Buildberry

    Buildberry Privacy Policy

    Effective date: September 16, 2025

    Entity responsible ("we," "us," "our"): VISTA CROSS VENTURES LLC, 155 Willowbrook Blvd, Ste 110 #3811, Wayne, New Jersey 07470 US

    We built Buildberry to help you plan and manage construction and renovation projects. This Policy explains how we collect, use, disclose, protect, and store personal information, and the rights and choices you may have under applicable laws.

    If you do not agree with this Policy, please do not use the Service.

    1) Scope & Roles

    This Policy applies to our websites, mobile/desktop apps, browser extensions, APIs, and related services that link to it.

    For EU/UK/Swiss users, VISTA CROSS VENTURES LLC is the Data Controller for personal data we process; some vendors act as Processors.

    2) Information We Collect

    You provide:

    • Account data (name, email, password, phone).
    • Profile data (role, company, avatar).
    • Project data (property addresses, budgets, schedules, tasks, drawings, photos/videos, invoices, change orders, notes, materials, contractor/subcontractor contacts, permits).
    • Communications (support chats, emails, feedback, survey responses).
    • Payment data processed by Stripe, Inc. (billing address, last-4 of card, transaction metadata). We do not store full card numbers.

    Automatically collected:

    • Device & usage (IP, device IDs, app/browser type and version, language, time zone, pages/screens viewed, events, crash logs, diagnostics, referrers).
    • Approximate location (derived from IP) and—with permission—precise geolocation for features like site logging or contractor scheduling.
    • Cookies/SDKs/pixels for authentication, analytics, performance, and (if enabled) marketing/retargeting.

    From third parties:

    • Single Sign-On (e.g., Google, Apple, Microsoft) basic profile and email.
    • Integrations you connect (e.g., cloud storage, calendars, accounting tools).
    • Public or enterprise data about contractors/suppliers where you ask us to enrich contacts or verify credentials.

    Sensitive data (limited and optional):

    • Government IDs or license numbers only if you ask us to help verify contractors or for compliance checks.
    • Precise location (with your device permission).

    We do not intentionally collect special categories under GDPR (e.g., health, religion) or children's data (see "Children").

    3) How We Use Information (Purposes & Legal Bases)

    • Provide the Service (create accounts, authenticate users, operate features, customer support).
    • Process transactions via Stripe, Inc. and manage subscriptions.
    • Synchronize & integrate with third-party services at your direction.
    • Analytics & product improvement (e.g., debugging, usage metrics, A/B testing).
    • Security & fraud prevention (detect, prevent, and respond to abuse or security incidents).
    • Communications (service emails, feature updates; marketing only with appropriate consent/opt-out).
    • Compliance (tax, accounting, legal obligations).
    • AI-assisted features (e.g., document parsing, task suggestions, cost insights, image/text analysis) using models operated by us or vetted processors under contract.

    GDPR/UK GDPR legal bases: performance of a contract, legitimate interests (e.g., security, improvement), consent (e.g., cookies/marketing, precise location), and legal obligations.

    4) Cookies, SDKs & Similar Technologies

    We use:

    • Strictly Necessary: login sessions, security.
    • Functional: preferences, saved views.
    • Analytics/Performance: usage stats and diagnostics.
    • Advertising/Retargeting (if enabled): to show relevant ads and measure campaigns.

    You can manage cookies via your browser/device settings. Where required, we obtain consent via a banner. We recognize Global Privacy Control (GPC) signals for "sale/share" opt-outs where applicable.

    5) Sharing & Disclosure

    We do not sell personal information for money. We may "share" data for cross-context behavioral advertising as defined in some U.S. laws only if you enable marketing; you can opt out (see "Your Rights").

    • Service providers/Processors: hosting, analytics, error monitoring, email/SMS, support, payments, document processing, AI inference, KYC/verification.
    • At your direction: collaborators you invite, organizations you belong to, integrations you connect.
    • Legal & safety: to comply with law, enforce terms, protect rights, security, or safety.
    • Business transfers: in a merger, acquisition, or sale, subject to this Policy.

    We enter data processing agreements and (for EU/UK/Swiss transfers) Standard Contractual Clauses with recipients where required.

    6) International Data Transfers

    We operate globally. When transferring personal data internationally (including to the U.S.), we use appropriate safeguards such as EU/UK SCCs, UK IDTA/Addendum, and other legally recognized mechanisms. Details are available upon request.

    7) Data Retention

    We keep personal data while your account remains active and as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce agreements.

    • Project content: retained until you delete it or your organization's admin schedules deletion.
    • Backups: persist for [30–90] days.
    • Transaction records: retained per tax/accounting laws.

    You can request deletion (see "Your Rights").

    8) Security

    We use administrative, technical, and physical safeguards appropriate to the nature of the data, including encryption in transit and at rest, access controls, least-privilege, monitoring, and regular vulnerability management. No method of transmission or storage is 100% secure.

    9) Your Rights & Choices

    Your rights depend on your location and local laws. Subject to verification and exceptions, you may have the right to:

    EU/EEA/UK/Switzerland (GDPR/UK GDPR):

    access; rectification; erasure; restriction; portability; object (including to profiling based on legitimate interests); withdraw consent.

    United States state laws (e.g., CPRA/CCPA–CA, VCDPA–VA, CPA–CO, CTDPA–CT, UCPA–UT, others):

    • Know/access and portability; deletion; correction; opt-out of sale/share and targeted advertising; opt-out of profiling for decisions with legal/similar significant effects (where applicable).
    • We honor GPC signals for sale/share opt-outs.
    • Appeals: If we deny a rights request (where required, e.g., CO/CT/VA), you may appeal by submitting a support ticket with "Appeal" in the subject.

    Canada (PIPEDA), Brazil (LGPD), Australia, India (DPDP), Singapore (PDPA), South Africa (POPIA):

    similar rights to access, correction, deletion, and withdrawal of consent where applicable.

    How to exercise: submit a support ticket. We will verify your identity (and authority for agent requests) and respond within required timeframes. We will not discriminate against you for exercising your rights.

    • Marketing choices: unsubscribe via email footer or account settings.
    • Cookies/ads: adjust preferences via your browser/mobile settings.

    10) Children's Privacy

    Buildberry is not directed to children under 13 (or the age defined by local law). We do not knowingly collect personal data from children. If you believe a child has provided data, contact us by creating a support ticket so that we can delete it.

    11) Automated Decision-Making & Profiling

    We may use analytics and optional AI features to suggest timelines, budgets, or task prioritization. These do not produce legal or similarly significant effects without human involvement.

    12) Organizational Accounts & Admin Controls

    If you use Buildberry under an organization:

    • Admins may control access, retention, and export of project data.
    • Your information may be visible to other members according to the org's settings and your role.

    13) Third-Party Links & Integrations

    The Service may link to or integrate with third-party services (e.g., Supabase, Lovable, Stripe). Their privacy practices are governed by their own policies. Review them before enabling integrations.

    14) Cross-Context Advertising & "Sale/Share" (U.S. States)

    If you enable marketing cookies/SDKs, we may disclose identifiers and usage data to advertising partners for cross-context behavioral advertising. Where defined by law, this may be considered a "sale" or "share."

    • Opt out anytime via [Do Not Sell or Share My Personal Information].
    • We honor GPC signals.

    15) Do Not Track

    Some browsers transmit "Do Not Track" signals. We currently respond to GPC instead of DNT.

    16) Legal Bases, Complaints & Contacts

    • Legal bases: contract; legitimate interests; consent; legal obligation.
    • EU/UK complaints: you may lodge a complaint with your local supervisory authority (e.g., ICO in the UK, or your EU DPA).
    • Primary contact: Support ticket via the app.

    17) International-Specific Disclosures (Summaries)

    • EU/EEA/UK/Swiss: transfer mechanisms (SCCs/IDTA), data subject rights, ePrivacy consent for non-essential cookies.
    • Canada (PIPEDA): contact us by submitting a support ticket via the app to access or correct personal information and to learn about cross-border processing.
    • Brazil (LGPD): legal bases include consent, contract, and legitimate interests; contact us by submitting a support ticket via the app.
    • Australia: overseas disclosures per APP 8; contact us for access/correction.
    • India (DPDP): consent and legitimate uses; to reach the grievance officer, contact us by submitting a support ticket via the app.
    • Singapore (PDPA): contact us by submitting a support ticket via the app for access/correction.
    • South Africa (POPIA): responsible party VISTA CROSS VENTURES LLC; to reach the information officer, contact us by submitting a support ticket via the app.

    18) Data Minimization & Accuracy

    We limit collection to what is necessary, use it only for stated purposes, and take reasonable steps to keep your information accurate and up to date.

    19) Changes to This Policy

    We may update this Policy from time to time. We will post changes here and update the "Effective date." We will notify you of material changes via email or in-app notice. Your continued use of the Service after changes means you accept the updated Policy.

    20) How to Contact Us

    VISTA CROSS VENTURES LLC
    Contact us by submitting a support ticket via the app

    Annex A – Categories of Personal Information (CPRA Mapping)

    • Identifiers: name, email, IP, device IDs.
    • Customer records: billing details (partial), transaction metadata.
    • Protected classes: not collected intentionally.
    • Commercial information: subscription plan, purchase history.
    • Internet/Network: usage, logs, diagnostics.
    • Geolocation: approximate IP; precise only with permission.
    • Sensory: photos/videos you upload.
    • Professional/employment: role/title (if provided).
    • Inferences: feature usage segments for product improvement/marketing (opt-out available).
    • Sensitive personal information: limited to ID/licensing data (optional) and precise geolocation (opt-in); used only for the purposes described and not for inferring characteristics.