the UK General Data Protection Regulation (UK GDPR), you have the following rights in relation to your personal data:
- Right of access — You can request a copy of the personal data we hold about you (Subject Access Request).
- Right to rectification — You can ask us to correct any inaccurate or incomplete personal data.
- Right to erasure — You can ask us to delete your personal data ("right to be forgotten"), subject to legal obligations.
- Right to restrict processing — You can ask us to limit the way we use your data in certain circumstances.
- Right to data portability — You can request your data in a structured, machine-readable format. A JSON export is available in Settings > Data & Privacy.
- Right to object — You can object to processing based on legitimate interests.
- Right to withdraw consent — Where processing is based on consent (e.g. AI processing), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Right not to be subject to solely automated decisions — You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects.
How to Exercise Your Rights
You can exercise any of these rights by:
- Emailing us at hello@ratesgoblin.ai
- Using the self-service tools in Settings > Data & Privacy within the application
We will respond to your request within one calendar month of receiving it. If your request is complex or we receive a large number of requests, we may extend this period by up to two additional months, in which case we will inform you within the initial one-month period.
8. Cookies & Device Fingerprinting
For detailed information about the cookies we use, please refer to our Cookie Policy.
Rates Goblin uses session cookies that are strictly necessary for the operation of the service (e.g. maintaining your authenticated session). These cookies do not require consent as they are essential to provide the service you have requested.
We also use device fingerprinting for security purposes, including:
- Preventing credential sharing across unauthorised devices
- Managing registered devices on your account
- Detecting and preventing unauthorised access
Device fingerprinting is processed under our legitimate interest in maintaining the security of your account and the service.
9. Children
Rates Goblin is a professional service intended for use by construction industry professionals aged 18 and over. We do not knowingly collect or process personal data from children under the age of 18. If we become aware that we have collected personal data from a child, we will take steps to delete that data as soon as possible.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Where we make material changes to this policy, we will notify all registered users by email before the changes take effect. The "Last updated" date at the top of this page will also be revised.
Your continued use of Rates Goblin after notification of changes constitutes your acceptance of the updated Privacy Policy.
11. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Website: ico.org.uk
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first at hello@ratesgoblin.ai.