§ Privacy  [ Last updated 2026-04-30 ]

Plain-English privacy notice.

BuildPilled is a security audit firm; we’d be embarrassed to quietly hoover up data. Here is what we collect, why, how long we keep it, and how to make us delete it.

Who we are

BuildPilled is operated by Hayden Holland. Contact: hayden@buildpilled.io.

What we collect on this site

  • Waitlist email. If you submit one. Stored in a single Firestore document keyed by hashed email.
  • Standard server logs. IP, user-agent, request path, timestamp. Cloud Run + Cloud Logging defaults. Used for abuse / debugging.
  • No analytics, no tracking cookies, no advertising pixels. We don’t embed third-party scripts on this site.

What we do with it

We email you exactly once when the agent-audit API opens. We may ask you a single follow-up question if your domain looks relevant. We do not sell the list. We do not share it with partners. We do not run paid acquisition off it.

How long we keep it

  • Waitlist: until you ask us to delete it, or until the product is generally available and you have not engaged for 12 months.
  • Server logs: 30 days (Cloud Logging default), then automatic deletion.

Where it lives

Google Cloud, project bp-resources-origin, region us-central1. BuildPilled never holds Google Cloud service-account keys; all access is brokered via Workload Identity Federation.

When you call the agent-audit API (forthcoming)

When the per-call API is live, you will be POSTing your system_prompt and tool definitions. Those often contain secrets, internal IP, or customer-identifying language. Our handling rules:

  • Audit inputs are processed in-memory, not persisted to a database.
  • The structured findings document and the Stripe MPP receipt are persisted; we keep them only for the auditability windows SOC 2 / NIST AI RMF expect.
  • We will never use your prompts or tools to train or fine-tune models.
  • A separate, longer data-handling page will accompany API launch with the exact retention numbers and the data processing addendum.

Your rights

Email hayden@buildpilled.io from the address you signed up with and ask us to:

  • Show you what we have on file (we’ll reply within 7 days).
  • Delete it (we’ll reply within 7 days, deletion within 30 days).
  • Correct it.

EU/UK residents: we treat all signups as “legitimate interest” lead capture, with the same opt-out path above.

Security disclosure

Found an issue with this site or the audit API? security.txt has the contact and PGP details.

Changes

If we change anything material, we’ll bump the “last updated” date and (if you’re on the waitlist) email you a diff. No silent rewrites.