Skip to main content
Buildrok

Privacy Policy

Last updated: May 22, 2026

This Privacy Policy explains how Buildrok ("Buildrok", "we", "us", or "our") collects, uses, shares, and protects information when you use our website located at buildrok.com and our website-building service (together, the "Service"). Buildrok is based in Austin, Texas, United States.

By using the Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Service.

1. Information we collect

1.1 Information you provide directly

  • Account information: your name and email address when you create an account or sign in (including via Google OAuth).
  • Site and draft content: business name, descriptions, phone numbers, addresses, images, and other content you enter to build, edit, preview, or publish a website.
  • Domain information: domain names you search for, purchase, or connect, plus the technical details we need to configure DNS and connect your domain to your hosted site.
  • Support communications: messages, names, and email addresses you submit via our contact form or by emailing support@buildrok.com. When you ask for help, we may also record internal notes about the conversation and the steps we took to investigate or resolve the issue (including audit-log entries from any Support Session we open on your account, see Section 3.4).
  • Leads from visitors to your published site: when a visitor to your published Buildrok site submits a quote request, booking, or contact form, we record the visitor's name, email address, phone number, message content, the form type used, the form's source page, and any custom field values, and we make this data available to you through your Lead Inbox. For this data, you are the data controller and Buildrok acts as a processor handling the data on your behalf so you can follow up with potential customers. You are responsible for ensuring that your own privacy notice to your visitors accurately describes how you collect and use these submissions.
  • Google Business Profile (optional integration): if you connect a Google Business Profile to your site, Buildrok uses Google OAuth to read business-profile data (such as listing details, reviews, posts, and photos) and to sync that data into your Buildrok site. We store an OAuth access token and refresh token associated with your account so the sync can run on a schedule. You can revoke access at any time from your Google account settings or by disconnecting the integration in your Buildrok dashboard.
  • Payment information: payment processing is handled entirely by Stripe, Inc. We do not receive or store your full card number, CVV, or bank account details. We may receive limited metadata such as payment status, transaction identifiers, the last four digits of the card, and card brand.

1.2 Information collected automatically

  • Server and access logs: standard server logs may include IP addresses, browser type, operating system, referring URLs, request timestamps, and HTTP status codes. These are used for security, debugging, and abuse prevention.
  • Custom page-view analytics (for published customer sites): when a visitor views a website published through Buildrok, we record a page view. We hash the visitor's IP address and user agent using a daily-rotating SHA-256 hash, the raw IP address is not stored. We record the page path, referring domain (hostname only), and device type (mobile, tablet, or desktop). This lightweight system does not use persistent cookies or fingerprinting and is designed to be privacy-respecting.
  • Browser storage (localStorage): we store your authentication token (JWT) and email address in your browser's localStorage to keep you signed in. We also store your preferred color scheme (light or dark mode) in localStorage. This data is stored locally on your device and is not a cookie.
  • Authentication cookies: when you sign in via OAuth (e.g., Google), our authentication provider (Neon Auth) may set a session cookie on its own domain to support the OAuth login flow. This cookie is scoped to the authentication provider's domain and is used solely for the sign-in process.
  • Support-session cookie (brk_imp): when authorized Buildrok personnel start a Support Session (see Section 3.4), our servers set a short-lived (one-hour), HTTP-only, HMAC-signed cookie named brk_imp on the support staff member's browser. This cookie is used solely to identify the active support session on the server side. The cookie is never set on your browser.

2. How we use information

  • Provide, operate, and maintain the Service (drafts, editing, previewing, publishing, domain management, and the Lead Inbox)
  • Process payments, manage subscriptions, and prevent fraud
  • Respond to support requests and communicate with you about your account, including providing supervised in-account help via time-limited, audit-logged Support Sessions (see Section 3.4)
  • Receive form submissions from visitors to your published site and surface them to you through your Lead Inbox so you can follow up with potential customers
  • Send transactional and lifecycle emails (e.g., support replies, password resets, and abandoned-draft reminders that include a one-click unsubscribe link). We do not send promotional marketing emails without your separate consent
  • Sync data with third-party integrations you have connected (such as Google Business Profile)
  • Improve the reliability, performance, and user experience of the Service
  • Detect and prevent abuse, fraud, and unauthorized access, including investigating reports of policy or content violations on published sites
  • Comply with legal obligations

3. How we share information

We do not sell your personal information. We share information only as necessary to provide the Service or as required by law.

3.1 Service providers (sub-processors)

  • Stripe, Inc.: payment processing and subscription billing. Stripe's privacy policy governs how Stripe handles payment data. Confirm actual Stripe data processing terms before publishing.
  • Neon (Neon Inc.): database hosting (PostgreSQL) and authentication (OAuth flows). Your account data, site content, and draft data are stored in a Neon-hosted database.
  • Vercel, Inc.: website hosting, DNS management, and serverless function execution. Vercel serves your published site and processes requests to our application.
  • OpenSRS (Tucows Inc.): domain registration. If you purchase a domain through Buildrok, the domain is registered via OpenSRS as the underlying registrar. OpenSRS's terms and ICANN policies apply.
  • Resend (Resend, Inc.): transactional email delivery. We use Resend to send support replies, password resets, abandoned-draft reminders, and other transactional or lifecycle messages. Your name and email address may be transmitted to Resend for delivery purposes.
  • Pexels (Pexels GmbH): stock-photo search and download. When you use the in-editor stock-photo picker, your search query and basic request metadata are sent to the Pexels API. We do not send your account email or any other personal identifier to Pexels. Selected photos are downloaded server-side and stored with your draft or site, so Pexels does not see which photos you ultimately use.
  • Google (Google LLC): if you connect a Google Business Profile to your site, we use Google OAuth and the Google Business Profile API to read your listing data, reviews, posts, and photos, and to sync that data into your Buildrok site. Access tokens are stored encrypted and can be revoked from your Google account or by disconnecting the integration in your Buildrok dashboard.

3.2 Legal disclosures

We may disclose information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Buildrok, our users, or others.

3.3 Business transfers

If Buildrok is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via a notice on the Service or by email before your information becomes subject to a different privacy policy.

3.4 Customer support access (Support Sessions)

Authorized Buildrok personnel may sign in to your account on your behalf to investigate a support request, a billing or abuse report, or a suspected security incident. We treat this as an internal data access rather than a third-party disclosure. Every such access is governed by the safeguards described in our Terms of Service (Section 8), including:

  • Role-restricted access: only staff who hold the admin role in our internal role table can initiate a Support Session.
  • A mandatory written reason (4 to 500 characters) captured at the time of access.
  • Recording of the staff member's identity and email, the target user, the reason, the IP address, and the user agent in an append-only audit log.
  • An automatic one-hour expiry, after which a new session (and a new audit record) is required.
  • A persistent banner shown on every page during the session, identifying the staff member acting on your behalf.
  • Sensitive self-service operations are blocked during a Support Session and cannot be performed on your behalf: subscription cancellation, profile changes, personal-data export requests, domain checkout, and domain purchase.

Support Session audit records (admin identity, target user, reason, IP, user agent, start and end times) are retained for at least twelve (12) months for security, compliance, and incident-response purposes. You may request a copy of the audit-log entries relating to your own account, or ask us to refrain from initiating future Support Sessions on your account, by emailing support@buildrok.com.

4. Data retention

We retain your account and site data for as long as your account is active or as needed to provide the Service. Draft sites may expire and be deleted after a period of inactivity. Transaction records, billing history, and related logs may be retained for a period consistent with accounting and legal requirements (typically up to seven years). You may request deletion of your account and personal data at any time (see Section 6).

Lead Inbox data: visitor submissions captured by your published site are retained for the life of your site so you can refer back to them. When you delete a lead from your Lead Inbox it is removed from your dashboard immediately. When you delete a site or your account, the leads associated with that site are deleted on the same schedule as the rest of your site data.

Support Session audit log: records of every Support Session opened on any account (admin identity, target user, written reason, IP address, user agent, and start and end timestamps) are retained for at least twelve (12) months for security, compliance, and incident-response purposes, and may be retained longer where required by law.

Email suppression lists: if you unsubscribe from lifecycle emails (such as abandoned-draft reminders), we retain a minimal record of your unsubscribe (email address and timestamp) so we do not email you again.

5. Cookies and tracking technologies

We do not use third-party advertising cookies or tracking pixels. The Service uses minimal browser storage:

  • localStorage (authentication): your JWT and email are stored locally to maintain your session.
  • localStorage (preferences): your light/dark mode preference is stored locally.
  • localStorage (editor hints): small dismissible-hint flags (for example, the mobile-editor tip on the preview page) are stored locally so we do not re-show a hint you have dismissed.
  • OAuth session cookie (Neon Auth): a short-lived session cookie may be set by our authentication provider during the Google sign-in flow. It does not track you across other sites.
  • Support-session cookie (brk_imp): a one-hour, HTTP-only, HMAC-signed cookie set only on Buildrok support staff browsers when a Support Session is active. Never set on customer browsers. See Section 3.4.

For more detail, see our Cookie Policy.

6. Your rights and choices

Depending on where you live, you may have certain rights regarding your personal information. These may include the right to access, correct, delete, or obtain a copy of your personal data. To exercise any of these rights, please contact us using the information in Section 9 below.

  • You can edit or delete your drafts and published sites from the dashboard.
  • You can delete your account from your account settings (Danger Zone tab). Deleting your account will remove your profile and disable access to the Service. Some transaction records may be retained for legal and accounting purposes.
  • You can contact us to request access to, correction of, or deletion of your personal information.

Texas residents

The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, provides Texas residents with certain rights with respect to personal data, including rights to access, correct, delete, obtain a copy of, and opt out of certain processing of your personal data. To submit a request under TDPSA, contact us at support@buildrok.com. We will respond within 45 days as required. We do not sell personal data and do not use personal data for targeted advertising or profiling for decisions that produce legal or similarly significant effects.

7. Children's privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately so we can take appropriate steps to delete it.

8. Security

We use reasonable administrative, technical, and organizational measures designed to protect your information from unauthorized access, disclosure, alteration, or destruction. However, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where feasible, provide notice within the Service or by email. Your continued use of the Service after changes are posted constitutes acceptance of the updated Policy.

10. Contact us

If you have questions or concerns about this Privacy Policy or how we handle your information, please contact us: