ContentBuilder — Privacy Policy (v1.2)

1) Overview

ContentBuilder is a platform for creating educational and media content using AI (e.g., slides, videos, voice, avatars). We respect your privacy and process personal data in accordance with applicable laws.

This Privacy Policy explains how SmartExpert Inc. (“ContentBuilder,” “we,” “our”) collects, uses, discloses, and protects personal data when you use our websites (e.g., www.contentbuilder.ai, app.contentbuilder.ai) and our applications, APIs, software, tools, data, and documentation (together, the “Services”).

Controller vs. Processor.

• We act as a processor for personal data we process on behalf of Enterprise/Team customers under a Data Processing Addendum (“DPA”).
• We act as a controller for data we process for our own purposes (e.g., account, billing, security, product improvement, marketing) as described below.

If you do not agree with this Policy, please discontinue use of the Services.

2) Scope

This Policy applies to personal data we collect about users of the Services, including individuals using the Services on behalf of organizations.

This Policy does not apply to data we process as a processor for Enterprise/Team customers under a separate contract/DPA—please contact the relevant customer for their privacy practices.

It also does not cover third-party websites, platforms, or content linked from our Services. Those are governed by their own policies.

3) Data We Collect

A. Data You Provide

• Account & contact. Name, email, password; where applicable: phone, company, role/title, address, social handles.
• Billing & transactions. Plan type, invoices, payment status. Card data is stored by our payment processor (e.g., Stripe/Paddle); we receive tokens/statuses only.
• User Input & content. Text, scripts, voice, images, video, documents, datasets, prompts and related metadata provided to generate Output (e.g., slides, video, avatars).
• Workspaces & collaboration. Comments, templates, shared files, team membership, roles.
• Support & communications. Requests, emails, chat transcripts, demo forms, feedback.

Biometric/likeness data (when used).

Certain features (e.g., voice cloning, face/pose for avatars) may process voice/face/likeness. Details are provided in our Biometric Notice at /legal/biometric-notice (types, purposes, retention, deletion, consent).

B. Data Collected Automatically

• Usage & device. IP address, device/OS, browser, language, timestamps, pages/features used, error logs, performance metrics, referrers/exit URLs, approximate location (from IP).
• Cookies & similar tech. See Section 7 (Cookies).

C. Data From Third Parties

• Integrations. If you connect Google Drive, Notion, Slack, Zapier, S3, etc., we receive data per your authorization.
• SSO/identity providers. Basic profile data (e.g., name, email, profile ID).
• Marketing & social. Interactions with our pages (e.g., YouTube, TikTok, Instagram), analytics and ad partners, lead sources.

4) How We Use Personal Data (Purposes & Legal Bases)

We use personal data to:

• Provide and operate the Services (account, auth, generation, collaboration, billing). (Contract)
• Personalize and improve features, templates, recommendations. (Legitimate interests / Contract)
• Support & communications (respond to requests, notices/updates). (Legitimate interests / Contract)
• Security & abuse prevention (fraud, audit, logs, incident response). (Legitimate interests / Legal obligation)
• Analytics & development (product usage insights, debugging, new features). (Legitimate interests)
• Model improvement & AI features. We may use de-identified or aggregated data to improve the Services and models. You may opt out of model/feature improvement by contacting [email protected] or via in-product controls (where available). (Legitimate interests; opt-out)
  • Enterprise/Team: Unless otherwise agreed in writing, Inputs/Outputs of Enterprise/Team workspaces are not used to train our models beyond what is necessary to provide and secure the Services.
• Marketing (news, offers, events) with the ability to unsubscribe at any time. (Consent / Legitimate interests)
• Legal compliance & protection (comply with law, enforce terms, prevent harm). (Legal obligation / Legitimate interests)

5) How We Share Personal Data

We share data only as described below:

• Vendors & service providers. Payments (PCI-DSS), hosting, storage, compute, analytics, security, communications, CRM, moderation—under data protection agreements.
• At your direction or with consent. Sharing content/templates, integrations, social widgets, public community features.
• Affiliates. Within our corporate group.
• Legal. To comply with law, court orders, or protect rights/safety.
• Business transfers. In a merger, acquisition, asset sale, or bankruptcy, with continued protections.

We may share aggregated/de-identified statistics (usage, performance) that do not identify individuals.

Subprocessor list: /legal/subprocessors.

We do not “sell” or “share” personal data as those terms are defined under CCPA/CPRA.

6) Business Transfers

If we undergo a merger, acquisition, asset sale, or bankruptcy, personal data may be transferred to a successor subject to comparable protections. We will notify you where required by law.

7) Cookies & Similar Technologies

We use cookies, SDKs, pixels, and similar tech for session management, preferences, analytics, performance, security, and (where permitted) advertising/measurement.

• Your choices. Most browsers allow blocking/deleting cookies; some features may not function without them.
• EU/UK consent. We obtain consent for non-essential cookies via a consent banner/CMP.
• Do Not Track / GPC. We honor applicable Global Privacy Control signals for opt-out choices where required by law.

Details: /legal/cookies.

8) Data Retention

We retain personal data for as long as necessary to provide the Services and for legitimate purposes (security, accounting/tax, disputes).

Operational logs (including API logs) are typically retained up to 30 days for abuse detection and system integrity, unless a longer period is required by law or contract.

Upon account or workspace deletion, deletion or anonymization begins within a reasonable time, considering backups and legal requirements.

9) Security

We maintain administrative, technical, and physical safeguards (e.g., encryption in transit, access controls, auditing, vulnerability management).

No system is 100% secure—please keep credentials confidential and report suspicious activity.

Security overview: /security.

10) Workspaces & Administrator Access

Workspace ownership & visibility. Workspace owners/admins may access member names, emails, roles/seats, activity logs, metadata, and usage analytics (e.g., generations, storage, connectors) within their workspace for management, billing, and security.

We process such data solely to support workspace operations as described in this Policy and the Terms of Use.

11) Your Privacy Rights

Depending on your location, you may have the right to:

• Access / portability (receive a copy of your data).
• Rectification (correct inaccuracies).
• Deletion (request deletion).
• Restriction / objection (e.g., to marketing or model-improvement processing).
• Opt-out of marketing (unsubscribe link or email us).
• Limit use/disclosure of sensitive personal data (where applicable).
• Withdraw consent (where processing relies on consent).
• Not be subject to solely automated decisions that produce legal or similarly significant effects without suitable safeguards (we do not engage in such decisions without notice and additional controls).

To exercise rights, contact [email protected]. We may verify your identity (e.g., via email or government ID) and you may appoint an authorized agent where permitted. We will not discriminate against you for exercising your rights.

Appeal instructions (where required by law) will be provided in our response.

12) Children’s Privacy

The Services are intended for users 18+ and not directed to children under 13.

We do not knowingly collect such data. If you are a parent/guardian and believe a child provided data, contact us to request deletion.

13) International Data Transfers

We are based in the United States. Your data may be processed in the U.S. and other countries with different protection standards.

We use Standard Contractual Clauses (SCCs) and, as applicable, participate in the Data Privacy Framework (DPF).

• SCCs: /legal/scc
• DPF details (upon certification): /legal/dpf

Where required, we implement additional safeguards and transfer impact assessments.

14) US State Notices (CCPA/CPRA and Similar Laws)

For residents of California, Colorado, Connecticut, Virginia, and other U.S. states with privacy laws:

• Categories collected (as defined by law): identifiers; commercial information; internet/electronic activity; geolocation (coarse/IP); communications; account credentials; biometrics/likeness (when features used); inferences (for personalization).
• Sources, purposes, retention — see Sections 3–8.
• Sale/Share. We do not sell or share personal data as defined by CPRA.
• Rights. Right to know/access, delete, correct, portability; opt-out of targeted advertising or certain profiling; limit use/disclosure of sensitive data; non-discrimination.
• Verification & authorized agents. We verify requests and honor authorized agents as provided by law.
• Appeals. If we deny a request, you may appeal within the timeframe we provide.

Detailed U.S. notice: /legal/us-privacy-notice.

15) Subprocessors & Third-Party Content

Subprocessors list: /legal/subprocessors.

Third-party sites/services are governed by their own terms; we are not responsible for their practices.

16) Biometric / Likeness Data (When Used)

If you use features involving biometrics or likeness (e.g., voice clone, facial/pose capture), we provide a Biometric Notice describing data types, purposes, retention, deletion, and consent requirements. We obtain consent where required by law and prohibit impersonation without permission.

More: /legal/biometric-notice.

18) Complaints & Dispute Resolution

Questions or concerns? Contact [email protected] and we will try to resolve them.

You may also lodge a complaint with your data protection authority (EU/UK/CH).

If we participate in the DPF, information about independent dispute resolution will be available at /legal/dpf.

19) Contact

Email: [email protected]

Mail: SmartExpert Inc. (d/b/a “ContentBuilder”), 690 Saratoga Ave, 1st floor, San Jose, CA 95129, United States