Privacy Policy
Effective date: 6 August 2025
BuildingPP OÜ (registry code 17224732, Laulupeo tn 3, Tallinn 10121, Estonia), doing business as "Bilt" ("we," "us," or "our"), operates an AI-powered platform that lets you describe an idea in natural language and receive a ready-to-ship mobile application. Protecting your privacy and securing your data are central to that mission.
This Privacy Policy ("Policy") explains how Bilt collects, uses, discloses, and otherwise processes personal data when you visit bilt.me (the "Site") or use any of our products, apps, APIs, or related services (together, the "Services"). The Policy incorporates by reference our Terms of Service and any Data-Processing Agreement ("DPA") we execute with you. Where a signed DPA conflicts with this Policy, the DPA governs Customer Personal Data. If you do not agree with the Policy, please stop using the Services.
1. Key definitions
Personal data (also called "personal information") means any information that identifies or can reasonably be linked to an individual, as defined by the EU GDPR, UK GDPR, Swiss FADP, Canada PIPEDA, California CCPA/CPRA, and similar laws. Examples include name, business email address, and IP address.
Customer Content means prompts, files, code, configuration, images and other data you upload to, or generate with, the Services. Customer Content is also called "Customer Data" in this Policy.
Customer Personal Data means personal data contained in Customer Content that you, as controller, instruct us to process.
Service Data means telemetry, logs, and similar technical data that Bilt, acting as an independent controller, collects to secure, operate, and improve the Services. Service Data may include readable source code or project artefacts.
We do not intentionally collect special-category or sensitive personal data (health, biometric, precise geolocation, etc.) and instruct customers not to upload such data unless we have signed a separate written agreement permitting it (for example, a HIPAA Business Associate Agreement).
2. What we collect and why
- Account identifiers – name, e-mail address, company, and role. We receive these directly from you to create and manage your account, send security notifications, and provide user support.
- Payment and billing information – subscription tier and invoice history. Card data are handled exclusively by our payment provider. We process billing data to fulfil our contract with you and meet accounting obligations.
- Customer Content – prompts, generated code, images, files, build artefacts and any other project data you choose to upload. We process this information solely to deliver and improve the Services you request.
- Service Data – IP address, device and browser details, API calls, feature usage, error logs and cookies. We collect this automatically to secure the platform, prevent fraud, debug issues and analyse performance.
- Marketing preferences – opt-in status for product updates and event invitations. We process this data only with your consent or where permitted by law.
3. Legal bases for processing
For residents of the European Economic Area, the United Kingdom and Switzerland, we rely on four legal grounds:
- Performance of a contract – to provide, maintain and support the Services you request.
- Legitimate interests – to secure our platform, detect fraud, compile aggregate analytics and improve features, provided those interests do not override your rights.
- Consent – for non-essential cookies, marketing e-mails and any processing that requires consent under applicable law. You may withdraw consent at any time.
- Legal obligation – to comply with tax rules, export-control and sanctions regulations, court orders and other mandatory requirements.
For users in the United States, Canada and other jurisdictions, we rely on equivalent concepts recognised under those privacy regimes.
4. How we use personal data
We use personal data to:
- deliver, operate, and maintain the Services, including storing code, compiling builds, and distributing apps;
- personalise your workspace and, where feasible, tune AI models on de-identified or aggregated data;
- monitor performance, prevent fraud, debug problems, and secure the platform;
- process payments, issue invoices, and satisfy bookkeeping, export-control, and sanctions requirements;
- send transactional messages such as security alerts and billing notices, and, if you have opted in, product announcements or event invitations;
- conduct aggregate analytics to improve accuracy, efficiency, and user experience.
We do not engage in solely automated decision-making that produces legal or similarly significant effects on individuals.
5. Cookies and similar technologies
We use four categories of cookies:
- Strictly necessary cookies support sign-in, session routing, and anti-fraud features and do not require consent.
- Analytics and performance cookies (for example, PostHog and Google Analytics) help us measure feature adoption and diagnose errors. We obtain prior consent for these cookies in the EEA, United Kingdom, and Switzerland, and we honour Global Privacy Control signals in the United States.
- Functional cookies remember preferences such as language or theme.
- Marketing cookies measure the effectiveness of our campaigns through services including Google Ads, Meta, Reddit, X, and TikTok. These cookies require consent where applicable, and we respect opt-out preferences elsewhere.
You can manage cookie settings at any time via the on-site Settings panel or through your browser settings. Non-essential cookies expire no later than thirteen months from placement.
6. Sub-processors
We engage carefully vetted service providers to host infrastructure, send e-mail, process payments, run analytics, and perform similar tasks. Each sub-processor is bound by written data-protection terms that provide GDPR-equivalent safeguards. We will give at least ten business days' notice of any new sub-processor so that customers may object.
7. International data transfers
If you are located in the EEA, United Kingdom or Switzerland, personal data may be processed in the United States or other jurisdictions whose privacy laws have not been deemed adequate by your local authority. Transfers are protected by:
- the EU–US Data Privacy Framework (once our certification is approved);
- the European Commission's Standard Contractual Clauses 2021/914 (Module 2);
- the UK International Data Transfer Addendum;
- the Swiss Addendum; and
- additional technical and organisational measures such as end-to-end encryption and strict access controls.
8. Security measures
We protect personal data by using:
- TLS 1.2+ encryption in transit and AES-256 encryption at rest;
- 24/7 monitoring, centralised logging retained for twelve months, and daily encrypted backups;
- hosting in SOC 2 Type II and ISO 27001 certified data centres;
- external penetration tests and an annual SOC 2 Type II audit.
If we confirm a breach that affects Customer Personal Data, we will notify impacted customers without undue delay and, in any event, within 72 hours as required by law and any applicable DPA.
9. Your privacy choices and rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you or request a copy in a portable format.
- Delete personal data, subject to exceptions under applicable law.
- Correct inaccurate or incomplete personal data.
- Withdraw consent to non-essential cookies or marketing e-mails.
- Opt out of targeted advertising in jurisdictions where that right exists (for example, via the Global Privacy Control signal).
- Appeal any denial of a privacy request (U.S. residents may appeal within sixty days).
- Complain to your supervisory authority (in the EEA: the Estonian Data Protection Inspectorate; in the United Kingdom: the Information Commissioner's Office; in Switzerland: the FDPIC).
To exercise any of these rights, email info@bilt.me with enough information for us to confirm your identity. We will respond within thirty days or the timeframe required by law.
10. Retention
We keep personal data only as long as needed for the purposes outlined in this Policy or as required by law.
- Account data are retained for the life of the account plus six years to meet tax and bookkeeping rules.
- Service logs are retained for one year, then permanently deleted.
- Encrypted backups follow a rolling thirty-day retention schedule.
- Customer Content is deleted within thirty days after you remove a project or close your account, unless legal obligations require longer storage.
11. Regulated data notice
The Services are not designed or warranted to handle protected health information under HIPAA, cardholder data under PCI-DSS, or any other highly regulated data unless we have signed a separate written agreement (for example, a HIPAA Business Associate Agreement). Do not upload such data without our prior written consent.
12. Children
You must be at least sixteen years old, or the age of digital consent in your jurisdiction if higher, to use the Services. We do not knowingly collect personal data from minors. If we learn that we possess data about a minor, we will delete it promptly.
13. Disclosures
We may disclose personal data:
- to sub-processors listed in Section 6;
- to competent authorities when legally required; where permitted, we will give advance notice before producing data;
- to investigate, prevent, or respond to fraud, security incidents, or violations of our Terms of Service;
- to a successor entity in connection with a merger, acquisition, or asset sale, provided the successor continues to respect this Policy.
We never sell personal data.
14. Notice and contact information
Transactional communications such as password resets, security alerts, and billing notices are mandatory. You can opt out of marketing e-mails at any time via the unsubscribe link in your account settings.
- General privacy inquiries and data-subject requests – info@bilt.me
- Data Protection Officer – info@bilt.me
- Postal address – BuildingPP OÜ (Bilt) – Privacy, Laulupeo tn 3-2, Kesklinna linnaosa, Tallinn 10121, Estonia
Representatives for supervisory authorities
Bilt is established in the European Union, so an Article 27 GDPR representative is not required.
UK residents may contact the Data Protection Officer via email.
We aim to answer verified requests within thirty days. If your inquiry is not resolved, you may complain to the relevant supervisory authority.
15. Changes to this Policy
We may update this Policy to reflect changes in law or our practices. If changes are material, we will give at least thirty days' notice by e-mail or an in-product banner. The "Effective date" above will show when revisions take effect. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
16. Governing law and venue
This Policy is governed by Estonian law. Any dispute arising under it shall be resolved exclusively in the Harju County Court, unless mandatory consumer-protection law grants you the right to sue elsewhere.
This Policy was prepared by BuildingPP OÜ with reference to publicly available regulatory guidance as of 6 August 2025.