Privacy Policy & AI Transparency

Last Updated: March 2026

Our AI "No-Training" Promise

BuildSheet is built on SOC 2 Type II compliant infrastructure. Your proprietary mechanical specifications, uploaded images, and structural build data are never used to train our AI models or third-party global models. All data processing using Google Gemini via Vertex AI is strictly governed by the Google Cloud Data Protection Addendum (CDPA), honoring enterprise-grade data residency and privacy controls.

1. Introduction

BuildSheet ("we", "our", or "us") respects your privacy. This Privacy Policy outlines how we collect, use, and protect your personal information when you use our website and application (the "Service"). This policy applies globally, adhering to the General Data Protection Regulation (GDPR / EU AI Act), the California Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA), the Lei Geral de Proteção de Dados (LGPD) for Brazil, the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) for Mexico, and the Personal Information Protection and Electronic Documents Act (PIPEDA) for Canada.

For our users and tech partners across the African continent, this policy adheres to the principles of the AU Malabo Convention, and complies specifically with the Protection of Personal Information Act (POPIA) of South Africa, the Nigeria Data Protection Act (NDPA), and the Kenya Data Protection Act (DPA).

2. Information We Collect

We collect information to provide and improve our Service. This includes:

Account Information: Name, email address, and authentication credentials (handled via Google/Firebase Auth).
Project Data: Build sheets, bills of material, design requirements, and uploaded mechanical images. Because this is your intellectual property, it is strictly isolated per tenant.
Usage Data & Analytics: How you interact with our platform (with your explicit consent where required by law).
Payment Information: Handled securely via Stripe. We do not store raw credit card numbers.

3. How We Process Data (Legal Basis)

Under GDPR and LGPD, we process your data on the following bases:

Contractual Necessity: To provide the core functionality of the Application (saving projects, AI drafting).
Consent: For non-essential cookies, analytics, and marketing communications. You may withdraw this at any time.
Legitimate Interest: To prevent fraud, ensure security, and improve platform performance.

4. Enterprise-Grade Data Security

We implement AES-256 encryption at rest and TLS in transit. Our database infrastructure (Google Firestore) resides within secure U.S. regions configured to comply with SOC 2 standards.

5. Your Global Privacy Rights

Depending on your jurisdiction (GDPR, CCPA/CPRA, LGPD, LFPDPPP, PIPEDA, POPIA, NDPA, Kenya DPA), you have the right to:

Access / Portability: Request a copy of the personal data we hold about you.
Correction / Rectification: Fix inaccurate or incomplete data.
Deletion / Cancellation ("Right to be Forgotten"): Request that we delete your account and associated data.
Opposition / Opt-Out: Object to processing. Under the CCPA/CPRA, we do not sell your personal data. You may opt out of sharing for cross-context behavioral advertising via our Cookie Preferences.

ARCO Rights (Mexico): Mexican residents may exercise their rights of Access, Rectification, Cancellation, and Opposition by contacting us.

Data Transfers (Canada & Global): Your data may be transferred to and stored on servers located in the United States, utilizing SOC 2 compliant infrastructure under strict data protection protocols.

To exercise any of these rights, please contact us via our support channels or you may export/delete your data directly from your account profile inside the Application.

6. Artificial Intelligence, Sub-processors & Transparency

To provide AI drafting and part-hydration capabilities, we utilize Google Cloud (Vertex AI) as a strict data sub-processor. As detailed in our promise above, inputs are not used for generative model training. We may also query public APIs (like NHTSA for safety recalls) on your behalf; such queries do not include your personally identifiable information.

EU AI Act Transparency Disclosure: BuildSheet incorporates AI systems intended to assist engineering professionals. Outputs generated by the BuildSheet engine (such as BOMs, visual drafts, and structural trees) are AI-generated or AI-assisted. Users are responsible for exercising independent professional judgment and verifying the accuracy and safety of all AI-generated technical specifications before manufacturing.

7. Contact Us

If you have any questions or concerns regarding this policy, or your data subject rights, please contact our Data Protection Officer (DPO). For users in Brazil, this acts as our Encarregado pelo Tratamento de Dados Pessoais. For users in Canada, this acts as our Privacy Officer. For users in South Africa, this acts as our Information Officer. Contact us at privacy@buildsheet.cloud.