Privacy Policy
Last updated: March 11, 2026
At Buena.ai, we are committed to protecting your privacy and ensuring transparency about how we handle your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use and share it, and what rights you have regarding your data.
This policy applies to all personal data processed through our website (buena.ai), our AI-powered sales intelligence platform, and any related services. It is designed to comply with the EU General Data Protection Regulation (GDPR), applicable U.S. privacy laws, and ISO 42001 standards for AI management systems.
1. Data Controller
Who We Are
Buena AI, Inc. ("Buena.ai", "we", "us", "our") is the data controller responsible for your personal data. We are committed to protecting and respecting your privacy in accordance with the General Data Protection Regulation (GDPR), applicable U.S. privacy laws, and ISO 42001 standards for responsible AI governance.
Contact Information
For any questions about this policy or your personal data, contact our Data Protection team at privacy@buena.ai. Our registered address is available upon request.
2. Categories of Personal Data We Collect
Identity & Contact Data
Full name, email address, phone number, company name, and job title — collected when you fill out forms, request demos, sign up for newsletters, or contact us.
Technical & Device Data
IP address, browser type and version, operating system, device identifiers, referring URLs, pages viewed, click patterns, and timestamps of your visits — collected automatically through server logs and cookies.
Usage & Analytics Data
Information about how you interact with our website and services, including pages visited, features used, session duration, and navigation paths — collected via analytics tools (PostHog).
Marketing & Communications Data
Your preferences for receiving marketing communications, newsletter subscription status, UTM campaign parameters, and your communication history with us.
Transaction Data
Details of services you have subscribed to, payment information (processed by third-party payment processors — we do not store full payment card details), and billing history.
3. Lawful Bases for Processing
Consent (Article 6(1)(a) GDPR)
We process your data based on your explicit consent for: marketing communications and newsletters, non-essential cookies and analytics tracking, and optional data sharing with partners. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Contractual Necessity (Article 6(1)(b) GDPR)
We process your data where necessary to perform a contract with you or to take steps at your request before entering into a contract, including: providing our AI-powered sales intelligence platform, managing your account and delivering requested services, and processing demo requests and responding to inquiries.
Legitimate Interest (Article 6(1)(f) GDPR)
We process your data based on our legitimate interests, balanced against your rights, for: improving and optimizing our website and services, detecting and preventing fraud or spam, internal analytics and business intelligence, and ensuring network and information security. You have the right to object to processing based on legitimate interests.
Legal Obligation (Article 6(1)(c) GDPR)
We process your data where required to comply with legal obligations, including: tax and accounting requirements, responding to lawful requests from regulators or law enforcement, and maintaining records as required by applicable law.
4. How We Use Your Data
Service Delivery & Support
To provide, maintain, and improve our AI-powered B2B sales intelligence platform; to process your requests, demos, and inquiries; to manage your account; and to provide technical support.
Communications
To send transactional emails related to your account or requests; to send marketing communications where you have opted in; to respond to your inquiries. You can unsubscribe from marketing emails at any time via the link in each email.
Analytics & Improvement
To analyze usage patterns and improve our website and services; to conduct A/B testing and feature development; to generate aggregated, anonymized insights. We use PostHog for analytics, configured to respect Do Not Track signals and GDPR cookie consent preferences.
Security & Fraud Prevention
To detect, prevent, and respond to security incidents, fraud, spam, and abuse; to maintain audit logs for compliance; to enforce our terms of service.
5. How We Share Your Data
Service Providers (Data Processors)
We share data with third-party service providers who process data on our behalf under data processing agreements (DPAs): MongoDB Atlas (database hosting, US), Resend / AWS SES (email delivery, US), PostHog (analytics, EU/US), Vercel (website hosting, US). All processors are contractually bound to process data only on our instructions and maintain appropriate security measures.
Legal Requirements
We may disclose your data if required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, privacy, safety, or property of Buena.ai, our users, or the public.
Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred. We will notify you via email and/or prominent notice on our website of any change in ownership and your choices regarding your data.
No Sale of Personal Data
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
6. Data Retention
Retention Periods
Lead and contact data: retained for 24 months from last interaction, then anonymized or deleted. Account data: retained for the duration of your account plus 12 months after closure. Analytics data: aggregated and anonymized after 26 months. Marketing consent records: retained for 5 years for compliance documentation. Transaction records: retained for 7 years as required by tax law.
Deletion & Anonymization
When data reaches the end of its retention period, it is either securely deleted or irreversibly anonymized so it can no longer be linked to you. You may request earlier deletion at any time (see Your Rights below).
7. Your Rights as a Data Subject
Right of Access (Article 15 GDPR)
You have the right to obtain confirmation of whether we process your personal data, and to request a copy of the data we hold about you, free of charge.
Right to Rectification (Article 16 GDPR)
You have the right to request correction of inaccurate personal data or completion of incomplete data we hold about you.
Right to Erasure / Right to Be Forgotten (Article 17 GDPR)
You have the right to request deletion of your personal data where: it is no longer necessary for the purposes it was collected, you withdraw consent (where consent was the basis for processing), you object to processing and there are no overriding legitimate grounds, or the data has been unlawfully processed. Use the Data Request Form below to submit a deletion request.
Right to Restrict Processing (Article 18 GDPR)
You have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
Right to Data Portability (Article 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller without hindrance.
Right to Object (Article 21 GDPR)
You have the right to object to processing based on legitimate interests or direct marketing at any time. Where you object to direct marketing, we will stop processing your data for that purpose immediately.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. You may also contact us first and we will endeavor to resolve your concern.
How to Exercise Your Rights
To exercise any of these rights, use the Data Request Form at the bottom of this page, or email privacy@buena.ai. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
8. Cookies and Tracking Technologies
Cookie Categories
We use four categories of cookies: Necessary (essential for site functionality — no consent required), Analytics (help us understand how visitors use our site — requires consent), Marketing (used to deliver relevant advertisements — requires consent), and Functional (enable enhanced features and personalization — requires consent).
Cookie Consent
For visitors in GDPR-regulated regions, we display a cookie consent banner before placing any non-essential cookies. You can manage your cookie preferences at any time through our cookie consent banner. Your choices are stored locally and respected across sessions.
9. International Data Transfers
Transfer Mechanisms
Your data may be transferred to and processed in the United States or other countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) approved by the European Commission, data processing agreements with all service providers, and adequacy decisions where applicable.
10. Data Security
Technical Measures
We implement encryption in transit (TLS/SSL) and at rest, access controls and authentication, regular security assessments, and secure development practices. Our infrastructure providers maintain SOC 2 certifications.
Organizational Measures
Access to personal data is restricted to authorized personnel on a need-to-know basis. All staff with access to personal data are bound by confidentiality obligations. We maintain incident response procedures and will notify affected individuals and authorities of any data breach within 72 hours as required by GDPR.
11. Children's Privacy
Age Restrictions
Our services are B2B enterprise tools not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@buena.ai and we will delete it promptly.
12. Stakeholder Rights & Obligations (ISO 42001)
Customers
As a customer, you have the right to transparent information about how our AI systems process your data, the ability to request human review of automated decisions, clear documentation of our AI capabilities and limitations, and access to support channels for privacy concerns.
Regulators
We maintain compliance documentation, conduct regular impact assessments, and cooperate with supervisory authorities. We proactively monitor changes in privacy and AI regulation to ensure ongoing compliance.
Society & Public Interest
We are committed to responsible AI development and deployment. We assess the broader impact of our AI systems on society, maintain transparency about our AI practices, and ensure our systems do not produce discriminatory outcomes. Our AI governance framework aligns with ISO 42001 standards for AI management systems.
Employees & Partners
Our employees and partners are trained in data protection practices, bound by confidentiality agreements, and required to report any potential data protection issues. We maintain clear policies and procedures for handling personal data throughout our organization and supply chain.
13. Changes to This Policy
Updates
We will update this Privacy Policy when our practices change or when required by law. Material changes will be communicated via email to registered users and through a prominent notice on our website at least 30 days before they take effect. The 'Last Updated' date at the top of this page indicates when the policy was most recently revised. Previous versions are available upon request.
Data Subject Request Form
Use this form to exercise your data rights under GDPR, including data deletion, access, rectification, portability, or restriction of processing. All requests are logged, tracked, and processed within 30 days.
Contact Our Data Protection Team
If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us: