buildloopsLegal Center

Privacy Policy

Last updated: April 6, 2026

BuildLoops, Inc. ("BuildLoops," "we," "us," or "our") operates the BuildLoops.ai platform and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you visit our website at buildloops.ai, use our platform, or otherwise interact with us.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

Account Information. When you create an account, we collect your name, email address, and password. If you sign up through a third-party authentication provider (such as Google or GitHub), we receive your name, email address, and profile identifier from that provider.

Project and Business Data. When you use the Service, you provide information about your product, business model, target customers, pricing, go-to-market strategy, and related inputs as you progress through Stations and Lines. This includes product descriptions and code repository metadata (Station S1), customer interview notes and survey responses (Station S2), demand experiment data such as landing page conversion rates and ad performance (Station S3), competitive intelligence inputs (Station S4), customer segment definitions and profiles (Station O1), value proposition drafts (Station O2), pricing hypotheses and test results (Stations O4--O5), channel strategy and campaign data (Stations C1--C5), activation, churn, and retention metrics (Stations T1--T5), and investor narrative materials (Stations K1--K3). We refer to all data you input into Stations collectively as "Content."

Payment Information. If you subscribe to a paid plan, our third-party payment processor (Stripe, Inc.) collects your payment card details, billing address, and transaction history. We do not store your full payment card number on our servers.

Communications. When you contact us for support, provide feedback, or respond to surveys, we collect the content of those communications along with your contact details.

1.2 Information Collected Automatically

Usage Data. We collect information about how you interact with the Service, including which Stations and Lines you access, the sequence and duration of your sessions, loop phase completion rates, features used, actions taken, and the Outputs generated.

Device and Technical Data. We collect your IP address, browser type and version, operating system, device identifiers, screen resolution, referring URLs, and general location inferred from your IP address.

Cookies and Similar Technologies. We use cookies, local storage, and similar tracking technologies to maintain your session, remember your preferences, and analyze usage patterns. See Section 8 (Cookies) for details.

1.3 Information from Third-Party Integrations

When you connect third-party tools through the Service, we receive data from those tools as authorized by you. The Service integrates with the following categories of third-party tools, among others:

  • Analytics platforms (such as Google Analytics/GA4, Mixpanel, PostHog, and Amplitude) --- providing page views, user events, conversion funnels, and cohort data.

  • Payment processors (such as Stripe, Gumroad, and LemonSqueezy) --- providing transaction data, revenue metrics, and pricing experiment results.

  • Audience and market intelligence services (such as SparkToro, SimilarWeb, and Crunchbase) --- providing audience demographics, competitor traffic data, and market intelligence.

  • Customer research tools (such as Respondent.io, Typeform, Tally, and Grain/Otter.ai) --- providing survey responses, interview transcripts, and call recordings.

  • Marketing and CRM tools (such as HubSpot, Mailchimp, ConvertKit, and Buffer) --- providing email engagement data, campaign performance, and contact information.

  • Landing page and ad platforms (such as Carrd, Google Ads, and Meta Ads) --- providing conversion rates, click-through data, and ad performance metrics.

  • Product and revenue analytics (such as ProfitWell/Paddle, Baremetrics, and ChartMogul) --- providing subscription metrics and unit economics data.

  • Session replay and feedback tools (such as Hotjar, FullStory, and Canny) --- providing qualitative usage data and feature request information.

We access only the data necessary to operate the relevant Station and only for as long as the integration remains active. You control which integrations are active and may disconnect them at any time through your account settings. A current list of all integration partners is maintained at buildloops.ai/integrations.

1.4 Information from Third Parties

We may receive information about you from third-party sources, including authentication providers, analytics services, marketing platforms, and publicly available sources. We use this information to supplement our records, improve the Service, and personalize your experience.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the Service, including running AI-guided Station loops, generating evidence-based recommendations, and enabling context accumulation across your journey through all 5 Lines and 23 Stations.

  • To process transactions and manage your subscription.

  • To personalize and improve the Service, including refining our Station designs, loop architectures, prompt systems, and recommendation quality using aggregated, anonymized usage patterns.

  • To communicate with you, including sending service-related notices, responding to inquiries, and providing customer support.

  • To send marketing communications where permitted by law, including product updates, feature announcements, and educational content. You may opt out at any time.

  • To analyze usage trends, monitor the effectiveness of the Service, and conduct research to improve our offerings.

  • To detect, prevent, and address fraud, security incidents, and technical issues.

  • To comply with legal obligations, enforce our Terms of Service, and protect our rights, property, and safety and that of our users.

3. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

Service Providers. We share information with third-party vendors who perform services on our behalf, including cloud hosting, payment processing, analytics, email delivery, and customer support tools. These providers are contractually required to use your information only to provide services to us and in accordance with this Privacy Policy.

Third-Party Integrations. When you connect a third-party tool to the Service, we exchange data with that tool as necessary to operate the relevant Station. You control which integrations are active. Data shared with each integration is limited to what is necessary for that Station's function.

AI Model Providers. We use third-party large language model (LLM) providers to power our AI-guided processes. Inputs you provide to Stations are sent to these providers for processing. See Section 4 (AI-Specific Data Practices) for detailed information about how your data is handled by AI providers.

Partner Referrals. When BuildLoops recommends a third-party tool within a Station (such as Carrd for landing pages, Respondent.io for customer research, or Stripe Atlas for business formation), we may share a referral identifier with that partner. We do not share your Content, project details, or business data with referral partners. You decide whether to engage with any recommended tool.

Business Transfers. If BuildLoops is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and a prominent notice on the Service at least 30 days before any such transfer takes effect.

Legal Requirements. We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of BuildLoops, our users, or the public.

With Your Consent. We may share information with your explicit consent or at your direction.

Aggregated or De-Identified Data. We may share aggregated or de-identified data that cannot reasonably be used to identify you, for purposes such as industry benchmarking, research, and product improvement.

4. AI-Specific Data Practices

BuildLoops is an AI-powered platform. Transparency about how your data interacts with AI systems is essential to our relationship with you. This section describes our AI data practices in detail.

4.1 How Your Data Is Processed by AI

Each Station in the BuildLoops system runs a structured 5-phase loop. During these loops, the Content you provide --- along with accumulated context from prior Stations --- is sent to third-party LLM providers for processing. The AI generates Outputs including diagnostics, evidence syntheses, recommendations, action plans, and investor materials. This processing is integral to the Service.

4.2 No Training on Your Data

BuildLoops does not use your Content or Outputs to train any AI models. This commitment is contractual and extends to our AI subprocessors. Specifically:

  • Your Content and Outputs are not used to train, fine-tune, or improve BuildLoops' AI models or any third-party AI models.

  • Our agreements with LLM providers contractually prohibit them from using your Content or Outputs to train their models.

  • Our LLM providers do not retain your Content or Outputs beyond the processing window necessary to generate a response. We maintain zero-retention API agreements with our AI providers, meaning your data is processed ephemerally and not stored on provider systems after the response is returned.

  • No human at BuildLoops or at our AI subprocessors reviews your Content or Outputs, except where you explicitly request human support or where required by law.

If we ever wish to use anonymized data patterns to improve our systems, we will do so through a separate, opt-in program with clear terms, following the model of established AI companies. Participation would be entirely voluntary and would not affect your access to the Service.

4.3 Context Accumulation

A core feature of the Service is that context from earlier Stations is retained within your account and used to inform subsequent Stations. For example, customer language captured during Signal Line conversations (S2) is used to generate value propositions in the Offer Line (O2), which in turn feeds message testing in the Channel Line (C2). This accumulated context is stored on BuildLoops infrastructure, not with AI providers. Each time a Station loop runs, the relevant context is assembled and sent to the LLM provider for that specific processing session only.

4.4 AI Subprocessor Transparency

We maintain a current list of AI model providers (subprocessors) used to power the Service at buildloops.ai/subprocessors. This list includes the provider name, purpose, data processing location, and retention policy. We will notify you by email at least 30 days before adding or changing an AI model provider, because a change in AI provider can materially affect output quality and data handling. You may object to a new AI subprocessor by contacting us within 15 days of notification.

4.5 AI Output Limitations

AI-generated Outputs are recommendations based on the Content and context you provide. They are not guarantees of business outcomes. The quality of Outputs depends significantly on the quality and accuracy of your inputs. AI systems may produce inaccurate, incomplete, or misleading results. You are solely responsible for independently evaluating and verifying any Output before relying on it. See our Terms of Service for additional disclaimers.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

  • Account information is retained until you delete your account.

  • Content and Station data (including accumulated context) is retained for the life of your account, as its value depends on continuity across Stations and Lines.

  • Usage and analytics data is retained for up to 36 months for product improvement purposes, after which it is aggregated or deleted.

  • Payment records are retained as required by applicable tax and accounting laws (typically 7 years).

  • Communications and support records are retained for up to 24 months after resolution.

  • AI processing data is not retained by our LLM providers beyond the processing window (zero retention).

When you delete your account, we will delete or anonymize your personal information within 90 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or legal compliance). Aggregated, de-identified data derived from your usage may be retained indefinitely.

6. Data Security

We implement commercially reasonable technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).

  • Zero-retention agreements with AI model providers ensuring ephemeral processing of your Content.

  • Access controls limiting employee access to personal data on a need-to-know basis.

  • Regular security assessments and vulnerability testing.

  • Secure software development practices.

  • Incident response procedures for detecting, reporting, and responding to data breaches.

No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Breach Notification

In the event of a security breach that affects your personal data, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms. Notification will include the nature of the breach, the data affected, the measures taken to address it, and recommended steps you can take. Where required by applicable law, we will also notify the relevant supervisory authority within the same timeframe.

8. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

  • Essential Cookies: Required for the Service to function (session management, authentication). These cannot be disabled.

  • Analytics Cookies: Help us understand how users interact with the Service (e.g., Google Analytics, Mixpanel). You may opt out of these.

  • Functional Cookies: Remember your preferences and settings (e.g., language, theme, last-accessed Station).

  • Marketing Cookies: Used to deliver relevant advertising and measure campaign effectiveness. You may opt out of these.

You can manage cookie preferences through our cookie consent banner or your browser settings. Disabling certain cookies may affect the functionality of the Service.

9. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.

  • Correction: Request correction of inaccurate or incomplete information.

  • Deletion: Request deletion of your personal information, subject to legal and contractual retention requirements.

  • Portability: Request a machine-readable export of your data, including your Content, Outputs, and accumulated Station context (see Section 13 for export details).

  • Restriction: Request that we restrict processing of your information in certain circumstances.

  • Objection: Object to processing of your information for direct marketing or where processing is based on legitimate interests.

  • Withdrawal of Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.

To exercise these rights, contact us at privacy@buildloops.ai. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

10. International Data Transfers

BuildLoops is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. We take steps to ensure that your data receives an adequate level of protection, including through the use of Standard Contractual Clauses (SCCs) or other approved transfer mechanisms where required by applicable law. Our Data Processing Addendum (available at buildloops.ai/legal/dpa) includes the relevant transfer safeguards.

11. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@buildloops.ai.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the purposes of collection, and the categories of third parties with whom we share information.

  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.

  • Right to Correct: You may request correction of inaccurate personal information.

  • Right to Opt Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.

  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a request, contact us at privacy@buildloops.ai or use the mechanisms provided in your account settings.

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Performance of a Contract: Processing necessary to provide the Service you requested.

  • Legitimate Interests: Processing for purposes such as product improvement, fraud prevention, and security, where our interests do not override your fundamental rights.

  • Consent: Where you have given explicit consent for specific processing activities.

  • Legal Obligation: Processing required to comply with applicable laws.

You have the rights described in Section 9, as well as the right to lodge a complaint with your local data protection authority. For GDPR-related inquiries, contact our Data Protection Officer at dpo@buildloops.ai.

13.1 Data Processing Addendum

For customers who require it, we offer a Data Processing Addendum (DPA) that governs our processing of personal data on your behalf as a data processor under GDPR Article 28. The DPA covers processing scope, subprocessor obligations, data deletion, breach notification, audit rights, and international transfer safeguards including Standard Contractual Clauses. The DPA is available at buildloops.ai/legal/dpa and is incorporated into our Terms of Service for all customers in the EEA, UK, and Switzerland.

14. Data Export and Portability

You may export your data at any time through your account settings. Exportable data includes:

  • All Content you have submitted to any Station.

  • All Outputs generated by the Service across all Lines and Stations.

  • Your accumulated context chain (the data that flows between Stations).

  • Integration connection metadata (which tools were connected, when, and what data was exchanged).

Exports are provided in structured, machine-readable formats (JSON and/or CSV). Upon account termination, you have 90 days to export your data before it is deleted in accordance with Section 5.

15. Subprocessor List

We maintain a current list of subprocessors (including AI model providers, cloud infrastructure providers, analytics services, and other vendors that process personal data on our behalf) at buildloops.ai/subprocessors. The list includes each subprocessor's name, purpose, data processing location, and relevant certifications. We update this list as subprocessors change and provide 30 days' notice before material changes take effect.

The Service may contain links to or integrations with third-party websites and tools across our partner ecosystem (including the tools listed in Section 1.3). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through BuildLoops. When BuildLoops recommends a partner tool within a Station, the recommendation is based on relevance to your Station context, not on advertising arrangements.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

BuildLoops, Inc.

Email: privacy@buildloops.ai

Data Protection Officer: dpo@buildloops.ai

Website: buildloops.ai/privacy

← Legal Center