Privacy Policy

Last updated · June 19, 2026

This policy explains what personal data Buildy collects when you use buildy.me, how we use it, and the rights you have. The data controller is Gonzalo Gomez (Calle Los Caserios 8, 39700 Castro-Urdiales, Cantabria, Spain), who operates Buildy as a sole trader in Spain. Questions? Email hello@buildy.me.

01 Data we collect

  • Account — your name, email address and a securely hashed password.
  • Projects & content — the prompts you write, the code and files Buildy generates, your chat messages, and project settings (including any backend keys you choose to store, such as a Supabase anon key).
  • Billing — handled by Paddle, our reseller and Merchant of Record. We store your plan, subscription status and Paddle customer/subscription identifiers, but we never see or store your full card number — Paddle processes payment under its own privacy policy.
  • Technical — log data, IP address, timestamps and basic usage metrics, used for security and reliability.

02 How we use it

We use your data to:

  • provide and operate the Service, including generating code with AI;
  • authenticate you and keep your account secure;
  • process payments and manage subscriptions;
  • enforce plan quotas and prevent abuse;
  • provide support and send essential service emails (e.g. password reset).

Our legal bases under the GDPR, mapped to each purpose:

  • Performance of our contract — providing the Service, your account, authentication and billing.
  • Legitimate interests — keeping the Service secure and preventing abuse. You can object to this processing.
  • Consent — analytics cookies only; you can withdraw consent at any time via Cookie settings in the footer.
  • Legal obligation — keeping invoicing and tax records as required by Spanish law.

We do not use your prompts or generated code to train AI models.

03 AI processing & connected services

To generate code, the prompts you submit and the relevant parts of your project are sent to our AI provider, Anthropic, which processes them to return a result. Please review Anthropic's privacy policy for details of how they handle data submitted through their API. We send only what is needed to fulfil your request.

Some features send your data to third parties at your direction. If you connect GitHub, your project code is pushed to a repository (and managed one-click builds run on GitHub Actions). If you connect Supabase, the app talks to your own Supabase project using your keys. These services process that data under their own terms.

04 Who we share data with (subprocessors)

We don't sell your data. We share it only with the service providers we need to run Buildy:

| Provider | Purpose |
|---|---|
| Anthropic | AI code generation |
| Paddle | Payments & subscriptions (Merchant of Record; UK/Ireland) |
| Spacemail | Transactional email |
| GitHub (Microsoft) | Source-code sync & managed app builds, when you use them (US) |
| Expo / EAS | Optional mobile app builds (US) |
| Google Analytics | Usage analytics — only with your consent (US) |
| OVH (France) | Application & database hosting — servers in the EU |

05 International transfers

Several of our providers process data outside the European Economic Area — Anthropic, Google, GitHub (Microsoft) and Expo/EAS (mainly in the United States), and Paddle (our payments Merchant of Record, in the United Kingdom). Where a provider is certified under the EU–US Data Privacy Framework, transfers to it rely on that adequacy mechanism; transfers to the UK rely on the UK adequacy decision. Otherwise they rely on the European Commission's Standard Contractual Clauses together with appropriate supplementary measures.

06 Retention

How long we keep data:

  • Account & project data — while your account is active; deleted or anonymized within a short period after you delete a project or close your account.
  • Billing & invoice records — retained for the period required by Spanish tax and commercial law (generally 4–6 years).
  • Technical logs — kept for a short period (up to about 12 months) for security and reliability.

07 Your rights

If you are in the EEA or UK, you have the right to access, correct, delete, restrict or port your data, to object to certain processing, and to withdraw consent. To exercise any of these, email hello@buildy.me; we respond within one month (GDPR art. 12). You can also lodge a complaint with your data protection authority — in Spain, the Agencia Española de Protección de Datos (AEPD, aepd.es).

08 Cookies

We keep cookies to a minimum and set no advertising or cross-site tracking cookies. Analytics cookies are set only if you accept, and you can change or withdraw your choice at any time via Cookie settings in the footer (which also clears the analytics cookies).

| Cookie | Purpose | Duration |
|---|---|---|
| session | Keep you signed in (strictly necessary, first-party — no consent needed) | Session / up to 30 days |
| _ga | Google Analytics — distinguishes users (consent; Google, US) | ~13 months |
| _ga_* / _gid | Google Analytics — session state (consent; Google, US) | ~24 hours – 13 months |

09 Security

Data is encrypted in transit over HTTPS, passwords are stored hashed, and access is restricted. No system is perfectly secure, but we take reasonable measures to protect your data.

10 Children

Buildy sets a minimum age of 16 to use the Service (an eligibility rule; Spain's age of digital consent is 14). It is not directed to children under 16, and we do not knowingly collect their personal data.

11 Changes

We may update this policy. We will post the new version with an updated date and, for material changes, take reasonable steps to notify you.

12 Contact

Email hello@buildy.me with any privacy questions.