Privacy Policy

FoxBuild – a service of Cypher Technology Analytics GmbH

As of: April 2026

1. Controller and Contact Details

The controller responsible for the processing of personal data in connection with the FoxBuild service is:

Cypher Technology Analytics GmbH

Neubaugasse 25/1/6, 1070 Vienna, Austria

Authorised representative: Alexander Reiter

E-Mail: office@foxbuild.io

Phone: +43 662 282828

2. Overview and Scope

This Privacy Policy informs you of how we collect, process, and protect your personal data when you use our website, our FoxBuild app, and all associated digital services. It applies to all online presences, mobile applications, e-mail communications, and social media channels through which we interact with you.

It is important to us that you understand what data we collect and why. We have therefore drafted this statement to be as clear and transparent as possible.

3. Legal Bases for Processing

We process personal data exclusively on the basis of a valid legal ground. These include in particular:

Consent (Art. 6 Abs. 1 lit. a DSGVO): Where you have expressly given us your consent to process certain data, for example by submitting a contact form or signing up for a newsletter.

Performance of a contract (Art. 6 Abs. 1 lit. b DSGVO): Where processing is necessary to perform a contract with you or to take pre-contractual steps — for example in the context of using our SaaS service FoxBuild.

Legal obligation (Art. 6 Abs. 1 lit. c DSGVO): Where we are required by law to process data, for example in the area of accounting or statutory retention obligations.

Legitimate interests (Art. 6 Abs. 1 lit. f DSGVO): Where processing is necessary to pursue our legitimate business interests and your fundamental rights do not override those interests — for example to operate and secure our website.

In addition, the Austrian Data Protection Act (DSG) and, where applicable, the German Federal Data Protection Act (BDSG) apply.

4. What Data We Collect

4.1 When Using the FoxBuild Service

FoxBuild is an AI-assisted software solution for automated construction site documentation. When using the service, the following data may be processed:

• Voice recordings that you create via the app

• Transcriptions and construction site reports or documentation generated from them

• E-mail addresses to which reports are automatically sent

• Access credentials (username, e-mail address, password)

• Usage data (time and frequency of use, features used)

• Technical data (IP address, device type, operating system, app version)

Voice recordings are processed for transcription and AI-assisted analysis. The construction site reports generated are stored within your user account and may be sent by e-mail to recipients designated by you.

4.2 When Visiting Our Website

When you access our website, certain technical data is automatically recorded in server log files:

• Pages accessed and time of access

• Browser type and version, and operating system

• Your IP address

• Referrer URL (the page from which you navigated to our site)

This data is collected to ensure secure and stable operation and is generally deleted automatically after two weeks.

4.3 When Contacting Us

If you contact us by e-mail, telephone, contact form, or messenger service, we store the data arising from that contact (name, e-mail address, telephone number, message content) in order to process your enquiry. This data is deleted once the enquiry has been conclusively dealt with and no statutory retention obligations apply.

4.4 Customer Data

In the course of our business relationship, we process data such as name, company name, address, e-mail address, telephone number, payment information, and contract data. This processing is carried out for the performance of the contract and on the basis of Art. 6 Abs. 1 lit. b DSGVO.

4.5 Applicant Data

If you apply for a position with us, we process the data you submit (name, contact details, evidence of qualifications, curriculum vitae) solely for the purpose of the application process. In the event of a successful application, your data will be transferred to your personnel file. Otherwise, we will delete your application documents no later than six months after the conclusion of the process, unless you have given us your consent to retain them for a longer period.

4.6 Registration and Account Use

When registering for FoxBuild, we collect the data you enter, such as first and last name, e-mail address, company name, and address. During account use, usage data is also collected alongside technical information such as IP address and device information processed in the background. This data is stored for the duration of account use and thereafter in accordance with statutory retention obligations.

5. Cookies

Our website uses cookies — small text files stored in your browser. We distinguish between technically necessary cookies required for the operation of the website, and optional cookies used for analytics and marketing purposes.

We use technically necessary cookies on the basis of our legitimate interest (Art. 6 Abs. 1 lit. f DSGVO). All other cookies are only set with your express consent (Art. 6 Abs. 1 lit. a DSGVO), which you can grant via our cookie banner.

You may manage, disable, or delete cookies at any time via your browser settings. Please note that disabling certain cookies may limit the functionality of our website.

6. Web Hosting

Our website is hosted by ALL-INKL.COM – Neue Medien Münnich (Hauptstraße 68, 02742 Friedersdorf, Germany). When you visit our website, the hosting provider automatically processes technical access data in server log files. We have concluded a data processing agreement with ALL-INKL pursuant to Art. 28 DSGVO, which ensures that your data is processed in a manner compliant with data protection law.

Further information can be found in ALL-INKL's privacy policy at https://all-inkl.com/datenschutzinformationen/.

7. Web Analytics and Tracking

7.1 Google Analytics

We use Google Analytics 4 (GA4) by Google Ireland Limited to analyse user behaviour on our website. GA4 uses an event-based data model and records interactions such as page views, clicks, and scrolling behaviour. According to Google, IP addresses are not logged or stored but are used only briefly to derive location information before being deleted.

Use is only made with your consent (Art. 6 Abs. 1 lit. a DSGVO). The default retention period in GA4 is 14 months. You can prevent data collection by Google Analytics via the browser add-on at https://tools.google.com/dlpage/gaoptout?hl=de .

Google participates in the EU-US Data Privacy Framework and additionally uses EU Standard Contractual Clauses to safeguard international data transfers.

7.2 Google Tag Manager

We use Google Tag Manager to manage various tracking and analytics tags centrally. The Tag Manager itself does not store personal data and does not set cookies. Data collection is carried out by the tools integrated via the Tag Manager.

7.3 Facebook Pixel and Conversions API

Our website integrates the Facebook Pixel and the Facebook Conversions API of Meta Platforms Ireland Limited. These tools enable us to measure the effectiveness of our advertisements on Facebook and to define target audiences for our advertising. Data such as IP address, browser information, and interaction data may be collected and transmitted to Meta.

Use is only made with your consent. Meta participates in the EU-US Data Privacy Framework. Further information is available at https://www.facebook.com/privacy/policy.

7.4 Google Site Kit and MonsterInsights

To facilitate the integration and evaluation of analytics data directly within our content management system, we use Google Site Kit and MonsterInsights. Both tools access data from Google Analytics. The same data protection provisions apply as for Google Analytics.

8. E-Mail Marketing

For the sending of newsletters and marketing e-mails, we use the MailChimp service provided by Intuit Inc. (USA). When you subscribe to our newsletter, your e-mail address and, where applicable, further voluntary details are stored with MailChimp. Subscription takes place via a double opt-in process.

MailChimp can analyse whether and when you open a newsletter and whether you click on links contained within it. This data is used for statistical analysis and to optimise our communications.

You may unsubscribe from the newsletter at any time via the unsubscribe link at the bottom of each e-mail. MailChimp participates in the EU-US Data Privacy Framework. Further information is available at https://www.intuit.com/privacy/statement/.

9. Social Media

We maintain a presence on various social media platforms, including Facebook, Instagram, LinkedIn, and TikTok. When you visit our social media profiles or use social media elements embedded on our website, personal data may be processed by the respective platform operators.

We draw your attention to the fact that data may in this context also be processed outside the European Union. Further information can be found in the privacy policies of the respective platforms:

• Facebook/Instagram: https://www.facebook.com/privacy/policy

• TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/en

• LinkedIn: https://www.linkedin.com/legal/privacy-policy

10. Messenger and Communication Services

10.1 WhatsApp

We offer you the option of contacting us via WhatsApp (Meta Platforms). In doing so, your telephone number and message content are processed. WhatsApp encrypts messages end-to-end. Nevertheless, metadata may be collected by WhatsApp. WhatsApp participates in the EU-US Data Privacy Framework. Further information: https://www.whatsapp.com/privacy.

10.2 Aircall

For telephone communications, we use Aircall (Aircall SAS, Paris, France). Call data such as telephone number, time, and duration of the call may be processed. Further information: https://aircall.io/privacy/.

11. Audio and Video Content

Our website embeds YouTube videos by Google Ireland Limited. When a page with an embedded video is accessed, a connection is established to YouTube's servers. Technical data such as IP address and browser information is transmitted to YouTube. If you are logged in to YouTube, YouTube may associate your browsing activity with your profile.

Embedding only takes place with your consent. Google/YouTube participates in the EU-US Data Privacy Framework. Further information: https://policies.google.com/privacy?hl=de.

12. Video Conferencing

We use the following services for online meetings and video conferences:

Microsoft Teams: Microsoft Corporation, USA. Microsoft participates in the EU-US Data Privacy Framework. Privacy policy: https://privacy.microsoft.com/de-de/privacystatement.

Zoom: Zoom Video Communications, USA. Zoom uses EU Standard Contractual Clauses. Privacy policy: https://explore.zoom.us/de/privacy/.

TeamViewer: TeamViewer Germany GmbH, Germany. Privacy policy: https://www.teamviewer.com/de/datenschutzinformation/.

When participating in a video conference, name, e-mail address, IP address, as well as device and usage data may be processed.

13. Cloud Services

For internal data storage and processing, we use cloud services provided by Google (Google Cloud, Google Drive) and Apple (iCloud). Customer data may also be stored on the servers of these providers. Google participates in the EU-US Data Privacy Framework. Apple uses EU Standard Contractual Clauses.

14. Website Builder System and Plugins

Our website is based on WordPress (Automattic Inc.). In the course of its operation, various plugins and themes are used, including Thrive Themes, Borlabs Cookie, Rank Math, and Yoast SEO. When using the website, technical usage data such as browser type, IP address, and page interactions may be processed.

Automattic participates in the EU-US Data Privacy Framework. Further information: https://automattic.com/privacy/.

15. Cookie Consent Management

To manage your cookie consents, we use the AdSimple Consent Manager (AdSimple GmbH, Austria) and Borlabs Cookie. These tools store your consent status in a cookie and allow you to adjust your preferences at any time. Data is stored exclusively within the EU.

16. Fonts

We use Google Fonts, with the fonts hosted locally on our server. This means that no data is transferred to Google's servers when fonts are loaded.

17. Booking Systems

For online appointment scheduling, we use Calendly (Calendly Inc., USA). During the booking process, your name, e-mail address, and any other data you provide may be processed. Calendly participates in the EU-US Data Privacy Framework. Further information: https://calendly.com/privacy.

18. Review Platforms

We are present on the review platforms kununu (New Work SE, Germany) and ProvenExpert (Expert Systems AG, Germany). If you review us through these platforms, the respective privacy policies of the platform operators apply.

19. Security of Data Processing

We implement technical and organisational measures to protect your data against unauthorised access, loss, or manipulation. Our website uses TLS encryption (HTTPS), which secures the transmission of data between your browser and our server. We also deploy firewall and anti-spam systems to protect our infrastructure against cyber attacks.

20. International Data Transfers

Some of the service providers we use are established outside the European Union, in particular in the USA. We ensure that data transfers to third countries take place only in compliance with GDPR requirements. Many of our US-based service providers participate in the EU-US Data Privacy Framework. We additionally rely on Standard Contractual Clauses approved by the European Commission (Art. 46 Abs. 2 and 3 DSGVO).

Further information on the EU-US Data Privacy Framework is available at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

21. Retention Periods

We store personal data in principle only for as long as is necessary for the respective processing purpose. Statutory retention obligations, for example under the Federal Fiscal Code (§ 132 Abs. 1 BAO: seven years) or the Austrian Commercial Code, may require longer storage.

Once the processing purpose no longer applies and any applicable retention periods have expired, your data will be deleted or anonymised.

22. Your Rights

As a data subject, you are entitled to the following rights under the GDPR:

• Right of access (Art. 15 DSGVO): You may request information as to whether and which personal data we process about you.

• Right to rectification (Art. 16 DSGVO): You may request the correction of inaccurate data.

• Right to erasure (Art. 17 DSGVO): Under certain conditions, you may request the deletion of your data.

• Right to restriction of processing (Art. 18 DSGVO): You may request that the processing of your data be restricted.

• Right to data portability (Art. 20 DSGVO): You may request that your data be provided to you in a commonly used format.

• Right to object (Art. 21 DSGVO): You may object to the processing of your data on the basis of legitimate interests.

• Right to withdraw consent: Any consent you have given may be withdrawn at any time with effect for the future.

• Right to lodge a complaint (Art. 77 DSGVO): You may lodge a complaint with a data protection supervisory authority.

The supervisory authority with jurisdiction over us is:

Austrian Data Protection Authority

Barichgasse 40-42, 1030 Vienna

Phone: +43 1 52 152-0

E-Mail: dsb@dsb.gv.at

Website: https://www.dsb.gv.at/

23. Data Processing on Behalf

We work with various service providers who process personal data on our behalf (data processors). We have concluded data processing agreements (DPAs) with all of these partners pursuant to Art. 28 DSGVO, which ensure that your data is processed exclusively in accordance with our instructions and in compliance with the GDPR. Our data processors include, among others, our hosting provider (ALL-INKL), analytics services (Google), e-mail marketing (MailChimp), booking systems (Calendly), and CMS providers (WordPress/Automattic).

24. Contact

If you have questions about data protection or wish to exercise your rights, please contact:

Alexander Reiter

Cypher Technology Analytics GmbH

Neubaugasse 25/1/6, 1070 Vienna, Austria

E-Mail: office@foxbuild.io

Phone: +43 662 282828

Data sharing with subprocessors

We use the following subprocessors (data processors under Art. 28 GDPR). Requests to OpenAI and OpenWeatherMap are made server-side only, via our Supabase Edge Functions; API keys never leave the backend. Audio recordings, transcripts, reports and other content are retained for as long as the customer's account requires — FoxBuild does not auto-delete them. The company, acting as the data controller, sets the retention period in its account settings and can delete content at any time.

OpenAI, L.L.C. (Whisper API) — USA — voice recordings — audio transcription — Art. 6 (1) (b) GDPR

OpenAI, L.L.C. (GPT-4o-mini) — USA — transcript, project name, project number, approximate coordinates — report structuring — Art. 6 (1) (b) GDPR

OpenWeather Ltd. — UK — postal code or coordinates — weather lookup — Art. 6 (1) (b) GDPR

Supabase Inc. — USA with EU hosting — all application data — hosting, database, storage — Art. 6 (1) (b) GDPR

Functions Inc. (Sentry) — USA — crash reports and diagnostics — error monitoring — Art. 6 (1) (f) GDPR

Google Ireland Ltd. (Firebase Cloud Messaging) — Ireland — push token — push notifications — Art. 6 (1) (f) GDPR

International data transfer

OpenAI is based in the United States. The data transfer is governed by the Standard Contractual Clauses (SCCs) of the EU Commission under Art. 46 GDPR. The Data Processing Addendum (DPA) signed with OpenAI is built on these clauses.

Withdrawing consent

Inside the app: Settings → Data & Privacy → "Revoke consent". Without consent, the AI-powered report features are disabled; manual editing of existing reports remains available.

Equal protection across all subprocessors

We have signed Data Processing Agreements (DPAs) with every subprocessor listed above. These DPAs guarantee the same or equal level of data protection as the GDPR. Subprocessors based outside of the EU/EEA are additionally bound by the EU Standard Contractual Clauses (SCCs) issued by the European Commission. Audio recordings, transcripts and any other personal data may be processed strictly for the purposes listed above; reuse for training or advertising is contractually prohibited.

How we collect data

Voice recordings are captured via the device microphone only after you actively start a recording (the "Record" button). Location coordinates are captured via the system geolocation API once you have granted the location permission. Project name and project number you enter yourself inside the app. No passive or background data collection takes place.

Meta Pixel & Conversions API

We use the Meta Pixel and the Meta Conversions API operated by Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland) to measure ad performance and deliver relevant advertising.

Purposes: conversion measurement of ad campaigns, optimisation of ad delivery, creation of custom and look-alike audiences.

Data processed: hashed email address (SHA-256), IP address, user agent, browser ID (_fbp cookie), Meta click ID (_fbc cookie, derived from the fbclid URL parameter of an ad).

Legal basis is Art. 6(1)(a) GDPR (consent). You give consent via our cookie banner and may withdraw it at any time via the cookie settings. Storage ends with withdrawal, at the latest after 24 months.

Recipient is Meta Platforms Ireland Ltd. with onward transfer to Meta Platforms Inc. in the United States. The transfer is based on the EU-US Data Privacy Framework and Standard Contractual Clauses.

For collection via the pixel, we and Meta Platforms Ireland Ltd. are joint controllers within the meaning of Art. 26 GDPR. The essence of the agreement is available at https://www.facebook.com/legal/controller_addendum.