Privacy Policy
1. Data Controller & Contact
The data controller responsible for your personal data is:
- Entity: build-agent.ai
- Address: [INSERT BUSINESS ADDRESS]
- Email: [email protected]
- Data Protection Officer: [INSERT DPO NAME/CONTACT]
If you are located in the European Union and we are established outside the EU, our EU representative is: [INSERT EU REPRESENTATIVE].
2. Information We Collect
2.1 Information You Provide Directly
We collect personal data that you voluntarily submit through our website:
- Registration of interest: name, work email, company name, and course selection
- Team contact form: name, work email, company name, team size, and message
- Course enrollment (via Stripe checkout): name, email, and payment information (processed directly by Stripe; we do not store card details on our servers)
Our contact and registration forms include a hidden field for automated bot detection. This field is not visible to users, is not stored, and serves solely to prevent spam submissions.
2.2 Information Collected Automatically
Our website is served through Cloudflare's content delivery network. Cloudflare may automatically collect:
- IP address
- Timezone (via Cloudflare edge detection)
- Browser type and version
- HTTP request headers and server logs
This data is processed by Cloudflare for security and performance purposes (e.g., DDoS protection, web application firewall).
Your detected timezone may also be returned to your browser to display session times in your local timezone. This is derived from Cloudflare's edge detection and is not stored on our servers.
2.3 Local Storage (Client-Side Only)
Our website stores the following preferences in your browser's localStorage:
- Theme preference: light or dark mode selection
- Timezone preference: your selected display timezone
This data remains entirely on your device, is never transmitted to our servers, and can be cleared at any time through your browser settings.
2.4 What We Do NOT Collect
We want to be transparent about what we do not do:
- We do not use cookies (first-party or third-party)
- We do not use analytics trackers (no Google Analytics, no Plausible, no Fathom)
- We do not use advertising pixels or retargeting (no Meta Pixel, no Google Ads)
- We do not sell, rent, or trade your personal data to third parties
- We do not engage in cross-site tracking of any kind
3. Legal Basis for Processing
Under the GDPR (Article 6(1)), we process your personal data on the following legal bases:
- Consent (Art. 6(1)(a)): When you submit a contact or registration-of-interest form, you provide affirmative consent for us to process your data for the stated purpose.
- Performance of a contract (Art. 6(1)(b)): When you enroll in a course, we process your data as necessary to fulfill the enrollment, deliver course access, and process payment.
- Legitimate interest (Art. 6(1)(f)): We rely on legitimate interest for security measures provided by Cloudflare (protection against DDoS attacks, bot mitigation, and web application firewall).
- Legal obligation (Art. 6(1)(c)): We retain certain transaction records as required by applicable tax and accounting laws.
4. How We Use Your Information
We use the personal data we collect for the following purposes:
- To process course enrollments and deliver course content
- To respond to team training inquiries and registration-of-interest submissions
- To process payments securely through Stripe
- To maintain the security, integrity, and performance of our website
- To comply with legal obligations (e.g., tax record-keeping)
We do not use your data for profiling, automated decision-making, or any purpose other than those listed above.
5. Third-Party Service Providers
We share your personal data only with the following service providers, each bound by data processing agreements (DPAs):
Stripe
Stripe processes all payment transactions. Payment card data is handled entirely by Stripe and never touches our servers. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy.
Resend
Resend handles transactional email delivery (e.g., forwarding contact form submissions and registration-of-interest notifications to our team). Data shared: email address, name, and form content (when provided). Resend may retain email metadata (recipient address, delivery status) in accordance with their own data retention policies. See Resend's Privacy Policy.
Cloudflare
Cloudflare provides CDN, DNS, DDoS protection, and web application firewall services. Cloudflare processes access logs (IP, headers) as part of its security services. See Cloudflare's Privacy Policy.
We do not share your personal data with any other third parties.
6. International Data Transfers
Our third-party service providers (Stripe, Resend, Cloudflare) are based in the United States. When your data is transferred outside the European Economic Area (EEA), these transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-U.S. Data Privacy Framework (where applicable)
- Additional supplementary measures as required by the Schrems II decision
You may request a copy of the applicable safeguards by contacting us at [email protected].
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Course enrollment records: 7 years (to comply with tax and accounting obligations)
- Contact and registration form submissions: 2 years from the date of submission
- Transactional email metadata (via Resend): subject to Resend's data retention policy
- Cloudflare server logs: up to 30 days (managed by Cloudflare)
When your data is no longer needed, it is securely deleted or anonymized.
8. Your Privacy Rights
8.1 European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR:
- Right of access (Art. 15): Obtain a copy of your personal data and information about how it is processed.
- Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18): Restrict processing of your personal data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time (without affecting the lawfulness of prior processing).
- Right to lodge a complaint (Art. 77): File a complaint with your local data protection authority.
8.2 California, United States (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:
- Right to know: What personal information we collect, use, disclose, and sell.
- Right to delete: Request deletion of your personal information.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising, so this right is not applicable.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
We do not sell personal information as defined by the CCPA. We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA.
8.3 Other U.S. State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and opt out. We honor these rights in the same manner as described above.
8.4 Canada (PIPEDA)
If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) gives you the right to access, correct, and challenge the handling of your personal information. You may also withdraw consent, subject to legal or contractual restrictions.
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected]. We will respond within:
- 30 days for GDPR requests
- 45 days for CCPA/CPRA requests (extendable by an additional 45 days with notice)
- 30 days for PIPEDA requests
We may need to verify your identity before processing your request.
10. Children's Privacy
Our services are designed for professionals and are not directed to individuals under the age of 16 (EU/EEA, per GDPR Article 8) or under the age of 13 (United States, per COPPA). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will promptly delete it. If you believe a child has provided us with personal data, please contact us at [email protected].
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit: All data transmitted to and from our website is encrypted using TLS 1.3.
- Web application firewall: Cloudflare WAF protects against common web vulnerabilities and attacks.
- Payment security: Stripe is PCI DSS Level 1 certified — the highest level of payment data security certification.
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
While we take reasonable measures to safeguard your data, no method of transmission over the internet or electronic storage is 100% secure. We encourage you to use strong passwords and protect your account credentials.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
For material changes that affect how we process your data, we will make reasonable efforts to notify you (e.g., via email or a prominent notice on our website) before the changes take effect.
13. Do Not Track Signals
Our website does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) signals. However, since we do not use any tracking technologies (no cookies, no analytics, no pixels), your browsing on our site is inherently not tracked regardless of your DNT settings.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you can reach us at:
- Email: [email protected]
- Address: [INSERT BUSINESS ADDRESS]
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority: