Privacy Policy

This Privacy Policy describes how personal information is collected, used, shared, and protected by INOVA AI SOLUTIONS PTY LTD (ABN: 19 698 288 836) ("Company", "we", "us", or "our") through our prompt-based No-Code Enterprise AI Platform, BLDR, hosted at https://www.BLDR.bot (the "Platform" or "Service").

We take privacy seriously and comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) (including the 2026 Automated Decision-Making transparency reforms), the General Data Protection Regulation (GDPR) in Europe and the United Kingdom, and the California Consumer Privacy Act (CCPA/CPRA) in the United States.

1. Important Structural Notice: Processor vs. Controller

Depending on how you use our Platform, we may act as either a Data Controller or a Data Processor:

• We act as a Data Controller when we collect and process personal data for our own business purposes (such as when you register for an individual account, purchase platform credits, subscribe to our newsletters, or interact with our direct marketing).
• We act as a Data Processor when we process data on behalf of an enterprise client, workspace administrator, or team account owner (collectively, "Workspace Owners"). This includes:
  • Information and prompt inputs uploaded by team members into an enterprise-controlled workspace.
  • Data collected from the end-users of custom web applications or automated APIs built and deployed by Workspace Owners using the Platform ("Deployments").

In situations where we act as a Data Processor, the privacy policy of the respective Workspace Owner governs the processing of that data. Users must contact the relevant Workspace Owner directly to exercise any of their data subject rights.

2. Personal Information We Collect

We collect personal information through several channels to provide our prompt-based Enterprise AI services:

A. Information You Directly Provide to Us

• Contact & Registration Data: First and last name, business email address, corporate telephone number, job title, company name, and physical business address.
• Account Credentials: Passwords, authentication tokens, API keys, and configurations created to secure your Platform profile.
• Prompt Inputs & User-Generated Content (UGC): Prompt instructions, contextual text inputs, uploaded files, source code, design models, structured spreadsheets, audio-visual clips, and associated metadata (such as timestamps, system identifiers, and geographical origins) provided to the Platform's workspace.
• Financial and Billing Data: Payment details required to process credit acquisitions and monthly subscriptions. This data is transmitted directly and securely to our external Payment Processor (such as Stripe) in an encrypted format. We do not store raw credit card details on our local servers.
• Support and Interaction Logs: Communications, feedback, and logs generated when you contact our customer success, technical support, or system safety teams.

B. Automatically Collected Information

• Technical Device Data: IP address, operating system, browser type, screen resolution, regional and language settings, and device hardware specifications (RAM, CPU, and disk size metrics).
• System Usage & Session Logs: Pages or settings viewed, time spent in specific Platform workspaces, prompt execution frequencies, system navigation path metrics, and logs recording the status of automated processes.
• Isolated Sandbox Execution Logs: When the Platform executes code, scripts, or operational queries within our ephemeral virtual environments ("Sandboxes"), we collect execution trace logs, shell command outputs, and debugging metrics to ensure system security and verify that processes complete successfully.

C. Information Received from Third-Party Integrations

• Connected Enterprise Credentials: If you leverage Third-Party login services (such as Microsoft Azure AD, Google Workspace, or GitHub Enterprise) to authenticate your access to BLDR, we receive metadata such as your verified email address and unique user identifier, subject to your third-party account configuration settings.
• External API Integrations (Connectors): When you configure BLDR to pull or push data using native external connectors, we access data streams in accordance with the permissions and scopes you authorize, complying fully with external provider policies (such as the Google API Services User Data Policy, where applicable).

3. How We Use Your Personal Information

We use your personal data to power our Platform's features, optimize system performance, and comply with international regulations:

• Platform Provisioning & Execution: Activating and maintaining your account, executing prompt workflows, distributing computational tasks across Sandbox environments, and transmitting prompt parameters to our integrated model inference endpoints.
• Transactional Management: Processing payments, monitoring platform credit usage across individual and enterprise team accounts, and delivering invoices and renewal notifications.
• System Personalization: Saving interface preferences, default prompt configurations, and template settings to streamline workflows.
• System Diagnostics & Optimization: Tracking system latency, debugging Sandbox failures, preventing algorithmic execution loops, and analyzing platform usage patterns to design more efficient AI tools.
• Security & Threat Mitigation: Monitoring for malicious activity (such as prompt injection attacks, automated scraping, malware distribution, or denial of service attempts), securing our cloud infrastructure, and investigating policy violations.
• Legal Compliance & Rule Enforcement: Responding to valid government requests, complying with regulatory audit trails, and defending our legal rights.

4. Special Transparency Notice: Automated Decision-Making (ADM)

In compliance with APP 1.7 and 1.8 of the Privacy Act 1988 (Cth), we provide the following disclosures regarding our use of automated computer systems and artificial intelligence engines:

Our Platform, BLDR, utilizes advanced algorithmic configurations, machine learning models, and automated logic structures to process your inputs and execute prompt actions.

• Self-Generated System Decisions: We do not deploy automated decision-making processes that result in significant, legally binding, or adverse effects on individuals without human intervention.
• Workspace Owner Deployments: Workspace Owners may configure prompt workflows, autonomous agents, and decision trees using BLDR to assist in evaluating, filtering, or scoring criteria (such as in recruitment tracking, credit assessments, or customer triage systems). In these scenarios, the Workspace Owner is responsible for establishing appropriate human-in-the-loop validation, providing transparent disclosures, and ensuring compliance with regional laws regarding automated decisions.

5. Sharing Your Information

We share your personal information only under strict conditions and with appropriate safeguards:

• Enterprise Administrators & Teams: If you access BLDR under a corporate-sponsored Team Plan, your Workspace Owner and designated system administrators can view your session logs, prompt inputs, generated outputs, workspace configurations, and resource usage statistics.
• Third-Party AI Foundation Model Providers: To execute prompt requests, we transmit instructions to secure AI foundation model endpoints (such as OpenAI, Anthropic, or Google Cloud Vertex AI). We configure these integrations to use enterprise-grade privacy settings that prevent these providers from utilizing your inputs to train their public models.
• Essential Service Providers: We share necessary data with trusted contractors and infrastructure providers who maintain our cloud servers, handle secure payment gateways, monitor system safety, or distribute administrative emails on our behalf.
• Corporate Transactions: If we undergo a merger, acquisition, structural reorganization, or asset sale, your information may be shared with prospective purchasers and transition advisors subject to strict confidentiality agreements.
• Legal and Regulatory Disclosures: We will disclose data to law enforcement, government regulators, or judicial authorities if we believe in good faith that such disclosure is necessary to comply with a valid legal obligation under Australian or international law.

6. Retention of Personal Data

We retain personal data only as long as necessary to fulfill the operational purposes detailed in this policy, satisfy legal reporting requirements, or resolve active disputes:

• Account & Profile Data: Retained for the active duration of your subscription and for up to seven (7) years following account termination to comply with Australian tax and corporate audit regulations.
• Sandbox Data: Session logs and prompt execution data within our ephemeral virtual machine sandboxes are deleted automatically after fourteen (14) days.
• Enterprise Workspace Data: Purged or returned to the enterprise customer in accordance with the specific terms outlined in their Master Services Agreement (MSA) or Data Processing Addendum (DPA).

7. International Data Transfers

Our Platform infrastructure utilizes global cloud networks. Although INOVA AI SOLUTIONS PTY LTD is an Australian entity, personal data may be transferred to and stored on secure servers located in the United States, Singapore, or the European Union.

When transferring personal data outside of Australia or other regional boundaries, we implement robust safeguards. This includes utilizing standard contractual clauses, ensuring data recipients are located in jurisdictions recognized as providing adequate data protections, or establishing binding contract terms that require recipients to treat your data with a level of security equivalent to the APPs, GDPR, or CCPA.

8. Specific Regional Privacy Disclosures

A. Australian Privacy Rights (Privacy Act 1988)

If you reside in Australia, you have the following rights regarding your personal information:

• Access & Correction: You have the right to request access to the personal data we hold about you and to request that we correct any errors.
• Privacy Complaints: If you believe we have breached the Australian Privacy Principles, you can submit a written complaint to us. We will investigate the issue and respond in writing within thirty (30) days. If you are not satisfied with our response, you can escalate your complaint to the Office of the Australian Information Commissioner (OAIC).

B. European & United Kingdom Rights (GDPR)

If you are located in the EEA or the United Kingdom, you have the following rights as a data subject:

• The Right to Erasure ("Right to be Forgotten"): You can request that we delete your personal data under certain conditions.
• The Right to Portability: You can request that we transfer a machine-readable copy of your personal data to you or a designated third party.
• The Right to Restrict/Object: You can object to our processing of your personal data on the basis of Legitimate Interests, or request that we restrict its processing.
• Withdrawal of Consent: If we process your data based on your explicit consent, you have the right to withdraw that consent at any time.
• Supervisory Complaint: You have the right to lodge a complaint with your local Data Protection Authority if you believe our data processing violates applicable laws.

C. California Consumer Privacy Rights (CCPA/CPRA)

• No Sale of Data: We do not sell your personal data to third parties for financial compensation.
• The Right to Limit Use of Sensitive Data: We do not collect or process sensitive personal data for the purpose of inferring characteristics about individuals.
• Opt-Out of Targeted Advertising: You can restrict the use of tracking technologies for targeted advertising by using our "Privacy Choices" settings menu.

9. Security Safeguards

We implement robust technical and organizational security measures to protect your personal information:

• Encryption of data both in transit (using TLS 1.3 or equivalent protocols) and at rest (using AES-256 encryption standards).
• Ephemeral virtual machine sandboxes that isolate code executions and session environments between tenants.
• Role-based access controls (RBAC) that restrict access to database systems containing personal information to authorized personnel.
• Regular security audits, vulnerability scanning, and secure software development lifecycle reviews.

While we take every reasonable precaution to secure our systems, no internet transmission or electronic storage method is completely secure. We cannot guarantee absolute security, and you transmit your data to the Platform at your own risk.

10. Policy Modifications

We reserve the right to update this Privacy Policy at any time. When material changes are made, we will update the "Last Updated" date at the top of this document and notify you via email or through a prominent notice on your Platform dashboard.

Changes to this policy become effective immediately upon being posted on this webpage.

11. Contacting Our Data Protection Officer

If you have any questions, would like to exercise your regional privacy rights, or wish to submit a privacy complaint, please contact our Data Protection Officer:

• Entity: INOVA AI SOLUTIONS PTY LTD (Attn: Data Protection Officer)
• Email: Data@inovasolutions.ai
• Postal Address: Unit 2, 40 Inkerman St, Parramatta NSW 2150, Australia