Privacy Policy
Last updated: 2026-05-15 Effective: 2026-05-15 Version: v0.2 (pre-launch, pending Missouri counsel review)
1. Who we are
This Privacy Policy describes how Live a Little Enterprises, LLC, a Missouri limited liability company doing business as BeBuilt ("bebuilt," "we") collects, uses, and shares personal information in connection with our website at bebuilt.ai and our subscription service (together, the "Service").
If you have questions, contact us at brandon@livealittleventures.com.
2. Information we collect
We collect the following categories of information:
2.1 Account & billing information. When you subscribe or contact us, we collect your name, email, company, billing address, and payment information. Payment card details are collected and processed by our payment processor (Stripe) and are not stored on our servers.
2.2 Communications. Emails, Slack messages, call notes, and other communications you send to us or that we exchange in the course of providing the Service.
2.3 Project content. Materials, instructions, code, documents, credentials, and data you provide so that we can perform Requests on your behalf.
2.4 Usage and device data. Information automatically collected when you visit our website, including IP address, browser type, referring URL, pages viewed, and approximate location derived from IP.
2.5 Cookies and similar technologies. We use cookies and similar technologies for essential site functionality (e.g., maintaining sessions) and for limited, aggregate site analytics provided by Vercel Analytics. Vercel Analytics is privacy-preserving and does not use third-party cookies or persistent identifiers to track individual visitors across sites. You can control cookies through your browser settings.
2.6 Scheduling. When you book a call, our scheduling provider (Cal.com) collects your name, email, time-zone, and any information you choose to include in the booking form.
2.7 Sensitive information. Members may share credentials and access tokens with us so we can build and operate Deliverables on Member systems. We treat these as sensitive information. We do not use sensitive information for purposes other than providing the Service, and we do not disclose it except to the subprocessors listed in Section 4.1 to the extent required to perform the Service.
3. How we use information
We use the information above to:
- Provide, operate, and improve the Service.
- Perform Requests on your behalf, including provisioning third-party services where you authorize us to.
- Bill you and process payments.
- Communicate with you about your account, our Service, and (where lawful) bebuilt updates.
- Maintain security, prevent fraud, and enforce our Terms.
- Comply with legal obligations.
- Aggregate or de-identify information for analytics and Service improvement; once de-identified, that information is no longer subject to this Policy.
We do not sell personal information. We do not train, fine-tune, or otherwise use Member project content, Confidential Information, or personal information to develop AI models — whether bebuilt's own models or third-party models. The "generally applicable learnings" referenced in Section 7.2 of the Terms are limited to bebuilt's own internal methodology, patterns, and know-how that do not embed or reveal Member data and are not provided to AI model providers for training.
4. How we share information
We share information only as described below:
4.1 Subprocessors. We use third-party service providers ("subprocessors") to operate the Service. Current subprocessors include:
| Subprocessor | Purpose | Categories of data | Primary location |
|---|---|---|---|
| Stripe | Payment processing | Name, email, billing address, payment method | USA |
| Cal.com | Scheduling | Name, email, time-zone, booking form responses | USA |
| Vercel | Website and application hosting | Usage data, IP, deployed application content | USA |
| Vercel Analytics | Privacy-preserving site analytics | Aggregate page views, country-level location, device type | USA |
| Hetzner | Server infrastructure for hosted workloads | Application data, server logs | Germany / Finland |
| Supabase | Database, authentication, and storage | Account data, application data | USA |
| Google (Gmail / Google Workspace) | Business email and communications | Communications content | USA |
| Anthropic | LLM inference for AI features in Deliverables | Inputs and outputs from AI-enabled Requests | USA |
| OpenAI | LLM inference and embeddings for AI features in Deliverables | Inputs and outputs from AI-enabled Requests | USA |
We may add or change subprocessors as our stack evolves. The current list is available on request at brandon@livealittleventures.com. Where Member has signed a Data Processing Addendum requiring advance notice, bebuilt will provide at least thirty (30) days' notice of any material new subprocessor, during which Member may reasonably object. If the objection cannot be resolved, Member may terminate the affected portion of the Service.
4.2 At your direction. Where you ask us to provision third-party services in your account or send materials to a third party, we share what's necessary to do so.
4.3 Legal compliance. We may share information when required by law, subpoena, or other legal process, or to protect our rights and the safety of others. Where lawful, we will notify you first.
4.4 Business transfers. If bebuilt is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. The receiving party will be bound by terms at least as protective as this Policy.
5. AI processing
When a Request involves AI models, the inputs you provide and the outputs generated may be processed by the AI providers listed in Section 4.1 (currently Anthropic and OpenAI). We choose providers whose terms restrict the use of customer inputs and outputs for training their models, but their terms govern. Specifically, Anthropic's API does not use customer data to train models by default, and OpenAI's API has not used API inputs to train models by default since March 2023. bebuilt does not opt in to any data-sharing program with these providers. You can ask which providers we are using for any given Request, and we will tell you.
6. Data retention
We keep personal information for as long as needed to provide the Service and meet our legal obligations:
- Account and billing data: for the life of your subscription and seven (7) years thereafter for tax and accounting purposes.
- Project content: for the life of your subscription. On cancellation, we will, on request, return or delete project content within thirty (30) days, except where retention is required by law or to defend legal claims.
- Communications: typically three (3) years after our last interaction, unless required longer.
- Backups: encrypted backups may retain personal information for up to ninety (90) days after deletion from active systems, after which they are overwritten in the ordinary course.
- Aggregated or de-identified data: indefinitely.
7. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including:
- Encryption in transit (TLS) for all traffic between Members and the Service
- Encryption at rest for stored credentials and Member project content
- Access controls based on the principle of least privilege
- Audit logging of administrative actions
- Vendor management practices for the subprocessors listed in Section 4.1
No system is perfectly secure; we cannot guarantee absolute security. Use strong, unique passwords and scoped, revocable credentials, and tell us immediately if you suspect unauthorized access.
Breach notification. If bebuilt confirms a security incident that has resulted, or is reasonably likely to result, in unauthorized access to or disclosure of Member personal information, bebuilt will notify the affected Member without undue delay and in any event within seventy-two (72) hours of confirming the incident, with the information then known and a commitment to update Member as the investigation progresses.
8. Your rights
Depending on where you live, you may have the following rights:
- Access — request a copy of personal information we hold about you.
- Correction — request that inaccurate information be corrected.
- Deletion — request that we delete personal information, subject to legal exceptions.
- Portability — receive your information in a portable, machine-readable format.
- Objection / Restriction — object to or restrict certain processing.
- Withdrawal of consent — where processing is based on consent.
- Limit use of sensitive personal information — direct us to limit our use of sensitive personal information to that which is necessary to provide the Service.
- Opt-out of automated decision-making — where applicable, opt out of solely automated decisions with significant effects (we do not currently make such decisions).
How to exercise rights. Email brandon@livealittleventures.com with your request. Include enough information for us to identify your account and understand what you are asking for.
Verification. To protect your information, we will verify your identity before processing requests by matching the information you provide against the information we hold. For requests involving sensitive information or deletion, we may require additional verification.
Authorized agents. You may designate an authorized agent to act on your behalf by providing the agent with written, signed authorization. We may contact you directly to verify the agent's authority and your identity.
Response timelines. We will respond within forty-five (45) days of receiving a verified request, with one additional forty-five (45) day extension if reasonably necessary, in which case we will notify you of the extension and the reason for it.
Appeal. If we deny a request in whole or in part, you may appeal the decision by replying to our denial email with "Appeal" in the subject line and your basis for appeal. We will respond to appeals within sixty (60) days. If your appeal is denied, you may contact your state attorney general or equivalent supervisory authority.
Non-discrimination. We will not discriminate against you for exercising any of these rights.
Global Privacy Control. Where bebuilt processes personal information of California residents in a manner subject to the CCPA/CPRA, bebuilt honors Global Privacy Control (GPC) signals as a valid opt-out of sale or sharing for cross-context behavioral advertising. bebuilt does not currently sell or share personal information for cross-context behavioral advertising.
California residents. Under the CCPA/CPRA you have the rights above and the right to know the categories of personal information we collect, the sources from which it is collected, the business or commercial purposes for collecting it, and the categories of third parties to which we disclose it. We do not sell or share personal information for cross-context behavioral advertising.
EU/UK residents. To the extent the GDPR or UK GDPR applies to our processing, our legal bases include performance of a contract with you (Art. 6(1)(b)), our legitimate interests in operating and securing the Service (Art. 6(1)(f)), your consent (Art. 6(1)(a)) where required, and compliance with legal obligation (Art. 6(1)(c)). You may lodge a complaint with your local supervisory authority.
California personal information categories. For California residents, the following table summarizes the categories of personal information we collect, the sources, the business purposes, and the categories of recipients. We have not sold or shared personal information for cross-context behavioral advertising in the past twelve months and do not currently do so.
| CCPA category | Examples | Sources | Business purpose | Disclosed to |
|---|---|---|---|---|
| Identifiers | Name, email, account ID, IP address | Directly from you; automatically from your device | Account, billing, security, communications | Stripe, Vercel, Vercel Analytics, Google, Supabase |
| Customer records | Billing address, payment method | Directly from you; from Stripe | Billing, tax records | Stripe |
| Commercial information | Subscription history, Add-On Service usage | Generated through your use of the Service | Billing, Service improvement | Stripe, Supabase |
| Internet/network activity | Browser type, pages viewed, referring URL | Automatically from your device | Aggregate site analytics | Vercel, Vercel Analytics |
| Geolocation | Approximate (country/region) from IP | Automatically from your device | Site analytics, security | Vercel, Vercel Analytics |
| Audio/electronic information | Email content, call notes, Slack messages | Directly from you | Performing Requests; account communications | Google, Supabase |
| Professional information | Company, role | Directly from you | Account, communications | Supabase, Google |
| Inferences | Limited; e.g., feature interest from email subjects | Derived | Service improvement | None outside subprocessors |
| Sensitive personal information | Credentials and access tokens you share | Directly from you | Performing Requests | Subprocessors only as needed (Section 4.1) |
9. International transfers
We are based in the United States. Some of our subprocessors (for example, Hetzner) operate data centers in the European Union. Your information may therefore be transferred to and processed in the United States, the European Union, or other countries where our subprocessors operate. By using the Service, you consent to those transfers.
For transfers of EU/UK personal information to the United States, we rely on Standard Contractual Clauses entered into between bebuilt and the relevant subprocessor, supplemented by additional safeguards where appropriate. Where a subprocessor self-certifies under the EU-US Data Privacy Framework (and its UK Extension and Swiss-US extension), that certification provides an additional transfer mechanism. A Data Processing Addendum (DPA) implementing these protections is available on request at brandon@livealittleventures.com.
10. Children
The Service is offered for business and commercial use only and is not directed to children. We do not knowingly collect personal information from children under thirteen (13), and we do not knowingly collect personal information from children under sixteen (16) where required by applicable law (such as the EU GDPR). If you believe a child has provided us personal information, contact brandon@livealittleventures.com and we will delete it.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be posted here with an updated "Last updated" date and, where required, communicated to you by email.
12. Contact
Privacy inquiries: brandon@livealittleventures.com Mailing address: Live a Little Enterprises, LLC, 19 E Winthrope Rd, Kansas City, MO 64113
If you have a concern we have not addressed, you have the right to contact your local data protection authority.