Last updated: May 2026

Privacy Policy

This Privacy Policy explains how we — Builderz GmbH — process personal data when you visit builderzworld.com, voicedna.builderzworld.com, and any subdomains (collectively, the "Sites"), apply for our cohort programs, sign up for our email list, or use our Voice DNA tool.

We have written this in plain language. Where it matters, we cite the legal basis under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) so you can see exactly why and how we process your data.

1. Controller

The controller responsible for the processing of your personal data on the Sites is:

Builderz GmbH
Ohmstraße 9
80802 München
Germany

Email: kontakt@builderz.org
Represented by: Bernhard Neumann, Geschäftsführer

For full company details, see our Imprint.

2. Data Protection Officer

We have not appointed a Data Protection Officer because we are not legally required to do so under Art. 37 GDPR or § 38 BDSG. For all data protection matters, please contact us at kontakt@builderz.org.

3. Your Rights at a Glance

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15 GDPR) — you can ask us what data we hold about you.
Right to rectification (Art. 16 GDPR) — you can ask us to correct inaccurate data.
Right to erasure / "right to be forgotten" (Art. 17 GDPR) — you can ask us to delete your data.
Right to restriction of processing (Art. 18 GDPR).
Right to data portability (Art. 20 GDPR) — you can receive your data in a portable format.
Right to object (Art. 21 GDPR) — in particular against processing based on legitimate interests or for direct marketing.
Right to withdraw consent at any time (Art. 7(3) GDPR), without affecting the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

To exercise any of these rights, email us at kontakt@builderz.org. We will respond within one month.

The competent supervisory authority for us is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
www.lda.bayern.de

4. General Information on Data Processing

4.1 Principles

We only process personal data to the extent necessary for the purposes described in this policy, on a valid legal basis under Art. 6 GDPR, and we apply the principles of data minimization and storage limitation.

4.2 Storage and Deletion

We delete personal data as soon as the purpose for which it was collected no longer applies, unless statutory retention obligations (in particular under §§ 147 AO and 257 HGB — generally 6 to 10 years for tax-relevant business records) require longer storage. Specific retention periods are listed under the relevant section below.

4.3 No Automated Decision-Making

We do not use your personal data for automated decision-making within the meaning of Art. 22 GDPR (decisions producing legal or similarly significant effects).

5. When You Visit the Sites (Server Log Files)

When you load any page on our Sites, your browser automatically transmits certain technical information to our hosting provider. This includes:

Your IP address (anonymized where possible)
Date and time of the request
The specific page or file requested
HTTP status code
Amount of data transferred
Referrer URL (the page you came from)
Browser type and version
Operating system

Purpose: Delivering the website, ensuring stability, security, and integrity of our systems, and defending against attacks.

Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in operating a secure and functional website.

Retention: Log files are typically deleted or anonymized within 7 days, unless they are required for security investigations.

5.1 Hosting (Vercel)

The Sites are hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Vercel automatically processes the technical data described above on our behalf in order to deliver the Sites.

Vercel is a US-based provider. Data may therefore be processed in the United States or other countries outside the European Economic Area. To safeguard this transfer, we have entered into a Data Processing Agreement with Vercel that incorporates the European Commission's Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR. Vercel is also certified under the EU–U.S. Data Privacy Framework, providing an adequacy basis under Art. 45 GDPR.

Vercel's privacy policy: vercel.com/legal/privacy-policy
Vercel's DPA: vercel.com/legal/dpa

6. Cookies and Local Storage

We use only strictly necessary cookies and similar technologies that are required to deliver the Sites and the services you actively request (e.g., session cookies, security tokens). These do not require consent under § 25(2) TDDDG.

We do not currently use marketing cookies, advertising cookies, or third-party analytics cookies that track you across websites. Should we introduce such technologies in the future, we will obtain your prior consent through a cookie banner in line with § 25(1) TDDDG and Art. 6(1)(a) GDPR, and update this policy.

7. Application Calls (Cohort Application via Google Calendar)

To apply for the Builderz World cohort, you can book a call through a Google Calendar appointment scheduling link embedded on our Sites.

Data processed: Name, email address, time zone, the time slot you select, and any information you voluntarily provide in the booking form.

Purpose: Scheduling and conducting your application call, evaluating your fit for the cohort, and follow-up communication.

Legal basis:

Art. 6(1)(b) GDPR — pre-contractual measures taken at your request.
Art. 6(1)(f) GDPR — our legitimate interest in efficient scheduling.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (with Google LLC as a US-based affiliate). When you load the Google Calendar embed or open the calendar link, your browser connects to Google's servers, and Google processes your data under its own privacy policy (policies.google.com/privacy). Google relies on SCCs and the EU–U.S. Data Privacy Framework for data transfers to the United States.

Retention: Booking and call data are retained for as long as your application is active, plus up to 24 months for follow-up. After that, we delete or anonymize the records, subject to statutory retention obligations.

8. Email Newsletter and Voice DNA Lead Magnet

8.1 What we collect

When you sign up for Voice DNA at voicedna.builderzworld.com (or for any other Builderz mailing list), we collect:

Your first name
Your work email address
The date and time of your sign-up and the IP address used (for proof-of-consent under Art. 7 GDPR)
Engagement data (whether you open emails or click links)

8.2 Purpose

We use this data to:

Deliver access to the Voice DNA tool and your generated Voice DNA file;
Send you the email updates from Builderz World you signed up for;
Measure the effectiveness of our emails (open rates, click rates).

8.3 Legal basis

Sending you marketing emails: Art. 6(1)(a) GDPR — your explicit consent, given at the moment of sign-up. You can withdraw this consent at any time, with effect for the future, by clicking the unsubscribe link in any email or by contacting us at kontakt@builderz.org.
Storing your IP and timestamp: Art. 6(1)(c) GDPR — to comply with our accountability obligations under Art. 5(2) and Art. 7(1) GDPR.
Engagement tracking: Art. 6(1)(a) GDPR — included in your initial consent.

8.4 Service provider: Kit (formerly ConvertKit)

We use Kit (operated by ConvertKit LLC, P.O. Box 761, Boise, Idaho 83701, USA) to manage subscribers and send emails. Kit processes the data described above on our behalf as a processor under Art. 28 GDPR.

Data is transferred to the United States. Safeguards in place:

Data Processing Addendum incorporating the EU Standard Contractual Clauses (SCCs) under Art. 46 GDPR;
Kit's certification under the EU–U.S. Data Privacy Framework (Art. 45 GDPR adequacy decision).

Kit's privacy policy: kit.com/privacy
Kit's DPA: kit.com/dpa

8.5 Retention

We retain your subscriber data for as long as you are subscribed. If you unsubscribe, we delete your active subscriber record without undue delay. We may retain a minimal "do-not-contact" record (your hashed email and unsubscribe timestamp) on the basis of Art. 6(1)(f) GDPR — our legitimate interest in not contacting you again.

9. Voice DNA — AI Processing of Your Writing Samples

The Voice DNA tool at voicedna.builderzworld.com is the most data-sensitive part of our offering, so we explain it in detail.

9.1 What happens

You enter or paste writing samples (e.g., emails, posts, notes, drafts you have written) into the Voice DNA interface.
We send those writing samples, together with our system prompt, to an AI model operated by xAI (the "Grok" model family) via xAI's API.
xAI processes the input and returns an output — your "Voice DNA" file (voice summary, writing patterns, do/don't rules, prompt block).
We display this file to you and let you copy or download it.

You should only paste content you are comfortable sharing with us and with xAI. Do not paste anything containing trade secrets, special categories of personal data (e.g., health data, political opinions, religious beliefs), banking or financial details, or third-party confidential information.

9.2 Data processed

The writing samples you paste — these may contain personal data about you and, depending on what you paste, about third parties.
The output generated by the AI model.
Technical metadata necessary to process the request (e.g., request timestamps, technical identifiers).

9.3 Purpose

To generate your Voice DNA file as the service you actively requested.

9.4 Legal basis

Art. 6(1)(b) GDPR — performance of a service (the Voice DNA tool) you have requested.
For any data of third parties incidentally contained in your samples: Art. 6(1)(a) GDPR — your warranty that you have the right to share that content with us, and Art. 6(1)(f) GDPR — our legitimate interest in delivering the requested service. You are responsible for ensuring you have the right to submit any third-party content you paste.

9.5 Sub-processor: xAI (Grok)

The AI processing is performed by X.AI LLC, 1450 Page Mill Rd, Palo Alto, CA 94304, USA. xAI acts as our processor under Art. 28 GDPR.

Important properties of this processing — confirmed by xAI's enterprise terms:

No training on your data. xAI does not use API inputs (your writing samples) or outputs (your Voice DNA file) to train its AI models.
Short retention. xAI automatically deletes API inputs and outputs within 30 days, unless legally required to retain them or unless content is flagged for safety or policy violations.
No selling or sharing for advertising. xAI does not sell your data or share it with third parties for marketing or advertising.
Limited human review. A small number of authorized xAI personnel may review data only when legally required, e.g., to investigate security incidents or potential misuse.

xAI is a US-based provider. The transfer of personal data to the United States is safeguarded by:

xAI's Data Processing Addendum incorporating the EU Standard Contractual Clauses (Art. 46 GDPR);
Supplementary technical and organizational measures (encryption in transit and at rest, access controls).

xAI privacy policy: x.ai/legal/privacy-policy
xAI Enterprise Terms: x.ai/legal/terms-of-service-enterprise
xAI DPA: x.ai/legal/data-processing-addendum

9.6 Retention on our side

We do not store your writing samples or your generated Voice DNA file on our servers after the session ends, unless you explicitly choose to save it via your Kit subscriber profile. The output is generated for your in-browser use. You are responsible for downloading and storing your own copy.

If you wish to delete any record of your usage, contact us at kontakt@builderz.org.

9.7 AI transparency notice

In line with Article 50 of the EU AI Act (effective from August 2026): you are interacting with an AI system. The Voice DNA file is generated by a machine learning model. The output may contain inaccuracies, hallucinations, or content that does not perfectly reflect your actual writing voice. Treat the output as a starting point, not a final product.

10. Email Communication

When you contact us by email (e.g., at kontakt@builderz.org), we process your name, email address, message content, and any other details you provide.

Purpose: To respond to your inquiry.

Legal basis: Art. 6(1)(b) GDPR (if your inquiry relates to a contract or pre-contractual matters) or Art. 6(1)(f) GDPR (our legitimate interest in handling inquiries).

Retention: Inquiries are typically retained for up to 24 months after the matter is resolved, unless statutory retention obligations apply.

11. Cohort Participation (Paying Customers)

If you are accepted into a Builderz World cohort and become a paying participant, we additionally process:

Billing details (name, address, VAT ID if applicable);
Payment confirmation data from our payment processor;
Cohort participation data (attendance, contributions, the assets you create during the program).

Purpose: Performing the cohort contract, billing, and meeting tax and commercial-law retention obligations.

Legal basis:

Art. 6(1)(b) GDPR — performance of contract;
Art. 6(1)(c) GDPR — compliance with legal obligations (tax law).

Retention: Tax-relevant records are retained for the statutory period (generally 10 years under § 147 AO and § 257 HGB). Other cohort-related data is deleted within 24 months after cohort completion, unless you remain in our community structures.

12. International Data Transfers — Summary

Several of our processors are based in the United States. Every transfer of personal data outside the European Economic Area is safeguarded by at least one of the following mechanisms:

An adequacy decision by the European Commission (Art. 45 GDPR), in particular the EU–U.S. Data Privacy Framework where the recipient is certified;
Standard Contractual Clauses adopted by the European Commission (Art. 46 GDPR), incorporated into our Data Processing Agreements with each processor;
Where required, supplementary measures such as encryption and access controls.

A current list of our key processors and the safeguards in place is summarized in this policy. You can request a copy of the relevant SCCs by emailing kontakt@builderz.org.

13. Data Security

We use industry-standard technical and organizational measures to protect your personal data, including TLS encryption for data in transit, access controls, and the careful selection of processors who meet recognized security standards (e.g., ISO 27001, SOC 2). No method of transmission over the internet is 100% secure, but we work to keep the risk as low as reasonably possible.

14. Children

The Sites and our services are intended for adults — specifically, professionals with significant work experience. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

15. Links to Third-Party Websites

The Sites may contain links to external websites. We are not responsible for the privacy practices or content of these third parties. Please consult their respective privacy policies.

16. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, our processors, or applicable law. The "Last updated" date at the top of this page indicates when the latest version was published. For material changes, we will notify subscribers by email and/or with a prominent notice on the Sites.

17. Contact

For any question about this Privacy Policy or to exercise your data protection rights, contact:

Builderz GmbH
Ohmstraße 9
80802 München
Germany
kontakt@builderz.org