Contents

  1. Data Controller
  2. Data We Collect
  3. Legal Basis for Processing (GDPR)
  4. How We Use Your Data
  5. Third-Party Processors
  6. International Data Transfers
  7. Data Retention
  8. Cookies and Tracking
  9. Children's Privacy
  10. Your Rights (GDPR)
  11. Security
  12. Changes to This Policy
  13. Contact and DPA

Plain-English Summary: We collect the minimum data needed to run your account and process payments. We never sell your data. Payments go through Stripe — we never see your card number. AI prompts are sent to Anthropic to generate responses. You can request deletion of your data at any time.

1. Data Controller

The data controller responsible for your personal data is:

BuildPilot Labs
Ranjeet Singh
Munich, Germany
Email: contact@buildpilotlabs.com

For all privacy-related enquiries, data subject requests, or to reach our Data Protection contact, email the address above with the subject line "Privacy / GDPR".

2. Data We Collect

2.1 Account Data

When you register an account, we collect:

2.2 Payment and Billing Data

Payments are handled exclusively by Stripe. We never receive, process, or store your full payment card number, CVV, or bank details. We store only:

Stripe's handling of your payment data is governed by the Stripe Privacy Policy.

2.3 License and Usage Data

2.4 Technical / Log Data

When you use our website or API, our servers automatically record:

2.5 AI Prompt Data

When you use CodeSage Pro's AI features, your prompts (which may include code snippets and screen captures you choose to submit) are transmitted to our API, which forwards them to Anthropic to generate a response. We do not persistently store the content of your prompts or AI responses beyond the duration needed to fulfil the request. Anthropic's handling of this data is governed by Anthropic's Privacy Policy.

2.6 Contact Form Data

If you use our contact form, we collect your name, email address, and message content solely to respond to your enquiry.

We process your personal data under the following legal bases as set out in Article 6 of the GDPR:

Data / ActivityLegal Basis (Art. 6 GDPR)
Account registration and loginArt. 6(1)(b) — performance of a contract
Processing payments and managing subscriptionsArt. 6(1)(b) — performance of a contract
Sending transactional emails (receipts, alerts)Art. 6(1)(b) — performance of a contract
Security, fraud prevention, rate limitingArt. 6(1)(f) — legitimate interests (protecting the Service and users)
Legal and tax record-keepingArt. 6(1)(c) — legal obligation (§ 257 HGB, § 147 AO)
Responding to contact form enquiriesArt. 6(1)(f) — legitimate interests (providing support)
Marketing emails (if opted in)Art. 6(1)(a) — consent

4. How We Use Your Data

We do not: sell your data to any third party; use your data for advertising; share your data with any party except as described in Section 5; use your code or prompts to train AI models.

5. Third-Party Data Processors

We engage the following sub-processors who may process your personal data on our behalf:

ProcessorPurposeLocationSafeguard
Stripe, Inc. Payment processing, subscription management USA (with EU data residency options) Standard Contractual Clauses; Privacy Policy
Hostinger International Ltd. Web hosting and database hosting EU (Netherlands) EU-based infrastructure; Privacy Policy
Anthropic, PBC AI model inference (processing prompts) USA Standard Contractual Clauses; Privacy Policy
Google LLC Web fonts (Google Fonts, loaded from CDN) USA Standard Contractual Clauses; Privacy Policy

We use Google Analytics 4 for anonymous, aggregated usage statistics — but only if you opt in via our cookie banner. Analytics is loaded with Google Consent Mode v2 (denied by default) and with IP anonymisation enabled. If you do not consent, Google Analytics is never loaded and no analytics cookies are set. We do not use Meta Pixel or any advertising / behavioural-advertising tracking.

6. International Data Transfers

Stripe and Anthropic are US-based companies. When your data is transferred to the United States, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914/EU) to ensure an adequate level of protection for your personal data.

Where available, we request that processors apply EU data residency settings. Our hosting infrastructure (database and web server) is located in the EU.

7. Data Retention

Data CategoryRetention PeriodReason
Account data (name, email, password hash)Duration of account + 30 days after deletion requestContract performance
Payment / billing records (Stripe IDs, plan)10 years from transactionGerman commercial / tax law (§ 257 HGB, § 147 AO)
API usage logs13 months (rolling)Fraud prevention, dispute resolution
Server access logs (IP, HTTP)30 days (rolling)Security and abuse prevention
Contact form submissions24 months from last interactionLegitimate interest (enquiry management)
AI prompt contentNot persistently storedProcessed in real-time only

When you request account deletion, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g. billing records). We will confirm deletion by email.

8. Cookies and Tracking

We use strictly necessary cookies (which do not require consent) and, only with your consent, optional analytics cookies. When you first visit, a cookie banner lets you accept or reject analytics. You can change or withdraw your choice at any time using the cookie button in the bottom-left corner of any page, or by reopening preferences from this policy.

Cookie NameTypePurposeDuration
PHPSESSIDSession / Strictly necessaryCSRF token storage for form securitySession (deleted on browser close)
bp_consentStrictly necessaryStores your cookie choices (which categories you accepted)180 days
bp_tokenFunctional (localStorage)JWT authentication token for logged-in users30 days (stored in localStorage, not a cookie)
_ga, _ga_*Analytics (optional — consent required)Google Analytics 4 — distinguishes anonymous visitors and sessions. Set only after you opt in.Up to 13 months

Analytics cookies are set only after you opt in. Until then, Google Analytics is not loaded (Google Consent Mode v2, denied by default). You can withdraw consent as easily as you gave it — click the cookie button at the bottom-left of any page and choose “Reject all” or untick Analytics.

Google Fonts: Our pages load fonts from Google Fonts CDN (fonts.googleapis.com). This may result in Google receiving your IP address. If you wish to avoid this, you can use a browser extension to block external font requests.

9. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@buildpilotlabs.com and we will promptly delete the data.

10. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), Switzerland, or the UK, you have the following rights under the GDPR (and equivalent local laws):

Right of Access (Art. 15)Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16)Request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17)Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to Restriction (Art. 18)Request that we limit processing of your data in certain circumstances.
Right to Portability (Art. 20)Receive your data in a structured, machine-readable format (JSON/CSV) for transfer to another provider.
Right to Object (Art. 21)Object to processing based on legitimate interests. We will stop unless we have compelling grounds.
Right to Withdraw Consent (Art. 7)Where processing is based on consent, you may withdraw it at any time without affecting past processing.
Right to Lodge a Complaint (Art. 77)File a complaint with your local supervisory authority. In Germany: BfDI. In Bavaria: LDA Bayern.

To exercise any of these rights, email us at contact@buildpilotlabs.com with the subject "GDPR Request – [Right]". We will respond within 30 days. We may ask you to verify your identity before processing a request.

We will not discriminate against you for exercising your privacy rights.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. We encourage you to review this page periodically.

Continued use of the Service after an update constitutes acceptance of the revised Policy.

13. Contact and Data Protection

For all privacy enquiries, data subject requests, or to report a potential data breach:

BuildPilot Labs — Data Controller
Ranjeet Singh
Munich, Germany
Email: contact@buildpilotlabs.com
Subject line: "Privacy / GDPR"

You also have the right to lodge a complaint with the competent data protection supervisory authority:

EU ODR Platform for consumer disputes: https://ec.europa.eu/consumers/odr