Privacy Policy
Effective date: March 19, 2026 | Last reviewed: March 19, 2026
1. Introduction and scope
BuildPM ("BuildPM", "Company", "we", "us", or "our") operates the website located at https://buildpm.co and any associated subdomains, applications, and services (collectively, the "Service").
This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you visit or use the Service. It applies to all visitors, users, applicants, and partners ("you" or "your").
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Data controller
For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable data protection laws, BuildPM is the data controller responsible for your personal data. You can contact us at privacy@buildpm.co.
3. Personal data we collect
3.1 Information you provide directly
- Waitlist and newsletter sign-up: email address and submission source
- Builder application: full name, email address, LinkedIn profile URL, current role, experience level, areas of interest, and free-text responses
- Partner application: company name, contact name, email address, partnership tier preference, and description of interest
- Communications: any information you provide when you email us or submit a support request
3.2 Information collected automatically
When you consent to analytics (see Section 5), we collect the following through PostHog and Vercel Analytics:
- Pages visited, time on page, and navigation paths
- Interactions such as clicks, scroll depth, and form engagements
- Device type, operating system, browser type and version, and screen resolution
- Approximate geographic location (country and city level, derived from IP address); we do not store raw IP addresses
- Referrer URL, landing page, and UTM campaign parameters
- Session recordings with all form inputs automatically masked
3.3 Information we do NOT collect
- Payment or financial information (we do not process payments)
- Government-issued identification numbers
- Precise geolocation or GPS data
- Biometric data
- Data from minors under 16 (see Section 12)
4. Legal bases for processing (GDPR)
We process your personal data under the following legal bases:
- Consent (Art. 6(1)(a)): analytics cookies and session recordings are only activated after you affirmatively consent via our cookie banner
- Contract performance (Art. 6(1)(b)): processing your application or waitlist sign-up to provide the Service you requested
- Legitimate interests (Art. 6(1)(f)): improving our Service, preventing fraud and abuse, and ensuring security. We balance these interests against your rights and do not use this basis for marketing
- Legal obligation (Art. 6(1)(c)): where we are required by law to retain or disclose data
5. Cookies, local storage, and tracking
No analytics data is collected until you affirmatively accept cookies. If you decline, PostHog is fully disabled and no tracking data leaves your browser. We also honor the Do Not Track (DNT) browser signal.
Cookie inventory
| Name | Type | Purpose | Duration |
|---|---|---|---|
| ph_* | Analytics | PostHog anonymous visitor ID and session tracking | 1 year |
| cookie_consent | Functional | Stores your cookie consent preference (localStorage) | Persistent |
We do not use third-party advertising cookies, cross-site tracking pixels, or fingerprinting techniques. We do not share data with advertising networks.
6. How we use your data
- To process and respond to your waitlist sign-up, application, or inquiry
- To communicate with you about your application status and Service updates
- To provide, maintain, and improve the Service
- To understand usage patterns and optimize user experience (only with consent)
- To detect, prevent, and address fraud, abuse, or technical issues
- To comply with legal obligations and enforce our Terms of Service
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
7. Data sharing and sub-processors
We do not sell, rent, or trade your personal data. We share data only with the following categories of service providers ("sub-processors") who process data on our behalf under written agreements:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database (form submissions, applications) | EU / US |
| PostHog | Product analytics and session recordings | US (EU processing available) |
| Vercel | Website hosting and performance analytics | US (global edge) |
We may also disclose data if required by law, court order, or governmental authority, or if necessary to protect the rights, property, or safety of BuildPM, our users, or the public.
8. International data transfers
Your data may be transferred to and processed in countries outside your jurisdiction, including the United States. Where we transfer data outside the EEA or UK, we rely on:
- EU-US Data Privacy Framework (where the recipient is certified)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Your explicit consent, where applicable
You may request a copy of the applicable transfer safeguards by contacting us at privacy@buildpm.co.
9. Data retention
- Application and waitlist data: retained for as long as your application or account is active, plus 12 months after the last interaction, unless you request earlier deletion
- Analytics data: retained for 12 months from the date of collection, then automatically deleted or anonymized
- Cookie consent preferences: retained in your browser localStorage until you clear it or change your preference
- Communications: retained for 24 months for support and audit purposes
When data is no longer needed, we securely delete or irreversibly anonymize it.
10. Your privacy rights
10.1 Rights under GDPR (EEA and UK residents)
- Right of access (Art. 15): obtain a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your data ("right to be forgotten")
- Right to restrict processing (Art. 18): limit how we use your data
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests
- Right to withdraw consent: withdraw consent at any time by changing your cookie preference or contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, CNIL in France, or your national DPA).
10.2 Rights under CCPA/CPRA (California residents)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information, subject to certain exceptions
- Opt out of the sale or sharing of personal information. We do not sell or share personal information as defined by the CCPA/CPRA.
- Non-discrimination: we will not discriminate against you for exercising your rights
In the preceding 12 months, we have not sold personal information. We do not use sensitive personal information for purposes beyond those permitted by the CPRA.
10.3 How to exercise your rights
To exercise any of the above rights, email privacy@buildpm.co with the subject line "Privacy Rights Request". We will verify your identity and respond within 30 days (or sooner if required by applicable law). If we need additional time, we will inform you of the reason and extension period.
11. Data security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include:
- Encryption in transit (TLS 1.2+) and at rest
- Access controls and least-privilege principles for internal systems
- Regular security reviews of our sub-processors
- Automatic masking of form inputs in session recordings
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority as required by applicable law.
12. Children's privacy
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will promptly delete it. If you believe we have inadvertently collected such data, please contact us at privacy@buildpm.co.
13. Third-party links
The Service may contain links to third-party websites or services (e.g., LinkedIn, partner tools). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective date" and "Last reviewed" dates at the top
- Provide notice via the Service (e.g., a banner or email notification for material changes)
Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy. If you do not agree with the changes, you should stop using the Service and request deletion of your data.
15. Contact us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
- Email: privacy@buildpm.co
- General inquiries: hello@buildpm.co
We aim to respond to all privacy-related inquiries within 5 business days.