Private builder platform
Privacy Policy
This Privacy Policy explains how CivicAI Solutions Pty Ltd (registered in Victoria, Australia) trading as Virex (we, us, our) collects, uses, shares, and protects personal data when you use the Virex platform at virex.build (the Service). This Policy is designed to comply with the Australian Privacy Act 1988 (including the Australian Privacy Principles), the EU General Data Protection Regulation (GDPR), and the Dutch implementation of the GDPR (Uitvoeringswet AVG).
1. Who is the Data Controller
For the purposes of GDPR Article 4(7), the data controller is CivicAI Solutions Pty Ltd (ACN 693 254 965, ABN 92 693 254 965), registered in Victoria, Australia. Contact: VIREX@civicai-solutions.com. We have not appointed a Data Protection Officer (DPO) under GDPR Article 37 because the scale of our processing does not currently meet the mandatory threshold; you may direct privacy queries to the contact email above.
2. What Personal Data We Collect
We collect the following categories of personal data:
- Account data: email address, name (optional), company (optional), website (optional), encrypted password (via Supabase Auth), authentication tokens.
- Billing data: Stripe customer ID, subscription status, current plan, credits balance, billing period end date, last 4 digits of payment method (we never see full card numbers — Stripe handles those).
- Build & usage data: prompts you submit, build outputs (generated zips + preview HTML), timestamps, IP address (last seen), user agent, plan-tier consumption, feature-edit history.
- Security & abuse data: IP addresses associated with account access, failed login attempts, terms-acceptance audit log (timestamp + IP), rate-limit triggers, account-flag history.
- Communications data: emails you send to us, support tickets, feedback submissions.
3. How We Use Personal Data (Purposes)
- Service delivery: authenticate you, run Builds, deliver outputs, store and serve preview content, allow you to manage your account.
- Billing: charge subscriptions via Stripe, send receipts, manage refunds and cancellations.
- Quality improvement: analyse anonymised prompt patterns to improve the build engine, foundation pool, and LLM routing. We do not train external models on your data.
- Security & abuse prevention: detect fraud, rate-limit abuse, AUP violations; block or ban accounts where necessary; investigate security incidents.
- Communications: send transactional emails (build-complete, password reset, subscription renewal, terms updates, security alerts). We do not send marketing emails without your prior opt-in consent.
- Legal compliance: respond to lawful requests from authorities, retain records for tax/accounting obligations, defend legal claims.
4. Legal Basis for Processing (GDPR)
For users in the EU/EEA, our lawful bases under GDPR Article 6 are:
- Article 6(1)(b) — Performance of contract: account, billing, build delivery, transactional communications.
- Article 6(1)(c) — Legal obligation: tax records, GDPR rights handling, responding to lawful authority requests.
- Article 6(1)(f) — Legitimate interests: security monitoring, abuse prevention, anonymised quality analysis, fraud detection. Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests do not override your fundamental rights.
- Article 6(1)(a) — Consent: optional analytics cookies (see Cookies section), marketing emails (opt-in only). You can withdraw consent at any time.
5. Sub-Processors (Third Parties We Share Data With)
We share personal data only with the sub-processors below, each under contractual data-protection obligations equivalent to or stricter than this Policy. If a sub-processor changes, we will update this list and (where the change is material to EU users) provide reasonable notice.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Auth + database + file storage | EU/US (Frankfurt region) |
| Vercel | Hosting + edge compute + DNS | Global edge (US-Iowa primary) |
| Stripe | Payment processing | Ireland (EU customers), US |
| OpenAI | LLM inference (mini tier) | US |
| Anthropic | LLM inference (Premium/Pro) | US |
| Postmark | Transactional email | US |
| Cloudflare | DNS + domain | Global edge |
| GitHub | Source-code hosting (engine) | US |
| StackBlitz | In-browser preview sandbox | Browser-side (no cloud copy) |
We do not share personal data with advertisers, brokers, or any third party for their independent marketing purposes. We do not sell personal data.
6. International Data Transfers
Several sub-processors are based in the United States (OpenAI, Anthropic, Postmark, parts of Vercel, GitHub, StackBlitz). For EU/EEA users, these constitute "third country transfers" under GDPR Articles 44-49. We rely on the following safeguards:
- EU-U.S. Data Privacy Framework certification where the recipient is certified.
- Standard Contractual Clauses (SCCs) issued by the European Commission as a transfer mechanism with sub-processors not on the DPF.
- Supplementary technical measures: encryption in transit (TLS 1.2+) and at rest where supported by the sub-processor.
On request, we can provide a copy of the relevant transfer-mechanism documentation. Contact VIREX@civicai-solutions.com.
7. Retention
Detailed retention periods are listed in Section 12 of the Terms of Service. In summary:
- Active subscription: build outputs retained for the lifetime of the subscription.
- 30 days after subscription cancellation: build outputs deleted.
- Up to 7 years: account profile, billing records, audit logs (legal/tax obligation).
- Indefinite unless you request erasure: anonymised prompt patterns and build-quality telemetry.
8. Your Rights (GDPR + Australian Privacy Act)
If you are in the EU/EEA, UK, or Australia, you have the following rights regarding your data:
- Access (GDPR Art. 15 / APP 12): get a copy of your personal data.
- Rectification (Art. 16 / APP 13): correct inaccurate data.
- Erasure / "right to be forgotten" (Art. 17): request deletion subject to legal-retention limits.
- Restriction of processing (Art. 18): pause processing while a dispute is resolved.
- Data portability (Art. 20): receive your data in a structured, machine-readable format. Generated Content can be downloaded as zip from your dashboard.
- Objection (Art. 21): object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent (cookies, marketing).
- Lodge a complaint with your supervisory authority — for Dutch users: the Autoriteit Persoonsgegevens (AP); for Australian users: the Office of the Australian Information Commissioner (OAIC).
To exercise any of these rights, email VIREX@civicai-solutions.com with the subject line "Privacy Request — [right]" and your account email. We will respond within 30 days (extendable by 60 days for complex requests under GDPR Art. 12(3)).
9. Cookies & Local Storage
We use the following categories:
- Strictly necessary (always on, no consent required under EU ePrivacy Directive Art. 5(3) exemption): authentication session token, CSRF protection, terms-acceptance cookie, build-form draft state, theme preference.
- Functional (consent required in EU): UI state for the demo flow, build feed expanded/collapsed.
- Analytics (consent required in EU): aggregate traffic measurements. We do not currently run third-party analytics; if we add Google Analytics or similar in future this section will be updated and we will solicit fresh consent.
- Marketing: Virex does not currently set marketing cookies.
You can manage your cookie preferences via the cookie banner shown on first visit, or by clicking the "Cookie preferences" link in the footer at any time.
10. Your API Keys and Environment Variables
When you provide your own third-party API keys or environment variables (for example a Stripe key, a Supabase service-role key, an OpenAI token) during a build or edit flow, we apply a strict encrypted-at-rest model.
- Plaintext never lands in our database, logs, or telemetry. Values are encrypted with AES-256 GCM using `BYOK_MASTER_KEY` — a master key that lives only in our application environment, never committed to source, never visible to staff outside secure infrastructure access.
- The encrypted blob lives at `projects/<your-project-id>/env.json` in Supabase Storage. Sub-processors (Supabase Storage, our hosting, our backup providers) only see opaque ciphertext; they cannot read your keys.
- Decryption happens only at runtime, inside the sandbox running your live preview or edit. The decrypted value is held in process memory for the duration of that sandbox session and never written back to disk on our infrastructure.
- The downloaded build zip does NOT contain your keys. Downloads can end up in public repositories; shipping secrets in the zip would be exactly the leak the design prevents. The zip includes `.env.example` listing the keys you need; you create a local `.env.local` with your values after download.
- You can rotate, edit, or delete keys at any time via the BYOK panel. Edits overwrite the encrypted blob and immediately replace the value used by the sandbox on next boot. A deletion removes the entry entirely.
If you later need to rotate a key, do so in both places: the vendor (Stripe / Supabase / etc.) AND the BYOK panel in your Virex project. We cannot read or recover a forgotten key — only re-encrypt a fresh value you provide.
12. Security
We protect personal data with industry-standard measures including TLS 1.2+ in transit, encrypted storage at rest in Supabase, hashed passwords (bcrypt), strict role-based access controls, audit logging of admin actions, periodic security reviews, and staff access on a need-to-know basis. No system is perfectly secure; if you believe your account has been compromised, contact us immediately at VIREX@civicai-solutions.com.
13. Data Breach Notification
In the event of a personal-data breach that is likely to result in risk to the rights and freedoms of natural persons (GDPR Art. 33) or serious harm under the Australian Notifiable Data Breaches scheme, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay (GDPR Art. 34) where required by law.
14. Children's Data
The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, contact us and we will delete it.
15. Automated Decision-Making
Virex makes some automated decisions affecting your account: rate-limit blocks, auto-pause for fraud signals, and AUP violation detection. These decisions are reviewable on appeal (see Terms §16). We do not currently use automated profiling for credit, insurance, or employment-related decisions; if that changes, this section will be updated and EU users will be notified of their rights under GDPR Art. 22.
16. Contact & Updates
For privacy questions, data-subject requests, or to report a concern, contact VIREX@civicai-solutions.com. We may update this Policy from time to time. Material changes will be communicated to active users and the version string at the top of this page will be bumped.
Last updated: 2026-04-26. CivicAI Solutions Pty Ltd. All rights reserved.