Privacy Policy
Builders Studio B.V. · Last updated: 11 June 2026
Builders Studio B.V. Last updated: 11 June 2026
This Privacy Policy describes how Builders Studio B.V. ("Builders", "we", "us") processes personal data in connection with the VSI (Venture Studio Intelligence) platform at vsi.builders.studio (the "Service"). It applies to everyone who uses the Service: members of customer organisations, venture founders and their conversation partners whose data is processed in the Service.
Builders Studio B.V. is registered in the Netherlands at Stationsplein 45, D3.118, 3013 AK Rotterdam, Chamber of Commerce number 62682466.
1. Our role: controller and processor
- For your account data (who you are, how you log in, how you use the Service), Builders is the controller.
- For Customer Data (conversations, recordings, transcripts and everything derived from them) that we process on behalf of a customer organisation, Builders is the processor and the customer organisation is the controller. A data processing agreement governs that processing. If you have questions about content processed on behalf of your organisation, your first point of contact is that organisation.
2. What we process
Account and identification data. Name, e-mail address, organisation, role, profile information, authentication data (we never see your password in plain text) and workspace membership.
Conversation content. Call recordings, meeting transcripts and notes that you or your organisation submit to the Service or connect through integrations, and everything the Service derives from them: speaker identification, summaries, extracted learnings, signals, artifacts, reflections and memory entries.
Conversation partners. Conversations naturally include other participants. Their names, voices, statements and contact details (when shared) are part of the processed content. The organisation submitting a recording is responsible for having a valid legal basis, consent or notification for recording and processing it.
Uploaded documents and connected sources. Files you upload and content from integrations you choose to connect (such as Google Calendar, Google Meet, Google Drive, Read.ai or Notion).
Usage data and logging. Technical logs, usage statistics and audit trails needed to operate, secure and improve the Service.
We do not ask for, and you should not submit, special categories of personal data (such as health or religious data) unless your organisation has made specific written arrangements with us.
3. Google user data
If you connect a Google account, the Service requests access to specific Google data. We use this access only as described here:
| Google data | What we use it for |
|---|---|
| Calendar (read-only) | Detecting your meetings so call recordings can be matched to the right conversation and venture |
| Google Meet recordings / Drive (read-only and per-file access) | Discovering and importing meeting recordings that you or your organisation choose to process |
| Contacts and directory (read-only) | Matching conversation participants to known contacts and suggesting attendees |
| Basic profile (e-mail, name) | Identifying the connected account |
Limited Use disclosure. VSI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular:
- We only use Google user data to provide and improve the user-facing features described above.
- We do not use Google user data for advertising of any kind.
- We do not sell Google user data.
- We do not allow humans to read Google user data, except with your explicit consent, where necessary for security or to comply with applicable law, or where the data has been aggregated and anonymised.
- We do not use Google user data to train generalised artificial intelligence or machine learning models.
You can disconnect Google at any time in the Service settings. Disconnecting deletes the stored access tokens; already imported recordings and derived content remain part of your organisation's Customer Data.
4. Why we process (purposes and legal bases)
| Purpose | Legal basis |
|---|---|
| Providing the Service: transcription, speaker identification, summaries, signals, artifacts, reflections | Performance of the agreement with your organisation (as processor on its documented instructions) |
| Account management and authentication | Performance of the agreement |
| Support and communication about the Service | Performance of the agreement / legitimate interest |
| Security, abuse prevention, logging and auditing | Legitimate interest / legal obligation |
| Service improvement using aggregated, anonymised statistics | Legitimate interest |
We do not use personal data for marketing without your consent and we do not perform automated decision-making with legal effects on you.
5. AI processing
The Service uses third-party Large Language Models (Anthropic Claude and Google Gemini) to deliver intelligence features such as conversation analysis, signal extraction, artifact generation and reflection synthesis. We select API configurations that exclude training of foundation models on Customer Data wherever the provider offers that option. Processing by LLM providers is short-lived inference: no long-term data retention takes place at the provider under the enterprise or API terms we use. All transmission to LLM providers goes over HTTPS.
AI-generated output can contain inaccuracies and should be reviewed before being relied upon.
6. Where your data lives
The Service runs in the Frankfurt region (eu-central-1): application and API hosting on Vercel, a managed PostgreSQL database on Supabase and file storage on AWS S3, all in Frankfurt, Germany. Customer Data is stored and processed within the European Economic Area (EEA), in line with EU data residency requirements and the GDPR.
Some sub-processors are established in the United States. Where access from outside the EEA could occur, we rely on the EU Standard Contractual Clauses, supplemented with technical and organisational measures such as encryption in transit and at rest and access restrictions.
7. Sub-processors
| Sub-processor | Location | Purpose | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | US (hosting in Frankfurt, DE) | Application and API hosting | EU Standard Contractual Clauses |
| Supabase Inc. | US (database in Frankfurt, DE) | Managed PostgreSQL database | EU Standard Contractual Clauses |
| Amazon Web Services EMEA SARL | Luxembourg (storage in Frankfurt, DE) | S3 object storage for uploaded files and artifacts | Within EEA |
| Anthropic PBC | US | LLM inference (Claude), short-lived, no long-term retention | EU Standard Contractual Clauses |
| Google Cloud EMEA Limited | Ireland | LLM inference (Gemini), short-lived, no long-term retention | Within EEA |
| Assembly AI Inc. | US | Speech-to-text transcription of call recordings | EU Standard Contractual Clauses |
| OpenAI LLC | US | Embedding generation for search and signal matching | EU Standard Contractual Clauses |
| Cohere Inc. | Canada | Search result reranking | Adequacy decision (Canada) |
Customer organisations are notified of intended additions or replacements of sub-processors in accordance with their data processing agreement.
8. Security
Security and privacy are a core part of how the platform is built and operated:
- Encryption in transit (TLS 1.2+) and at rest, enabled by default on all data storage layers.
- Role-based access control and multi-factor authentication for administrative access to production systems.
- Logical separation between customer workspaces at the database and application level.
- Logging of access to production systems and periodic review.
- Least-privilege access controls on internal systems and automated dependency scanning before deployment.
- Periodic backups and a documented recovery process.
9. Retention
We process Customer Data for the duration of the customer's subscription. After termination, Customer Data is available for export in a common machine-readable format for at least thirty (30) days, after which it is deleted or returned in accordance with the data processing agreement, unless a statutory retention obligation requires us to keep specific data longer. Account data is deleted or anonymised when no longer needed for the purposes above.
10. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, port and object to the processing of your personal data. You can exercise these rights by e-mailing dpo@builders.studio.
Where your data is processed on behalf of a customer organisation (as described in Section 1), we will forward your request to that organisation and support it in responding, unless the organisation instructs otherwise or the law requires us to act directly.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
11. Data breaches
We notify affected customer organisations without undue delay, and at the latest within forty-eight (48) hours of discovery, of a personal data breach, including the nature of the breach, the categories and estimated number of affected persons and records, the likely consequences and the measures taken or proposed.
12. Cookies
The Service uses only functional cookies that are necessary to operate the platform: session and authentication cookies and security-related cookies. We do not use advertising or cross-site tracking cookies in the Service.
13. Children
The Service is intended for professional use and is not directed at children under 16. We do not knowingly process data of children.
14. Changes
We may update this Privacy Policy from time to time. Material changes will be announced via the Service or by e-mail before they take effect. The "Last updated" date at the top reflects the most recent version.
15. Contact
Builders Studio B.V. Stationsplein 45, D3.118 3013 AK Rotterdam, the Netherlands Chamber of Commerce: 62682466
Data Protection Officer: dpo@builders.studio Compliance: compliance@builders.studio