Privacy Policy

Buildynx Ltd. ("we", "us", or "our") is a Software-as-a-Service (SaaS) platform provider committed to protecting your privacy and complying with applicable data protection laws, including:

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our SaaS platform, including any AI-powered features. By using our services, you consent to the data practices described herein.

We collect and process personal data necessary to provide, improve, and secure our SaaS platform. This includes:

Category	Examples	Purpose & Legal Basis
Account Information	Name, email, job title, company, password (hashed)	Contract performance (Art. 6(1)(b) GDPR / Sec. 6 PDPL)
Usage Data	Feature usage, session duration, IP address, device info	Legitimate interests: service improvement, security (Art. 6(1)(f))
Content You Upload	Documents, prompts, datasets processed via our platform	Contract performance; processed per your instructions
AI Interaction Data	Prompts, AI-generated outputs, feedback on AI responses	Service delivery; model improvement (with consent/opt-out)
Communication Data	Support tickets, emails, chat logs	Legitimate interests: customer support, contract obligations
Payment Information	Billing address, payment method (processed by PCI-compliant third parties)	Contract performance; legal obligation (tax/compliance)

Special Category Data

We do not intentionally collect special category data (e.g., racial origin, health data, biometrics) under GDPR Article 9 or sensitive personal data under UAE PDPL. If you submit such data via our platform, you warrant you have lawful authority to do so, and we process it solely per your instructions as a data processor.

AI Processing Activities

• Real-time AI Assistance: When you use AI features, your input (e.g., prompts, uploaded files) is processed by our AI models to generate responses. This processing occurs in secure, encrypted environments.
• Model Training & Improvement: By default, we do not use your personal data or confidential content to train our foundational AI models. If you opt into our "Contribute to Improvement" program, anonymized and aggregated interaction data may be used to enhance model performance. You may opt out anytime in Settings → Privacy.
• Automated Decision-Making: Our AI may provide recommendations or draft content, but no fully automated decisions with legal or significant effects are made about you without human review, in compliance with GDPR Article 22 and UAE PDPL safeguards.
• Third-Party AI Services: We may integrate with external AI providers (e.g., for specialized language models). All such providers are bound by Data Processing Agreements (DPAs) and undergo security assessments. Data transfers outside the UK/EU/UAE use approved safeguards (SCCs, adequacy decisions, or UAE-approved mechanisms).

AI-Specific Safeguards

• Data minimization: Only necessary data is sent to AI systems
• Encryption: Data in transit and at rest using industry-standard protocols
• Access controls: Strict role-based access to AI processing environments
• Human oversight: Critical outputs are reviewable; you retain final control
• Bias monitoring: Regular audits of AI outputs for fairness and accuracy

For details on specific AI features and their data flows, see our Trust Center or contact our Data Protection Officer.

Under GDPR and UAE PDPL, we process personal data only when we have a valid legal basis. Our processing activities and corresponding legal bases include:

📋 Contractual Necessity (Art. 6(1)(b) GDPR / Sec. 6 PDPL)

Processing required to deliver our SaaS services under your subscription agreement, including account management, feature access, billing, and support.

⚖️ Legitimate Interests (Art. 6(1)(f) GDPR / Sec. 6(2) PDPL)

Processing necessary for our legitimate business interests, provided your rights do not override them. Examples:

• Platform security, fraud prevention, and system integrity
• Service improvement, analytics, and product development
• Communicating updates, security notices, and administrative messages

You may object to processing based on legitimate interests by contacting privacy@buildynx.com. We will assess your request per applicable law.

✅ Consent (Art. 6(1)(a) GDPR / Sec. 5 PDPL)

For optional processing activities, such as:

• Marketing communications (you may unsubscribe anytime)
• Optional AI model improvement contributions
• Non-essential cookies and tracking technologies

Consent is freely given, specific, informed, and unambiguous. You may withdraw consent at any time via your account settings or by contacting us.

📜 Legal Obligation (Art. 6(1)(c) GDPR / Sec. 6 PDPL)

Processing required to comply with UK, EU, or UAE legal obligations, including tax reporting, regulatory audits, or lawful law enforcement requests.

We do not sell your personal data. We may share data only in the following circumstances:

🔧 Service Providers (Data Processors)

Trusted third parties who process data on our behalf under strict Data Processing Agreements (DPAs) compliant with GDPR Article 28 and UAE PDPL requirements:

• Cloud Infrastructure: AWS, Google Cloud (data centers in EU/UK/UAE regions)
• Payment Processing: Stripe, PayPal (PCI-DSS compliant)
• Customer Support: Intercom, Zendesk
• Analytics & Monitoring: Plausible (privacy-focused), Sentry (error tracking)
• AI Model Providers: [List specific vendors, e.g., Anthropic, Mistral] with SCCs or equivalent safeguards

🌍 International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction. We ensure adequate protection through:

• UK/EU → Third Countries: UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs), supplemented by technical measures
• UAE → International: UAE PDPL-approved transfer mechanisms, including adequacy decisions or contractual safeguards
• Transparency: View our Subprocessor List for current vendors and locations

⚖️ Legal Requirements & Business Transfers

We may disclose data if required by law, court order, or governmental request. In the event of a merger, acquisition, or asset sale, we will notify you of any change in data handling practices and your choices.

We retain personal data only as long as necessary for the purposes outlined in this policy, considering legal obligations and legitimate business needs:

Data Category	Retention Period	Rationale
Account Information	Duration of active subscription + 30 days	Service delivery; post-termination support window
Usage & Analytics Data	24 months from collection	Product improvement; aggregated/anonymized thereafter
AI Interaction Logs	90 days (unless opted into improvement program)	Service debugging; quality assurance
Financial Records	7 years (UK/EU) / 5 years (UAE)	Tax, accounting, and regulatory compliance
Support Communications	3 years from ticket closure	Service history; dispute resolution

Upon account deletion or expiration of retention periods, we securely delete or anonymize personal data using industry-standard erasure methods. Some data may be retained in anonymized, aggregated form for statistical purposes.

Depending on your location, you have the following rights regarding your personal data:

How to Exercise Your Rights

To submit a request:

1. Log in to your Buildynx account and visit Settings → Privacy & Data, or
2. Email our Data Protection Officer at privacy@buildynx.com with "Data Rights Request" in the subject line

We will verify your identity and respond within:

• UK/EU: 1 month (extendable to 3 months for complex requests)
• UAE: 30 days from receipt of verified request

Requests are free of charge, unless manifestly unfounded or excessive.

We implement technical and organizational measures aligned with GDPR Article 32 and UAE PDPL security requirements:

• 🔐 Encryption: AES-256 for data at rest; TLS 1.3+ for data in transit
• 🛡️ Access Controls: Role-based access, multi-factor authentication, principle of least privilege
• 🔍 Monitoring: 24/7 security monitoring, intrusion detection, regular penetration testing
• 📋 Policies: Staff training, incident response plan, data protection by design & default
• 🌐 Infrastructure: SOC 2 Type II certified providers; regular third-party audits

While we strive to protect your data, no internet transmission is 100% secure. If you suspect a security incident, notify us immediately at security@buildynx.com.

We use cookies and similar technologies to enhance your experience. Our cookie practices comply with GDPR/ePrivacy and UAE PDPL:

Type	Purpose	Consent Required?
Strictly Necessary	Authentication, security, session management	No (legitimate interest/contract)
Functional	Preferences, language, accessibility settings	No (legitimate interest)
Analytics	Usage insights, performance monitoring (privacy-focused)	Yes (opt-in via cookie banner)
Marketing	Personalized ads, campaign tracking (if applicable)	Yes (explicit consent)

Manage your preferences anytime via our Cookie Consent Manager (footer link) or browser settings. Note: Disabling essential cookies may limit platform functionality.

We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. We will:

• Post the updated policy on this page with a revised "Last Updated" date
• Notify you of material changes via email or in-app notice (where required by law)
• Provide a summary of key changes for transparency

Continued use of our services after changes constitutes acceptance of the updated policy.

📬 Contact Our Data Protection Team

For questions about this policy, your data rights, or AI processing:

• Email: privacy@buildynx.com
• Data Protection Officer: dpo@buildynx.com
• Postal Address: Buildynx Ltd., Data Protection Team, [Full Address]
• UAE Representative: [If applicable per PDPL Art. 23]