Privacy Policy
1. Who we are
Building Startups (sole proprietor), registered address Kibbutz Givat Oz 1922500, Israel (“Company,” “we,” “our,” “us”), operates the website buildingstartups.net and provides an Investor Outreach Service (“Service”). We act as Data Controller for founders’ data and as Data Controller / Data Exporter for the personal data of prospective investors we source and email on your behalf.
Israel enjoys an EU adequacy decision, so transfers of EU personal data to our Israeli systems are permitted under GDPR Art.45. Where we onward-transfer data to the United States, we rely on Standard Contractual Clauses (SCCs) supplemented by technical and organisational safeguards.
2. Contact for privacy matters
Email: avinoam@buildingstartups.net
Subject line: “Privacy Request”
3. What personal data we collect
| Category | Examples | Source | Legal basis (GDPR Art.6) |
|---|---|---|---|
| Client account data | Name, email, company, billing details | Client | Contract (Art. 6 §1 b) |
| Investor profile data | Name, email, role, investment focus, public social links | Open sources / paid databases | Legitimate interests (Art. 6 §1 f) — matching startups & investors |
| Email content & delivery logs | Drafts, sent copy, opens, bounces, replies | Client & mail server | Contract (Art. 6 §1 b) |
| Site analytics & cookies | IP, device, pages, events | GA4, Meta Pixel, Hotjar | Consent (Art. 6 §1 a) |
| Marketing preferences | Newsletter opt-in, unsubscribe status | Client | Consent (Art. 6 §1 a) |
4. How we use the data
Provide the Service – match investors, draft one personalised email per investor, send once, and deliver performance stats.
Site operations & security – log files, anti-spam, load-balancing.
Analytics & product improvement – aggregated traffic reports from GA4, Meta Pixel, Hotjar.
Direct marketing – occasional newsletters or product updates (opt-out any time).
Legal & compliance – bookkeeping, tax, fraud prevention, enforcing Terms & Conditions.
We do not perform automated decision-making that produces legal or similarly significant effects on data subjects. Our investor-matching algorithm is always human-supervised.
5. Sub-processors & international transfers
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Upress.co.il | Web hosting | Israel | Israel adequacy |
| Airtable | Data storage | USA/EU | SCCs + encryption at rest |
| Postmark (ActiveCampaign LLC) | Transactional email | USA | SCCs |
| n8n.io | Workflow automation | - | - |
| Google Analytics 4 | Site analytics | USA | SCCs + IP-anonymisation |
| Meta Pixel | Marketing analytics | USA | SCCs |
| Hotjar Ltd. | UX analytics | EU | SCCs |
We will delete or anonymise data after the period unless legal obligations require longer storage.
6. Cookies & tracking technologies
We use:
Essential cookies – site security, session management (cannot be disabled).
Analytics cookies (GA4, Hotjar) – help us understand traffic.
Marketing cookies (Meta Pixel) – measure ad performance.
On your first visit you will see a cookie banner allowing you to accept or reject non-essential cookies. You can later withdraw consent via the banner or your browser settings.
7. Email marketing & opt-out
We send promotional updates to founders who:
(a) expressly opted-in, or (b) purchased a Service (soft opt-in).
Every email includes an unsubscribe link. You may also email us to opt out.
8. Data retention
| Data set | Retention period | Rationale |
|---|---|---|
| Client & investor records | 12 months from campaign end | Re-runs, bookkeeping |
| Email delivery logs & content | 30 days | Debug & deliverability |
| Financial records & invoices | 7 years | Israeli tax law |
| Opt-out lists | Stored indefinitely | Suppress future mail |
9. Security measures
TLS 1.2+ in transit; AES-256 at rest (Airtable).
Two-factor authentication on all admin accounts.
Role-based access; least-privilege principle.
Nightly encrypted backups; 30-day retention.
Annual security review aligned with Israel PPL Data-Security Regulations 2017.
10. Your rights
Under GDPR/UK GDPR:
Access, rectification, erasure, restriction, objection, data portability, withdraw consent, lodge a complaint with your Supervisory Authority (e.g., EDPB).
Under Israel Privacy Protection Law 1981:
Right to review and correct data held in our registered database # [ pending registration number if required ].
To exercise any right: email avinoam@buildingstartups.net. We may verify identity before acting. We will respond within 30 days (Israel) / 1 month (GDPR).
11. No children
Our Service targets only persons 18 years or older and accredited or professional investors. We do not knowingly collect data from anyone under 16. If you believe a child has provided data, contact us for immediate deletion.
12. EU representative & DPO
We currently process EU data only occasionally and on a small scale; therefore Article 27 GDPR representation is not required at this time. We monitor volumes annually and will appoint an EU rep if thresholds change. No mandatory Data Protection Officer is required under Art. 37(1).
13. Changes to this policy
We may update this Policy to reflect legal or operational changes. An updated version will be posted with a new “Last updated” date. Material changes will be announced via email to active Clients.
14. Contact
Questions, requests or complaints?
Building Startups
Kibbutz Givat Oz 1922500, Israel
Email: avinoam@buildingstartups.net