Privacy Policy

Last updated: August 13, 2025

This Privacy Policy explains how Built by Shah LLC (“Built by Shah,” “we,” “us,” or “our”) collects, uses, shares, and safeguards personal information when you visit bodyshopbyshah.com (the “Site”), interact with our ads or emails, or use our products and services (including Google Ads management, custom website design/development, AI agents/automations, and the Built by Shah Command Center) (collectively, the “Services”).

If you do not agree with this Policy, please do not use the Site or Services.

1) Who we are & how to contact us

  • Controller: Built by Shah LLC
  • Email: shah@bodyshopbyshah.com
  • Mailing address: Built by Shah LLC, Attn: Privacy, Legal, 1712 Langley Avenue, Irvine CA 92614

Data protection inquiries (EEA/UK): If you are in the EEA/UK, you may also contact your local Data Protection Authority. If required by law, we will appoint an EU/UK representative and update this Policy.

2) Scope & who this Policy covers

  • Site visitors and prospects who browse our Site, contact us, or receive our marketing.
  • Business customers and their personnel who use our Services.
  • End users/consumers of our customers. For personal data we process on behalf of a business customer via our Command Center or AI/messaging tools, we act as a processor/service provider and that processing is governed by our contract and any data processing addendum (DPA) with the customer. This Policy does not apply to that processing; please refer to the relevant business’s privacy notice.

3) Information we collect

We collect information in the following ways:

3.1 Information you provide

  • Identifiers & contact: name, email, phone number, address, company, job title.
  • Communications: messages you send us; content of support requests; call, SMS, and email content if you use our messaging features.
  • Account & billing: login credentials, subscription details, invoices, limited payment details (processed by our payment processor; we don’t store full card numbers).
  • Uploads: brand assets, images, videos, documents you share for a project.

3.2 Information collected automatically

  • Device & usage: IP address, device/OS, browser type, settings, language, approximate location, referring pages/URLs, pages viewed, links clicked, session duration.
  • Cookies & similar tech: analytics, performance, functional, and advertising cookies/pixels; unique identifiers; event data (e.g., page views, conversions). See §10 Cookies.

3.3 Information from third parties

  • Advertising & analytics partners (e.g., Google Ads/Analytics, social platforms) may provide aggregated insights, conversion data, and audience information.
  • Business customers may provide contact lists and lead data to use our Services (we process this on their behalf).
  • Public & commercial sources (e.g., business directories) and referrals.

Categories of personal information (CPRA/California): identifiers; commercial information; internet or network activity; approximate geolocation; professional information; inferences (for audience/ads optimization); and, if you use our messaging features, communication content. We do not intentionally collect sensitive personal information (as defined by CPRA) unless you provide it to us for a defined purpose; we do not use or disclose sensitive personal information to infer characteristics.

4) How we use information (purposes & legal bases)

We use personal information to:

  • Provide and operate the Services (set up accounts, build campaigns/sites, deliver AI/messaging features, provide support). (GDPR bases: contract, legitimate interests)
  • Measure and improve performance (analytics, troubleshooting, quality assurance, training). (legitimate interests)
  • Personalize content and ads and create audiences for our marketing and to help customers evaluate marketing performance. (consent where required; legitimate interests otherwise)
  • Communicate with you (service notices, security alerts, updates, marketing). (contract; legitimate interests; consent for marketing where required)
  • Process payments and collections. (contract; legal obligation; legitimate interests)
  • Comply with law, enforce terms, protect rights, safety, and prevent fraud/abuse. (legal obligation; legitimate interests)

We do not engage in solely automated decisions that produce legal or similarly significant effects about you without human involvement. Our AI features generate recommendations and drafts; humans remain responsible for final decisions and review.

5) How we share information

We share personal information with:

  • Service providers / processors who help us run the Services (hosting, customer support, analytics, ad tech, communications/SMS, payment processing, security). They must follow our instructions and protect your data.
  • Advertising & analytics partners (e.g., via pixels or SDKs) to measure campaigns, improve the Site, and show relevant ads. This may be considered “sharing” for cross‑context behavioral advertising under California law and, in limited cases, “selling” (e.g., when we make certain audience data available to partners). See §9 Your privacy choices to opt out.
  • Business transfers in a merger, acquisition, or sale of assets.
  • Legal, safety, and compliance when required by law, regulation, or to protect our rights, users, or the public.
  • With your direction or consent.

We do not sell contact lists that customers upload to use our Services.

6) International data transfers

We are based in the United States. If you access the Site from the EEA/UK or other regions with data protection laws, your information may be transferred to, stored, and processed in the U.S. and other countries. Where required, we use appropriate safeguards (e.g., the EU/UK Standard Contractual Clauses) and implement additional measures as appropriate.

7) Retention

We keep personal information for as long as necessary to provide the Services and for legitimate business purposes, including to meet legal, tax, or accounting requirements, resolve disputes, and enforce agreements. Typical retention periods (subject to change):

  • Marketing leads: until you opt out or for up to 24 months after your last interaction.
  • Account & contract data: duration of your account plus up to 7 years.
  • Project files & messaging logs: typically 12–24 months after project end or as set in your SOW/DPA.
  • Cookie data: per cookie lifespan (see your cookie settings).

8) Security

We use administrative, technical, and organizational measures designed to protect personal information (e.g., access controls, encryption in transit, role‑based permissions, employee confidentiality). No system is 100% secure; please use strong passwords and keep credentials confidential.

9) Your privacy choices & rights

Marketing communications. You can unsubscribe using the link in our emails or by contacting us.

Cookies & ads. Manage preferences via our cookie banner and your browser or device settings. You may also use industry tools (e.g., NAI/DAA opt‑outs). If you are in California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, or Virginia, you may have the right to opt out of targeted advertising/“sharing.”

Global Privacy Control (GPC). Where required by law, if we detect a valid GPC signal, we will treat it as a request to opt out of “selling”/“sharing” for the browser sending the signal.

California (CPRA) rights. You may have the right to know/access, delete, correct, opt out of selling/sharing, and limit the use of sensitive personal information. We do not use or disclose sensitive personal information for purposes requiring a “Limit” link. We do not knowingly sell or share personal information of consumers under 16.

EEA/UK rights. Where GDPR/UK GDPR applies, you may have the right to request access, rectification, erasure, restriction, portability, and to object to processing based on our legitimate interests, and to withdraw consent where processing is based on consent.

How to exercise your rights. Submit a request to privacy@bodyshopbyshah.com or use [insert web form URL, e.g., /privacy-choices]. We may ask you to verify your identity. Authorized agents may submit requests with proof of authorization. You have the right to lodge a complaint with your local supervisory authority.

10) Cookies & similar technologies

We use:

  • Strictly necessary cookies to operate the Site (security, network management).
  • Analytics/performance cookies to understand usage and improve the Site and Services.
  • Functional cookies to remember choices.
  • Advertising/retargeting cookies to reach interested audiences and measure campaigns.

You can adjust preferences via our cookie banner and your browser/device settings. Blocking some cookies may impact certain features. For mobile apps or SMS features, your device and carrier settings control permissions.

11) SMS/voice & email features

If you opt in to receive SMS/voice messages or use our messaging features:

  • You consent to receive messages (including autodialed or prerecorded) from us or on behalf of our business customers at the number you provide.
  • Message and data rates may apply; message frequency varies.
  • Reply STOP to stop, HELP for help.
  • Keep contact information current; obtain consent from recipients you message through our Services; and comply with applicable laws and carrier rules (e.g., TCPA/CTIA, CAN‑SPAM).
  • We may use filtering, rate limits, or blocks to prevent spam or abuse.

12) Children’s privacy

The Site and Services are not directed to children, and we do not knowingly collect personal information from anyone under 16 (or as defined by local law). If you believe a child has provided personal information, contact us to request deletion.

13) Third‑party links & sites

The Site may include links or integrations to third‑party websites, platforms, and services. Their privacy practices are governed by their own policies; we are not responsible for them. Please review their notices before using those services.

14) State‑specific disclosures (U.S.)

Notice at collection (California). We collect the categories listed in §3 for the purposes described in §4. We may “share” personal information for cross‑context behavioral advertising and, in limited cases, may be deemed to “sell” personal information. We retain information as described in §7. California residents can exercise rights as described in §9 and may use the “Do Not Sell or Share My Personal Information” link in our cookie banner or at [insert URL].

Non‑discrimination. We will not discriminate against you for exercising your privacy rights.

Appeals (e.g., CO/CT/VA). If we decline to act regarding your request, you may appeal by replying to our decision email or writing to privacy@bodyshopbyshah.com with subject “Appeal.”

15) International users

By using the Site or Services, you understand your information may be transferred to and processed in countries that may not provide the same level of protection as your home jurisdiction. Where required, we use appropriate safeguards and will provide copies upon request (subject to confidentiality).

16) Changes to this Policy

We may update this Policy from time to time. The “Last updated” date indicates when this Policy was last revised. Material changes will be highlighted on this page or via notice. Your continued use of the Site or Services after changes means you accept the updated Policy.

17) Contact us

Questions or requests? Email shah@bodyshopbyshah.com. You may also contact us by mail at the address above.

Appendix A — Summary of CPRA categories

| Category | Examples | Sources | Purposes | Shared/Sold? |
|---|---|---|---|---|
| Identifiers | name, email, phone, IP | you; automatic; partners | provide services; support; marketing | may share for ads; not sold in contact lists |
| Commercial info | records of services purchased | you | billing; support | no |
| Internet activity | browsing/interactions on our Site | automatic; partners | analytics; security; ads | may share for ads |
| Geolocation (approx.) | city/region via IP | automatic | analytics; localization | no |
| Professional info | company, role | you; public sources | B2B sales; support | no |
| Inferences | interest segments for ads | partners; analytics | personalize content/ads | may share for ads |
| Audio/communications | calls/SMS/emails via features | you; your end users | provide messaging features; support | no (processor role where applicable) |

We do not knowingly sell or share personal information of consumers under 16.

Appendix B — Processor/Service‑Provider role (for business customers)

When a business customer uses our Services to process personal information about its leads or customers, we act as a processor/service provider and:

  • Process only on documented instructions;
  • Implement appropriate security;
  • Assist with data subject requests and incident notifications as required;
  • Ensure sub‑processors are bound by comparable obligations; and
  • Delete or return personal information at the end of the engagement unless retention is required by law.

These obligations are detailed in our DPA (available on request).