This Privacy Policy explains how Buildrok LLC ("Buildrok", "we", "us", or "our") collects, uses, shares, and protects information when you use our website located at buildrok.com and our website-building service (together, the "Service"). Buildrok is based in Austin, Texas, United States.
By using the Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Service.
1. Information we collect
1.1 Information you provide directly
- Account information: your name and email address when you create an account or sign in (including via Google OAuth).
- Site and draft content: business name, descriptions, phone numbers, addresses, images, and other content you enter to build, edit, preview, or publish a website.
- Domain information: domain names you search for, purchase, or connect, plus the technical details we need to configure DNS and connect your domain to your hosted site.
- Support communications: messages, names, and email addresses you submit via our contact form or by emailing support@buildrok.com. When you ask for help, we may also record internal notes about the conversation and the steps we took to investigate or resolve the issue (including audit-log entries from any Support Session we open on your account, see Section 3.4).
- Leads from visitors to your published site: when a visitor to your published Buildrok site submits a quote request, booking, or contact form, we record the visitor's name, email address, phone number, message content, the form type used, the form's source page, and any custom field values, and we make this data available to you through your Lead Inbox. For this data, you are the data controller and Buildrok acts as a processor handling the data on your behalf so you can follow up with potential customers. You are responsible for ensuring that your own privacy notice to your visitors accurately describes how you collect and use these submissions. Visitors can request permanent deletion of their form submissions at any time through our self-service data deletion page.
- Google Business Profile (optional integration): if you connect a Google Business Profile to your site, Buildrok uses Google OAuth to read business-profile data (such as listing details, reviews, posts, and photos) and to sync that data into your Buildrok site. We store an OAuth access token and refresh token associated with your account so the sync can run on a schedule. You can revoke access at any time from your Google account settings or by disconnecting the integration in your Buildrok dashboard.
- Payment information: payment processing is handled entirely by Stripe, Inc. We do not receive or store your full card number, CVV, or bank account details. We may receive limited metadata such as payment status, transaction identifiers, the last four digits of the card, and card brand.
1.2 Information collected automatically
- Server and access logs: standard server logs may include IP addresses, browser type, operating system, referring URLs, request timestamps, and HTTP status codes. These are used for security, debugging, and abuse prevention.
- Custom page-view analytics (for published customer sites): when a visitor views a website published through Buildrok, we record a page view. We hash the visitor's IP address and user agent using a daily-rotating SHA-256 hash, the raw IP address is not stored. We record the page path, referring domain (hostname only), and device type (mobile, tablet, or desktop). This lightweight system does not use persistent cookies or fingerprinting and is designed to be privacy-respecting.
- Product analytics on our marketing pages (cookieless): on our own marketing pages at buildrok.com (not on the websites you publish), we use two privacy-respecting, first-party analytics tools, PostHog and Vercel Web Analytics, to understand which pages are viewed and how visitors move through our signup flow so we can improve the product. We configure PostHog to store its identifier in your browser's localStorage rather than a cookie and we disable session recording; Vercel Web Analytics is cookieless and stores no identifier on your device. Neither tool sets an advertising or tracking cookie or is used for cross-site tracking. See our Cookie Policy for details and how to opt out.
- Browser storage (localStorage): we store your authentication token (JWT) and email address in your browser's localStorage to keep you signed in. We also store your preferred color scheme (light or dark mode) in localStorage. This data is stored locally on your device and is not a cookie.
- Authentication cookies: when you sign in via OAuth (e.g., Google), our authentication provider (Neon Auth) may set a session cookie on its own domain to support the OAuth login flow. This cookie is scoped to the authentication provider's domain and is used solely for the sign-in process.
- Support-session cookie (brk_imp): when authorized Buildrok personnel start a Support
Session (see Section 3.4), our servers set a short-lived (one-hour), HTTP-only, HMAC-signed cookie
named
brk_impon the support staff member's browser. This cookie is used solely to identify the active support session on the server side. The cookie is never set on your browser.
2. How we use information
- Provide, operate, and maintain the Service (drafts, editing, previewing, publishing, domain management, and the Lead Inbox)
- Process payments, manage subscriptions, and prevent fraud
- Respond to support requests and communicate with you about your account, including providing supervised in-account help via time-limited, audit-logged Support Sessions (see Section 3.4)
- Receive form submissions from visitors to your published site and surface them to you through your Lead Inbox so you can follow up with potential customers
- Send transactional and lifecycle emails (e.g., support replies, password resets, and abandoned-draft reminders that include a one-click unsubscribe link). We do not send promotional marketing emails without your separate consent
- Sync data with third-party integrations you have connected (such as Google Business Profile)
- Improve the reliability, performance, and user experience of the Service
- Detect and prevent abuse, fraud, and unauthorized access, including investigating reports of policy or content violations on published sites
- Comply with legal obligations
3. How we share information
We do not sell your personal information. We share information only as necessary to provide the Service or as required by law.
3.1 Service providers (sub-processors)
- Stripe, Inc.: payment processing and subscription billing. Stripe's privacy policy governs how Stripe handles payment data.
- Neon (Neon Inc.): database hosting (PostgreSQL) and authentication (OAuth flows). Your account data, site content, and draft data are stored in a Neon-hosted database.
- Vercel, Inc.: website hosting, DNS management, and serverless function execution. Vercel serves your published site and processes requests to our application. We also use Vercel Web Analytics, a cookieless analytics tool, to collect aggregate page-view and performance metrics for our own marketing pages only.
- PostHog, Inc.: first-party product analytics for our own marketing pages only (not for the websites you publish). PostHog records page views and interactions so we can understand and improve our signup flow. We configure PostHog to store its identifier in your browser's localStorage rather than a cookie, to disable session recording, and we do not use it for advertising or cross-site tracking.
- OpenSRS (Tucows Inc.): domain registration. If you purchase a domain through Buildrok, the domain is registered via OpenSRS as the underlying registrar, with you as the registrant (legal owner). To do this we collect the registrant contact details you enter at checkout (your name, postal address, email, and phone number) and transmit them to OpenSRS, which is required by ICANN to register a domain. OpenSRS and the relevant domain registry may publish or retain this information as ICANN policy requires; we enable WHOIS privacy where the registry supports it. OpenSRS's terms and ICANN policies apply.
- Resend (Resend, Inc.): transactional email delivery. We use Resend to send support replies, password resets, abandoned-draft reminders, and other transactional or lifecycle messages. Your name and email address may be transmitted to Resend for delivery purposes.
- Pexels (Pexels GmbH): stock-photo search and download. When you use the in-editor stock-photo picker, your search query and basic request metadata are sent to the Pexels API. We do not send your account email or any other personal identifier to Pexels. Selected photos are downloaded server-side and stored with your draft or site, so Pexels does not see which photos you ultimately use.
- Google (Google LLC): if you connect a Google Business Profile to your site, we use Google OAuth and the Google Business Profile API to read your listing data, reviews, posts, and photos, and to sync that data into your Buildrok site. Access tokens are stored encrypted and can be revoked from your Google account or by disconnecting the integration in your Buildrok dashboard.
- Cloudflare, Inc.: object storage and content delivery. Images and media you upload to your drafts and published sites are stored in Cloudflare R2 and served through our image API or Cloudflare's network.
- Twilio Inc.: SMS delivery. If you enable SMS notifications (for example, lead alerts or booking messages), the recipient phone number and the message content are transmitted to Twilio for delivery.
- Sentry (Functional Software, Inc.): error monitoring and diagnostics. When an error occurs in the Service, technical details (such as the stack trace, browser and operating-system version, and the page involved) are sent to Sentry so we can find and fix bugs. We configure Sentry not to collect IP addresses or request headers, and session replay on our editor surfaces masks all text and form input and blocks media before anything leaves your browser.
3.2 Legal disclosures
We may disclose information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Buildrok, our users, or others.
3.3 Business transfers
If Buildrok is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via a notice on the Service or by email before your information becomes subject to a different privacy policy.
3.4 Customer support access (Support Sessions)
Authorized Buildrok personnel may sign in to your account on your behalf to investigate a support request, a billing or abuse report, or a suspected security incident. We treat this as an internal data access rather than a third-party disclosure. Every such access is governed by the safeguards described in our Terms of Service (Section 8), including:
- Role-restricted access: only staff who hold the
adminrole in our internal role table can initiate a Support Session. - A mandatory written reason (4 to 500 characters) captured at the time of access.
- Recording of the staff member's identity and email, the target user, the reason, the IP address, and the user agent in an append-only audit log.
- An automatic one-hour expiry, after which a new session (and a new audit record) is required.
- A persistent banner shown on every page during the session, identifying the staff member acting on your behalf.
- Sensitive self-service operations are blocked during a Support Session and cannot be performed on your behalf: subscription cancellation, profile changes, personal-data export requests, domain checkout, and domain purchase.
Support Session audit records (admin identity, target user, reason, IP, user agent, start and end times) are retained for at least twelve (12) months for security, compliance, and incident-response purposes. You may request a copy of the audit-log entries relating to your own account, or ask us to refrain from initiating future Support Sessions on your account, by emailing support@buildrok.com.
4. Data retention
We retain your account and site data for as long as your account is active or as needed to provide the Service. Draft sites expire and are permanently deleted after a period of inactivity: drafts created without an account expire after roughly 24 hours, and drafts attached to an account expire after 14 days of inactivity. When you delete a published site it is held for a 30-day recovery period and then permanently deleted along with its associated data. Transaction records, billing history, and related logs may be retained for a period consistent with accounting and legal requirements (typically up to seven years). You may request deletion of your account and personal data at any time (see Section 6).
Lead Inbox data: visitor submissions captured by your published site are retained for the life of your site so you can refer back to them. When you delete a lead from your Lead Inbox it is removed from your dashboard immediately. When you delete a site or your account, the leads associated with that site are deleted on the same schedule as the rest of your site data. A visitor can also delete their own submissions, including attached files, at any time through our data deletion page; appointment records linked to a deleted submission are anonymized so the calendar slot remains accurate without identifying the visitor.
Support Session audit log: records of every Support Session opened on any account (admin identity, target user, written reason, IP address, user agent, and start and end timestamps) are retained for twelve (12) months after the session ends for security, compliance, and incident-response purposes, then automatically deleted, unless we are legally required to retain specific records longer.
Email suppression lists: if you unsubscribe from lifecycle emails (such as abandoned-draft reminders), we retain a minimal record of your unsubscribe (email address and timestamp) so we do not email you again.
5. Cookies and tracking technologies
We do not use third-party advertising cookies or tracking pixels. The Service uses minimal browser storage:
- localStorage (authentication): your JWT and email are stored locally to maintain your session.
- localStorage (preferences): your light/dark mode preference is stored locally.
- localStorage (editor hints): small dismissible-hint flags (for example, the mobile-editor tip on the preview page) are stored locally so we do not re-show a hint you have dismissed.
- localStorage (cookieless analytics): on our marketing pages only, our first-party analytics tool (PostHog) stores its identifier in localStorage rather than a cookie. It is not used for cross-site tracking or advertising, and clearing your browser storage removes it. Vercel Web Analytics on those pages is cookieless and stores nothing on your device.
- OAuth session cookie (Neon Auth): a short-lived session cookie may be set by our authentication provider during the Google sign-in flow. It does not track you across other sites.
- Support-session cookie (brk_imp): a one-hour, HTTP-only, HMAC-signed cookie set only on Buildrok support staff browsers when a Support Session is active. Never set on customer browsers. See Section 3.4.
Do Not Track and Global Privacy Control signals. Some browsers can send a "Do Not Track" (DNT) signal or a Global Privacy Control (GPC) opt-out preference signal. There is no industry-standard way to respond to a DNT signal. Because we do not track you across third-party websites, do not serve targeted advertising, and do not sell or "share" your personal information for cross-context behavioral advertising, our behavior does not change based on whether a DNT or GPC signal is present, there is nothing for these signals to switch off. Where a recognized opt-out preference signal such as GPC is legally treated as a request to opt out of the sale or sharing of personal information, we honor it by default.
For more detail, see our Cookie Policy.
6. Your rights and choices
Depending on where you live, you may have certain rights regarding your personal information. These may include the right to access, correct, delete, or obtain a copy of your personal data. To exercise any of these rights, please contact us using the information in Section 10 below.
- You can edit or delete your drafts and published sites from the dashboard.
- You can delete your account from your account settings (Danger Zone tab). Deleting your account will remove your profile and disable access to the Service. Some transaction records may be retained for legal and accounting purposes.
- You can request an export of the data we hold for your account from your account settings; the export includes your profile, sites, domain purchases, Lead Inbox, bookings, and support access log in a machine-readable format.
- If you are a visitor who submitted a form on a website hosted by Buildrok, you can permanently delete your submissions through our data deletion page without contacting anyone.
- You can contact us to request access to, correction of, or deletion of your personal information.
Users in the European Economic Area and the United Kingdom
Where the GDPR or UK GDPR applies, we process personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): providing the Service you signed up for, including building, hosting, and publishing your site, processing payments, and delivering leads to your Lead Inbox.
- Legitimate interests (Article 6(1)(f)): securing the Service, preventing fraud, spam, and abuse, debugging and error monitoring, and improving reliability and performance.
- Consent (Article 6(1)(a)): optional integrations you choose to connect (such as Google Business Profile) and any communications that require an opt-in. You can withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): retaining transaction and billing records for tax and accounting purposes.
You have the rights to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interests. To exercise these rights, contact us using the details in Section 10, use the data export option in your account settings, or, for form submissions made on a Buildrok-hosted website, use the self-service data deletion page. You also have the right to lodge a complaint with your local data-protection supervisory authority.
International data transfers
Buildrok is based in the United States, and the service providers (sub-processors) listed in Section 3.1 process data in the United States and other countries. If you access the Service from the European Economic Area, the United Kingdom, or another region with data-transfer restrictions, your personal data may be transferred to and processed in the United States, where data-protection laws may differ from those in your jurisdiction. Where we transfer personal data out of the EEA or the UK, we rely on appropriate safeguards under applicable law, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum), and, where a sub-processor is certified, the EU-U.S. Data Privacy Framework and its UK extension. You may contact us using the details in Section 10 for more information about the safeguards we use.
California residents
This section applies if you are a California resident.
- No sale or sharing of personal information. We do not sell your personal information, and we have not sold it in the prior twelve (12) months. We do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). We do not use third-party advertising cookies or tracking pixels. Because we do not sell or share personal information, we do not provide a separate "Do Not Sell or Share My Personal Information" page, this disclosure serves that purpose.
- "Shine the Light" (Cal. Civil Code § 1798.83). We do not disclose personal information to third parties for those third parties' own direct marketing purposes. California residents may contact us at support@buildrok.com with any questions about this practice.
- Do Not Track. We disclose how we respond to "Do Not Track" and Global Privacy Control browser signals in Section 5 (Cookies and tracking technologies) above.
- CCPA rights. To the extent the CCPA applies to your interaction with us, you have the right to know and access the personal information we have collected about you, to request that we correct or delete it, and to be free from discrimination for exercising these rights. To exercise these rights, email support@buildrok.com or use the data export and account-deletion tools described above. Visitors who submitted a lead through a published Buildrok site can permanently delete their information at any time through our data deletion page.
Texas residents
The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, provides Texas residents with certain rights with respect to personal data, including rights to access, correct, delete, obtain a copy of, and opt out of certain processing of your personal data. To submit a request under TDPSA, contact us at support@buildrok.com. We will respond within 45 days as required. We do not sell personal data and do not use personal data for targeted advertising or profiling for decisions that produce legal or similarly significant effects.
Other U.S. state residents
A number of other U.S. states (including Colorado, Connecticut, Virginia, Oregon, Montana, and others) have comprehensive privacy laws that grant rights similar to those described above, such as the rights to access, correct, delete, and obtain a copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. We extend these rights to residents of any U.S. state that grants them. As noted above, we do not sell personal data or use it for targeted advertising or for profiling that produces legal or similarly significant effects, and where your browser sends a recognized universal opt-out signal such as Global Privacy Control, we honor it. To exercise any of these rights, email support@buildrok.com; we will respond within the timeframe required by your state's law.
7. Children's privacy
The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately so we can take appropriate steps to delete it.
8. Security
We use reasonable administrative, technical, and organizational measures designed to protect your information from unauthorized access, disclosure, alteration, or destruction. However, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.
9. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where feasible, provide notice within the Service or by email. Your continued use of the Service after changes are posted constitutes acceptance of the updated Policy.
10. Contact us
If you have questions or concerns about this Privacy Policy or how we handle your information, please contact us:
- Email: support@buildrok.com
- Contact form: buildrok.com/contact
- Mailing address: Buildrok LLC, 5900 Balcones Drive, Suite 100, Austin, TX 78731, United States