BUILDING YOUR DREAMS TECH, LLC

Privacy Policy

Effective date: June 20, 2026

This Privacy Policy explains how Building Your Dreams Tech, LLC ("we", "us", or "our") collects, uses, discloses, and protects information when you use our Helios Vision AI platform, websites, and related services (the "Services"). By using the Services, you agree to the terms of this Policy.

1. Information We Collect

  • Account data: name, email address, company details, phone number, and role.
  • Authentication and security data: credentials, OAuth tokens (encrypted at rest), and audit logs.
  • Usage data: application interactions, configuration choices, device and browser metadata, and diagnostics.
  • Content you provide: prompts, messages, uploaded documents, and AI agent configurations.
  • Integration data: when you connect third-party services (see Section 3 below), we access only the minimum data needed to perform the requested actions.

2. How We Use Information

  • Provide, operate, maintain, and improve the Services and AI agents.
  • Secure the platform, detect fraud or abuse, and maintain audit trails.
  • Personalize experiences, recommend configurations, and support users.
  • Send transactional communications (updates, security notices, service messages).
  • Comply with legal obligations and enforce our Terms of Service.

Note: Data obtained from Google APIs is used exclusively to provide and improve the user-facing features described in Section 3 below. Google user data is not used for any other purpose listed in this section.

3. Google API Services — Limited Use Disclosure

Our platform integrates with Google API Services to provide AI-powered automation features. We request only the permissions strictly necessary for each integration:

Google Sign-In (Authentication)

We use Google OAuth for user authentication. We access your basic profile information (name and email address) solely to create and authenticate your account. No additional Google data is accessed through sign-in.

Gmail Sending (gmail.send, gmail.labels)

When a business connects their Gmail account for sending, their AI agents can send emails on behalf of the business. This includes sending appointment confirmations, customer follow-ups, and internal staff notifications about customer interactions. Thegmail.send scope is used exclusively for sending emails that are explicitly initiated by the user or by automated workflows configured by the user within the platform. Thegmail.labels scope is used only to apply or manage labels for messages generated and sent by the platform.

Gmail Inbox (gmail.readonly)

When a business optionally connects their Gmail inbox, the platform reads incoming emails so that its own AI agents can classify, summarize, and draft or send responses to that business's customers. The gmail.readonly scope provides read-only access — the platform cannot modify or delete messages in the connected mailbox. This integration is separate from the Gmail sending integration and must be explicitly enabled by the account administrator.

To power the inbox and automated replies, incoming email content (including message bodies and attachments) is stored in that business's own isolated records within our infrastructure, encrypted at rest and access-controlled so that one business can never see another's data. This content is used solely to provide the inbox and AI-response features to that same business, is never used to train, fine-tune, or improve any AI/ML model, is never sold or used for advertising, and is retained only for as long as the business's plan retention window requires. It is permanently deleted when the business deletes its account, disconnects the integration, or requests deletion (see the Data Retention and Your Rights sections).

Google Calendar Integration (calendar.events)

When a business connects their Google Calendar, their AI agents can check availability and create, update, or cancel calendar events on behalf of the business. This enables automated appointment scheduling when customers interact through WhatsApp, Instagram, Messenger, web chat, email, or voice channels.

AI Processing of Google Data

When you connect Gmail or Google Calendar, your AI agents process the minimum data needed to execute user-initiated actions (e.g., composing an email or scheduling an event). This processing is transient and inference-only: data is sent to the AI provider in real time to fulfill the request, and is not stored, cached, or retained by the AI provider after the response is generated.

We use the following AI services as data sub-processors, strictly under our instructions:

  • OpenAI API — powers conversational AI agents that execute actions such as sending emails or managing calendar events. OpenAI's API data usage policy states that data submitted via the API is not used to train or improve their models.
  • Google Gemini API — powers our knowledge retrieval (RAG) functionality for document-based queries.

No Google user data is used to train, fine-tune, or improve any AI or machine learning model — whether our own, OpenAI's, Google's, or any third party's. Google Workspace data is not used to develop, improve, or train generalized artificial intelligence or machine learning models.

Bring Your Own Key (BYOK) Architecture

Our platform operates on a BYOK model: each business provides and manages their own AI provider API keys. These keys are encrypted at rest and are never shared across tenants. This architecture ensures that each business maintains direct control over their AI provider relationship and data processing.

Google API Services User Data Policy Compliance

Our use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data to provide the user-facing features described above (sending emails, reading inbox messages, managing calendar events, and authenticating accounts). Google user data is not used for any other purpose.
  • Google user data is processed transiently for inference only — it is not stored or retained beyond the immediate request.
  • We do not use Google user data to train, fine-tune, or improve any generalized AI/ML models.
  • We do not sell Google user data to third parties.
  • We do not use Google user data for advertising or to serve ads.
  • The business that connected the account, and the authorized members of its own team, can view that business's own Google data inside the product — this is the user-facing feature they enabled. Beyond that, our own staff do not read a business's Google user data unless: (a) we have the user's affirmative agreement to view specific messages or data; (b) it is necessary for security purposes, such as investigating abuse; (c) it is required to comply with applicable law; or (d) the data is aggregated and anonymized and used for internal operations.

4. Meta Platform Services (Instagram, Messenger, WhatsApp) — Data Use

Our platform integrates with Meta's messaging products so that a business can manage conversations with its own customers on Instagram, Messenger, and WhatsApp. A business connects its own accounts and authorizes the platform to receive and reply to the messages its customers send to those accounts. We request only the permissions strictly necessary for each integration.

Instagram Messaging (instagram_basic, instagram_manage_messages)

When a business connects its Instagram professional account, the platform receives the direct messages (DMs) that the business's customers send to that account and sends replies on the business's behalf — drafted by the AI assistant the business configured, or written by a human team member. We useinstagram_basic only to identify the connected account (id and username) during the one-time connection, andinstagram_manage_messages only to receive and send those conversation messages. We reply only to customers who messaged the business first, within Instagram's messaging policies and time windows.

Messenger (pages_messaging, pages_manage_metadata, pages_show_list, business_management)

The Instagram professional account is linked to a Facebook Page, and Messenger conversations are handled through that Page. We use these permissions to list the business's Pages during connection, subscribe the Page to messaging webhooks, and send/receive messages on the connected account's behalf.business_management is requested only as a required dependency of the messaging permissions, to operate on the assets the business connects. We never message users who did not contact the business first.

WhatsApp Business

When a business connects its WhatsApp Business number, the platform receives the messages its customers send and sends replies on its behalf, the same way as above.

Data We Store and How It Is Used

For each connected business, isolated by row-level security so no business can access another's data, we store: the connected account identifiers and an encrypted access token (encrypted at rest, never stored or logged in plaintext, decrypted only at the moment of an API call); and conversation and message records (the customer's platform-scoped user id, message text, timestamps, and delivery status). This data is used solely to (a) generate the AI reply, (b) display the conversation to the business's own team, and (c) allow a human to take over the conversation. Incoming webhook payloads are verified with anX-Hub-Signature-256 (HMAC‑SHA256) signature before processing.

AI Processing of Meta Platform Data

Message content is processed by AI providers (under our instructions, on a Bring Your Own Key basis) transiently, for inference only, to generate the business's reply. It is not used to train, fine-tune, or improve any AI/ML model — ours or any third party's — and is not retained by the AI provider after the response is generated.

Meta Platform Terms & Developer Policies Compliance

Our use of data received from Meta's platforms (Instagram, Messenger, WhatsApp) adheres to the Meta Platform Terms and Developer Policies. Specifically:

  • We only use messaging data to provide the user-facing feature described above — handling each business's own customer conversations. We do not use it for any other purpose.
  • We do not sell this data, and we do not use it for advertising or to serve ads.
  • We do not use it to train, fine-tune, or improve any generalized AI/ML model.
  • We do not allow humans to read message content except as required for security, to comply with applicable law, or with the user's explicit consent.
  • A business can disconnect an account at any time, which immediately stops processing and deletes the stored access token; associated data is deleted on request — see our Data Deletion page and Section 9 (Data Retention).
  • A customer can stop the business's automated and human replies at any time by replying STOP (or an equivalent unsubscribe phrase) in the conversation, and resume by replying START; we honor this opt-out immediately across both AI and human messaging.

5. OAuth Token Storage and Security

When you connect a third-party service (Google, Microsoft, etc.), the OAuth access and refresh tokens are encrypted at rest before being stored in our database. Tokens are automatically refreshed before expiration and can be revoked by the user at any time from the Integrations settings page. Upon disconnection, tokens are permanently deleted from our systems.

6. Legal Bases for Processing (EEA/UK)

We process personal data based on: performance of a contract (providing the Services), legitimate interests (platform security, fraud prevention), legal obligations, and consent where required (e.g., optional marketing communications or certain cookies).

7. Sharing and Disclosure

  • Service providers and sub-processors: cloud hosting (Vercel, Supabase), AI inference providers (OpenAI, Google Gemini), web search provider (Tavily), communications infrastructure (Twilio), and payment processors (Stripe), each bound by confidentiality obligations and used solely to operate the Services. AI providers process data transiently for inference and do not retain or use it for model training.
  • Integrations you enable: we share only the minimum data needed to perform the requested action (e.g., event details to Google Calendar, email content to Gmail for sending).
  • Legal and safety: to comply with law, protect rights, or respond to lawful requests.
  • Business transfers: in mergers, acquisitions, or asset sales, subject to this Policy.

We do not sell personal information. We do not share personal information with third parties for their own marketing purposes.

8. International Transfers

We may process data in the United States and other locations where our service providers operate. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.

9. Data Retention

We retain information as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. When you delete your account or disconnect an integration, associated data (including OAuth tokens) is permanently removed within 30 days.

10. Security

  • OAuth tokens encrypted at rest using industry-standard encryption.
  • All data transmitted over HTTPS/TLS.
  • SQL queries are read-only (SELECT only), validated by a parser before execution.
  • Input validation and output filtering to prevent prompt injection and data leakage.
  • Per-tenant rate limiting to prevent abuse.
  • Role-based access controls within the platform.

No system is fully secure. We encourage users to use strong passwords, enable multi-factor authentication where available, and protect their credentials.

11. Your Rights and Choices

  • Access and update your account data from your profile settings.
  • Disconnect integrations at any time from the Integrations page — this immediately revokes access and deletes stored tokens.
  • Delete your account by contacting us at the email below. We will remove your data within 30 days.
  • Revoke Google access at any time from your Google Account permissions page.
  • Opt out of non-essential marketing communications.
  • EEA/UK residents: you may exercise rights to object, restrict processing, data portability, or lodge a complaint with a data protection authority.

12. Cookies and Similar Technologies

We use cookies and similar technologies for authentication, security, preferences, and analytics. See our Cookie Policy for details and management options.

13. Third-Party Links

Our Services may contain links to third-party sites. We are not responsible for their privacy practices; review their policies before providing personal information.

14. Children

The Services are not directed to children under 13 (or under the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children.

15. Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new effective date. Material changes will be communicated via email or in-app notice.

16. Contact Us

Building Your Dreams Tech, LLC

1111B S Governors Ave STE 23576, Dover, DE 19904, USA

Email: admin@buildingyourdreamstech.com

Phone: (302) 415-3063