Login Book a demo
Solution
Features
Who we help
Resources
Media types
Topics

Privacy Policy

C-LINK GLOBAL PRIVACY POLICY

Last amended: February 2026

Please read the following Privacy Policy carefully. By using C-Link’s services, you acknowledge that you have read the terms set out below.

Your privacy is important

Construction Link Limited (UK) (“C-Link”, “we”, “us”) together with its parent company EstimateOne Pty Ltd ACN 130 242 554 and other members of the EstimateOne group (the “E1 Group”), operates the C-Link platform, the Prosper platform (https://weallprosper.co.uk/), the QS AI environment (where available), and related websites provided by C-Link or the E1 Group from time to time (collectively the “Platforms”).

This Privacy Policy explains how we collect, use and manage Personal Data (defined below) in connection with your use of our Platforms.

C-Link respects your privacy and is committed to protecting your Personal Data. We adhere to applicable laws when processing your data.  This Privacy Policy sets out how we look after your Personal Data when you use our Platforms and tells you about your privacy rights and what to do if you have any concerns about your Personal Data.

C-Link may, from time to time, review and update this Privacy Policy to account for new laws and technology, changes to its operations and practices, and to ensure it remains appropriate for our business and online environment. Any changes to our policy will be published on our website (https://c-link.com/privacy-policy/). 

In addition, C-Link publishes an up-to-date list of its subprocessors in our Trust Centre (https://trust.estimateone.com). You must subscribe via the Trust Centre if you wish to receive notification of any additions or changes to the subprocessor list. If you do not subscribe, you should monitor the Trust Centre for updates. 

Your continued use of our Platforms or interactions with us will constitute your acceptance of the updated policy and changes to the Trust Centre. If you disagree with any changes to this Privacy Policy or changes published in the Trust Centre, you must not access or use our Platforms or interact with any other aspect of our business.

What kinds of Personal Data does C-Link collect and how does C-Link collect it?

C-Link primarily collects and holds Personal Data about users of our Platforms. “Personal Data” refers to any information or data relating to an individual who is either identified or can be reasonably identified, directly or indirectly. This includes any data that, either alone or in combination with other information, could be used to identify, contact, or locate an individual.  Personal Data includes various forms of data, such as names, contact details, identification numbers, online identifiers (e.g., IP addresses, device identifiers), and other details like gender, age, or location that, when combined, could lead to the identification of an individual.

Generally, Personal Data does not include company information that relates solely to a company, such as the company name, services offered, company contact details, company phone number, workforce size, contract size, regions served, company registration and tax IDs, and other similar details. 

Collecting Your Personal Data

If you are a C-Link Platform user, C-Link may collect your Personal Data in its capacity as a controller when you:

  • complete the registration process on any of our Platforms;
  • populate your user profile or other electronic forms on our Platforms;
  • produce, send, or manage tender information or procurement-related documentation via our Platforms or when you use or otherwise interact with our Platforms;
  • answer user or research surveys in relation to our Platforms;
  • enter into a business relationship with us;
  • use platform messaging functionality to communicate with others (including builders, subcontractors, suppliers or project team members); 
  • correspond with us (via email, phone, through our Platforms, through our chatbots, or otherwise); and
  • for other purposes related to the provision of our Platforms.

Where C-Link acts in its capacity as a controller, C-Link will only collect Personal Data about an individual directly from that individual, unless it is unreasonable or impracticable to do so.

C-Link generally acts as a data controller. In certain circumstances, such as where customers upload or provide Personal Data via our Platforms, C-Link acts as a data processor on behalf of those customers. In such cases, the customer remains the controller and our Data Processing Addendum applies.

What Personal Data does C-Link collect?

In the circumstances set out above, where such information can otherwise directly or indirectly identify an individual, the kinds of Personal Data that C-Link may collect and hold include:

  • names, addresses, email addresses, telephone numbers and other contact details;
  • login and activity details;
  • if you register for a paid service, financial information, including your bank account details and/or credit/debit card and billing information;
  • if you are a sole trader, small business owner, sole director or sole employee representative:
    • information related to your business profile, including a business name, email address, personal phone number, services offered, workforce size, contract size, regions served, preferred project types, project history, client history, business registration and tax IDs, information needed to verify your identity or integrate with our service providers; and
    • your professional details such as your primary and secondary trades, job, titles, tickets, skills certification, health and safety training certification, trade licences, trade qualifications or other accreditation, access levels at your employer, qualifications, career & educational documents;
    • insurance information, such as public liability or workers’ compensation insurance;
  • information and content submitted, shared, or created by a user of our Platforms including profile pictures, messages, comments, notes and tags made against user or company profiles, searches, photos, project details, project costs, project timelines, change orders, and invoices;
  • marketing and communication data – this includes your preferences in receiving marketing from us and our third parties and your communication preferences;
  • technical data, usage and website analytics information, which may include IP addresses, the types of devices used to access our Platforms, device attributes, browser type, language and operating system, access times, referring website address, your general geographic area based on your IP address and location data; 
  • data about how you use our Platforms, for example adding projects to watchlists on our Platforms, and/or the devices and networks you use to access our Platforms;
  • usage data – information about how and when you use our Platforms, which pages you access and information about your tastes and preferences; and
  • when you use platform messaging functionality to communicate with others, or correspond with us (via email, phone, through our Platforms, through our chatbots, or otherwise) we may record, monitor, collect, and use details about you and your communications (including metadata and activity logs).
  • accreditation or pre-qualification information received from CHAS (UK) or other accreditation bodies, including verification status, expiry dates and associated identifiers, where users have consented to such data being shared and displayed across the E1 Group, C-Link and Prosper platforms.

Sensitive Information 

C-Link will only collect Personal Data which is defined as ‘sensitive information’ or ‘special categories of Personal Data’ under applicable data protection laws:

  • where you consent and the collection is reasonably necessary for C-Link’s functions or activities (for example, where you enter such details into our Platforms); or
  • where the collection is authorised by law.

If you do not want sensitive information to be associated with your profile, you should not provide it to us.

Our services are designed for businesses and are not intended for use by children, including those under the age of digital consent in the UK and EEA.

Information from third parties

In addition, C-Link may obtain Personal Data about you from third parties.  Specifically, we may collect:

  • publicly available Personal Data – if you are a licensed professional or supplier we may collect and verify Personal Data about you from publicly available sources and where permitted by applicable law or, with your permission, make it available as part of your profile. For example, industry associations to which you belong or the details of any licence or accreditation you have using publicly available records;
  • your Personal Data provided by other Platform users (e.g. where you are a subcontractor, contact or business partner of a user, and the user syncs or uploads their ‘address book’ of subcontractors to the Platform, syncs their calendar or associates their contacts with member profiles);
  • Personal Data shared within the E1 Group (including EstimateOne Pty Ltd, C-Link and the Prosper platform) where necessary for the operation of the integrated C-Link, C-Link and Prosper services. This may involve transfers of Personal Data between the UK and Australia and vice versa, conducted in accordance with applicable transfer laws (including SCCs, the UK IDTA or Addendum, and required Transfer Risk Assessments).
  • your Personal Data (related to your business profile) from pre-qualification service providers in order to:
    • create profiles in C-Link’s directory services where they do not already exist; and 
    • display pre-qualification and other accreditation statuses in the C-Link directory services; or 

in order to assist you in promoting your business and winning new work, by allowing builder users (or other users with permissions to do so) to search for pre-qualified subcontractors to engage on their projects. 

If we receive Personal Data about you from another user, for example if you are a subcontractor of another user and they communicate with, or invite you to bid on a project via our Platforms, we will protect it as set out in this Privacy Policy. In these cases, we process your data where this is reasonably necessary for the third-party user to effectively use our Platforms or C-Link’s legitimate commercial interests, and on the basis that such use is necessary and that such use will not infringe on your other rights and freedoms.  If you then form a direct commercial relationship with us, we may determine the purposes and means of processing your Personal Data, including making decisions about how it is used and disclosed in accordance with our Privacy Policy.

If you are providing Personal Data about somebody else, you represent and warrant that you have such person’s consent or other appropriate legal basis to provide the Personal Data to us and to allow us to process it in accordance with this Privacy Policy.  

Dealing with us anonymously

You have the right to deal with us anonymously or using a pseudonym. However, in almost every circumstance it will not be practicable for us to deal with you or provide you with any services – except for responding to the most general enquiries – unless you identify yourself.  Where we need to collect your Personal Data, failure to provide it may mean that we are not able to provide you with the services or allow you to use core Platform features such as tenders or messaging. 

Anonymising Personal Data

We may anonymise the Personal Data we collect (so it can no longer identify you) and then combine it with other anonymous information so it becomes aggregated data.  Aggregated data helps us identify trends (e.g. what percentage of users responded to a specific survey) or how users interact with tender and procurement features across the Platform). Data protection law does not govern the use of aggregated data and the various rights described below do not apply to it.

Our Use of and Legal Grounds for Processing Your Personal Data

We will only process your Personal Data where we have a legal basis for doing so, and this will be determined by the purpose for which your Personal Data is processed. 

The table below sets out:

  • how we use your Personal Data; 
  • the purpose for using it in each case; and 
  • for individuals in the European Economic Area (EEA) and UK, the ‘lawful basis’ we rely on when we use your Personal Data. We collect and process information about you only where we have legal basis for doing so under applicable UK and EU laws. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your Personal Data to:
    • Fulfil our contract with you;
    • Comply with legal obligations that we have;
    • Pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g. your right to privacy); or
    • Do something for which you have given your consent.

If we intend to use your Personal Data for a new reason that is not listed in the table, we will update our privacy policy.  Where permitted by applicable law, we may use information for secondary purposes that are related (or, in the case of certain sensitive information, directly related) to the primary purpose and reasonably expected or to which you have consented.  

Lawful basisPurposes for using your Personal Data
ContractIn order to:administer or perform our contract with you;to allow you to use our Platforms and maintain an account with us, and to allow users you administer to maintain their accounts with us and set project access for those users;process your payment information in connection with any contract we have with you;deliver our services to you to enable the production, sending and management of tender information for projects, manage quotes, manage your team, manage your address book and expand your network, review subcontractors and increase quote coverage for your business, manage documentation, packages and letting schedules;provide directory services (“Directory Services”) via our Platforms including facilitating the use and display of your profile in the subcontractor directory tool (“Subcontractor Directory”) or builder directory tool (“Builder Directory”), including: where subcontractor users include Personal Data in their profile, publishing that into the Subcontractor Directory and allowing builders to access, use and retain that Personal Data, and allowing builders to invite you to tender via our Platforms and contact you either on or off our Platforms; andwhere Builders users include Personal Data in their profile, publishing that into the Builder Directory and allowing subcontractors and suppliers to access, use and retain that Personal Data to find who is working on projects relevant to them; proactively suggest connections and contact between subcontractors and suppliers based on relevant factors including the nature of the services and products of subcontractors and suppliers (“Connection Services”), including:where subcontractor users include Personal Data in their profile, publishing that via the Connection Services to supplier users;where supplier users include Personal Data in their profile, publishing that via the Connection Services to subcontractor users;prepare statistical analysis, insights and reporting; andsend you updates about services you have bought (e.g. confirmation of order, tax invoices).
Legal ObligationIf processing of your Personal Data is necessary to:record your preferences (e.g. marketing) to ensure that we comply with applicable data protection laws;send you information to comply with legal obligations (e.g. where we send you information about your legal rights);retain information to enable us to bring or defend legal claims; andassist government agencies, Courts, law enforcement agencies or regulators where we are required by law to do so.
Legitimate InterestsWhere using your information is necessary to pursue our legitimate business interests to:administer and perform our contract with your business or employer, including registering and maintaining your user account (and any users whose accounts you administer) and to verify your identity;ensure the proper functioning of, improve and optimise our Platform and other services;contact you, for example, to respond to your queries or complaints, or if we need to tell you something important;provide customer support and train our staff members to ensure that you receive the best possible customer service;perform accounting, billing and other administrative and operational functions;protect our business, our users and the public and to protect our/their rights and property;defend ourselves against legal claims;detect, prevent or address fraud or security issues and promote brand safety;optimise future marketing campaigns and marketing strategy;to directly market additional C-Link products, integrations or services that you do not currently receive;conduct internal administrative transfers within the E1 Group to support integrated C-Link, EstimateOne and Prosper services;monitor and enforce compliance with our Terms and Conditions, including dispute resolution; andcomply with internal risk controls, the terms of our access to payment processing, financial or banking services such as credit card disputes, fraud, billing errors, or any applicable law.Where we use your information for our legitimate interests, we have assessed whether such use is necessary and that such use will not infringe on your other rights and freedoms.
ConsentWhere you have provided your consent for us to receive your information or for allowing us to use or share your information:where we have made settings available to publish Personal Data which becomes accessible for use by other users, including: where subcontractor users publish their profile (including any Personal Data, contact details and project history) to the Subcontractor Directory – to allow builders to access, use and retain that Personal Data, add that information to their address book, and contact you either on or off our Platforms; where builders publish Personal Data including contact details into the Builder Directory listing – to allow subcontractors and suppliers to access, use and retain that Personal Data and contact you either on or off our Platforms; where subcontractor users  or supplier users  publish Personal Data including contact details and project history into their Subcontractor Directory listing or Supplier Profile respectively – to allow each other to use and retain that Personal Data via the Connection Services and contact the other either via, or outside of, our Platforms; where subcontractor or supplier users submit tender or project information to a builder – to allow builders to access, use and retain that Personal Data and contact you via, or outside of, our Platforms; andother publication functionality made available from time to time;to send you marketing materials. This includes making personalised suggestions and recommendations to you about services that may be of interest to you based on your Personal Data. This could be via email, or notifications & messages to your mobile device; andto ask you to submit a review across our review Platform and to produce testimonials for publication by us featuring your name and related corporate information and logos.

Automated decisions that may affect you

C-Link does not make solely automated decisions that have legal or similarly significant effects without human review. However, we do use automated processes to improve efficiency, reduce fraud, and help connect subcontractors, suppliers, and builders. 

The following are the types of automated processes used by C-Link:

  • Tender invitations and eligibility. Algorithms check whether a subcontractor’s profile, licences, and prior engagement meet the criteria a builder has set. This can determine whether you appear as eligible to be invited to tender.
  • Directory visibility and ranking. The order in which subcontractors, suppliers, or builders appear in searches may be automatically determined by relevance factors (e.g., location, trade type, accreditation, activity level).
  • Fraud, misuse, and security detection. Automated checks may restrict, suspend, or block accounts that display suspicious or prohibited behaviours (e.g., scraping, spam, repeated failed log-ins, or fraudulent submissions).

The following are the types of data used in those automated processes:

  • Profile and business data (e.g., trade, region, licences, insurance, workforce size).
  • Usage data (e.g., tender activity, responsiveness, quoting history).
  • Technical data (e.g., IP address, device/browser, login metadata).

Where a decision of this kind is made solely by automated means and could reasonably be expected to significantly affect you, you have the right to obtain human review, to express your point of view, and to contest the decision. You may exercise these rights by contacting us at privacy@c-link.com. 

The lawful basis for automated processes is either the performance of our contract with you (for example, to determine tender eligibility) or our legitimate interests (for example, fraud detection and directory ranking). C-Link does not make solely automated decisions with legal or similarly significant effects without human review.

Choices about publishing data 

You are responsible for familiarising yourself with the operations of the services, including directory services, connection services and network services, including which information fields will be shared, before entering any personal, confidential or sensitive information belonging to yourself or a third-party into such fields.

Where we have made settings available, we will honour the choices you make about who can see such information. 

Information on the Directory Services and Opting Out

You may choose to opt-out of the Subcontractor Directory listing through our Platforms, in which case your information will no longer be visible, but C-Link cannot remove or control your information already held by other users in their platform address books, or separately outside our Platforms. 

Please note: C-Link does not control, and is not responsible for, use and handling of your Personal Data by other users. We do not have control over any data that other users have saved outside our Platforms.

Information on the Connection Services and Opting Out 

You acknowledge that the connection services operate to proactively suggest connections and contact between subcontractors and suppliers based on relevant factors including the nature of the services and products of subcontractors and suppliers, where the Licensee has not otherwise opted out of this functionality.

You may choose to opt-out of the Connection Services (receiving suggestions to connect with subcontractors and suppliers) through our Platforms, in which C-Link will not use or disclose your information as part of this functionality.  

Please note: opting out of Connection Services functionality will not limit your appearance on the Directory Services. Your information will continue to be presented via the C-Link Directory Services unless you opt out from that separately.

While C-Link takes steps to limit the sharing of your information with only prospective suppliers if you are a subcontractor, and with only prospective subcontractors if you are a supplier (and not within the same cohort, i.e., so that supplier information isn’t shared with suppliers), C-Link cannot guarantee that such sharing will not or does not occur.

Internet Cookies

Cookies are small text files that we store on your browser, or the hard drive of your computer, if you agree. Cookies contain information that is transferred to your computer’s hard drive.

Our website and platform uses our own cookies, as well as (a) third party cookies of external partners we use to help us manage our Website such as session management, onboarding and bug identification and (b) third party cookies of other providers, including advertising platforms, with whom we have no relationship and over whom we have no control.

The following cookies are used on our Website:

  • Necessary cookies. These are cookies that are required for the operation of our website and platform. These essential cookies are always enabled because our website and platform won’t work properly without them. They include, for example, cookies that enable session functionality, the secure storage of customer credentials and other security functions;
  • Preference cookies. These enable us to recognise you when you return to our website and platform, to personalise our content for you and remember your preferences (for example, your choice of language or region);
  • Statistics cookies. These help us to understand how visitors interact with our website and platform. They include cookies that tell us why and when users experience bugs, how long people spend on our Website and the number of times they visit;  and
  • Marketing cookies. These are used to record your visit to the website and platform, to make our website and platform more relevant to your interests. We may also share this information with third parties for this purpose so that they can serve you with relevant advertising on their websites, where you have consented to this.

For users in the UK and EEA, non-essential cookies (such as preference, statistics, and marketing cookies) will only be used with your explicit prior consent, in accordance with the UK Privacy and Electronic Communications Regulations (PECR) and the EU ePrivacy Directive. You may withdraw consent at any time through our cookie banner or consent management platform.

Direct Marketing

C-Link may use your Personal Data in order to conduct direct marketing of C-Link services where:

  • you have provided that information; and
  • you have consented to direct marketing from us.

C-Link may use your Personal Data for directly marketing to you any additional C-Link products, integrations or services which you do not currently receive:

  • where you have consented to such marketing communications, particularly for electronic communications; or 
  • where such marketing is consistent with our legitimate interests, provided that these interests are not overridden by your rights and freedoms; 

in accordance with applicable law.  These products and services may be offered by C-Link, its related companies, its business partners, or its service providers.  However, we will not share your Personal Data with third parties for their direct marketing purposes without your explicit consent.

In each direct marketing communication, you will be given the option to opt out. You can also opt out at any time by contacting us.

Who we may disclose your Personal Data to and why

If you are a user of our Platforms, C-Link may disclose your Personal Data in accordance with the lawful bases and purposes set out above to:

  • the C-Link user who administers your account with us, for the purpose of assisting that administrator user with their support queries but only to the extent that your Personal Data is related to the provision of our Platforms;
  • E1 Group entities, including EstimateOne Pty Ltd, Construction Link Limited and Prosper (as a trading name of C-Link), for purposes connected to the operation of the integrated C-Link–EstimateOne–Prosper Platform, including cross-border data transfers between the UK and Australia conducted under appropriate safeguards;
  • professional and legal advisors;
  • third parties engaged in fraud prevention and detection;
  • law enforcement, Courts or other government organisations (e.g. to report a fraud or in response to a lawful request);
  • If you are a subcontractor of a C-Link user and are included in the Subcontractor Directory, to C-Link users and to third party service providers as noted in ‘Our Use of and Legal Grounds for Processing Your Personal Data’ above;
  • If you are a subcontractor of a C-Link user and are included in the subcontractor-supplier Connection Services, to suppliers and to third party service providers as noted in ‘Our Use of and Legal Grounds for Processing Your Personal Data’ above;
  • C-Link’s suppliers and service providers (e.g. companies that provide research and payment processing services as well as recipients who provide analytics or hosting services to C-Link), who may be based in the United States, Australia, United Kingdom, European Union, or other jurisdictions.  We ensure these organisations only have access to the information required to provide the support we use them for and have a contract with them that contains confidentiality and data protection obligations;
  • a potential buyer, in the event that C-Link sells any of its business assets or as part of a sale, merger or change in control, or in preparation for any of these events, in which case C-Link will make reasonable attempts to ensure the buyer will be bound by the terms of this Privacy Policy; and
  • third parties where we have your consent or are otherwise legally permitted to do so.

Management and security of Personal Data 

C-Link takes such steps as are reasonable in the circumstances to protect the Personal Data it holds from misuse, interference, loss, unauthorised access, modification or disclosure, including implementing appropriate technical and organisational measures as required by applicable privacy laws. Such measures include:

  • restricting access to Personal Data where practicable;
  • single user logins and keys;
  • access controls and user authentication (including multi-factor authentication);
  • internal IT and network security; 
  • the use of firewalls;
  • the pseudonymisation and encryption of Personal Data;
  • ensuring all payments are encrypted as per PCI-DSS requirements;
  • using industry-standard encryption to protect data in transit and at rest;
  • the use of secure databases;
  • conducting regular scans and penetration tests of our applications and networks to identify (and address) any potential vulnerabilities;
  • regular review of our security measures;
  • requiring all employees to comply with internal information security policies and keep information secure; 
  • business continuity and disaster recovery processes;
  • the restriction of physical access to our offices.

If there is an incident which has affected your Personal Data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law).  Where we act as the processor for the affected Personal Data, we notify the controller and support them with investigating and responding to the incident.

If you notice any unusual activity on our website or platform, please contact us at support@c-link.com.  

Your rights

You have specific legal rights in relation to your Personal Data, to be as follows:

● Access: You must be told if your Personal Data is being used and you can ask for a copy of your Personal Data as well as information about how we are using it to make sure we are abiding by the law.

● Correction: You can ask us to correct your Personal Data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes. We will take reasonable steps to appropriately correct or update the information to ensure that, having regard to the purpose for which we hold it, the information is accurate, up-to-date, complete, relevant and not misleading. We will respond to correction requests as soon as reasonably possible.

● Deletion: You can ask us to delete or remove your Personal Data if there is no good reason for us continuing holding it or if you have asked us to stop using it (see below). If we think there is a good reason to keep the information you have asked us to delete (e.g. to comply with regulatory requirements), we will let you know and explain our decision.

● Restriction: If you’re a resident in the UK or EEA, You can ask us to restrict how we use your Personal Data and temporarily limit the way we use it.

● Objection: You can object to us using your Personal Data if you want us to stop using it. If we think there is a good reason for us to keep using the information, we will let you know and explain our decision.

● Portability: If you’re a resident in the UK or EEA, you can ask us to send you or another organisation an electronic copy of your Personal Data. If your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act, as permitted by law (we will explain why and how to complain).

Please note that certain types of Personal Data access and correction requests may be exempt under applicable laws or where the information in question is legally privileged, would compromise the privacy or other legitimate rights of other persons, or where the information requested comprises proprietary business information. We can decide not to take any action in relation to a request where we have been unable to confirm your identity or if we feel the request is unfounded or excessive. We may charge a fee where we decide to proceed with a request that we believe is unfounded or excessive. If this happens we will always inform you in writing in advance.

To make any requests regarding your Personal Data, or if you have any questions or concerns regarding your Personal Data, please contact the Privacy Officer at privacy@c-link.com. You are also entitled to contact the UK Information Commissioner’s Office.

C-Link may require you to verify your identity and specify what information you require. There is no charge for requesting access or correcting your Personal Data, but C-Link may require you to meet its reasonable costs in providing you with access (such as costs for time and materials spent on retrieving and copying). If the information sought is extensive, C-Link will advise the cost in advance.

C-Link will respond to your requests in a reasonable time and will take all reasonable steps to ensure that the Personal Data it holds about you remains accurate, up to date, complete, relevant, and not misleading.

How long we keep your information: Retention Period

C-Link will keep your Personal Data for as long as it needs for the purposes set out under ‘Purposes for using your Personal Data’ above, and in line with our Terms of Use and applicable law. Our retention is subject to you exercising your lawful data subject rights, and further subject to any requirement for us to hold data for such period as may be required to establish, exercise or defend legal rights or ongoing legitimate business interests.  

To decide how long to keep Personal Data, we consider the volume, nature, and sensitivity of the Personal Data, the potential risk of harm to you if an incident were to happen, whether we require the Personal Data to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g. by using aggregated data instead), and any applicable legal requirements (e.g. minimum accounting records).

In practice, C-Link will retain your Personal Data within our Platforms indefinitely as you keep your account open or as needed to provide you services, and your account has not been otherwise suspended.  Even if you only use our services when looking at tender information every few years, we will retain your Personal Data and keep your profile open unless you close your account.   The exact retention period will vary depending on the nature of your interactions with C-Link and may vary by market in accordance with local laws.  

In some cases, we choose to retain certain information (e.g., insights about services use) in a depersonalised or aggregated form.

After you close your account, your data will be automatically deleted from our active database within 6 months and from our monthly backups within 6 months after that.

Data you have shared with others (for example, via tender submissions, messages or other exchanges you have made with other users on our Platforms) may still be visible even after you close your account or remove it from your profile.  

Sometimes, we may retain your personal data for longer periods as permitted or required by law, for example maintain records of exchanges you have made with other users on our Platforms, adhere to relevant regulatory requirements, resolve disputes, ensure the security of our platform, prevent fraud and misuse (for instance, if your account was restricted due to breaches of our policies), enforce our Terms of Use, or comply with your request to “unsubscribe” from further communications from us. 

We will periodically review dormant accounts (for example, those inactive for more than 3 years) and may delete or anonymise data that is no longer necessary. Retention periods may differ depending on the type of data (e.g. financial records, contracts, recruitment records).

We will update our retention practices as required to comply with future developments under UK, EU, and Australian data protection law, including any retention-related obligations emerging under the EU Data Act or subsequent UK reforms.

Where we store your Personal Data

We process Personal Data in multiple countries. Where we transfer Personal Data internationally, we will do so only where permitted under applicable data protection laws and with appropriate safeguards in place. If Personal Data is  transferred, we will comply with applicable laws in doing so.  

For residents in Australia, the UK or EEA, your Personal Data is transferred directly to EstimateOne Pty Ltd in Australia. We store most information about you in computer systems and databases operated by either C-Link or its external service providers. Some information about you may be recorded in paper files that we store securely. 

Recipients of your Personal Data are likely to be located in Australia, the United Kingdom (including Construction Link Limited (C-Link)), Ireland, United States of America per our Trust Centre, and other countries or jurisdictions depending on the nature of the services provided to the E1 Group (including the Prosper platform)..  

Personal Data may also be transferred between members of the E1 Group (including C-Link Australia, C-Link in the UK, and the Prosper platform) where this is necessary for the operation of the integrated C-Link, C-Link and Prosper services.

Where applicable, Personal Data relating to accreditation or pre-qualification status may be transferred from CHAS (UK) to C-Link Pty Ltd in Australia following user authentication and consent, solely for the purposes described in this Privacy Policy.

You may contact C-Link for an explanation of the basis on which it has transferred your Personal Data and, where relevant, to request a copy of the legal safeguards which C-Link has put in place.

If C-Link engages a third party to process Personal Data on its behalf, C-Link contractually requires them to handle your Personal Data appropriately.

For transfers from the UK and EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) or Addendum, and, where applicable, the EU–US Data Privacy Framework. We also conduct Transfer Risk Assessments (TRAs) or Transfer Impact Assessments (TIAs) to ensure adequate protection. Copies of these safeguards can be requested.

We will update our international transfer mechanisms as required to comply with future developments under UK, EU and Australian data protection law, including any changes arising from the UK DPDI Bill or the EU Data Act.

Enquiries and privacy complaints

If you would like further information about the way C-Link manages the Personal Data it holds, or if you have any concerns or complaints, or if you think there has been a breach of privacy, please contact the Privacy Officer  at privacy@c-link.com, or call +44 203 4686 430  (United Kingdom).

If you are not satisfied with our response, you can refer your complaint to, as applicable, to the Office of the Australian Information Commissioner (www.oaic.gov.au), or the UK Information Commissioner’s Office.

Pursuant to Article 27 of the EU General Data protection Regulation (GDPR) and Article 27 of the UK General Data Protection Regulation (UK GDPR), Verasafe has been appointed as our representative in the European Union and the United Kingdom for data protection matters. If you are in the EEA or the UK, VeraSafe can be contacted in addition to the Privacy Officer, only on matters related to the processing of Personal Data. To make an enquiry, please contact VeraSafe using this form: https://verasafe.com/public-resources/contact-data-protection-representative

Alternatively, you can contact Verasafe at:

EEA

Address:                  

VeraSafe Ireland Ltd.

Unit 3D North Point House

North Point Business Park

New Mallow Road

Cork T23AT2P

Ireland

Telephone: +420 228 881 031

United Kingdom

Address:                   

VeraSafe United Kingdom Ltd.

37 Albert Embankment

London SC-Link 7TL

United Kingdom

Telephone: +44 (20) 4532 2003

If you are based in the EEA, you may also contact your local Data Protection Authority in addition to VeraSafe.

If you are based in the UK, you may also contact the Information Commissioner’s Office (ICO) directly, in addition to VeraSafe. Further details are available at www.ico.org.uk.

This Privacy Policy was last amended in February 2026. If you have queries about the changes please contact C-Link on +44 203 4686 430 (United Kingdom) or email privacy@c-link.com.