Privacy Policy

Buildingflow Ltd, trading as Hrvstr

Last updated: 12 March 2026


1. Who We Are

Hrvstr is a survey and questionnaire platform operated by Buildingflow Ltd, a company registered in England and Wales. We provide tools for creating, distributing, and analysing surveys for businesses and individuals.

Contact: contact@buildingflow.net


2. Information We Collect

2.1 Account Information

When you register for an Hrvstr account, we collect:

  • Your name and email address
  • A password (stored securely using industry-standard hashing)
  • Optional: two-factor authentication secrets (encrypted)

2.2 Survey Responses

When respondents complete surveys created on our platform, we collect:

  • Answers to survey questions (text, selections, ratings, etc.)
  • Digital signatures, where requested by the survey creator
  • IP address and browser user-agent at the time of signature submission (for audit purposes)
  • Timestamps of survey interactions

2.3 Usage and Analytics Data

We collect information about how you use our platform, including:

  • Pages visited and features used
  • Browser type, device, and operating system
  • Referring URLs and navigation paths

2.4 AI Features

When you use our AI-powered features (e.g., AI questionnaire builder, AI analytics), your prompts and relevant survey data are sent to OpenAI for processing. We do not send personal account information to OpenAI. OpenAI’s data processing is governed by their data processing agreement.

2.5 Payment Information

If you subscribe to a paid plan, payment processing is handled by our third-party payment provider. We do not store your full credit card details on our servers.


3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our platform
  • Authenticate your identity and secure your account
  • Process and display survey responses to survey creators
  • Generate analytics and insights from survey data
  • Send service-related communications (e.g., password resets, account notifications)
  • Monitor and prevent abuse of our platform
  • Comply with legal obligations

4. Cookies and Tracking

4.1 Essential Cookies

We use a session cookie (_hrvstr_key) that is strictly necessary for the platform to function. This cookie:

  • Stores your authenticated session
  • Is signed and cannot be tampered with
  • Expires when you close your browser or log out
  • Cannot be declined as it is essential for platform operation

4.2 Analytics Cookies

We use Google Analytics 4 and Google Tag Manager to understand how visitors use our platform. These services may set cookies including:

  • _ga — Distinguishes unique users (expires after 2 years)
  • _ga_* — Maintains session state (expires after 2 years)
  • _gid — Distinguishes unique users (expires after 24 hours)
  • _gat — Throttles request rate (expires after 1 minute)

4.3 Cookie Consent

When you first visit our site, you will be presented with a cookie consent banner. You can:

  • Accept all cookies — Enables analytics and any optional cookies
  • Accept only essential cookies — Only the session cookie will be set

Analytics cookies are blocked by default until you provide consent.

4.4 Embedded Surveys

When surveys are embedded on third-party websites via iframes, we do not set analytics or tracking cookies. Only the minimum technical cookies required for the survey to function are used.


5. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Contract — Processing necessary to provide you with our services (account management, survey delivery)
  • Legitimate interests — Analytics, security monitoring, and platform improvement
  • Consent — Analytics cookies and marketing communications (where applicable)
  • Legal obligation — Where we are required to retain data by law

6. Data Sharing

We do not sell your personal data. We share data only with:

| Third Party | Purpose | Data Shared |
|---|---|---|
| Google Analytics / GTM | Platform usage analytics | Anonymised usage data, IP address (anonymised) |
| OpenAI | AI-powered features | Survey prompts and question data (no personal account info) |
| Payment provider | Subscription billing | Name, email, payment details |

We may also disclose information if required by law, regulation, or legal process.


7. Data Retention

  • Account data — Retained while your account is active. Deleted upon account closure, subject to any legal retention requirements.
  • Survey responses — Retained while the associated questionnaire exists. Survey creators can delete responses at any time.
  • Signature audit data (IP, user-agent) — Retained for the lifetime of the signed survey response for legal audit purposes.
  • Analytics data — Retained in accordance with Google Analytics’ data retention settings (currently 14 months).
  • Server logs — Retained for up to 90 days for security and debugging purposes.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Secure password hashing using bcrypt
  • Signed and encrypted session cookies
  • Role-based access controls
  • Regular security reviews

9. Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Request correction of inaccurate data
  • Erasure — Request deletion of your data (“right to be forgotten”)
  • Restriction — Request that we limit how we use your data
  • Portability — Request your data in a structured, machine-readable format
  • Object — Object to processing based on legitimate interests
  • Withdraw consent — Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at contact@buildingflow.net.

We aim to respond to all requests within 30 days.


10. International Transfers

Your data may be processed outside the UK where our service providers operate (e.g., OpenAI in the United States, Google in various locations). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.


11. Children

Hrvstr is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.


12. Changes to This Policy

We may update this privacy policy from time to time. We will notify registered users of significant changes by email or through an in-platform notification. The “Last updated” date at the top of this page indicates when the policy was last revised.


13. Contact Us

If you have questions about this privacy policy or our data practices, please contact:

Buildingflow Ltd (trading as Hrvstr)
Email: contact@buildingflow.net

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.