B Burooj

Privacy Policy

Last updated: 18 April 2026 · Effective: 18 April 2026

This Privacy Policy explains how Burooj (“we,” “us”) collects, uses, and shares personal information when you use the Burooj platform at burooj.ai (the “Service”). Capitalised terms not defined here have the meaning given in our Terms of Service.

We are the controller of the personal data described in Sections 3 and 4 below. Where you use the Service to process personal data of individuals for whom you are the controller (for example, end-users of a product you deploy with Burooj), we act as your processor under our Data Processing Agreement.

1. Who We Are; Contact

Operator: Burooj, at burooj.ai.
General / support: [email protected]
Privacy and data-subject requests: [email protected]
Security reports: [email protected]
EU / UK data-subject contact (general): email [email protected].
EU Article 27 representative: VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland. Web form for EU data-subject inquiries: verasafe.com/contact-article-27-representative . See also our local EU Representative page.
UK Article 27 representative: VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom.

2. Summary (TL;DR)

We collect the data we need to operate the Service: account info, your project prompts and generated code, payment records, and basic usage/error telemetry.
We do not sell or share personal information for cross-context behavioural advertising.
We do not train any AI model on your prompts or generated code, and we require our AI providers to contractually do the same on the API tier we use.
You can access, correct, export, or delete your data at any time from Settings or by emailing [email protected].
Honouring a Global Privacy Control (GPC) signal: yes. Honouring “Do Not Track”: we do not deploy cross-site tracking, so DNT has no behaviour to change.

3. What We Collect and Why (GDPR legal basis)

Category	Examples	Purpose	GDPR Art. 6 basis
Account	Email, display name, password hash, authentication tokens, role, settings	Create and secure your account; deliver the Service	Contract (6(1)(b))
Project content	Your prompts, conversation transcripts, functional spec, ADRs, generated source code, build artefacts, verification reports	Generate, store, and return the product you asked us to build	Contract (6(1)(b))
Payment (metadata only; no card data)	Transaction ID, amount, currency, Paddle customer ID, invoice PDF URL, wallet balance, refund history	Billing, accounting, fraud prevention, tax compliance	Contract (6(1)(b)); legal obligation (6(1)(c))
Operational telemetry	Request logs, feature-usage events, build success/failure rates, AI-model latency, token spend	Operate, secure, debug, and improve the Service	Legitimate interests (6(1)(f))
Error tracking	Browser exceptions, stack traces, device/browser info, URL, user ID (only if you accept error diagnostics)	Fix bugs, prevent regressions	Consent (6(1)(a)) where collected via non-essential cookies; otherwise legitimate interests (6(1)(f))
Communications	Support tickets, email we send you (transactional, service updates)	Respond to you; deliver build/receipt emails	Contract / legitimate interests
Abuse and security signals	IP address, rate-limit counters (hashed), user-agent, failed-login attempts, content-moderation flags	Protect the Service and other users; enforce the Acceptable Use Policy and upstream provider policies	Legitimate interests (6(1)(f)); legal obligation where CSAM or similar content is reported

Sensitive categories (GDPR Art. 9 / CCPA “sensitive PI”). We do not ask you to submit special-category data (health, race/ethnicity, political opinions, religious beliefs, union membership, genetic/biometric data, sexual orientation, precise geolocation) and we do not intentionally process it. Please do not include such data in your project prompts. If you do, you authorise us to process it to the extent strictly necessary to deliver the Service you requested (GDPR Art. 9(2)(a); Burooj does not infer sensitive characteristics from your content).

4. Children

The Service is not directed to, or intended for, individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact [email protected] and we will delete it.

5. How We Use Your Data

To provide, operate, secure, and improve the Service.
To process payments and manage your wallet balance (via Paddle).
To communicate with you: transactional emails (build status, receipts), support responses, and service-critical updates. We do not send marketing email without your opt-in consent, and every such email includes an unsubscribe link.
To detect, investigate, and prevent fraud, abuse, and violations of our Acceptable Use Policy or upstream provider usage policies.
To comply with legal obligations (e.g., tax records, responding to lawful information requests, reporting child safety incidents to NCMEC or equivalent authorities).

We do not:

sell or share your personal data for cross-context behavioural advertising (as those terms are defined under the CCPA/CPRA);
train any AI model on your prompts or generated code;
profile you for credit, insurance, or similar consequential decisions;
use sensitive PI for purposes beyond those listed in 11 CCR §7027(m) without giving you a right to limit that use.

6. Sub-Processors and Third-Party Services

The table below lists each service provider we engage to process personal data on our behalf, its role, what data it sees, where it processes, and the transfer mechanism used for data leaving the EEA/UK. We update this list at least 30 days before adding or replacing a sub-processor (see Section 13).

Sub-processor	Purpose	Data categories	Processing region	EEA/UK transfer mechanism
Supabase, Inc. (USA)	Database, authentication	Account, project content, payment metadata, operational logs	AWS ap-northeast-2 (Seoul)	SCCs 2021/914 Module 3 + UK Addendum
Anthropic, PBC (USA)	AI inference (Claude)	Your prompts, generated code (transient; no training)	USA	EU-US DPF + UK Extension; SCCs Module 3 as fallback
Google LLC / Google Cloud (USA)	AI inference (Gemini); compute, storage (GCS), Artifact Registry, Cloud Run, Cloud Functions	Prompts, generated code, build artefacts	USA (us-central1); Gemini via Vertex AI	EU-US DPF + UK Extension; SCCs Module 3 as fallback
OpenAI, LLC (USA)	AI inference (fallback / specific steps)	Prompts, code snippets (transient; no training on API)	USA	EU-US DPF + UK Extension; SCCs Module 3 as fallback
MiniMax (Shanghai MiniMax AI Technology Co., Ltd.)	AI inference for specific fix cycles	Code snippets (transient; no training per our contract)	Processed outside the EEA	SCCs Module 3 + Transfer Impact Assessment; see Section 8
Paddle.com Market Ltd (UK)	Merchant of Record — payment processing, tax, invoicing	Email, name, billing address, card data (Paddle only; we never see it), transaction history, tax-ID where applicable	UK / EEA / USA	Paddle is a separate controller for payment/tax data; for processor-role data, UK IDTA / SCCs as applicable
Cloudflare, Inc. (USA)	CDN, DNS, bot management, Pages, Workers deploy target	IP address, request metadata, TLS logs	Global edge (closest region)	EU-US DPF + UK Extension; SCCs Module 3 as fallback
Sentry (Functional Software, Inc., USA)	Error tracking (only if you accept error diagnostics)	Stack traces, browser/device info, user ID	USA	EU-US DPF + UK Extension; SCCs Module 3 as fallback
Resend (Resend, Inc., USA)	Transactional email delivery	Email address, email content (e.g., build receipts)	USA	EU-US DPF + UK Extension; SCCs Module 3 as fallback
Upstash, Inc. (USA)	Rate limiting, session cache (Redis)	IP address, hashed user ID, rate counters	USA	EU-US DPF + UK Extension; SCCs Module 3 as fallback
Grafana Labs (USA)	Observability, metrics, traces	Anonymised metrics and traces (operational telemetry, no content)	USA	EU-US DPF + UK Extension; SCCs Module 3 as fallback
Temporal Technologies, Inc. (USA)	Workflow orchestration (build pipeline)	Build metadata; content is stored outside Temporal via a payload codec	USA	EU-US DPF + UK Extension; SCCs Module 3 as fallback
Neon, Inc. (USA)	Ephemeral test databases for generated apps	Generated schema; no end-user content	AWS ap-southeast-1 (Singapore)	SCCs Module 3 + UK Addendum

Paddle, as Merchant of Record, is a separate controller for the payment and tax data it collects at checkout; see Paddle's Privacy Policy.

7. Your Rights

7.1 GDPR / UK GDPR Rights (EEA, UK, Switzerland)

Access (Art. 15): a copy of your personal data.
Rectification (Art. 16): correct inaccurate data.
Erasure (Art. 17): delete your account and associated data, subject to legal retention (e.g., tax records under Section 10).
Restriction (Art. 18): temporarily restrict processing.
Portability (Art. 20): receive your data in a structured, machine-readable format (JSON).
Objection (Art. 21): object to processing based on legitimate interests.
Withdraw consent (Art. 7(3)): where processing is based on consent, you can withdraw it at any time (e.g., decline error diagnostics in Settings → Privacy).
Automated decisions (Art. 22): request human review of any decision based solely on automated processing that produces legal or similarly significant effects on you. In practice, automated account-abuse decisions and tier-scoring can be reviewed by a human on request.
Lodge a complaint with your Data Protection Authority (e.g., ICO in the UK, CNIL in France, DPC in Ireland).

Exercise any right by emailing [email protected] or via Settings → Privacy (which offers one-click data export and account deletion). We respond within 30 days (extendable by 60 days for complex requests, with notice).

7.2 California Rights (CCPA/CPRA) — Your California Privacy Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA/CPRA”):

Right to know the categories and specific pieces of personal information we have collected about you, the sources, business purposes, and categories of third parties to whom we disclose.
Right to delete personal information we have collected, subject to statutory exceptions (e.g., completion of the transaction, security incidents, legal obligations).
Right to correct inaccurate personal information.
Right to opt out of the sale or sharing of personal information. Burooj does not sell or share personal information as those terms are defined under the CCPA/CPRA. We honour the Global Privacy Control (GPC) browser signal (Sec-GPC: 1) automatically as a universal opt-out.
Right to limit use and disclosure of sensitive personal information. We do not use sensitive PI for purposes beyond those permitted under 11 CCR §7027(m). If we ever expand this use, we will post a “Limit the Use of My Sensitive Personal Information” link.
Right to opt out of automated decision-making technology (ADMT), as implemented by CPPA regulations. You may request human review of any significant automated decision by contacting [email protected].
Right to non-discrimination for exercising any right. We do not deny service, charge different prices, or degrade quality because you exercise a right.

Categories collected in the last 12 months (Cal. Civ. Code §1798.140(v)): identifiers; customer records (billing address, tax ID where applicable); commercial information (tier, purchases, wallet balance); internet/network activity (prompts, session data, logs); approximate geolocation (derived from IP); professional information (only if provided by you, e.g., company name). We disclose to the sub-processors in Section 6. Sources include you directly, your browser/device, and Paddle.

Shine the Light (Cal. Civ. Code §1798.83). Burooj does not share personal information with third parties for those third parties' own direct-marketing purposes.

Exercise a California right by emailing [email protected] with subject line “California Privacy Request.” We verify your identity before responding. You may designate an authorised agent in writing.

8. International Transfers

We transfer personal data outside the EEA and the UK to the countries shown in Section 6, primarily the United States. We rely on the following mechanisms:

The EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) and the UK Extension, where the recipient is certified at dataprivacyframework.gov.
Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module 3), plus the UK Addendum, for recipients not covered by an adequacy mechanism.
For transfers to MiniMax, we additionally complete a Transfer Impact Assessment consistent with EDPB Recommendations 01/2020, with supplementary measures including contractually required no-training, transient processing, and on-path encryption.

9. How We Use AI; No Training on Your Data

Burooj is an AI-assisted service (EU AI Act Art. 50 transparency notice: you are interacting with AI). We send your prompts and intermediate artefacts to the AI providers listed in Section 6 to generate Output. We contractually require each provider to not use your Input or Output to train its foundation models:

Anthropic — API usage; no training on customer inputs or outputs per Anthropic Commercial Terms.
Google (Gemini via Vertex AI) — customer data not used to train Google's foundation models per the Google Cloud DPA.
OpenAI — API usage; no training on API data (default) per OpenAI's Enterprise Privacy commitments; zero-retention or 30-day abuse-monitoring retention.
MiniMax — API usage; we have contracted that your inputs are not used to train MiniMax models. If this guarantee becomes unavailable, we will stop routing prompts to MiniMax and notify affected users.

Burooj itself does not train any AI model. Operational telemetry (aggregated metrics, model latency, cache hits) is used only to run and improve the Service, not to train models.

10. Data Retention

Category	Retention	Reason
Account data	Life of account + 30 days after deletion	Grace period for accidental deletion; legal holds
Project prompts and generated code (in your workspace)	Until you delete or close your account; 30-day soft-delete thereafter	Core service function; you control retention
Build artefacts in GCS	NEARLINE after 30 days, COLDLINE after 90 days, deleted after 365 days	Storage cost/recovery trade-off; you can delete earlier from Settings
Payment and tax records	Up to 10 years	Legal obligation (UK HMRC 6 years; EU VAT up to 10 years; US IRS 7 years) — GDPR Art. 17(3)(b) carve-out
Operational logs	90 days	Security, incident response, performance debugging
Security audit logs	12 months	Incident forensics; abuse investigation
Error diagnostics (Sentry, when consented)	90 days	Bug triage window
Anonymised analytics	14 months	Trend analysis; ICO/CNIL-accepted norm
Backups	30-day rolling window	Disaster recovery; deletion requests propagate after the backup rotates out
Support tickets	24 months after resolution	Follow-up, quality assurance

11. Security

Our technical and organisational measures include:

TLS 1.3 in transit; AES-256 at rest (database, object storage).
Row Level Security on every database table; principle of least privilege.
Authentication via Supabase Auth with bcrypt-hashed passwords.
Build containers run inside gVisor sandboxes on GKE Autopilot with network policies.
Secrets managed in GCP Secret Manager; no plain-text secrets in logs or source.
Continuous vulnerability scanning (Trivy, Semgrep, TruffleHog) and weekly dependency audits.
Audit logging on all administrative and data-access actions.
Incident response: we commit to notifying the relevant supervisory authority within 72 hours of becoming aware of a qualifying personal-data breach (GDPR Art. 33), and affected individuals without undue delay where required (GDPR Art. 34). Reach us at [email protected].

12. Cookies and Similar Technologies

See our Cookie Policy for the full list of cookies and local-storage keys we use, their purpose, classification, and lifetime. We use strictly necessary storage (authentication session, bot-management, consent preference, theme) by default; non-essential storage (error diagnostics) is set only after your affirmative consent.

13. Changes to This Policy and to Sub-Processors

We may update this Privacy Policy. For material changes we will notify you at least 14 days before the effective date by email or in-app notice. The “Last updated” date above reflects the latest revision.

We publish sub-processor changes at least 30 days before they take effect, by updating Section 6 and (if you subscribe) by email. You may object for reasonable data-protection reasons by writing to [email protected] within 15 days of notice; if we cannot resolve the objection, you may terminate the Service as your sole remedy.

14. Contact and Complaints

Privacy inquiries and data-subject requests: [email protected]
General support: [email protected]
You may lodge a complaint with your supervisory authority. For UK users, the ICO (ico.org.uk). For EU users, your national DPA (list at edpb.europa.eu). For California, the CPPA (cppa.ca.gov) and California Attorney General.