Privacy

Privacy policy for governed agent planning.

This policy explains how buildr-plannr handles account, authentication, workspace, project, issue, agent activity, billing, support, analytics, and operational data.

Effective 2026-05-23

Source: docs/security/privacy-policy.md

Account and authentication data

Names, email addresses, workspace role labels, Cognito identifiers, authentication events, identity provider claims, MFA state, and session metadata used to create accounts and secure access.

Workspace, project, and issue data

Workspace metadata, project records, issues, comments, labels, priorities, acceptance criteria, dependencies, task contracts, import/export history, and verification evidence created by users or agents.

Agent activity and governance data

Agent capability metadata, claim and lease state, approval requests, readiness checks, risk scores, run quota events, audit trail entries, and evidence showing what an agent attempted and how it was reviewed.

Billing and entitlement data

Stripe customer IDs, subscription IDs, invoice references, checkout and billing portal session state, plan tier, entitlement snapshots, and billing contact metadata. Raw card data is handled by Stripe, not buildr-plannr.

Support, legal, and communications data

Support request content, severity and routing metadata, data request evidence, enterprise procurement messages, security review references, and lifecycle email delivery metadata.

Operations, security, and analytics data

Request IDs, deployment health signals, redacted operational logs, error summaries, security diagnostics, activation events, feature usage events, and pseudonymous analytics used to operate and improve the service.

What we collect

buildr-plannr collects the data needed to authenticate users, operate workspaces, coordinate human and agent planning, bill subscriptions, support customers, and secure the service.


How we use data

We use customer data to provide the planning product, enforce agent governance, maintain entitlements, troubleshoot issues, meet security obligations, and communicate about the service.

  • Operate projects, issues, task contracts, context packs, approval gates, evidence records, imports, exports, and workspace settings.
  • Authenticate users through Cognito, authorize workspace access, protect sessions, and investigate suspicious account activity.
  • Measure privacy-safe product activation and conversion trends without sending raw issue bodies, agent prompts, private context, secrets, or customer source material to analytics tooling.
  • Process subscriptions through Stripe, maintain plan limits and entitlement state, issue invoices, and support billing questions.
  • Monitor reliability and security using redacted CloudWatch logs, metrics, alarms, diagnostics, and incident evidence.

Subprocessors and sharing

We share data with subprocessors only where needed to run, secure, bill, monitor, email, analyze, or support buildr-plannr.

  • AWS hosts application runtime, storage, queues, logs, deployment evidence, backups, and networking for the deployed environments.
  • Amazon Cognito handles user pools, app clients, token issuance, verification, password reset, MFA, and identity provider claims.
  • Stripe handles checkout, subscriptions, invoices, payment method references, billing portal sessions, and billing webhooks.
  • Monitoring, analytics, email, and support vendors must follow the published subprocessor update process before they receive new categories of customer or workspace data.
  • The public subprocessor list at /subprocessors records vendor purpose, region, data categories, status, and notification process.

Retention and deletion

Retention is scoped to product operation, security, legal obligations, customer contracts, and explicit export or deletion requests.

  • Workspace, project, issue, agent activity, task contract, and evidence records are retained while the workspace is active and then removed or exported through the supported account and workspace lifecycle.
  • Authentication data is retained in Cognito while the account exists and for the security windows required to investigate abuse, account recovery, or access disputes.
  • Billing data is retained for subscription administration, tax, accounting, dispute, and compliance obligations; Stripe retains payment records under its own processing terms.
  • Operational logs are redacted and retained according to the active Terraform-managed CloudWatch retention policy unless an incident, abuse investigation, or legal obligation requires a scoped hold.
  • Backups and derived evidence age out through environment-specific backup, export, and deletion processes documented in security and operations materials.

Customer rights and controls

Workspace owners and authorized users can request access, export, correction, deletion, restriction, or portability support for personal data handled by buildr-plannr.

  • Use in-product exports for issue and workspace records where available, or open the legal support path for data that requires manual review.
  • Request correction or deletion for account, workspace, support, or billing metadata where the request does not conflict with legal, security, tax, or contractual retention duties.
  • Enterprise customers can request vendor, subprocessor, DPA, security, and audit evidence through their nominated legal or security review contact.
  • Requests involving another user's data, a workspace owned by another organization, or security-sensitive records may require identity, authority, or ownership verification.

Security and privacy safeguards

The product is designed to keep agent execution governed, workspace access scoped, and sensitive data out of places that do not need it.

  • Tokens, secrets, API keys, Cognito tokens, webhook signatures, private keys, raw passwords, and full customer email values are redacted from logs and support evidence.
  • Analytics must use pseudonymous identifiers and must not collect raw prompts, issue bodies, context pack contents, source material, or customer secrets.
  • Agent activity is tracked through approval gates, audit records, run quota controls, and evidence so humans can review high-impact actions.
  • Access to production systems is handled through AWS account boundaries, least-privilege roles, CI evidence, and environment-specific deployment controls.
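The redaction and pseudonymous-analytics safeguards above are stated as requirements, not shown as code. The following is an added example written for this page, not buildr-plannr's own implementation: a structured-log redactor that strips the secret types the policy names (PEM private keys, JWT-style Cognito or bearer tokens, AWS access keys, Stripe keys and webhook signatures, password fields) and replaces email addresses with a keyed pseudonym, plus an allowlist-based analytics event builder that can never carry issue bodies or prompts. The regexes, field names, dropped header names, key and sample event are all constructed assumptions.

```python
"""Log redaction and pseudonymous analytics helpers.

Added example for the privacy policy page, not buildr-plannr code. Patterns,
field names, the key and the sample event are assumptions constructed to match
the data categories the policy lists.
"""
import hashlib
import hmac
import json
import re

# Constructed key: in a real deployment this comes from a secrets manager and
# is rotated; it must never be logged itself.
KEY = b"constructed-example-key-not-for-production"

# Redaction rules, applied in order. PEM blocks run first so key material never
# reaches the narrower rules; the JWT rule covers Cognito ID/access tokens and
# other three-part bearer tokens.
REDACTIONS = [
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED:private_key]"),
    (re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), "[REDACTED:jwt]"),
    (re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"), "[REDACTED:aws_access_key]"),
    (re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]{8,}\b"), "[REDACTED:stripe_key]"),
    (re.compile(r"\bt=\d+,v1=[0-9a-f]{64}\b"), "[REDACTED:stripe_signature]"),
    (re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key)(\s*[=:]\s*)\S+"), r"\1\2[REDACTED]"),
]
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Keys whose whole value is dropped regardless of content (assumed header names).
DROP_KEYS = {"authorization", "cookie", "set-cookie", "x-api-key", "stripe-signature"}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, one-way, stable identifier for analytics and log correlation.

    HMAC rather than a bare hash: a leaked analytics dataset cannot be joined
    back to emails or user ids by anyone who does not hold the key.
    """
    return "pid_" + hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def redact_text(text: str, key: bytes) -> str:
    """Strip secrets from free text, then pseudonymise any email address."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return EMAIL.sub(lambda m: pseudonym(m.group(0), key), text)


def redact_event(event, key: bytes):
    """Recursively redact a structured log event (nested dicts, lists, strings)."""
    if isinstance(event, dict):
        return {k: ("[DROPPED]" if k.lower() in DROP_KEYS else redact_event(v, key))
                for k, v in event.items()}
    if isinstance(event, list):
        return [redact_event(v, key) for v in event]
    if isinstance(event, str):
        return redact_text(event, key)
    return event


# Analytics is built by allowlist, never by blocklist: only these low-risk
# fields are copied, and identifiers are replaced by pseudonyms, so raw issue
# bodies, prompts or context packs are never present to leak.
ANALYTICS_ALLOWLIST = ("event", "plan_tier", "occurred_at")
PSEUDONYMISED = {"user_email": "actor_pid", "workspace_id": "workspace_pid"}


def analytics_event(event: dict, key: bytes) -> dict:
    """Project a product event onto the analytics schema."""
    out = {k: event[k] for k in ANALYTICS_ALLOWLIST if k in event}
    for src, dst in PSEUDONYMISED.items():
        if src in event:
            out[dst] = pseudonym(str(event[src]), key)
    return out


# Constructed sample log event; not real customer data.
SAMPLE_EVENT = {
    "request_id": "req_01HZX",
    "user_email": "alice@example.com",
    "authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl",
    "message": "retry with token eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl "
               "for alice@example.com; stripe sig t=1716460800,v1=" + "a" * 64,
    "issue_body": "Rotate AKIAABCDEFGHIJKLMNOP after password=hunter2 leaked",
}

if __name__ == "__main__":
    print(json.dumps(redact_event(SAMPLE_EVENT, KEY), indent=2))
```

The two design points worth copying are the ordering of the rules (broad, high-value material such as PEM blocks first) and the allowlist for analytics: a blocklist of "sensitive" fields fails the moment a new field is added, whereas an allowlist fails closed.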

Contact and requests

Privacy, DPA, subprocessor, legal, data request, billing, and enterprise security review questions route through the legal support path.

  • Use /support?intent=legal for privacy rights requests, data deletion questions, DPA review, and subprocessor questions.
  • Use /contact?intent=security-review for enterprise security review and procurement requests.
  • Include privacy-safe identifiers, workspace name, request type, and proof of authority where needed; do not include passwords, tokens, API keys, or private source material.

Related legal and trust material

Use these routes for subprocessors, DPA review, security evidence, privacy rights requests, and enterprise security review.