Privacy Policy
Effective Date: February 8, 2026
Last Updated: February 8, 2026
Welcome to TalkBuildr ("we", "us", or "our"), provided by IdeaVista, trading as TalkBuildr. We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our chatbot platform in compliance with the General Data Protection Regulation (GDPR) and Dutch data protection law.
Data Controller:
IdeaVista, trading as TalkBuildr
Amsterdam, The Netherlands
KvK Number: 97755893
Email: privacy@talkbuildr.com
Controller vs. Processor: When you embed a TalkBuildr chatbot on your website, you (the account holder) are the data controller for the personal data of your website visitors. IdeaVista acts as a data processor on your behalf under our Data Processing Agreement. You are responsible for having a lawful basis to collect visitor data and for informing your visitors about the processing in your own privacy policy.
- Information We Collect
- Personal Information: Name, email address, payment details (processed by Stripe), company name (optional)
- Usage Data: Chat logs, support messages, analytics data, IP addresses, device/browser information
- Cookies and Tracking: See our Cookie Policy for detailed information
- Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide our Services and fulfill our contract with you (account management, service delivery, support)
- Consent (Article 6(1)(a)): For analytics cookies and marketing communications (where you have opted in)
- Legitimate Interests (Article 6(1)(f)): For fraud prevention, security, improving our Services, and business analytics
- Legal Obligation (Article 6(1)(c)): For compliance with tax, accounting, and legal requirements
- How We Use Your Information
- To provide, maintain, and improve our Services
- To process payments and manage subscriptions (via Stripe)
- To communicate with you about your account, updates, and support
- For analytics, troubleshooting, and security purposes
- To comply with legal obligations (tax, accounting, law enforcement requests)
- To prevent fraud and ensure platform security
- Information Sharing & Third-Party Processors
We do not sell your personal data. We share data with the following trusted third-party processors under Data Processing Agreements (DPAs):
- Stripe (USA): Payment processing — covered by EU-US Data Privacy Framework (DPF)
- Supabase (USA): Database and authentication — covered by EU Standard Contractual Clauses (SCCs)
- Vercel (USA): Application hosting and delivery — covered by EU-US Data Privacy Framework (DPF)
- OpenAI (USA): AI processing for chatbot responses — covered by Data Processing Agreement. OpenAI does not train models on data submitted via its API
- Resend (USA): Transactional email delivery — covered by EU-US Data Privacy Framework (DPF)
- Upstash (EU/USA): Rate limiting and caching — covered by EU Standard Contractual Clauses (SCCs)
- Sentry (EU — Germany): Error tracking and monitoring — hosted in the EU, no international transfer required
- Google Analytics (USA): Analytics (only with your consent) — covered by EU-US Data Privacy Framework (DPF)
For full details on sub-processors, data types, and transfer mechanisms, see our Data Processing Agreement.
We may disclose information if required by law or to protect our legal rights.
- International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework (DPF) adequacy decision where applicable
- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with all processors
Sentry is hosted in the EU (Germany) and does not involve international data transfers.
Note on BYOK Users: If you use Bring Your Own Key (BYOK) encryption, please note that this does not fully protect against lawful access requests from third countries as stated by the European Data Protection Board (EDPB). See our Terms of Service for full BYOK disclaimers.
- Data Retention
We retain your personal data for the following periods:
- Account Data: Until you delete your account, plus 30 days for backup purposes
- Chat Logs: Until account deletion (you can delete individual conversations at any time)
- Billing Records: 7 years (required by Dutch tax law)
- Analytics Data: 24 months (anonymized)
- Support Correspondence: 3 years from last contact
After these periods, data is permanently deleted or anonymized. You can request earlier deletion by exercising your GDPR rights (see section 7).
- Your GDPR Rights
Under GDPR, you have the following rights:
- Right of Access (Article 15): Request a copy of your personal data
- Right to Rectification (Article 16): Correct inaccurate or incomplete data
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
- Right to Data Portability (Article 20): Receive your data in a machine-readable format
- Right to Restriction of Processing (Article 18): Limit how we use your data
- Right to Object (Article 21): Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent (Article 7(3)): Withdraw consent for analytics cookies or marketing at any time
- Right to Lodge a Complaint (Article 77): File a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens — AP)
How to Exercise Your Rights:
Email us at privacy@talkbuildr.com with your request. We will respond within one month as required by GDPR Article 12(3). This period may be extended by two further months for complex requests, in which case we will inform you within the first month.
Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
autoriteitpersoonsgegevens.nl
- Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-Level Security (RLS) on all database tables (87 policies)
- Role-based access controls (RBAC) with 5 distinct permission levels
- Rate limiting on all public API endpoints
- Error monitoring via Sentry (EU-hosted)
- Incident response procedures
- Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach (GDPR Article 33)
- Notify affected users without undue delay if the breach poses a high risk to their rights (GDPR Article 34)
- Provide clear information about the nature of the breach and remedial actions taken
BYOK Users: If you use Bring Your Own Key encryption and your keys are compromised, you are responsible for notifying authorities and affected parties as required by GDPR. See Terms of Service for full BYOK liability.
- Cookies and Tracking Technologies
We use cookies and similar tracking technologies. For detailed information about:
- What cookies we use
- Why we use them
- How to manage your cookie preferences
- Cookie consent banner requirements (Dutch AP compliance)
Please see our Cookie Policy.
- Children's Privacy
Our Services are not directed to individuals under 16 years of age (in accordance with the Dutch Implementation Act GDPR — Uitvoeringswet AVG, or UAVG). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will delete such information.
- Automated Decision-Making and Profiling
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you (GDPR Article 22).
AI processing (via OpenAI) is used to generate chatbot responses, but this does not constitute automated decision-making that affects your rights. You maintain full control over how you use chatbot responses. OpenAI does not train its models on data submitted via the API.
- Updates to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top
- We will notify you via email at least 30 days before material changes take effect
- We will display a prominent notice on our website
Where changes require your consent under GDPR, we will seek your renewed consent before applying those changes. If you do not agree with the updated policy, you may close your account.
- Contact Information
For privacy concerns, GDPR requests, or data protection questions, contact us:
Privacy Contact Email: privacy@talkbuildr.com
General Support: support@talkbuildr.com
Company Details:
IdeaVista, trading as TalkBuildr
Amsterdam, The Netherlands
KvK Number: 97755893
https://talkbuildr.com
Note on Data Protection Officer: As a small enterprise, IdeaVista is not required to appoint a Data Protection Officer under GDPR Article 37. For all data protection inquiries, please contact us using the email addresses above.
Note on EU Representative: As a Netherlands-based company with an establishment in the EU, we are not required to appoint an EU representative under GDPR Article 27.