We understand that trusting a third-party product with your data—especially when AI is involved—requires confidence and transparency. This document answers the most common questions about how we handle your data when you use AI-powered features in Built.
Our core commitment: Your data is never used to train public AI models, and our AI features can be used without sending personally identifiable information (PII) to AI providers.
Data Usage and Training
Q: Is my data used to train AI models?
A: No. Your data is never used to train any public large language models (LLMs). The prompts you submit and the responses you receive remain exclusively yours and are not fed into model training pipelines.
Q: Could my inputs be used to improve the underlying AI model over time?
A: No. We have explicit agreements with our AI providers that prohibit the use of customer data for model training or fine-tuning. Your data is processed solely to generate a response for you and is not retained for any model improvement purposes.
Q: Does Anthropic, OpenAI, or any other AI provider have access to my data?
A: When you use our AI features, AI providers have access to your prompt and any limited data required to generate a response—this is necessary for the feature to work. However, these providers operate under strict data processing agreements that prevent them from using your data for training, storing it beyond the immediate request, or sharing it with third parties.
PII and Sensitive Data
Q: Does your product send Personally Identifiable Information (PII) to AI models?
A: Our product is designed to avoid sending PII to AI providers by anonymizing data that would be considered PII. That said, users have the ability to type anything into a prompt—if you manually include personal information in your prompt text, that content will be sent to the AI provider as part of processing your request.
Q: What happens if I accidentally include PII in my prompt?
A: If PII is included within a user-written prompt, it will be transmitted to the AI provider to process the request. The AI provider is contractually prohibited from storing or using this data beyond fulfilling the immediate request. As a best practice, we recommend not including sensitive personal information in AI prompts.
Q: Is the feature compliant with GDPR and other privacy regulations?
A: Yes, our AI features are designed with regulatory compliance in mind. Our AI providers act as data processors under applicable data protection laws (including GDPR), meaning they process data on your behalf and under your instruction only. We maintain Data Processing Agreements (DPAs) with all AI providers. If your organization has specific compliance needs (e.g., HIPAA, SOC 2), please contact us to discuss your requirements.
AI Behavior and Oversight
Q: Will the AI do things I don’t ask it to do?
A: No. The AI operates within the scopes it has been explicitly granted. It does not act outside those scopes, and consequential actions remain accountable to a human.
Q: Does the AI make decisions about my people on its own?
A: No. The AI can analyze workforce data and produce recommendations, but it does not make employment decisions autonomously. Hiring, termination, compensation changes, and similar outcomes remain human decisions.
Q: Can the AI send my data anywhere outside Built?
A: No. The AI's actions run through Built's standard application layer with the same permissions and audit trails as any user action. Any computation the AI performs on your data happens in isolated sandboxed environments without external network access.
Q: Will I know when something is AI-generated?
A: Yes. AI-generated content is identified in the product so users can distinguish it from data retrieved from your system of record.
Q: What permissions does the AI operate with?
A: The AI operates within the permissions of the user or role it is acting on behalf of. It cannot see or act on anything that the user or role is not already authorized for.
Data Security and Transmission
Q: How is my data protected when it’s sent to the AI?
A: All data transmitted between our product and AI providers is encrypted in transit using TLS 1.2 or higher—the same standard used for online banking. We also enforce API-level authentication with our AI providers, ensuring requests can only originate from our systems.
Q: Is my AI conversation data encrypted at rest?
A: Yes. In addition to full database-level encryption at rest, AI conversation content and tool call records carry an additional layer of application-level encryption, with keys held in a dedicated key management service.
Q: Is my data stored by the AI provider after a request is processed?
A: Our agreements with AI providers specify that prompt data is not stored, logged, or retained beyond what is required to complete your request.
Q: Where is my data processed geographically?
A: AI requests are processed in data centers that comply with industry security standards (SOC 2 Type II, ISO 27001). We work with providers whose infrastructure is primarily hosted in the United States and the European Union. If you have specific data residency requirements, please reach out to our team.
Q: Do you have a SOC 2 Type II report?
A: Yes. We always maintain a completed, current SOC 2 Type II audit and report, which independently verifies that our security controls meet the AICPA's Trust Services Criteria for security, availability, and confidentiality. Our report is available to customers and prospects under NDA.
Access, Control, and Transparency
Q: Can I opt out of AI features entirely?
A: Yes. AI features are optional. Administrators can disable AI functionality for their organization at any time from the settings panel. Individual users can also choose not to use AI-powered features—all core product functionality remains fully available without AI.
Q: Who inside your organization can see my AI prompts and responses?
A: Access to customer data—including AI prompt history—is strictly limited to authorized personnel with a legitimate business need (such as for support or compliance). All access is logged and subject to internal review. We do not permit employees to browse customer AI activity for any non-essential purpose.
Q: Do you maintain logs of AI interactions?
A: We maintain limited operational logs for security monitoring, debugging, customer support, and abuse prevention purposes. These logs are subject to our standard data retention and deletion policies. You can request deletion of your data at any time in accordance with our Privacy Policy.
Q: How will I be notified if your AI security practices change?
A: Any material changes to how we handle data in connection with AI features will be communicated via email and reflected in an updated Privacy Policy and Security documentation. We will provide advance notice before implementing changes that affect your data rights.
Vendor and Third-Party Risk
Q: Which AI providers do you use?
A: We currently partner with OpenAI.
Please contact our Customer Success Team for additional assistance.