Privacy Policy

1. Introduction

This Privacy Policy describes how buildsheet ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use our Service.

We are an sole proprietorship registered in Hungary, and we are committed to protecting your privacy in accordance with:

• EU General Data Protection Regulation (GDPR)
• Hungarian data protection laws
• Other applicable privacy regulations

2. Data Controller Information

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

• Email address: For account identification, authentication, and communication
• Full name: For personalization and invoicing purposes
• Password: Securely hashed using bcrypt (we never store plain-text passwords)
• Account status: Whether your account is active or disabled
• Registration date: When you created your account

3.2 Billing and Payment Information

When you make a purchase, we collect:

• Billing address: Street address, city, state/province, postal code, and country
• Payment transaction data: Amount, currency, payment status, transaction IDs (processed by Stripe)
• Stripe identifiers: Session ID, payment intent ID, customer ID
• Billingo partner ID: For Hungarian invoice generation

Important: We do NOT store your credit card details. All payment card information is processed and stored securely by Stripe, our PCI-DSS compliant payment processor.

3.3 Content Data

We store the cheatsheets and documentation you create, including:

• Cheatsheet content: Text, markdown, formulas, and styling
• Grid configuration: Layout settings, frozen rows/columns
• Cell data: Values, formulas, and formatting stored as JSON
• Metadata: Titles, descriptions, categories, template status
• Timestamps: Creation and last modification dates
• Deletion status: Soft-delete flags for recovery purposes

3.4 Usage and Technical Data

We automatically collect:

• Authentication data: JWT tokens stored in secure, HTTP-only cookies
• Rate limiting data: Request counts to prevent abuse (stored in Redis)
• Session data: Temporary purchase intent data (stored in browser sessionStorage)
• Auto-save data: Automatic saves triggered every 2 seconds when changes are detected
• Analytics data (optional): We may use analytics tools to understand how users interact with our Service, including page views, feature usage, and performance metrics. This helps us improve the Service and user experience.

Note: We do not use advertising trackers or sell your data to third parties. We do not track your browsing behavior outside our Service.

3.5 Email Communication Data

We process email addresses for:

• Transactional emails: Password resets, welcome emails, refund confirmations
• Invoices: Electronic invoices sent via Billingo
• Customer support: Responses to your inquiries

4. How We Use Your Information

4.1 Service Provision

• Create and maintain your account
• Authenticate your identity and secure your account
• Store and sync your cheatsheets across devices
• Enable auto-save functionality
• Generate PDF and Markdown exports
• Provide technical support and customer service

4.2 Payment Processing

• Process one-time payments through Stripe
• Generate electronic invoices through Billingo (Hungarian tax compliance)
• Handle refund requests and process refunds
• Apply discount codes when applicable
• Maintain payment records for accounting and tax purposes

4.3 Communication

• Send password reset emails with time-limited tokens
• Send welcome emails to new users
• Send refund confirmation emails
• Send invoices/receipts for purchases
• Respond to support inquiries

4.4 Security and Fraud Prevention

• Rate limiting
• Detect and prevent fraudulent transactions
• Monitor for suspicious account activity
• Enforce password requirements (8+ chars, mixed case, numbers, special characters)

4.5 Legal Compliance

• Comply with GDPR, Hungarian, and EU data protection laws
• Comply with Hungarian tax and invoicing regulations
• Respond to legal requests and court orders
• Enforce our Terms of Service

5. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal grounds:

6. Data Sharing and Third-Party Services

We share your data with the following trusted third-party service providers who help us operate the Service:

Important: We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.

7. Data Retention

7.1 Active Accounts

We retain your personal data for as long as your account is active and you continue to use the Service. Since buildsheet offers lifetime access, your data is retained indefinitely unless you request deletion.

7.2 Deleted Content

• Soft-deleted cheatsheets: Marked as deleted but may be recoverable for a limited time
• Permanent deletion: Content may be permanently deleted after a reasonable period

7.3 Closed Accounts

After you close your account or request deletion:

• We will delete your personal data within 30 days
• Some data may be retained for legal or regulatory purposes (e.g., payment records for tax compliance)
• Anonymized usage data may be retained for analytics and service improvement

7.4 Legal Retention Requirements

Certain data must be retained to comply with legal obligations:

• Payment and invoice records: Retained for 8 years (Hungarian tax law requirement)
• Fraud prevention records: Retained as necessary to prevent future fraudulent activity

8. Cookies and Tracking Technologies

8.1 Authentication Cookie

8.2 Session Storage (Client-Side)

We use browser sessionStorage (not cookies) for:

• pendingPurchase: Temporarily stores purchase intent for unauthenticated users (expires after 5 minutes or when tab closes)
• scrollToPricing: Flag to auto-scroll to pricing section after signup

Note: sessionStorage data is stored locally in your browser, never transmitted to our servers, and is automatically cleared when you close the browser tab.

8.3 Analytics Cookies (Optional)

We may use analytics tools (such as Google Analytics or similar services) to understand how users interact with our Service. These tools may use cookies to collect:

• Page views and navigation patterns
• Feature usage statistics
• Time spent on pages
• Device and browser information
• General geographic location (country/city level)

Note: Analytics data is used solely to improve our Service and is typically anonymized or aggregated. You can opt-out of analytics tracking through your browser settings or by using browser extensions that block analytics cookies.

8.4 What We DON'T Use

We do NOT use:

• Advertising or marketing cookies for targeted ads
• Social media tracking pixels for advertising purposes
• Cross-site tracking technologies for ad networks
• Behavioral advertising networks
• Data brokers or third-party data selling

9. Data Security

We implement industry-standard security measures to protect your data:

9.1 Encryption

• In transit: All data transmitted over HTTPS/TLS encryption
• At rest: Database encryption provided by MongoDB Atlas
• Passwords: Hashed with bcrypt (10+ salt rounds, irreversible)

9.2 Access Controls

• Role-based access control (user/admin)
• JWT-based authentication with secure, HTTP-only cookies
• Rate limiting on all API endpoints
• Password reset tokens expire after 1 hour
• Purchase intent tokens expire after 5 minutes

9.3 Infrastructure Security

• Database hosted on secure MongoDB Atlas infrastructure
• Redis rate limiting via Upstash (cloud-based, encrypted)
• Payment processing via PCI-DSS compliant Stripe
• Regular security updates and patches

9.4 Fraud Prevention

• Stripe fraud detection and prevention
• Rate limiting to prevent brute-force attacks
• Webhook signature verification
• Account monitoring for suspicious activity

Note: While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your password and reporting any unauthorized access immediately.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

To exercise your rights, please contact us at hello@usegrand.app. We will respond to your request within 30 days as required by GDPR.

11. International Data Transfers

We are based in Hungary (EU), but some of our service providers are located outside the EU:

• Stripe (USA): Covered by Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework
• Resend (USA): GDPR-compliant data processing agreement

We ensure that all international data transfers comply with GDPR requirements through:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions for certain countries
• Data processing agreements with GDPR compliance guarantees

12. Children's Privacy

Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at hello@usegrand.app. We will delete such information from our records.

13. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours (GDPR requirement)
• Notify affected users without undue delay if the breach poses a high risk
• Provide information about the nature of the breach and remedial actions taken
• Take immediate steps to contain and remediate the breach

14. Automated Decision-Making

We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

The only automated processes we use are:

• Rate limiting: Automatic blocking of excessive requests (abuse prevention)
• Fraud detection: Stripe's automated fraud screening (payment security)
• Auto-save: Automatic saving of your work (user benefit)

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we do:

• We will update the "Last Updated" date at the top of this page
• We will notify you of material changes via email or through the Service
• We will provide a prominent notice on our website
• For significant changes, we may require your renewed consent

Your continued use of the Service after changes indicates your acceptance of the updated Privacy Policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

We will respond to your inquiry within 30 days as required by GDPR.