Full policy. The summary below highlights the key terms; in case of conflict the iubenda-hosted version prevails. View full Privacy Policy.

Privacy Policy — Summary

Effective date: 2026-04-29. Cookie Policy.

The full legal text on this page is currently available in English only. A professionally translated version will be provided in due course.

Data fiduciary / controller: PairOx Pty Ltd (Business Number: 154 477 728), 4 Lorikeet Street, Glenwood, NSW 2768, Australia.

Privacy contact: privacy@runmybuild.ai

Grievance Officer / Data Protection Contact

In compliance with the India Digital Personal Data Protection Act 2023 (DPDP), EU GDPR Article 27, California CPRA, and the Australian Privacy Act 1988, the following officer handles all data-protection requests, privacy complaints, and grievances:

Name: Privacy & Compliance Lead
Designation: Grievance Officer
Email: privacy@runmybuild.ai
Postal address: PairOx Pty Ltd (ABN 82 154 477 728), 4 Lorikeet Street, Glenwood, NSW 2768, Australia.
Response SLA: 30 calendar days. Urgent matters (security breach, child safety, imminent harm) are acknowledged within 24 hours and actioned within 72 hours.

You may exercise data-subject rights — access, correction, deletion, portability — by emailing the address above with subject line[DSAR] and your full registered name.

1. What we collect

Account data (name, email, role, organisation).
Project and operational data you enter or upload (documents, photos, messages).
Technical data (logs, device/browser, IP) for security and reliability.
Analytics when you opt in via our cookie banner.

2. Why we use it

To provide the Service, secure accounts, improve the product, comply with law, and communicate with you.

3. Legal bases

Contract performance, legitimate interests (security, product improvement), consent (analytics/marketing where used), and legal obligation. Under DPDP, processing is based on consent or a legitimate use as defined in the Act.

4. Sharing

We share data only with sub-processors needed to deliver the Service (see the Sub-processors section below). We do not sell personal information to third parties.

5. Retention

We retain account data for as long as your account is active and for up to 7 years thereafter for legal and audit purposes, unless a shorter period is required by applicable law. Transactional and project data is retained for 7 years to meet financial and construction-record obligations. You may request earlier deletion (subject to legal-hold exceptions) by emailing privacy@runmybuild.ai.

6. Your rights

Australia (Privacy Act 1988, APPs): Access, correction, complaint to OAIC (oaic.gov.au).
New Zealand (Privacy Act 2020): Access, correction, complaint to OPC (privacy.org.nz).
India (DPDP 2023): Access, correction, erasure, grievance escalation. Contact our Grievance Officer at grievance@runmybuild.ai.
United States: Rights vary by state (e.g. CCPA/CPRA for California residents — right to know, delete, opt-out of sale/sharing; Virginia CDPA; Colorado CPA). We honour verified requests from residents of states with applicable privacy laws.

To exercise any right, email privacy@runmybuild.ai with the subject "Privacy Rights Request".

7. International data transfers

Our sub-processors operate primarily in the United States and Australia (Sydney region). Where data is transferred outside your country of residence, we rely on standard contractual clauses, Data Processing Agreements (DPAs) with each vendor, and equivalent safeguards recognised under applicable law. See the Sub-processors section for per-vendor detail.

8. Security

We implement appropriate technical and organisational measures including TLS in transit, encrypted storage at rest, row-level access controls in our database, and rate-limiting on all public API endpoints. We use Sentry for error monitoring with PII scrubbing configured.

9. Cookies

See our Cookie Policy for full details. A consent banner fires on first visit; analytics cookies are opt-in only.

Sub-processors

The following third parties process personal data on our behalf. Each has a published Data Processing Agreement (DPA) referenced below.

Sub-processor	Purpose	Region	DPA
Vercel Inc.	Web hosting + serverless functions	Global edge (primary us-east-1)	DPA
Railway Corp.	API hosting	Configurable (AU or US)	DPA
Neon Inc.	Postgres primary data store	ap-southeast-2 (Sydney)	DPA
Upstash Inc.	Redis — sessions, rate-limiting, cache	Region per configuration	DPA
Amazon Web Services (S3)	File storage — uploads, documents, photos	ap-southeast-2 (Sydney)	DPA
Sentry (Functional Software, Inc.)	Error monitoring — PII scrubbing configured	US	DPA
Resend Labs Inc.	Transactional email	US	DPA
Anthropic PBC	AI features (briefings, conversational AI)	US	DPA
Stripe, Inc.	Payment processing (subscriptions)	Global (PCI-DSS)	DPA
Twilio Inc.	SMS notifications	US-managed; AU number routing	DPA
GitHub, Inc. (Microsoft)	Code hosting + CI/CD	US	DPA
BetterStack	Uptime monitoring + status page	EU	DPA

10. Changes to this policy

Material changes will be communicated by email (to registered users) or by a prominent notice on the Service at least 14 days before taking effect.

11. Multi-jurisdiction notes

Australia: Governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We are an APP entity.
New Zealand: We comply with the Privacy Act 2020 (NZ) for NZ-resident users. NZ users may lodge complaints with the Office of the Privacy Commissioner.
India: We comply with the Digital Personal Data Protection Act 2023 (DPDP). We act as a Data Fiduciary. A Grievance Officer is designated above.
United States: We honour state-law privacy rights on a verified-request basis. We do not sell or share personal information for cross-context behavioural advertising.

Back to home