Plain-English privacy notice.

BuildPilled is operated by Hayden Holland. Contact: hayden@buildpilled.io.

• Waitlist email. If you submit one. Stored in a single Firestore document keyed by hashed email.
• Standard server logs. IP, user-agent, request path, timestamp. Cloud Run + Cloud Logging defaults. Used for abuse / debugging.
• No analytics, no tracking cookies, no advertising pixels.We don’t embed third-party scripts on this site.

We email you exactly once when the agent-audit API opens. We may ask you a single follow-up question if your domain looks relevant. We do not sell the list. We do not share it with partners. We do not run paid acquisition off it.

• Waitlist: until you ask us to delete it, or until the product is generally available and you have not engaged for 12 months.
• Server logs: 30 days (Cloud Logging default), then automatic deletion.

Google Cloud, United States region. BuildPilled does not use long-lived cloud service-account keys for production access.

The Surface tier is live at /agent-audit. You POST your system_prompt and tool definitions. Those often contain secrets, internal IP, or customer-identifying language. Our handling rules:

• Audit inputs are processed in-memory only. We never write your system_prompt, your tool definitions, or the structured findings to disk or to a log line. The audit runs, the report is returned to you, and the inputs are discarded when the request finishes.
• Only receipt metadata is persisted. That means: a request id, timestamp, tier, amount in USD, network reference (the Stripe PaymentIntent id), and the integer count of findings produced. No prompt content, no tool content, no finding content. Kept for the auditability windows SOC 2 / NIST AI RMF expect.
• Stripe sees a hash of your body, not your body. MPP body-digest binding ties your Shared Payment Token to the exact bytes you sent, but only the digest crosses the wire to Stripe — never the prompt or tools.
• We will never use your prompts or tools to train or fine-tune models.
• A separate, longer data-handling page will accompany the Active and Compliance tier launches with the per-tier retention numbers and the data processing addendum.

Email hayden@buildpilled.io from the address you signed up with and ask us to:

• Show you what we have on file (we’ll reply within 7 days).
• Delete it (we’ll reply within 7 days, deletion within 30 days).
• Correct it.

EU/UK residents: we treat all signups as “legitimate interest” lead capture, with the same opt-out path above.

Found an issue with this site or the audit API? security.txt has the contact and PGP details.

If we change anything material, we’ll bump the “last updated” date and (if you’re on the waitlist) email you a diff. No silent rewrites.