Privacy Policy

Last updated: March 2025 | DPDPA 2023 GDPR

Buildit ("we", "us", "our") is committed to protecting your personal data. This policy explains what we collect, why, and your rights under the Digital Personal Data Protection Act 2023 (India) and the GDPR (EU/UK).

1. Who We Are (Data Fiduciary / Controller)

Buildit
India
Email: privacy@aisoftwarefactory.in
DPO / Grievance Officer: dpo@aisoftwarefactory.in

2. What Personal Data We Collect

Data	Why we collect it	Legal basis (DPDPA / GDPR)
Name, email address	Account creation, login, invoices	Consent / Contract
Password (hashed — never plain text)	Authentication	Contract
Build prompts (text you type)	To generate your software	Contract
Payment details (processed by Razorpay)	Plan/token purchases, GST invoicing	Contract / Legal obligation
IP address, browser type	Security, fraud prevention	Legitimate interests (GDPR) / Legal obligation
Token usage, build history	Quota management, billing	Contract

We do not collect Aadhaar, PAN, health data, or biometric data.

3. How Long We Keep Your Data

Account data — until you delete your account
Build history and generated code — 90 days after last activity
GST invoices — 7 years (mandatory under Indian tax law)
Payment records — 7 years (legal obligation)
Server logs — 30 days

Note: Invoices and payment records are retained even after account deletion as required by Indian GST law (Section 36 of CGST Act).

4. Who We Share Data With

Razorpay — payment processing (Indian payments & international cards). They are an independent data processor with their own privacy policy.
Anthropic / Google Cloud — your build prompts are sent to AI models to generate code. We do not share your name or email with them.
No advertising networks. We do not sell or share your data with advertisers.

5. International Data Transfers

Our servers and database are hosted in India (Google Cloud asia-south1, Mumbai). AI model inference is processed via Google Cloud Vertex AI (asia-southeast1, Singapore) — only your build prompt text is sent, never your name, email, or payment details. If you are in the EU/UK, your data is transferred to India under appropriate safeguards including Standard Contractual Clauses (SCCs) where required under GDPR Article 46.

6. Cookies

Cookie	Purpose	Type	Duration
session	Keeps you logged in	Essential	30 days
aisf_cookie_consent	Remembers your cookie choice	Essential	1 year
Analytics (optional)	Understanding how users use the product	Non-essential (consent required)	Up to 2 years

You can change your cookie preferences anytime:

7. Your Rights

Under DPDPA 2023 and GDPR you have the right to:

Access — know what data we hold about you
Correction — fix inaccurate data
Erasure — delete your account and data (Right to be Forgotten)
Data Portability (GDPR) — receive your data in a machine-readable format
Object (GDPR) — object to processing based on legitimate interests
Restriction (GDPR) — request we pause processing your data
Withdraw consent — at any time, without affecting past processing
Lodge a complaint — with DPBI (India) or your local supervisory authority (EU)

To exercise any right: Email privacy@aisoftwarefactory.in or use the Delete Account option in the app (Settings → 🗑 Delete account). We respond within 30 days (DPDPA) / 30 days (GDPR).

To delete your account immediately: Log in → click the 🗑 icon next to your name → enter password → confirm. All your data (except legally required invoice records) is deleted immediately.

8. Security

We protect your data with: encrypted HTTPS connections, bcrypt-equivalent password hashing (passwords are never stored in plain text), access controls, and regular security reviews. In the event of a data breach affecting your rights, we will notify you within 72 hours as required by GDPR and DPDPA.

9. Grievance Redressal

Grievance Officer (India — DPDPA):
Email: dpo@aisoftwarefactory.in
Response within 30 days. If unsatisfied, you may escalate to the Data Protection Board of India (DPBI) once operational.

EU/UK Supervisory Authority:
You may lodge a complaint with your local Data Protection Authority. Find your authority at edpb.europa.eu.

10. Changes to This Policy

We may update this policy. Significant changes will be notified by email or a banner in the app. Continued use after 30 days of notification constitutes acceptance.