Privacy Policy

1. Who we are

Building Startups (sole proprietor), registered address Kibbutz Givat Oz 1922500, Israel (“Company,” “we,” “our,” “us”), operates the website buildingstartups.net and provides an Investor Outreach Service (“Service”). We act as Data Controller for founders’ data and as Data Controller / Data Exporter for the personal data of prospective investors we source and email on your behalf.

Israel enjoys an EU adequacy decision, so transfers of EU personal data to our Israeli systems are permitted under GDPR Art.45. Where we onward-transfer data to the United States, we rely on Standard Contractual Clauses (SCCs) supplemented by technical and organisational safeguards.

2. Contact for privacy matters

Email: avinoam@buildingstartups.net
Subject line: “Privacy Request”

3. What personal data we collect

Category
Examples
Source
Legal basis (GDPR Art.6)
Client account data
Name, email, company, billing details
Client
Contract (Art. 6 §1 b)
Investor profile data
Name, email, role, investment focus, public social links
Open sources / paid databases
Legitimate interests (Art. 6 §1 f) — matching startups & investors
Email content & delivery logs
Drafts, sent copy, opens, bounces, replies
Client & mail server
Contract (Art. 6 §1 b)
Site analytics & cookies
IP, device, pages, events
GA4, Meta Pixel, Hotjar
Consent (Art. 6 §1 a)
Marketing preferences
Newsletter opt-in, unsubscribe status
Client
Consent (Art. 6 §1 a)

4. How we use the data

  1. Provide the Service – match investors, draft one personalised email per investor, send once, and deliver performance stats.

  2. Site operations & security – log files, anti-spam, load-balancing.

  3. Analytics & product improvement – aggregated traffic reports from GA4, Meta Pixel, Hotjar.

  4. Direct marketing – occasional newsletters or product updates (opt-out any time).

  5. Legal & compliance – bookkeeping, tax, fraud prevention, enforcing Terms & Conditions.

We do not perform automated decision-making that produces legal or similarly significant effects on data subjects. Our investor-matching algorithm is always human-supervised.

5. Sub-processors & international transfers

Provider
Purpose
Location
Safeguard
Upress.co.il
Web hosting
Israel
Israel adequacy
Airtable
Data storage
USA/EU
SCCs + encryption at rest
Postmark (ActiveCampaign LLC)
Transactional email
USA
SCCs
n8n.io
Workflow automation
-
-
Google Analytics 4
Site analytics
USA
SCCs + IP-anonymisation
Meta Pixel
Marketing analytics
USA
SCCs
Hotjar Ltd.
UX analytics
EU
SCCs

We will delete or anonymise data after the period unless legal obligations require longer storage.

6. Cookies & tracking technologies

We use:

  • Essential cookies – site security, session management (cannot be disabled).

  • Analytics cookies (GA4, Hotjar) – help us understand traffic.

  • Marketing cookies (Meta Pixel) – measure ad performance.

On your first visit you will see a cookie banner allowing you to accept or reject non-essential cookies. You can later withdraw consent via the banner or your browser settings.

7. Email marketing & opt-out

We send promotional updates to founders who:
(a) expressly opted-in, or (b) purchased a Service (soft opt-in).
Every email includes an unsubscribe link. You may also email us to opt out.

8. Data retention

Data set
Retention period
Rationale
Client & investor records
12 months from campaign end
Re-runs, bookkeeping
Email delivery logs & content
30 days
Debug & deliverability
Financial records & invoices
7 years
Israeli tax law
Opt-out lists
Stored indefinitely
Supress future mail

9. Security measures

  • TLS 1.2+ in transit; AES-256 at rest (Airtable).

  • Two-factor authentication on all admin accounts.

  • Role-based access; least-privilege principle.

  • Nightly encrypted backups; 30-day retention.

  • Annual security review aligned with Israel PPL Data-Security Regulations 2017.

10. Your rights

  • Under GDPR/UK GDPR:

    • Access, rectification, erasure, restriction, objection, data portability, withdraw consent, lodge a complaint with your Supervisory Authority (e.g., EDPB).

    Under Israel Privacy Protection Law 1981:

    • Right to review and correct data held in our registered database # [ pending registration number if required ].

    To exercise any right: email avinoam@buildingstartups.net. We may verify identity before acting. We will respond within 30 days (Israel) / 1 month (GDPR).

11. No children

Our Service targets only persons 18 years or older and accredited or professional investors. We do not knowingly collect data from anyone under 16. If you believe a child has provided data, contact us for immediate deletion.

12. EU representative & DPO

We currently process EU data only occasionally and on a small scale; therefore Article 27 GDPR representation is not required at this time. We monitor volumes annually and will appoint an EU rep if thresholds change. No mandatory Data Protection Officer is required under Art. 37(1).

13. Changes to this policy

We may update this Policy to reflect legal or operational changes. An updated version will be posted with a new “Last updated” date. Material changes will be announced via email to active Clients.

14. Contact

Questions, requests or complaints?
Building Startups
Kibbutz Givat Oz 1922500, Israel
Email: avinoam@buildingstartups.net