This Privacy Policy explains how BuildCrate ("we", "us", "our") collects, uses, discloses and protects your personal information when you use buildcrate.co and the BuildCrateproduct (the "Service"). We comply with the Australian Privacy Principles in the Privacy Act 1988 (Cth) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Who is the data controller
BuildCrate is the data controller for the personal information processed through the Service. You can contact us at team@buildcrate.co for any privacy-related request, including access, correction, deletion, export or withdrawal of consent.
2. What we collect
Account data
- Email address, display name, password hash (managed by our auth provider).
- Authentication metadata (IP, login timestamps, device fingerprint for session security).
Subscription & billing data
- Stripe customer ID, subscription status, plan, renewal date, founding member number.
- Billing details (name, address, last 4 of card) are held by Stripe, not by us. We never see or store full card numbers.
Product data you create
- Brand briefs, product scores, launch progress, calculator inputs, notes.
- Any text or URLs you submit to AI-powered features.
Usage data
- Pages visited, features used, performance and error logs.
- Cookies strictly necessary for authentication and session continuity.
3. Why we use it
- Service delivery: create your account, run the tools, persist your work.
- Billing: charge your subscription, send receipts, prevent fraud.
- Support: reply to your emails at team@buildcrate.co.
- Product improvement: aggregate, anonymised usage analytics.
- Legal: comply with tax, accounting and law-enforcement obligations.
We do not sell your personal data. We do not run third-party ad networks on the authenticated app and we do not use your private content to train public AI models.
4. Who we share data with
- Stripe, payment processing.
- Lovable Cloud / Supabase, managed database, auth and storage.
- AI providers (Google, OpenAI via Lovable AI Gateway), when you explicitly use AI features. Inputs are processed transiently and are not retained for model training.
- Email provider, to send transactional and account emails.
- Authorities, only where compelled by valid legal process.
5. International transfers
Data may be processed in the United States, the European Union and Australia. Where data leaves your jurisdiction we rely on standard contractual clauses or equivalent safeguards offered by our processors.
6. How long we keep it
- Account & product data: while your account is active, then 30 days after deletion request.
- Billing records: 7 years (Australian tax law).
- Server logs: 30 days rolling.
7. Your rights
You can at any time:
- Access a copy of your data.
- Correct inaccurate data from the Settings page or by email.
- Delete your account and associated data.
- Export your data in a portable format.
- Withdraw consent for optional processing.
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or, if you are in the EU, your local supervisory authority.
Send any rights request to team@buildcrate.co. We respond within 30 days.
8. Security
- TLS in transit, encryption at rest on managed infrastructure.
- Row-Level Security on every database table, users can only see their own rows.
- Role-based access (member / admin) enforced server-side.
- Passwords hashed with bcrypt; leaked-password protection enabled.
- Service-role keys are server-only and never shipped to the browser.
9. Children
The Service is not directed at children under 16 and we do not knowingly collect their data.
10. Changes
We may update this policy. Material changes will be announced by email and on this page. Continued use after the effective date constitutes acceptance.
11. Governing law
This policy is governed by the laws of Australia (state of Victoria).