Skip to main content

Privacy Policy

Last updated: December 6, 2025

BuilderBox ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our developer productivity platform, including our website, CLI tools, and MCP server integrations.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Password (stored as a secure hash—we never store plain text passwords)
  • Account preferences and settings

User-Generated Content

When you use our Service, we store:

  • Tasks, projects, and boards you create
  • Comments and activity logs
  • Calendar events and schedules

Usage Data

With your consent (via our cookie consent banner), we may collect:

  • Pages and features you visit
  • Time spent on different sections
  • Actions taken within the application
  • Error logs and crash reports

Device Information

We automatically collect:

  • Browser type and version
  • Operating system
  • IP address (for security and abuse prevention)
  • Device identifiers

2. CLI and MCP Data Collection

This section is particularly important. BuilderBox offers optional command-line interface (CLI) tools and MCP (Model Context Protocol) server integrations that track your coding activity. This feature is opt-in and requires you to actively install and configure these tools.

What Data is Collected

When you use the BuilderBox CLI, VS Code extension, or MCP integration, we collect:

File and Project Metadata

  • File Paths: The full paths of files you edit (e.g., /home/user/project/src/App.tsx)
  • Project Names: The name of the project or repository you're working in
  • Programming Languages: The language of files you edit (detected by extension)
  • Line Counts: Number of lines in files and cursor position
  • File Size: The size of files you edit in bytes
  • Git Context: Branch names, short commit hashes, and whether you have uncommitted changes
  • Dependencies: Package and import names extracted by parsing import/require statements in your files (not the file contents themselves)

Environment Information

  • Editor/IDE: The name and version of your code editor (e.g., VS Code 1.85.0, Cursor, Neovim)
  • Operating System: Your OS name and version (e.g., macOS 14.2, Windows 11, Ubuntu 22.04)
  • Machine Hostname: Your computer's hostname (e.g., justin-macbook-pro) to distinguish between devices
  • User Agent: The plugin name and version string identifying the BuilderBox tool sending data

Activity Metrics

  • Timestamps: When you started and stopped editing (Unix timestamps)
  • Change Metrics: Characters and lines added/deleted per edit (not the actual text)
  • Keystroke Counts: The number of keystrokes between activity reports (for distinguishing active typing from idle time—we do not record which keys)
  • Paste Detection: Whether text was pasted (to distinguish manual typing from clipboard operations)
  • Session Tracking: A unique session ID and idle duration to group related activity
  • Window Focus: Whether your editor window is focused
  • Debug Session: Whether you're in an active debugging session

AI Attribution (VS Code Extension Only)

  • AI Detection: Whether code was generated by an AI tool (e.g., GitHub Copilot, Cursor, Cline)
  • AI Tool Name: Which AI assistant generated the code
  • Completion Type: Whether it was an inline completion, chat response, or agent action
  • Acceptance Timing: How long you took to accept an AI suggestion (in milliseconds)
  • Completion Size: The number of characters shown vs. accepted
  • Confidence Score: Our AI detection algorithm's confidence level (0-1)

Important: We do NOT collect the actual contents of your files or the text you type. We only collect metadata about your coding activity. Your source code stays on your machine. Dependency detection works by parsing import statements—we extract only the package names, not your code.

Data Minimization: Our tools use throttling and coalescing to minimize the amount of data sent. Rapid edits within a short window are combined into a single activity report, reducing data volume while preserving accuracy.

How to Control CLI/MCP Data Collection

  • Don't install: Simply don't install the CLI tools if you don't want this tracking
  • Uninstall: Remove the CLI tools or MCP server configuration at any time
  • Revoke API Key: Delete your API key in Settings → Coding Activity to stop all data collection
  • Exclude Projects: Configure .builderboxignore files to exclude specific projects
  • Delete Data: Request deletion of your coding activity data at any time

Why We Collect This Data

Coding activity data is used to:

  • Display your coding statistics and activity charts
  • Track time spent on different projects and languages
  • Provide productivity insights and streak tracking
  • Help you understand your coding patterns

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Store and display your tasks, projects, and coding activity
  • Improve the Service: Analyze usage patterns to improve features and user experience
  • Communicate with You: Send service updates, security alerts, and support messages
  • Ensure Security: Detect and prevent fraud, abuse, and security incidents
  • Comply with Law: Meet legal obligations and respond to lawful requests

We do NOT sell your personal information to third parties. We do NOT use your data for advertising purposes. We do NOT share your coding activity data with employers or other users.

5. Data Storage and Security

Your data is stored securely using industry-standard practices:

  • Database: Hosted on Supabase infrastructure in the United States (AWS us-west-2)
  • Encryption at Rest: All data is encrypted using AES-256 encryption
  • Encryption in Transit: All connections use TLS 1.2 or higher
  • Access Controls: Role-based access controls limit who can access data
  • Backups: Regular automated backups with point-in-time recovery
  • Password Security: Passwords are hashed using bcrypt with appropriate work factors

6. Third-Party Services

We use the following third-party services to operate BuilderBox:

Supabase

Database hosting, authentication, and real-time subscriptions. Privacy Policy

Sentry

Error tracking and performance monitoring to improve service reliability. Privacy Policy

PostHog

Privacy-focused product analytics for understanding how the Service is used. PostHog is only enabled with your consent (via our cookie banner). We use privacy-safe settings: localStorage instead of cookies, text masking in session replays, and respect for Do Not Track. Privacy Policy

7. Data Retention

We retain your data for the following periods:

  • Active Accounts: Data is retained for as long as your account is active
  • Deleted Accounts: Account data is permanently deleted within 30 days of account deletion
  • Coding Heartbeats: Raw heartbeat data is retained for 1 year, then aggregated or deleted
  • Aggregated Statistics: Daily/weekly summaries may be retained indefinitely for your reference
  • Backups: Backups containing your data may persist for up to 30 days after deletion
  • Legal Requirements: Some data may be retained longer if required by law

8. Your Rights (GDPR/CCPA)

Depending on your location, you may have the following rights:

GDPR Rights (EU/EEA/UK Residents)

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time

CCPA Rights (California Residents)

  • Right to Know: Know what personal information is collected and how it's used
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we don't sell data)
  • Right to Non-Discrimination: Not be discriminated against for exercising your rights

To exercise any of these rights, please contact us at privacy@builderbox.app. We will respond to your request within 30 days.

9. Cookies and Local Storage

We use cookies and local storage for:

  • Essential Cookies: Session management and authentication (required for the Service to function)
  • Preference Cookies: Storing your theme, font size, and other settings
  • Analytics (localStorage): PostHog analytics uses localStorage instead of cookies for a more privacy-friendly approach (only with your consent)

When you first visit BuilderBox, you'll see a cookie consent banner. Analytics tracking is only enabled if you click "Accept." You can change your preference at any time in Settings.

We use browser localStorage to store your preferences locally and for analytics (PostHog). PostHog data is only sent to our analytics service if you have consented. Your local preferences never leave your device unless you explicitly sync them to your account.

10. Children's Privacy

BuilderBox is not intended for children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@builderbox.app, and we will delete such information.

11. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers are located. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the US.

We ensure appropriate safeguards are in place for international transfers, including:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with all third-party providers
  • Technical and organizational security measures

12. Security Incident Response

In the event of a data breach that affects your personal information, we will:

  • Notify affected users via email within 72 hours of becoming aware of the breach
  • Describe the nature of the breach and types of data affected
  • Explain the steps we're taking to address the breach
  • Provide recommendations for protecting yourself
  • Report to relevant supervisory authorities as required by law

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date at the top
  • Sending an email to the address associated with your account (for material changes)

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@builderbox.app

General Inquiries: support@builderbox.app

Address: BuilderBox Inc., San Francisco, CA, United States

Response Time: We aim to respond to all privacy inquiries within 30 days

By using BuilderBox, you acknowledge that you have read and understood this Privacy Policy.