Privacy Policy
What we collect, what we do with it, and the rights you have over it. We try to keep this in plain language. If anything's unclear, ask.
1. Who we are
This site, builditsmrt.com, is operated by BuildITSmrt, LLC, a limited liability company organized under the laws of the State of Wisconsin (the "Company," "we," "us," or "our"). This Privacy Policy explains how we handle personal information collected through this website and through inquiries you send us.
This policy covers our website, our marketing materials, and inquiries you send us. It does not cover information we hold about you under a separate written agreement (e.g., a Master Services Agreement, MSP service agreement, or development contract); the privacy terms in those agreements control for that data.
2. Who this policy applies to
We currently serve customers based in the United States. The website is reachable from anywhere, but we do not knowingly market services to, or contract with, customers outside the United States, and we do not target the website to residents of the European Economic Area, the United Kingdom, or other regions outside the U.S. If you are outside the United States, please do not submit personal information through this site.
3. Information we collect
3.1 Information you give us
When you fill out a contact form, the form sends us:
- Your name
- Your email address
- Your phone number, if you provide one
- Your company name, if you provide one
- The category of your inquiry (e.g., software, managed IT, privacy)
- The free-text message you write
We don't ask for, and don't want, anything more sensitive than that on a marketing-site form. Don't paste passwords, Social Security numbers, payment-card numbers, or similar into the message field.
3.2 Information collected automatically
When you visit any page or submit a form, our infrastructure automatically records:
- Your IP address
- The page or endpoint requested
- Timestamp and basic request metadata (browser user-agent, referrer header)
- For form submissions, your IP is recorded so we can rate-limit abuse and respond if needed
3.3 Cookies and similar technologies
This site does not currently set any first-party cookies and does not use behavioral analytics. The only third-party requests it makes are:
- Google Fonts — to load the typeface used on the site. Google may log your IP address when your browser fetches a font.
- Cloudflare — our DNS and CDN provider; Cloudflare may set short-lived security cookies (e.g., __cf_bm) to identify abusive traffic.
If we add analytics or other client-side trackers in the future, we'll update this section before they go live.
4. How we use information
We use the information we collect only to:
- Reply to your inquiry and follow up with you about it
- Provide the services you've contracted us for (under a separate written agreement)
- Operate, secure, and improve the website (e.g., rate-limiting, abuse prevention)
- Comply with legal obligations and respond to lawful requests
- Maintain ordinary business records
We do not sell, rent, or trade your personal information. We do not use it for cross-context behavioral advertising.
5. How we share information
We share information only with service providers who help us run the business, and only to the extent they need to provide their service:
- Cloudflare, Inc. — DNS and edge proxy.
- Maileroo — sends transactional email (e.g., your contact-form submission to us).
- GitHub, Inc. — source-code hosting for the site itself; does not receive your personal information through normal site use.
- Hostinger — virtual-server provider hosting the production and test environments.
We may also disclose information when required by law (e.g., a valid subpoena), to enforce our agreements, or to protect rights, property, or safety. We will tell you about a disclosure unless we're legally barred from doing so.
If we ever sell or transfer the business, your information may be part of that transfer, and the acquirer will be bound by this Privacy Policy or one with materially similar protections.
6. How long we keep information
- Sales and contact-form inquiries that don't become engagements — up to 24 months from your last contact, then deleted or anonymized.
- Customer records (when you become a paying customer) — for the duration of the engagement plus 7 years afterward, to match the statute of limitations on contract claims and standard accounting retention.
- Email correspondence — typically up to 7 years, to match accounting and tax records.
- Server access logs and rate-limit data — up to 90 days.
We may retain information longer if required by law, or shorter if you ask us to delete it (see Section 8 below).
7. How we protect information
We use commercially reasonable safeguards: TLS/HTTPS for all traffic, key-only SSH access to servers, principle-of-least-privilege within our infrastructure, automatic security updates on hosts, and isolated environments for test vs. production. No system is perfectly secure; if a breach affects you, we will notify you in line with applicable Wisconsin and federal law.
8. Your privacy rights
8.1 Everyone
Regardless of where you live, you can ask us to:
- Confirm whether we have any personal information about you
- Send you a copy of that information
- Correct it if it's wrong
- Delete it (subject to legal retention requirements)
- Stop using it for marketing purposes
To exercise any of these, use the contact form and select "Privacy / data request" as the category. We'll respond within 30 days. We may need to verify your identity before acting on the request.
8.2 California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you specific rights regarding your personal information:
- Right to know. What categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties we share with.
- Right to delete. Personal information we have collected, subject to limited exceptions.
- Right to correct. Inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising; if that ever changes, we will provide a "Do Not Sell or Share My Personal Information" link before doing so.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond those reasonably necessary to provide our services.
- Right to non-discrimination. We will not deny services, charge a different price, or provide a different level or quality of service because you exercised any of these rights.
You may use an authorized agent to make a request on your behalf; we will require written authorization and may verify directly with you.
8.3 Other state privacy laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Utah (UCPA), and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and opt out of certain processing. Use the same contact path described in Section 8.1; we will respond consistent with the applicable state law's requirements and timeframes.
9. Children
This website is not directed at children under 13, and we do not knowingly collect personal information from children. If you believe a child has submitted personal information through the site, contact us and we'll delete it.
10. Third-party links
The website may contain links to third-party websites or services we don't operate. We're not responsible for their content or privacy practices. Read their privacy policies before submitting information.
11. Changes to this policy
We will update this policy when our practices change. The "Last updated" date at the top reflects the most recent version. Material changes will be highlighted on the website for at least 30 days before they take effect.
12. How to contact us
To exercise a privacy right, ask a question about this policy, or report a concern, please use our contact form and select "Privacy / data request" as the inquiry category:
A mailing address is available on request through the contact form.
13. MaintBlocks SaaS subscriptions
This section adds to (and where there's a conflict, controls over) the rest of this Privacy Policy for personal information processed in connection with a paid or trial subscription to MaintBlocks SaaS — the hosted backend at api.builditsmrt.com, the customer dashboard, and the MaintBlocks desktop agent that connects to that backend. Sections 1–12 above continue to apply to anyone who uses the marketing site without subscribing.
13.1 Information you give us when you sign up
The signup form at builditsmrt.com/pricing collects:
- Your work email address (used as your account login and as the verification destination)
- A password you choose, which we store only as a salted, industry-standard hash (BCrypt) — we never see, store, or transmit the cleartext after you submit the form
- Your organization's name (becomes the tenant name on your account)
- The number of devices you intend to enroll (becomes your initial seat cap; you can change it later)
- The billing period you select (monthly, annual, or two-year)
You may optionally enable two-factor authentication after signup. If you do, we additionally store your TOTP shared secret (encrypted at rest) and the hashes of any single-use recovery codes you generate.
13.2 Information collected by the MaintBlocks desktop agent
When you install MaintBlocks on a device and enroll it against your subscription, the desktop agent transmits the following information to our backend on enrollment, and on each subsequent heartbeat (typically once per 24 hours):
- Device identity — a stable hardware fingerprint, the device's machine name (hostname), an installation GUID (per-install identifier), and the version of MaintBlocks you have installed
- Operating-system basics — Windows version and build number, last-boot time, total installed RAM, total installed disk capacity, CPU model
- Recent activity — outcomes of the most recent maintenance actions you have run (action ID, timestamp, success/failure outcome, and any human-readable message the action produced)
- Installed software inventory — the list of programs and applications installed on the device, as reported by Windows (typically the same list visible in Settings → Apps → Installed apps). Includes name, publisher, and version for each entry.
- Services inventory — the Windows services configured on the device (name, display name, startup type, current status). Does not include the contents of those services or their data.
- Local user accounts — the Windows local user accounts on the device (account name, account flags such as "disabled" or "admin-group member"). We do not collect passwords, password hashes, profile data, files in user folders, browser history, or any other content under user profiles.
- Network adapters — installed network interfaces (adapter name, type, MAC address, IPv4/IPv6 addresses currently bound). We do not collect packet contents or traffic logs.
- BIOS / firmware — manufacturer, firmware version, and serial number reported by the device's UEFI/BIOS, used to verify hardware lineage between heartbeats.
This inventory is stored against your tenant on our backend and is visible to administrators of your tenant. We use it to populate your device list, surface health and maintenance status, and fulfill the operational purpose of the product. We do not sell, share for advertising, or otherwise repurpose this inventory data.
We do not collect, through the agent: keyboard input, screen contents (except when you explicitly invoke the screenshot maintenance action and choose to attach the resulting file to a support ticket — at which point you control whether the screenshot is sent), email or messaging content, files in user-profile folders, browser history, or the contents of installed applications' databases.
13.3 Information collected through billing
Payments for paid subscriptions are processed by Stripe Payments Company ("Stripe"). When you check out, Stripe collects your payment-card information directly — that data is transmitted from your browser to Stripe's servers and never passes through ours. We receive from Stripe:
- A Stripe Customer ID (an opaque token Stripe uses to refer to you)
- A Stripe Subscription ID and the high-level state of your subscription (active, trialing, past due, canceled, etc.)
- The seat quantity and billing period you've selected
- Webhook events Stripe sends us when those values change (a payment succeeds, a subscription renews, a card fails, etc.)
We do not receive — and have no way to access — your full card number, CVV, or your card's expiration date except as Stripe surfaces them in the customer portal. To change your card, update billing details, or download invoices, use the "Manage subscription" link in your dashboard, which redirects you to Stripe's hosted Customer Portal.
Stripe's privacy practices are governed by their own privacy policy at stripe.com/privacy.
13.4 Cookies and authentication on the customer dashboard
When you sign in to the customer dashboard at api.builditsmrt.com/Account/Login, we set:
- An authentication cookie (name mb.auth, HttpOnly, SameSite=Lax, Secure when served over HTTPS) that identifies your signed-in session. It expires after 8 hours of inactivity, with a sliding refresh.
- An antiforgery token cookie set by ASP.NET Core to prevent cross-site request forgery on dashboard form submissions.
Both cookies are first-party, signed and encrypted server-side, and used only to keep you signed in and to protect the forms you submit. They are not used for analytics, tracking, or any cross-site purpose. You can sign out at any time from the dashboard, which deletes the cookies server-side and instructs your browser to discard them.
13.5 How long we keep subscriber information
- Account credentials and profile — for the duration of your subscription. If you cancel, we retain the account record for up to 90 days in case you reactivate, then delete it.
- Device inventory and heartbeats — the most recent inventory snapshot per device for the duration of the subscription. Older heartbeat history is retained for up to 12 months and then aggregated or deleted.
- Maintenance-run records — for the duration of the subscription, then deleted within 90 days of cancellation.
- Issued license tokens — audit records of which device received which license token (and when) are retained for 24 months for security review.
- Billing and invoice records — retained for 7 years to match standard accounting and tax requirements.
- Pending signup records (you started signup but never verified your email or completed checkout) — retained for 90 days, then deleted.
You can also request earlier deletion using the privacy-rights process in Section 8, subject to legal retention requirements (notably the 7-year billing window).
13.6 Sub-processors for MaintBlocks SaaS
In addition to the providers listed in Section 5, the MaintBlocks SaaS service uses:
- Stripe Payments Company — payment processing, subscription management, and the customer billing portal
- Maileroo — transactional email (signup verification, billing notices, password reset, trial-ending warnings, welcome emails)
- Hostinger — virtual-server provider hosting the production SaaS environment in the United States
Each sub-processor has access only to the data needed to perform its function. We will update this list before adding any new sub-processor that processes personal information of subscribers, and the change will be marked on this policy for at least 30 days before it takes effect.
13.7 Data location and transfers
All MaintBlocks SaaS data — accounts, device inventory, license-issuance records, billing metadata — is stored on servers physically located in the United States. We do not transfer subscriber data outside the United States in the course of normal operation. Sub-processors (notably Stripe and Cloudflare) may operate globally; their handling of personal data is governed by their own privacy policies and the contracts we have with them.
13.8 Security
In addition to the safeguards in Section 7, the MaintBlocks SaaS environment uses: per-tenant isolation in a single database, BCrypt-hashed passwords (work factor 12), Ed25519-signed license tokens, encrypted-at-rest authentication cookies, TOTP and recovery-code support for two-factor authentication, brute-force lockout after repeated failed sign-ins, hostname-bound TLS for the public API and dashboard, and isolated test and production environments.
13.9 Account deletion and data export
You can cancel your subscription at any time from the dashboard's billing page or via Stripe's Customer Portal. After cancellation, you may request export or deletion of the data we hold for your tenant by submitting a privacy request as described in Section 8 — we'll provide a JSON export of your tenant's account, device inventory, and run history, and delete the same data subject to the retention requirements above.
13.10 Children and MaintBlocks SaaS
MaintBlocks SaaS is sold for use by businesses and IT teams. It is not intended for, and not directed at, individuals under 18. Don't use the service to manage devices belonging to minors without an appropriate role (e.g., school IT administering school-issued endpoints) and consistent with applicable child-privacy laws.