Our Privacy Policy
Our Privacy Policy outlines how we collect, use, and protect your personal information. Your privacy and security are our priorities.
Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not use our Service.
Last Updated on 01 October 2025
1) Scope & roles
This policy covers our websites and web app (the “Services”).
For Customer Content you or your team upload or generate (e.g., datasets, files, prompts, outputs), we act as your processor and follow your instructions (see DPA below).
For website, account, billing, support and marketing data, we act as a controller.
2) What we collect
Identity & contact: name, business email/phone, company, role, addresses.
Account & profile: username, team/org membership, settings.
Financial & transaction: subscription status, invoices and payments (processed via our payment provider).
Technical: IP address, device/browser, OS, time zone, app and API logs.
Usage: feature interactions, telemetry, diagnostics, crash reports.
Marketing & comms: preferences and newsletter settings.
Customer Content (processor role): files, datasets, instructions and outputs you submit; typically business data. (Please avoid special-category or sensitive personal data unless agreed in writing.)
We do not intentionally collect special-category data.
3) How we collect data
Directly from you: sign-up, checkout, support, sales calls.
Automatically: cookies/SDKs for essential operations and (with consent) analytics/ads.
From third parties/public sources (B2B context): analytics platforms, ad networks (e.g., LinkedIn), payment processors, business data tools, and public registries (e.g., Companies House) to verify business details.
4) Why we use your data (legal bases)
Provide/support the Services (set up accounts, run features, billing, support).
Legal bases: Contract; Legitimate Interests (operate/secure our platform).
Execute workflows you request (e.g., comps, market research, AI summaries).
Legal bases: Contract; Legitimate Interests.
Security/monitoring/improvement (troubleshooting, preventing abuse, service analytics).
Legal bases: Legitimate Interests; Legal obligation (where applicable).
Service communications (security, changes, outages).
Legal bases: Contract/Legal obligation.
Marketing (updates/newsletters) only if you opt in; opt out anytime.
Legal bases: Consent (and soft-opt-in for existing customers where permitted).
We do not make solely automated decisions with legal or similarly significant effects.
5) Sharing your data
We share personal data with trusted service providers under contracts that require confidentiality and security. Typical categories: cloud hosting & storage, email/workspace, analytics, CRM/support, security & fraud prevention, payments, sales/data enrichment. We also share with professional advisers and public authorities where required by law. We do not sell personal data.
6) International transfers
We are UK-based and may process/store data in the UK, EEA, and other countries.
For UK personal data leaving the UK, we use approved safeguards such as the UK IDTA or the UK Addendum to the EU SCCs, with transfer risk assessments where needed.
For UAE-origin personal data, we follow PDPL transfer conditions (e.g., adequate protection, contractual safeguards, or another PDPL basis such as consent or necessity for contract).
7) Retention
We will retain your personal information only for as long as is necessary for the purposes set out in this Privacy Policy or as required by law. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it.
8) Security
We apply appropriate technical and organisational measures, including encryption in transit/at rest, least-privilege access, vendor due diligence, quarterly access reviews, and periodic security testing (independent pen-test in progress). Access to Customer Content is restricted to authorised personnel on a need-to-know basis.
9) Cookies, analytics & ads
We use essential cookies to operate the site.
Optional analytics/advertising cookies (e.g., GA4, Plausible, LinkedIn/other ad pixels) may be used in future and will be off by default until you consent via our cookie banner/settings. You can change your choices anytime.
We honour your selections and do not set non-essential cookies or use ad pixels without consent.
10) AI providers & data handling
We may use third-party AI services (e.g., OpenAI) and, at our discretion, other reputable providers to deliver requested workflows. We do not permit model providers to use Customer Content for training by default. Providers act under contractual and security safeguards; we can share the current provider categories and regions on request.
11) Accounts & authentication
Sign-in is via email/password (SSO options may be added). 2FA will be available soon (workspace admins can set organisation requirements). You are responsible for keeping credentials secure and for your organisation’s access policies.
12) Your rights
Depending on where you live and applicable laws, you may have certain rights regarding your personal data. These may include:
Access and Correction: You have the right to request access to or correction of your personal data.
Deletion: You can request the deletion of your personal information, subject to certain exceptions.
Data Portability: You may have the right to request a copy of your personal information in a commonly used format.
To exercise your rights, please contact us. We will respond to your request in accordance with applicable law.
Where UK GDPR applies
You can access, rectify, erase, restrict or object to processing, port your data, and withdraw consent for marketing at any time. You may also complain to the UK Information Commissioner’s Office.
Where UAE PDPL applies
You may request access, correction, erasure, restriction/cessation, portability/transfer, and objection to automated processing within the scope of the PDPL.
How to exercise your rights: email hello@runbuildable.com. We may need to verify your identity. We aim to respond within one month (or as required by law).
13) Children
Our Services are for professional/business use and not directed to children. We do not knowingly collect children’s personal data.
14) Changes to this notice
We will update this policy when needed and post the latest version here. We will notify you of material changes.
Data Processing Addendum (Short Form)
This DPA forms part of the agreement between the customer (“Customer”) and Buildable AI Limited (“Buildable”). It applies when Buildable processes Customer Personal Data in Customer Content on behalf of Customer.
1) Roles & scope
Customer is Controller; Buildable is Processor.
Subject matter: provision of the Services.
Duration: term of the agreement plus deletion period.
Nature & purpose: processing Customer Content to deliver requested workflows (e.g., analytics, market research, AI outputs).
Data subjects & types: Customer’s business contacts, staff or end-users as determined by Customer; typically B2B identifiers (names, business emails/phones) and any other personal data Customer chooses to include. No special-category data is intended; if required, the parties will agree safeguards in writing.
2) Processor obligations
Buildable will:
a) process Customer Personal Data only on documented instructions from Customer;
b) ensure personnel are bound by confidentiality;
c) implement appropriate technical and organisational measures (see Annex 2);
d) assist Customer with data subject requests and security obligations (arts. 32–36 UK GDPR) to the extent reasonably possible;
e) notify without undue delay after becoming aware of a personal data breach;
f) delete or return Customer Personal Data at Customer’s choice on contract end, and delete existing copies within 30 days, unless law requires retention;
g) make available information necessary to demonstrate compliance and allow reasonable audits once per year (on at least 30 days’ notice, during business hours, without disrupting services; confidentiality and cost-recovery apply).
3) Sub-processors
Customer authorises Buildable to use sub-processors for hosting, storage, analytics, support, security, communications, payments, AI model/runtime providers and similar. Buildable will impose data protection terms no less protective than this DPA and will remain responsible for sub-processors. Buildable will provide an up-to-date list of categories/regions on request and will notify Customer of material changes, allowing objection on reasonable grounds.
4) International transfers
For transfers of UK personal data to countries without adequacy, the parties incorporate the UK IDTA or UK Addendum to EU SCCs as applicable. For UAE-origin personal data, the parties will comply with UAE PDPL transfer requirements.
5) Customer obligations
Customer will ensure it has a lawful basis and provides required notices to data subjects, and will not instruct Buildable to process unlawful or excessive data.
6) Liability & precedence
Liability caps and exclusions in the main agreement apply to this DPA. If there is a conflict, this DPA prevails over the privacy policy and ancillary documents.
Annex 1 – Processing details
Controller: Customer
Processor: Buildable AI Limited
Subject matter, nature, purpose, duration, data types, data subjects: as described in Sections 1–2 above.
Annex 2 – Security measures (summary)
Encryption in transit and at rest;
Logical separation by tenant; least-privilege access; MFA for internal admin tools;
Secure software development lifecycle; vulnerability management;
Logging/monitoring; quarterly access reviews;
Vendor due diligence and contractual safeguards;
Incident response and breach notification;
Regular backups with rolling 35-day retention;
Independent security testing/pen-test in progress.
Annex 3 – Sub-processor categories & regions
Cloud hosting & storage (UK/EU primary; with international access as needed)
Email/workspace & support (UK/EU/US)
Analytics (enabled only with consent)
Payments (UK/EU/US)
Security & logging (UK/EU/US)
Sales/data enrichment & ad platforms (used for B2B outreach/measurement with consent)
AI runtime/model providers (UK/EU/US; no training on Customer Content by default)
Changes to this Privacy Policy
We reserve the right to update or change this Privacy Policy at any time. Any changes will be posted on this page, and the effective date will be updated accordingly. We encourage you to review this Privacy Policy periodically for any updates.