Privacy Policy

The BuilderWorld team, operating from Taiwan, is the data controller for personal information you provide through this service. Contact: hello@builderworld.io.

Account data: email address and OAuth identifier (GitHub or Google) when you sign up; any profile fields you choose to fill (display name, bio, avatar, social handles, location).

Content you post: projects, comments, likes, follows, saves.

Usage data: pages you visit, interactions with projects, search queries. We hash your IP with a rotating secret before storing it, only to dedupe view counts within a 1-hour window.

Payment data (if you subscribe to Pro): Lemon Squeezy processes your card. We receive only the customer ID, subscription status, renewal date, and billing email — never card numbers or full PAN.

Cookies and similar: a Supabase auth session cookie (required for sign-in), a locale preference cookie, and a product analytics cookie if PostHog is enabled. PostHog is configured to only build a profile for identified (signed-in) users; we do not track anonymous visitors across sessions, and session recording is disabled.

Run the service — authenticate you, show your profile, serve the feed, process interactions.

Communicate with you — transactional email (account updates, receipts) and, if you've opted in, the weekly project digest.

Improve the product — anonymous usage analytics to understand which features matter.

Prevent abuse — detect spam, scraping, multi-account misuse, payment fraud.

Comply with law — respond to lawful requests where required.

Performance of contract — we process account and project data to provide the service you signed up for.

Legitimate interests — abuse prevention, security, and anonymous usage analytics (we balance these against your rights).

Consent — for optional weekly digest emails; you can unsubscribe from any digest email or in settings.

Legal obligation — tax records related to your subscription (managed by Lemon Squeezy as Merchant of Record).

Supabase (PostgreSQL database + authentication + storage) — hosted in Singapore.

Vercel (hosting + CDN + serverless functions).

Resend (transactional and digest email delivery).

Lemon Squeezy (payment processing, as Merchant of Record for subscriptions).

PostHog (product analytics, if enabled).

Each of these has their own privacy and security posture; they're standard vendors used across thousands of SaaS products.

Public content you post (projects, comments, profile) is visible to anyone on the internet by design.

We do not sell or rent personal information. We do not share your email with other users.

We disclose data to subprocessors above, to law enforcement where legally required, and in a business transfer if BuilderWorld is acquired (users would be notified first).

Active account data: while your account exists.

Deleted accounts: profile and projects are removed from public view immediately and permanently deleted within 30 days, subject to legal retention requirements.

Payment / tax records: as required by applicable tax law (typically 5–7 years), held by Lemon Squeezy.

Server logs: up to 90 days for debugging and abuse detection.

BuilderWorld is based in Taiwan. Data may be stored or processed in Singapore (Supabase), the US and EU (Vercel, Resend, PostHog), or wherever Lemon Squeezy processes payments. Where required, we rely on standard contractual clauses with our processors.

Access — ask what we hold about you.

Correct — fix inaccurate data (most fields are editable in settings).

Delete — close your account and have your data erased.

Export — request a copy of your profile, projects, and interaction history.

Object or restrict — to specific processing activities.

Withdraw consent — unsubscribe from emails, disable analytics where applicable.

Complain to a supervisory authority if you're in the EU, UK, or similar jurisdiction.

To exercise any of these, email hello@builderworld.io. We respond within 30 days.

BuilderWorld is not intended for users under 13 (or under 16 in the EU/UK). We don't knowingly collect data from children. If you believe a child has created an account, email hello@builderworld.io and we'll remove it.

We encrypt data in transit (HTTPS everywhere) and at rest (Supabase-managed). Authentication tokens are short-lived. Payment card data never touches our servers. Row-level security isolates users' private data (e.g. your saves list).

No system is perfectly secure. If you suspect a breach affecting your account, email hello@builderworld.io as soon as possible.

We may update this Policy. Material changes will be announced with at least 14 days' notice via email or in-app notice. The "Last updated" date at the top of this page always reflects the current version.