Privacy Policy

Who We Are

BuildUX Inc. ("Company", "we", "our", or "us") is a Delaware C-Corporation with its registered agent at 131 Continental Drive, Suite 301, Newark, Delaware 19713. We operate Amedeo.ai ("Amedeo"), an AI Decision Intelligence platform that helps software product teams identify, prioritize, and prototype AI capabilities for their products (collectively, the "Services").

Amedeo.ai is a registered brand and product of BuildUX Inc. References to "Amedeo," "Amedeo.ai," or the "Platform" throughout this Policy refer to the Services operated by BuildUX Inc.

For the purposes of applicable data protection laws — including the General Data Protection Regulation ("GDPR"), the UK GDPR, and India's Digital Personal Data Protection Act ("DPDP Act") — BuildUX Inc. acts as a Data Controller with respect to personal data processed in connection with your account and your use of our Services, and as a Data Processor when processing personal data you upload on behalf of your own customers or end users.

Scope of This Privacy Policy

This Privacy Policy applies to:

• All visitors to the Amedeo.ai website and any subdomains operated by us
• Registered users who create an account and submit pipeline analysis runs
• Enterprise customers and their authorized users
• Any individual or organization that contacts us via email, social media, demo booking, or any other channel

This Policy does not apply to third-party websites, platforms, or services that we link to or whose APIs we utilize, each of which has its own privacy policy governing their data practices. It also does not apply to websites or services operated by third parties that embed or integrate Amedeo outputs.

Note for residents of California, the EU/EEA, the United Kingdom, and India: Additional region-specific rights and disclosures apply to you. Please see Section 15 — Regional Supplemental Disclosures.

Key Definitions

Personal Data / Personal Information means any information that identifies, relates to, describes, or is reasonably linkable to an identified or identifiable natural person.

Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, deletion, or destruction.

Data Controller is the entity that determines the purposes and means of processing Personal Data. BuildUX Inc. acts as Controller for your account and usage data.

Data Processor is an entity that processes Personal Data on behalf of a Controller. BuildUX Inc. acts as Processor when you upload documents containing your customers' data.

Sub-Processor is a third party engaged by BuildUX Inc. to process Personal Data in the course of providing the Services — for example, Anthropic, OpenAI, Google, and AWS.

Pipeline Run means a single execution of Amedeo's 17-stage AI Decision Intelligence platform initiated by a user.

Input Data means information you provide to initiate a Run, including product name, website URL, and any uploaded documents.

Output Data means reports, analysis, prototypes, and other materials generated by Amedeo's pipeline for your product.

Usage Data means automatically collected technical data about how you interact with our Services.

Sensitive Personal Information is a subset of Personal Data including financial account credentials, government IDs, biometric data, health data, and precise geolocation, as defined under applicable law.

Information We Collect

We collect information in three primary ways: information you provide directly, information collected automatically, and information derived from third-party sources accessed in connection with your Pipeline Run.

4.1 Information You Provide Directly

When you create an account, initiate contact, or submit a Pipeline Run, we may collect the following categories of information:

• Full name
• Email address
• Job title and role (e.g., Founder, Product Manager, CEO)
• Company or organization name
• Business website URL
• Phone number (if provided)
• LinkedIn profile URL or other professional identifiers (if provided)
• Password (stored in hashed, non-reversible form; we never store passwords in plaintext)
• Product name and product website URL submitted for pipeline analysis
• User feedback documents, NPS survey exports, customer research files, or other documents you voluntarily upload as supplemental input
• Any other textual context or instructions you provide alongside your Run request
• Billing name, billing address, and payment card metadata (collected via our third-party payment processor; we do not store full card numbers)
• Any communications you send to us via email, demo booking, or LinkedIn

Important: Documents you upload may contain Personal Data belonging to your own customers, employees, or research participants. When you upload such documents, you are the Data Controller and Amedeo acts as your Data Processor. You represent and warrant that you have all necessary rights, consents, and legal bases to upload and process such data. Please do not upload documents containing government ID numbers, financial account information, health records, or other Sensitive Personal Information unless strictly necessary.

4.2 Information Collected Automatically

When you access or use the Services, we and our technology partners automatically collect the following:

• IP address (used for geolocation at city/region level, fraud detection, and legal compliance)
• Browser type, version, and language settings
• Operating system and device type
• Screen resolution and device identifiers (where applicable)
• Pages visited on Amedeo.ai and the sequence of navigation
• Clickstream data and interaction patterns
• Pipeline Run initiation timestamps and completion status
• Feature usage and engagement metrics
• Session duration and frequency
• Referral URLs (the page that directed you to our site)
• Cookies and similar tracking technology identifiers — see Section 9 for full disclosure

4.3 Information Derived From Third-Party Sources and AI Processing

When you submit a Pipeline Run with a product website URL, Amedeo submits that URL and associated context to our AI infrastructure providers — currently Anthropic (Claude API), OpenAI (ChatGPT API), and Google (Gemini API) — which may programmatically fetch, analyze, and synthesize publicly available information from that URL and related online sources.

The categories of third-party source data that may be analyzed as part of a Pipeline Run include, to the extent permitted by applicable law and the terms of the respective AI provider:

• Public web content from the submitted product URL
• Publicly available app store listings (Apple App Store, Google Play Store)
• Publicly available user reviews from platforms such as G2, Capterra, and Trustpilot
• Publicly available social signals and community discussions (e.g., Reddit, Twitter/X, Product Hunt)
• Publicly available market and competitor information

Amedeo does not independently scrape or crawl third-party websites outside of what is processed through our AI provider APIs. Data fetching is governed by the respective terms of service and privacy policies of Anthropic, OpenAI, and Google. If those providers restrict certain data sources, those restrictions apply to Amedeo's Pipeline Runs accordingly.

4.4 Data We Do Not Collect

We do not knowingly collect Sensitive Personal Information unless you voluntarily upload it as part of a document. We do not collect Personal Data from children under the age of 18. We do not collect precise real-time geolocation data, biometric identifiers, or government-issued identification numbers except where required by law.

How We Use Your Information

We use the Personal Data we collect for the following purposes. For users subject to GDPR or UK GDPR, the corresponding lawful basis is identified in brackets.

5.1 Providing and Operating the Services

• To create and maintain your account [Contract Performance]
• To execute your Pipeline Runs and deliver Output Data, reports, and prototypes [Contract Performance]
• To process payments and manage subscriptions [Contract Performance / Legal Obligation]
• To authenticate users and maintain the security of accounts [Legitimate Interest / Legal Obligation]

5.2 Improving Our Products and AI Pipeline

• To analyze aggregated, de-identified usage patterns to improve the quality, accuracy, and performance of the Amedeo pipeline [Legitimate Interest]
• To use Input Data — including uploaded documents and product URLs — to fine-tune, evaluate, or improve our proprietary pipeline methodology and, potentially, AI models that power our pipeline, subject to your opt-out rights described in Section 8.3 [Consent where required / Legitimate Interest]

We may use your Input Data to improve Amedeo's pipeline. You have meaningful control over this. See Section 8.3 for how to limit this use. If you opt out, your data will not be used for pipeline improvement purposes beyond what is necessary to deliver your Run.

5.3 Communication and Marketing

• To respond to your inquiries, support requests, and demo bookings [Contract Performance / Legitimate Interest]
• To send transactional communications such as run completion notices, billing receipts, and policy change notifications [Contract Performance / Legal Obligation]
• To send marketing communications about Amedeo features, events, and industry content — only where you have opted in or where permitted under applicable law [Consent / Legitimate Interest]
• To reach out via LinkedIn or other channels in connection with our outreach, where you have interacted with Amedeo content or are a publicly listed decision-maker at a relevant company [Legitimate Interest]

5.4 Analytics and Research

• To measure website performance, user engagement, and product feature adoption using analytics tools [Legitimate Interest]
• To conduct internal research on how software product teams interact with AI-generated product discovery output [Legitimate Interest]

5.5 Legal, Safety, and Compliance

• To detect, investigate, and prevent fraud, unauthorized access, and abuse of our Services [Legal Obligation / Legitimate Interest]
• To comply with applicable laws, regulations, court orders, and government requests [Legal Obligation]
• To enforce our Terms of Service and protect the rights and safety of Amedeo, our users, and third parties [Legitimate Interest / Legal Obligation]

How We Share Your Information

We do not sell your Personal Data. We do not share Personal Data with third parties for third-party advertising purposes. We share Personal Data only in the limited circumstances described below.

6.1 AI Infrastructure Sub-Processors

The execution of each Pipeline Run requires us to transmit your Input Data to our AI infrastructure providers. These providers process your data on our behalf as Sub-Processors, and we have contractual Data Processing Agreements in place with each. Our current AI Sub-Processors are as follows:

• Anthropic, Inc. : Claude API. By default, Anthropic does not train its models on data submitted via the commercial API. Privacy reference: anthropic.com/legal/privacy
• OpenAI, LLC : ChatGPT / GPT API. By default, OpenAI does not train its models on data submitted via the API. Privacy reference: openai.com/policies/privacy-policy
• Google LLC : Gemini API. By default, Google does not train its models on data submitted via the API under its Cloud DPA. Privacy reference: cloud.google.com/terms/data-processing-addendum
• Amazon Web Services, Inc. : Cloud infrastructure, storage, and compute. Privacy reference: aws.amazon.com/privacy

We may engage additional AI infrastructure providers in the future. When we do, we will update this Sub-Processor disclosure and provide advance notice to users where required by law or contract. We require all Sub-Processors to maintain confidentiality obligations and data protection standards no less protective than our own.

6.2 Service Providers and Vendors

We engage other vendors who process data on our behalf for specific operational purposes, including payment processing, email delivery, website analytics (Google Analytics), user behavior analytics (Hotjar), calendar and scheduling tools (Calendly), CRM platforms, and cloud hosting and content delivery networks.

6.3 Business Transfers

In the event BuildUX Inc. undergoes a merger, acquisition, asset sale, reorganization, or bankruptcy, your Personal Data may be transferred to the acquiring or successor entity as part of that transaction, provided that entity agrees to honor this Privacy Policy or provides you with equivalent protections. We will notify you of any material change in ownership via email or prominent notice on our website.

6.4 Legal Obligations and Protection of Rights

We may disclose Personal Data if we believe in good faith that such disclosure is necessary to comply with a legal obligation, regulation, court order, subpoena, or government request; to protect and defend the rights, property, or safety of Amedeo, our users, or the public; to prevent or investigate possible wrongdoing in connection with our Services; or to protect against legal liability.

6.5 Aggregated and De-Identified Data

We may share aggregated, de-identified, or anonymized data that does not personally identify any individual for research, benchmarking, marketing, or business intelligence purposes. This data is not Personal Data and is not subject to the restrictions in this Policy.

Data Retention

We retain Personal Data for as long as necessary to fulfill the purposes for which it was collected, maintain our business relationship with you, comply with legal obligations, resolve disputes, and enforce our agreements. Our retention practices by data category are as follows:

• Account and Registration Data: Retained for the duration of your active account plus 3 years following account closure, or longer if required by applicable law.
• Pipeline Run Inputs (product URL, uploaded documents): Retained until you request deletion or until your account is closed. Deletion requests are honored within 30 days.
• Pipeline Run Outputs (reports, prototypes): Retained until you request deletion or until your account is closed. Outputs associated with deleted accounts are purged within 30 days.
• Payment and Billing Records: Retained for 7 years from the date of transaction in compliance with US tax and financial recordkeeping laws.
• Usage and Analytics Data: Retained in aggregated or anonymized form for up to 36 months. IP addresses and identifiable Usage Data are anonymized or deleted within 90 days.
• Communications and Support Records: Retained for 3 years from the date of last communication, or longer if relevant to a legal dispute.
• Data Used for Pipeline Improvement (if opted in): Retained in de-identified form for up to 5 years. Opting out terminates future use; already de-identified data may be retained in aggregate pipelines.
• Legal Hold Data: Where data is subject to a legal hold or active litigation, retention is extended until the hold is lifted.

Upon expiration of the applicable retention period or upon a valid deletion request, we will securely delete or anonymize Personal Data from active systems. Residual copies in encrypted backup archives will be purged within 90 days of their scheduled rotation cycle.

Your Rights and Choices

Subject to applicable law, you have the following rights with respect to your Personal Data. We will respond to all verifiable requests within the timeframe required by law — generally 30 days, with a 30-day extension where permitted. We do not charge a fee unless requests are manifestly unfounded, excessive, or repetitive.

8.1 Access, Portability, Correction, and Deletion

• Right of Access: You may request a copy of the Personal Data we hold about you, including Input Data, Output Data, account data, and usage records.
• Right to Portability: Where technically feasible, we will provide your data in a structured, commonly used, machine-readable format such as JSON or CSV.
• Right to Correction / Rectification: You may correct inaccurate or incomplete Personal Data in your account settings or by contacting privacy@buildux.com.
• Right to Deletion / Erasure: You may request deletion of your Personal Data. We will honor deletion requests subject to our legal retention obligations. Deletion of your account initiates deletion of all associated Input Data and Output Data within 30 days.

8.2 Restriction, Objection, and Withdrawal of Consent

• Right to Restrict Processing: You may request that we restrict processing of your data in certain circumstances, such as while a correction request is pending.
• Right to Object: You may object to processing based on our Legitimate Interest, including for direct marketing purposes.
• Withdrawal of Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

8.3 AI Pipeline Training Opt-Out

We may use Input Data from your Pipeline Runs to improve our proprietary pipeline and, in future, any AI models we develop. You have the right to opt out of this use at any time by logging into your account settings and toggling off "Allow Amedeo to use my data for pipeline improvement," or by contacting us at privacy@buildux.com. Opting out will prevent your data from being used for future pipeline improvement activities. It does not affect your use of the Services.

8.4 Marketing Communications Opt-Out

You may opt out of marketing emails at any time by clicking the "Unsubscribe" link in any marketing email, or by contacting privacy@buildux.com. Opting out of marketing does not affect transactional communications related to your account or active pipeline runs.

8.5 How to Exercise Your Rights

To exercise any of the rights described in this Section, please email us at privacy@buildux.com with the subject line "Privacy Rights Request" and include your full name, your registered email address, and a description of the right you wish to exercise. We may ask you to verify your identity before fulfilling your request. We will not discriminate against you for exercising your privacy rights.

Cookies and Tracking Technologies

We use cookies and similar technologies — including web beacons, pixels, and local storage, on the Amedeo.ai website. A cookie is a small text file placed on your device by our server. Cookies enable us to recognize returning visitors, maintain your session, and collect analytics data.

Strictly Necessary Cookies

These cookies are required for the website and Services to function. They enable login, security, and form submissions. You cannot opt out of strictly necessary cookies as they are essential to provide the service you have requested.

Functional and Preference Cookies

These cookies remember your settings and preferences across sessions, such as language preference and demo form auto-fill data. You may disable these via your browser settings, though some features may not function as expected.

Analytics and Performance Cookies

We currently deploy Google Analytics (_ga, _gid cookies) and Hotjar (_hjid cookie) to collect anonymized or pseudonymized data about how users navigate our site. This data helps us improve page performance and user experience. You may opt out via our cookie consent banner, via the Google Analytics Opt-Out Browser Add-On at tools.google.com/dlpage/gaoptout, or via Hotjar's opt-out page at hotjar.com/policies/do-not-track/.

Marketing and Retargeting Cookies

We may deploy marketing pixels — such as the LinkedIn Insight Tag or Meta Pixel — to track conversions, measure campaign effectiveness, and enable retargeting on third-party platforms. These are deployed only where legally permitted and with your consent via our cookie consent banner. You may opt out via the cookie consent banner at any time.

Managing Your Cookie Preferences

Upon first visiting the Amedeo.ai website, users in the EU/EEA, UK, and other applicable jurisdictions will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. Your preferences are saved for 12 months. You may also configure your browser to refuse or delete cookies at any time. For LinkedIn Insight Tag opt-out, visit linkedin.com/psettings/enhanced-advertising (requires a LinkedIn account).

For more detail on our specific cookie deployments, please refer to our Cookie Policy.

AI-Specific Privacy Disclosures

Because Amedeo is an AI Decision Intelligence platform, we provide the following additional disclosures regarding how AI systems interact with your data.

10.1 How Your Data Flows Through Our AI Pipeline

When you submit a Pipeline Run, your Input Data is transmitted via authenticated, encrypted API calls (TLS 1.2 or higher) to one or more AI API providers. The AI provider processes your Input Data and returns model outputs. Per the commercial API terms of each provider, your API inputs are not used to train the provider's public models. We receive, compile, and store the model outputs as your Output Data in your account on our AWS infrastructure.

10.2 No Automated Legally Significant Decisions

Amedeo's pipeline generates analytical reports and prototypes for your consideration. No Amedeo output constitutes an automated decision that produces legal effects or similarly significant effects on any individual. All outputs are informational and require human review before being acted upon.

10.3 Accuracy of AI Outputs

AI-generated outputs may contain inaccuracies, hallucinations, or errors. Amedeo does not warrant the accuracy, completeness, or fitness for purpose of any pipeline output. You are responsible for independently verifying any factual claims in Output Data before acting on them.

10.4 Future AI Provider Integrations

We reserve the right to integrate additional or alternative AI providers as our pipeline evolves. Material changes to AI providers will be disclosed via an updated Sub-Processor disclosure and communicated to registered users with at least 30 days' advance notice where required.

Children's Privacy

The Services are not directed to, and we do not knowingly collect Personal Data from, individuals under the age of 18. If we become aware that we have inadvertently collected Personal Data from a minor, we will promptly delete such data. If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us immediately at privacy@buildux.com

International Data Transfers

BuildUX Inc. is a US-based company. If you are located outside the United States, your Personal Data will be transferred to and processed in the United States, where data protection laws may differ from those in your country. We rely on the following mechanisms to legitimize international data transfers:

• Standard Contractual Clauses (SCCs): For transfers of EU personal data to the United States and other third countries, we rely on the European Commission's Standard Contractual Clauses (2021/914) as the primary transfer mechanism. We execute SCCs with Sub-Processors receiving EU personal data.
• UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom, we rely on the UK IDTA or the UK Addendum to the EU SCCs.
• India DPDP Act: For users in India, transfers of personal data are conducted in accordance with the Digital Personal Data Protection Act, 2023, and applicable rules promulgated thereunder.
• Other Jurisdictions: For transfers from other jurisdictions, we rely on applicable legal mechanisms recognized in those jurisdictions.

Each of our AI infrastructure Sub-Processors (Anthropic, OpenAI, Google, AWS) maintains its own cross-border transfer mechanisms compliant with applicable law. We verify these mechanisms as part of our due diligence in engaging Sub-Processors.

Data Security

We implement technical and organizational measures designed to protect your Personal Data against unauthorized access, loss, alteration, and disclosure. These measures include:

• Encryption of data in transit using TLS 1.2 or higher for all communications between you, our servers, and our Sub-Processors
• Encryption of data at rest using AES-256 or equivalent standards on our AWS infrastructure
• Access controls and role-based permissions limiting employee access to Personal Data on a need-to-know basis
• Regular security assessments and vulnerability monitoring
• Multi-factor authentication requirements for internal system access
• Incident response procedures for detecting, investigating, and reporting data breaches in accordance with applicable law

BuildUX Inc. intends to pursue SOC 2 Type II certification as part of its security maturity roadmap. In the interim, we align our security controls with the SOC 2 Trust Services Criteria. This Policy will be updated to reflect achieved certifications.

No method of data transmission or storage is 100% secure. While we employ commercially reasonable safeguards, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials. In the event of a data breach likely to result in high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by applicable law — for example, within 72 hours under GDPR.

Third-Party Websites and Services

The Amedeo.ai website and pipeline outputs may contain links to or references to third-party websites, services, or platforms. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices, data handling, or content of any third party. We encourage you to review the privacy policies of any third-party sites before providing them with Personal Data.

When you connect third-party accounts — such as scheduling via Calendly or payments via Stripe — the data you provide to those third parties is governed by their respective terms and privacy policies.

Regional Supplemental Disclosures

15.1 United States — California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:

• Right to Know: You may request information about the categories and specific pieces of Personal Information we have collected about you, the sources of collection, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your Personal Information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate Personal Information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share Personal Information as those terms are defined under the CCPA/CPRA. If this practice changes, we will update this Policy and provide an opt-out mechanism.
• Right to Limit Use of Sensitive Personal Information: We do not use Sensitive Personal Information for purposes beyond those permitted under the CPRA without your explicit consent.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

15.2 European Union / EEA — GDPR

If you are located in the EU/EEA, the GDPR applies to our processing of your Personal Data. The lawful bases we rely on for each processing activity are identified in Section 5. You have the rights of access, rectification, erasure, restriction, portability, and objection described in Section 8. You also have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects — see Section 10.2. If you believe we have violated your GDPR rights, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

Our registered agent address for formal GDPR correspondence is: BuildUX Inc., c/o Registered Agent, 131 Continental Drive, Suite 301, Newark, Delaware 19713, USA.

15.3 United Kingdom — UK GDPR

If you are located in the United Kingdom, the UK General Data Protection Regulation and the Data Protection Act 2018 apply. The rights described in Section 15.2 apply equivalently under UK law. You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. International transfers from the UK are conducted under the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable.

15.4 India — DPDP Act, 2023

If you are a Data Principal located in India, the Digital Personal Data Protection Act, 2023, and applicable rules apply to our processing of your Personal Data. In addition to the rights described in Section 8, you have the right to a summary of your Personal Data and the processing activities conducted in relation to it; the right to grievance redressal by contacting privacy@buildux.com; and the right to nominate another individual to exercise your rights on your behalf in the event of death or incapacity. BuildUX Inc. does not transfer Personal Data of Indian residents to jurisdictions not permitted under the DPDP Act, except as otherwise required by law.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or product features. When we make material changes, we will update the "Effective Date" at the top of this Policy, post the revised Policy on the Amedeo.ai website, and notify registered users by email at least 14 days before material changes take effect — or 30 days for changes that materially expand our use of your Personal Data or require your consent under applicable law.

Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Policy, to the extent permitted by applicable law. For material changes that require consent under GDPR, we will seek your affirmative consent before applying the change to your data. Prior versions of this Policy are available upon written request to privacy@buildux.com.

How to Contact Us

We will acknowledge receipt of all privacy requests within 5 business days and provide a substantive response within 30 calendar days, or within the legally required timeframe for your jurisdiction.