Legal

Privacy Policy

How we collect, use, disclose, and protect your personal information. Beta — pending counsel ratification.

BizBuilder — Privacy Policy

Last updated: 2026-06-04 · Effective date: [TBD] · Status: Beta

This Privacy Policy describes how BizBuilder, Inc. ("BizBuilder", "we", "us", "our") collects, uses, discloses, and protects personal information when you use the BizBuilder service (the "Service"). Capitalized terms not defined here have the meanings given in our Terms of Service.

Live sub-processor list at bizbuilderai.com/legal/subprocessors, subscribable for change notification.

Data Processing Addendum (DPA) available on request for business customers; email privacy@bizbuilderai.com and we will deliver within 7 business days.

By using the Service, you consent to the practices described here.

1. Information we collect

Account information — your email, a system-generated identifier, your brand-voice samples, notification preferences, billing-related identifiers from our payment processor (no card data), and any third-party API tokens you choose to connect.

Service inputs — URLs you submit, brand-voice samples, calibration responses, and explicit preferences.

Service outputs — analytical readings we generate for you, including audience analyses, content drafts, performance summaries, and recommendations, along with an audit log of meaningful actions taken in connection with your use of the Service.

Operational telemetry — system events from our internal modules. We design our telemetry to minimize the inclusion of sensitive identifiers.

Aggregated cohort data — anonymized cross-user patterns derived from telemetry; see §3 for the de-identification rule.

What we do not run on the Service. We do not use session-replay tools, screen-recording software, third-party chat widgets, or third-party advertising or retargeting trackers on the Service. Our public marketing site (pre-login) uses first-party analytics for traffic measurement.

2. How we use information

We process personal information for the following purposes, with the indicated GDPR Article 6 legal basis where GDPR applies:

(a) Providing the Service (contract — Art 6(1)(b)): running analyses, generating AI outputs, observing the performance of campaigns you operate on your own advertising-platform accounts, computing recommendations, transactional email, billing.

(b) Improving our prompts and configuration (legitimate interest — Art 6(1)(f)): we maintain versioned prompts and may analyze patterns to refine them. We do not knowingly contribute your inputs to AI-provider model training.

(c) Cohort intelligence aggregation (legitimate interest — Art 6(1)(f)): we derive anonymized cross-user patterns subject to the de-identification rule in §3. You may opt out in Settings → Privacy; opting out is bidirectional.

(d) Security, fraud prevention, and legal compliance (legal obligation and legitimate interest — Art 6(1)(c) and (f)): protecting the Service and other users, responding to lawful requests, complying with tax and audit requirements.

(e) Communications (contract — Art 6(1)(b)): transactional email, security alerts, account recovery, billing notifications. Marketing emails require separate consent.

3. Cohort intelligence (de-identification rule)

In short: We learn from patterns across users. We do not share your raw data with other users. Aggregated patterns are de-identified to prevent re-identification.

Our cohort intelligence is intended to satisfy GDPR Recital 26 / Article 17(3)(d) statistical-research carve-out and CCPA de-identified-data exclusion. Specifically:

(a) We do not expose one user's raw data (URLs you submitted, your scout outputs, your analytical readings, or any other content tied to your identity) to another user.

(b) Cohort patterns are aggregated across multiple users before being surfaced. We apply a minimum cohort size sufficient to prevent re-identification of any individual user.

(c) We do not attempt to re-identify individual users from cohort aggregates.

(d) The de-identification rule keeps you the controller of your data and any data you derive from your customers. BizBuilder acts as processor with respect to your data and does not become controller of end-customer data through cohort aggregation.

If you connect a payment-processor API key for revenue attribution, customer-level data we read from your account remains your data; we use it for attribution and do not aggregate it into cohort intelligence.

4. AI processing

In short: Our AI provider (currently Anthropic) processes inputs for content generation. We don't let our AI provider train on your data; we hedge against future policy changes.

We use third-party AI providers (currently Anthropic Claude) for content generation and analysis. BizBuilder is the Data Controller for your personal data; our AI provider acts as a Data Processor for inputs and outputs we send through their API.

(a) No training on your inputs. We do not knowingly contribute your inputs to AI-provider model training. Our agreement with our AI provider, as currently in effect, also prohibits such use. We will notify you of material changes to this posture via our change log.

(b) Retention. We retain AI-provider interactions only as needed to provide the Service.

(c) AUP flow-down. Your use of AI-generated outputs is subject to our AI provider's published Acceptable Use Policy.

(d) Accuracy notice. AI-generated content may contain factual inaccuracies; you should not rely on it as a sole source of truth or as a substitute for professional advice in regulated domains.

5. Sub-processors

We rely on third-party sub-processors for infrastructure (database, hosting, content delivery, error monitoring, durable workflows, rate-limiting, transactional email, URL fetching), AI generation, and payment processing.

Each sub-processor is bound by a Data Processing Addendum consistent with GDPR Article 28 and applicable cross-border transfer mechanisms. The complete live list, with each processor named, role, data categories, region, and DPA link, is at bizbuilderai.com/legal/subprocessors and is subscribable; subscribed users receive at least 30 days' notice of material additions or changes.

We do not collect or hold ad-media funds. The Service interacts with advertising platforms in two modes (described in Terms §4): in mode (a), BizBuilder runs limited signal-extraction experiments on BizBuilder's own advertising-platform accounts (in this mode the advertising platforms act as sub-processors of the limited campaign-execution data involved); in mode (b), you operate your own advertising accounts and are the direct contractual counterparty of each advertising platform (in this mode those platforms are not our sub-processors).

6. Automated decision-making

In short: Our analytical readings are automated decision-support based on observed signals. You approve every meaningful action. You can request human review of any reading.

Our analytical readings (including the Kill / Pivot / Double Down summaries the Service produces from your venture data) constitute automated decision-making for purposes of GDPR Article 22, Australia ADM 2026, and analogous frameworks.

(a) Decision-support, not autonomous decision. Your approval at each meaningful juncture constitutes the human review required by GDPR Article 22(2)(c), EU AI Act Article 50, and similar provisions. We do not pause, kill, or scale any campaign without your confirmation.

(b) Logic disclosure. The readings are computed from observed signals including campaign outcomes, cohort signals, and calibration state.

(c) Right to human review. You may request qualified human review of any specific reading at privacy@bizbuilderai.com. We will respond within the timeframes required by applicable law.

(d) Right to contest. You may contest any reading via the in-product override mechanism or by email.

7. Your privacy rights

In short: See what we have, correct it, get a copy, delete it, opt out of automated decisions. We follow regulatory timelines. We honor Global Privacy Control browser signals with a visible confirmation.

Where applicable law grants you rights, you may exercise them by emailing privacy@bizbuilderai.com or via Settings → Privacy in-app. We respond within the timeframes required by applicable law. We may request reasonable identity verification before fulfilling requests.

General rights (GDPR and similar): access, rectification, erasure, restriction of processing, data portability (in a structured, commonly-used, machine-readable format), objection to processing based on legitimate interest, withdrawal of consent for marketing.

Right regarding automated decision-making: see §6.

Notice to California residents

This section provides additional disclosures required by the California Privacy Rights Act (CPRA).

Categories of personal information we collect:

  • Identifiers (email, hashed user identifier, billing references)
  • Commercial information (subscription state)
  • Internet activity (system telemetry, audit log)
  • Inferences (cohort patterns)

Sources of personal information:

  • Directly from you (account information, Service inputs)
  • From your activity on the Service (telemetry)
  • From third-party platforms you connect (revenue-attribution data)

Categories of third parties with whom we disclose:

  • Service providers (infrastructure, AI, payment processing — see /legal/subprocessors)
  • Legal and regulatory authorities when required

Business purposes: providing the Service, security and fraud prevention, legal compliance, internal product improvement.

Your CPRA rights:

  • Right to know what categories of personal information we collect, sources, purposes, and categories of third parties with whom we disclose.
  • Right to delete personal information we collected from you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to portability in a structured, commonly-used, machine-readable format.
  • Right to opt-out of sale or share. BizBuilder does not sell your personal information for money. We do not knowingly share your personal information for cross-context behavioral advertising as defined under the CPRA. The "Do Not Sell or Share My Personal Information" link is provided as required.
  • Right to limit the use of sensitive personal information. The "Limit the Use of My Sensitive Personal Information" link is provided as required.
  • Right to non-discrimination. We will not deny service, charge different prices, or provide a different level of quality because you exercised your privacy rights.

Authorized agents. You may designate an authorized agent to make CPRA requests on your behalf. We will verify the agent's authority by requesting a signed written authorization from you or a notarized power of attorney before processing the request.

Global Privacy Control (GPC). When your browser sends a GPC signal, we treat it as a binding opt-out request for non-essential cookies and analytics. We display a visible confirmation within the same browsing session that the opt-out was processed.

To exercise CPRA rights, email privacy@bizbuilderai.com.

Response timeline: 30 days for individual requests under GDPR (up to 45 days for unusually complex or voluminous requests, with notice). Up to 45 days for CPRA bulk requests.

Right to lodge a complaint: California users with the California Privacy Protection Agency. Users in other US states with their state attorney general or relevant supervisory authority. EU users (to the extent they use the Service) with their national Data Protection Authority. UK users with the Information Commissioner's Office.

8. Cookies and tracking

  • Strictly necessary (no consent required): session, CSRF protection, authentication.
  • Analytics (consent required for EU/UK visitors): first-party analytics on the public marketing site.
  • No advertising or retargeting trackers on logged-in surfaces.
  • No session-replay or screen-recording tools anywhere on the Service.

GPC honored as described in §7.

9. Data retention

We retain personal information for as long as your account is active and as needed to provide the Service. After account deletion, we delete identifying personal information within a reasonable period (typically thirty days), subject to:

  • Operational logs retained for a limited period (typically up to ninety days) in pseudonymized form for security and operational purposes.
  • Billing records retained as required by tax and audit obligations (typically seven years).
  • Anonymized aggregate patterns persist as described in §3, with no identifiable linkage retained.

10. International data transfers and security

Our sub-processors are primarily located in the United States. For transfers from the European Economic Area, United Kingdom, or Switzerland to the United States, BizBuilder relies on Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914) and supplementary measures consistent with Schrems II requirements. Where applicable and to the extent BizBuilder or a sub-processor self-certifies, transfers may also be covered by the EU-U.S. Data Privacy Framework.

We employ industry-standard administrative, technical, and physical safeguards to protect personal information against unauthorized access, alteration, disclosure, and destruction.

Material security incidents affecting your personal data are disclosed in the timeframes required by applicable law. Report security issues to security@bizbuilderai.com.

11. Children

The Service is not directed to individuals under 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18, we will delete it as soon as reasonably possible. To report such collection, email privacy@bizbuilderai.com.

12. Geographic scope

BizBuilder is provided by a US-based company and is primarily directed to users in the United States. We do not actively market or target the Service to users in the European Economic Area, the United Kingdom, or other regions with comprehensive data-protection regimes.

We do not currently maintain a designated GDPR Article 27 EU Representative, a UK Representative, or a Data Protection Officer. As our presence in any region grows, we will appoint representatives and update this Policy accordingly.

Users outside the United States who choose to use the Service do so at their own discretion and acknowledge that their personal data will be processed in the United States. The protections described in this Policy apply to all users regardless of location.

13. Changes, contact, and material changes definition

We may modify this Privacy Policy from time to time. Material changes include: addition of new processing purposes, change in legal basis, addition of new categories of sub-processors, change in retention periods, change in jurisdictions where data is processed, or change in the rights you have under this Privacy Policy. Material changes will be notified by email at least thirty days in advance.

Non-material changes (clarifications, formatting, typo corrections) are reflected in the "Last updated" date at the top.

Contact.

  • Privacy / data-subject requests: privacy@bizbuilderai.com
  • Security disclosures: security@bizbuilderai.com
  • General: support@bizbuilderai.com

BizBuilder, Inc. · Delaware C-corporation · 131 Continental Drive, Suite 305, Newark, DE 19713