Legal
Privacy Policy.
Last updated 26 June 2026
This Privacy Policy explains how Builte Limited ("Builte", "we", "us", "our") collects, uses, discloses, retains and protects personal data in connection with the website at builte.global (the "Site"), our business communications, and our partnership engagements with industrial and commercial operators ("Operators"). It applies to website visitors, business and partnership contacts, and individuals whose personal data is captured within Operator environments where Builte technology is deployed.
Key points
- We process three groups of people: visitors to this Site, business contacts who engage with us about partnerships, and individuals whose image or activity may be captured inside an Operator environment where our systems are deployed.
- Inside an Operator environment, the Operator is the controller of personal data captured on its premises. Builte acts as a processor under a written agreement, and applies minimisation, obscuring of identifiers (such as face and licence-plate blurring) and access controls by default.
- Operator data is treated as confidential. We do not share an Operator's data with that Operator's competitors. We do not use it to train shared models that benefit other operators without explicit written permission.
- We do not sell personal data and we do not share personal data for cross-context behavioural advertising as defined under the California Consumer Privacy Act.
- You have rights over your personal data. To exercise them, contact partners@builte.global.
1. Controller and contact
1.1 Builte Limited is a company registered in England and Wales, with its registered office in London, United Kingdom. References to "Builte" in this Policy mean Builte Limited and its affiliates from time to time.
1.2 For personal data we collect through the Site and through our direct business communications, Builte is the controller. For personal data captured inside an Operator environment under a partnership agreement, the Operator is the controller and Builte acts as a processor under that agreement, except where Builte processes such data for its own defined purposes (for example, statutory compliance, or contractually permitted dataset development), in which case Builte is the controller for those defined purposes.
1.3 Privacy contact: partners@builte.global. Postal correspondence may be addressed to Builte Limited, Privacy, London, United Kingdom.
2. Scope and data subjects
2.1 This Policy applies to the following categories of data subject:
- Site Visitors: individuals who access or interact with the Site.
- Business Contacts: individuals who contact Builte, or whom Builte contacts, in relation to a prospective, current or former partnership, including personnel of Operators, suppliers, advisers and investors.
- Operator Environment Individuals: individuals whose personal data may be captured by Builte systems deployed inside an Operator environment, including the Operator's staff, contractors, visitors and, in limited cases, members of the public present in semi-public operational spaces.
3. Categories of personal data
3.1 Site Visitors
- Identifiers and contact details submitted through forms (name, company, role, business email, country, industry, message content).
- Technical data automatically collected to operate the Site (IP address, user agent, referrer, timestamps, approximate location derived from IP, device characteristics).
- Cookie data and similar identifiers as described in our Cookie Policy.
3.2 Business Contacts
- Business identifiers and contact details (name, employer, role, business email, business telephone).
- Correspondence and meeting records relating to the partnership lifecycle.
- Commercial diligence information voluntarily shared by an Operator or its personnel.
3.3 Operator Environment Individuals
- Visual data from fixed cameras or sensors at Operator sites, which may include images of individuals.
- Operational sensor data which may indirectly identify an individual through context, role or location (for example, workstation telemetry).
- Identifiers issued by the Operator (such as employee or badge identifiers) where the Operator chooses to share them for the agreed purpose.
3.4 Builte does not seek to collect special category personal data or biometric data for the purpose of uniquely identifying a natural person. Where visual data could be processed in a way that produces biometric identifiers, Builte applies the controls described in Section 5.
4. Purposes and lawful bases
4.1 We process personal data for the following purposes and on the following lawful bases under the UK GDPR and the EU GDPR.
| Purpose | Categories | Lawful basis |
|---|---|---|
| Operating, securing and improving the Site | Site Visitors | Legitimate interests in providing a secure and performant website. Consent for non-essential cookies. |
| Responding to enquiries and managing the partnership lifecycle | Business Contacts | Legitimate interests in pursuing and managing commercial relationships. Where pre-contractual steps are taken at the request of the data subject, performance of a contract. |
| Deploying and operating Builte systems inside an Operator environment | Operator Environment Individuals | The Operator's lawful basis as controller (typically legitimate interests in operational safety, productivity and quality, supported by appropriate notices and, where required, consent or other condition). |
| Producing operational intelligence for the Operator | Operator Environment Individuals | Processor processing on the Operator's documented instructions under Article 28 UK GDPR and Article 28 EU GDPR. |
| Building and retaining underlying datasets and improving models, subject to contract | Operator Environment Individuals (where permitted) | Legitimate interests of Builte in developing physical AI systems, only where the data has been de-identified or aggregated to a standard agreed in writing with the Operator, and only to the extent expressly permitted by the partnership agreement. |
| Compliance with legal and regulatory obligations | All | Legal obligation. |
| Establishment, exercise or defence of legal claims | All | Legitimate interests, and, where relevant, Article 9(2)(f) UK GDPR / EU GDPR. |
4.2 Where we rely on legitimate interests, we have carried out a balancing assessment which considers the nature of the data, the reasonable expectations of the data subjects, the safeguards applied, and the impact on data subject rights and freedoms. The relevant assessment can be requested from the contact in Section 1.
5. Identifiable footage and special category data
5.1 Builte systems deployed inside an Operator environment may incidentally capture identifiable footage of individuals. Builte does not deploy facial recognition for the purpose of uniquely identifying a natural person unless this is expressly required by the Operator under a written authorised purpose, supported by the Operator's data protection impact assessment, and lawful in the relevant jurisdiction.
5.2 Default technical and organisational measures applied to visual data include:
- Capture limited to the area and the time necessary for the agreed operational purpose.
- Automated obscuring of faces, licence plates and other direct identifiers at, or as close as practicable to, the point of capture, unless an authorised purpose requires identifiable retention.
- Strict role-based access, with access to identifiable footage limited to named individuals on a need-to-know basis and logged.
- Encryption in transit and at rest, with key separation between Operator environments.
- Defined retention periods, with default short-term retention of raw footage and longer retention only of derived, de-identified analytical outputs.
5.3 Notice and, where required, consent at Operator sites is operated jointly with the Operator. The Operator is responsible for posting signage at the perimeter and at points of capture, for informing its workforce, and for any required works council or employee representative consultation. Builte supports the Operator with template notices and a data protection impact assessment framework.
6. Operator and partnership data
6.1 Operator confidential information, operational data, and personal data captured in the Operator environment are treated as confidential under the partnership agreement.
6.2 Builte does not disclose Operator-identifying data to a competitor of that Operator. Builte does not use Operator-identifying data to produce intelligence for a competitor of that Operator.
6.3 Where the partnership agreement permits Builte to develop underlying datasets and derived models, such datasets are constructed so that the contributing Operator is not identifiable in the dataset or in any output derived from it, and personal data is de-identified or aggregated to the standard agreed with the Operator.
7. Recipients and disclosures
7.1 We disclose personal data to the following categories of recipient:
- Service providers acting as processors, including cloud infrastructure, communications, customer relationship management, productivity, security, and analytics providers, in each case bound by written terms that comply with Article 28 UK GDPR and Article 28 EU GDPR.
- Professional advisers such as lawyers, auditors, insurers and bankers, subject to duties of confidentiality.
- Operators and their authorised personnel, for personal data captured at their sites.
- Acquirers or successors in connection with a corporate transaction, subject to confidentiality and lawful safeguards.
- Regulators, courts and law enforcement where required by law or to establish, exercise or defend legal rights.
7.2 We do not sell personal data. We do not share personal data for cross-context behavioural advertising.
8. International transfers
8.1 Builte operates internationally. Personal data may be transferred to, accessed from, or stored in jurisdictions outside the United Kingdom and the European Economic Area, including the United States.
8.2 Where personal data is transferred outside the United Kingdom, we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, an adequacy regulation made by the Secretary of State, or another lawful transfer mechanism. Where personal data is transferred outside the European Economic Area, we rely on the EU Standard Contractual Clauses (2021/914), an adequacy decision of the European Commission, or another lawful transfer mechanism. Supplementary technical and organisational measures are applied where required by a transfer risk assessment.
8.3 A copy of the relevant transfer mechanism for a specific transfer can be requested from the contact in Section 1, subject to redaction of commercially sensitive information.
9. Retention
9.1 We retain personal data for no longer than is necessary for the purposes for which it was collected. Indicative periods are:
| Category | Indicative retention |
|---|---|
| Site enquiry submissions and correspondence | Up to 24 months from last interaction, then archived for a further 36 months for legal and audit purposes. |
| Business Contact records relating to a live partnership | Duration of the partnership plus 6 years. |
| Raw visual data captured in an Operator environment | Default 7 to 30 days, subject to the Operator's documented instructions and applicable law. |
| De-identified or aggregated analytical outputs | For so long as the Operator's authorisation permits, and thereafter as needed for model integrity and audit. |
| Server logs and security telemetry | Up to 12 months, longer where required for incident investigation. |
9.2 At the end of the applicable retention period, personal data is securely deleted, anonymised, or returned to the Operator in accordance with the partnership agreement.
10. Security
10.1 Builte maintains a written information security programme appropriate to the nature of the data it processes. Controls include identity and access management with single sign-on and multi-factor authentication, role-based access, network segmentation, encryption in transit (TLS 1.2 or higher) and at rest, hardened build pipelines, dependency monitoring, endpoint protection, structured logging, vulnerability management, secure software development practices, penetration testing, vendor due diligence, secure decommissioning, and incident response procedures.
10.2 Builte will notify the Operator of any personal data breach affecting personal data processed on its behalf without undue delay, and in any event within the period required by the partnership agreement and applicable law.
11. Your rights (UK and EU)
11.1 Subject to the conditions and exemptions in applicable law, individuals in the United Kingdom and the European Economic Area have the following rights:
- Right of access.
- Right to rectification.
- Right to erasure.
- Right to restriction of processing.
- Right to data portability.
- Right to object, including to processing based on legitimate interests and to direct marketing.
- Right not to be subject to a decision based solely on automated processing which produces legal or similarly significant effects.
- Right to withdraw consent, where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
11.2 Requests in respect of personal data captured inside an Operator environment should be directed in the first instance to the Operator as controller. Builte will support the Operator's response as required by the partnership agreement.
11.3 To exercise rights in respect of personal data for which Builte is the controller, write to partners@builte.global. We may request information reasonably necessary to verify your identity.
12. US state privacy rights
12.1 If you are a resident of California, you have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), to know what personal information we have collected about you, to delete it, to correct inaccurate personal information, to opt out of the sale or sharing of personal information, and to limit the use and disclosure of sensitive personal information. Comparable rights apply to residents of other US states with general consumer privacy legislation, including Virginia, Colorado, Connecticut, Utah, Texas, Oregon and others.
12.2 Categories of personal information collected, the business and commercial purposes for collection, and the categories of recipients are set out in Sections 3, 4 and 7.
12.3 Notice of right to opt out of sale and sharing: Builte does not sell personal information and does not share personal information for cross-context behavioural advertising as those terms are defined under the CCPA. There is, therefore, no sale or sharing from which to opt out.
12.4 Sensitive personal information: we do not use or disclose sensitive personal information for purposes that require an opt-out under the CCPA.
12.5 To submit a verifiable consumer request, write to partners@builte.global. You may use an authorised agent. We will not discriminate against you for exercising your rights.
13. Cookies and analytics
13.1 We use a limited set of cookies and similar technologies as described in our Cookie Policy.
14. Children
14.1 The Site is not directed to children. We do not knowingly collect personal data from individuals under 16. If you believe a child has provided personal data to us, contact the address in Section 1 and we will take appropriate steps.
15. Complaints
15.1 We would like the opportunity to address your concerns before you approach a regulator. Please contact us first at partners@builte.global.
15.2 If you are not satisfied, you may lodge a complaint with the Information Commissioner's Office in the United Kingdom (ico.org.uk), the supervisory authority of your habitual residence, place of work or place of the alleged infringement within the European Economic Area, or the relevant US state authority.
16. Changes to this Policy
16.1 We may update this Policy from time to time. The "Last updated" date at the top of the page reflects the date of the most recent revision. Where changes are material we will take additional steps to bring them to your attention.