Privacy Policy

Last updated: 2026-04-13

Build In HK Limited (“we”, “us”) is the data user under the PDPO for personal data we collect or control in operating the screenshot-x402 Service (the “Service”). This Personal Information Collection Statement (PICS) explains what we may collect, why, who we share with, and your rights.

1. Data we may process

Depending on how you use the Service, we may process:

• Technical and operational data: IP address, HTTP request metadata, timestamps, error traces, and observability logs via Cloudflare (Workers, Durable Objects). This may include MCP session routing and tool names invoked. Our Worker configuration enables Cloudflare observability sampling (see wrangler.toml).
• Tool arguments (often not personal data): URLs you submit, viewport width/height, full-page flag, image format, colour scheme, device scale factor, CSS selectors to hide, cache TTL, delays, and vision prompts. These may incidentally contain personal data if you put it in a URL, selector, or prompt — avoid submitting personal data you do not need.
• Cache keys and cached images: When caching is enabled, we store screenshots in Cloudflare R2 under a key derived from a JSON blob that includes the target URL and render options (dimensions, full page, format, colour scheme, device scale factor, sorted hide selectors). Anyone with access to your Worker logs or R2 could infer what was captured; treat cache TTL and access controls accordingly.
• Payment-related data: x402 settlement involves public blockchain addresses, transaction references, and metadata processed by facilitators. We do not require or store your wallet private keys; never send them to us.
• Vision (multimodal) processing: For analyze_screenshot, a JPEG of the page and your prompt may be sent to OpenRouter (default base https://openrouter.ai/api/v1) if OPENROUTER_API_KEY is configured, or to OpenAI if only OPENAI_API_KEY is set — or to another OpenAI-compatible endpoint if you set VISION_API_BASE. Those providers act as independent data users for their own processing; see their privacy policies.

2. Purposes and PDPO principles

We process personal data only for purposes that are lawful and fair under the PDPO Data Protection Principles (DPPs), including:

• Providing, securing, and troubleshooting the Service (DPP1 — purpose).
• Enforcing our Terms, billing via x402, and meeting legal obligations (DPP1).
• Improving reliability and abuse detection where consistent with minimisation (DPP1, DPP3).

Where we rely on consent (e.g. optional marketing — we currently do not run marketing from this Service), you may withdraw consent; core Service delivery may then be limited. If we ever send direct marketing communications, we will provide a clear opt-out mechanism (e.g. unsubscribe link) as required under PDPO.

3. Subprocessors and cross-border transfers

Material categories of recipients include:

• Cloudflare, Inc. and affiliates — edge compute (Workers), object storage (R2), Browser Rendering (managed browser), Durable Objects, logging/observability. Data may be processed in Cloudflare’s global network; see Cloudflare’s privacy policy and data processing terms.
• OpenRouter / OpenAI (if enabled) — multimodal API processing for analyze_screenshot. Providers are typically US-based; transfer is for performance of the Service you request. Review OpenRouter and OpenAI policies.
• x402 facilitators and public blockchains — payment authorisation and settlement; data on-chain is public and immutable by design.

Where we transfer personal data outside Hong Kong, we rely on your consent by using the Service, or we ensure adequate safeguards (such as standard contractual clauses) are in place where required by PDPO.

4. Retention

• Logs: Retained for no longer than 30 days unless required for legal or security incident investigation.
• R2 cached screenshots: Retained according to client-controlled TTL (maximum 7 days unless extended by client configuration).
• On-chain data (blockchain): Not erasable by design. You should not include personal data in on-chain transactions.
• We do not operate a separate customer-relationship database for this Service unless you add one. If we no longer need personal data for the purpose collected, we will delete or anonymise it within a reasonable time.

5. Security

We implement reasonable technical and organisational measures (access control on secrets, HTTPS, separation of vision keys in Workers secrets). No transmission or storage is perfectly secure. Protect API keys and wallet keys in your own environment — see our Terms on agent secrets.

6. Your rights (PDPO)

Subject to the PDPO and our ability to verify identity, you may request access to personal data we hold about you and correction of inaccurate data (DPP6). Certain exemptions apply. To exercise rights, contact hello@buildinhk.com. We will respond within a reasonable time (ordinarily within 40 days for access requests where the PDPO applies, unless extended lawfully).

You may lodge a complaint with the Hong Kong Office of the Privacy Commissioner for Personal Data (pcpd.org.hk).

7. Cookies and tracking

We do not use cookies, local storage, or any client-side tracking mechanisms in the Service. Cloudflare may set necessary security or performance cookies at the edge; these are strictly functional and not used for tracking.

8. Changes

We may update this policy; the Last updated date at the top of this page will change. Material changes may be posted here and, where required, notified.

9. Contact

Privacy and data protection: hello@buildinhk.com. Written requests for our company registration number and registered office address may be sent to hello@buildinhk.com or to our registered office address (available upon request via that email).