BulidoBulidoBulido
PricingContact
BulidoBulido
Features
Quote and estimate creatorServices catalogueClients databaseProjectsCompany overviewCompany website
PricingContact

On this page

  • §1. Parties and basis of the Agreement
  • §2. Subject matter, nature, and purpose of processing
  • §3. Categories of data and data subjects
  • §4. Processor obligations
  • §5. Controller obligations
  • §6. Subprocessors
  • §7. Transfers outside the EEA
  • §8. Right of audit
  • §9. Liability
  • §10. Final provisions
  • Annex 1, Technical and organizational measures
  • Annex 2, List of subprocessors

Data Processing Agreement (DPA)

Version:
1.0
Effective date:
April 22, 2026

Annex to the BULIDO Terms of Service Version: 1.0 Effective date: 16 May 2026 Legally binding language version: Polish

Important: This English version is provided for convenience only. In case of any discrepancy, the Polish version prevails. The Agreement is governed by Polish law.

§1. Parties and basis of the Agreement

  1. This Data Processing Agreement (hereinafter: "DPA") is concluded between:
    1. The Client using the BULIDO service, as the Controller of personal data within the meaning of Article 4(7) GDPR,
    2. Entigo Radosław Suchowierski, ul. Bolesława Chrobrego 23, 78-230 Karlino, Poland, Tax ID (NIP): 6721984998, as the Processor within the meaning of Article 4(8) GDPR.
  2. The DPA is an integral part of the BULIDO Terms of Service. Acceptance of the Terms is equivalent to entering into the DPA.
  3. The DPA governs the rules for processing by the Processor of personal data entrusted to it by the Controller in connection with the use of the BULIDO Service.

§2. Subject matter, nature, and purpose of processing

Element Description
Subject matter Personal data entered by the Controller into BULIDO for the purpose of conducting business activity (including data of its end clients, contractors, employees).
Nature of processing Automated and manual operations: storage, organization, modification, disclosure (within Service functions), erasure.
Purpose Providing the BULIDO Service to the Controller in accordance with the Terms.
Duration Term of the Agreement + data retention period under the Terms (up to 90 days after Account expiration).

§3. Categories of data and data subjects

  1. Categories of data subjects:

    1. end clients of the Controller (persons for whom the Controller issues quotes or performs work),
    2. contractors, suppliers of the Controller,
    3. employees or associates of the Controller (if the Controller enters their data into BULIDO).

  2. Categories of personal data:

    1. identification data (name, surname, company name),
    2. contact data (address, e-mail, phone),
    3. business data (Tax ID, REGON),
    4. data related to orders and quotes (scope of work, amounts, deadlines),
    5. other data entered by the Controller.

  3. The Processor is not authorized to process special categories of personal data (Article 9 GDPR) or data on criminal convictions (Article 10 GDPR), unless the Controller informs the Processor of the intention to enter such data. Entering such data into BULIDO is at the sole responsibility of the Controller.

§4. Processor obligations

The Processor undertakes to:

  1. process personal data only on the documented instruction of the Controller, whereby the Controller's use of the BULIDO Service constitutes such an instruction within the scope of the Service's functionality;
  2. ensure that persons authorized to process the data are bound by confidentiality;
  3. implement appropriate technical and organizational measures to ensure data security (in accordance with Article 32 GDPR), described in Annex 1 to the DPA;
  4. assist the Controller in fulfilling its obligations under GDPR, including in responding to requests from data subjects;
  5. promptly notify the Controller of a personal data breach, no later than 48 hours after becoming aware of it;
  6. upon termination of the Agreement, delete the data in accordance with the retention policy described in the Terms (up to 90 days after Account expiration), unless an obligation to retain the data follows from law.

§5. Controller obligations

The Controller undertakes to:

  1. process personal data in accordance with GDPR and other applicable law,
  2. have a valid legal basis for processing data entered into BULIDO,
  3. fulfill information obligations towards data subjects whose data is entered into BULIDO (including Articles 13–14 GDPR),
  4. not enter into BULIDO data whose processing would go beyond the purpose of providing the Service.

§6. Subprocessors

  1. The Controller gives general consent to the Processor's use of the subprocessors listed in Annex 2 to the DPA.
  2. The Processor will inform the Controller of planned changes to subprocessors (addition of a new one, change of an existing one) at least 14 days in advance, by e-mail or via notification in the Account panel.
  3. The Controller may raise a justified objection to a change of subprocessor within 14 days of notification. If no amicable solution can be reached, the Controller may terminate the Agreement in accordance with the Terms.
  4. The Processor ensures that each subprocessor is bound by analogous data protection obligations as those arising from the DPA.

§7. Transfers outside the EEA

  1. Some subprocessors (including OpenAI, Google) process data in third countries (USA).
  2. Data transfers take place on the basis of:
    1. EU-U.S. Data Privacy Framework: for entities that have joined it, or
    2. Standard Contractual Clauses (SCC) approved by the European Commission.
  3. Details of transfers for each subprocessor are set out in Annex 2.

§8. Right of audit

  1. The Controller has the right to audit the Processor's compliance with the DPA.
  2. The audit is conducted at the Controller's expense, after prior agreement of the date with the Processor (at least 30 days before the planned audit), during the Processor's working hours and in a manner minimizing disruption to its operations.
  3. The Processor may fulfill the obligation referred to in paragraph 1 by providing the Controller with reports from external audits, certificates, or other documents confirming compliance with data protection requirements.

§9. Liability

  1. Each Party is liable for damages caused to the other Party as a result of breach of the DPA.
  2. The Processor's liability towards the Controller arising from the DPA is subject to the limitations set out in the BULIDO Terms of Service.
  3. The provisions of paragraph 2 do not limit the Parties' liability towards supervisory authorities or data subjects, arising directly from GDPR.

§10. Final provisions

  1. The DPA enters into force upon acceptance of the Terms and is in force for the term of the Agreement.
  2. Matters not regulated by the DPA are governed by GDPR, the Polish Personal Data Protection Act, and the Terms.
  3. The applicable law is Polish law. Disputes are settled by the court competent for the Processor's registered office.

Annex 1, Technical and organizational measures

The Processor has implemented in particular the following data protection measures:

Technical measures:

  • encryption of data transmission (TLS/HTTPS),
  • encryption of passwords and authentication data,
  • regular updates of software and operating systems,
  • regular data backups within the EEA hosting infrastructure,
  • protection against unauthorized access (firewall, network segmentation),
  • monitoring of security events.

Organizational measures:

  • role-based access control,
  • confidentiality obligations of authorized persons,
  • procedure for handling personal data breaches,
  • ongoing maintenance of data protection documentation.

Annex 2, List of subprocessors

Subprocessor Processing scope Location Transfer basis
DigitalOcean LLC (USA, infrastructure in DE) Application hosting, database, backups, files Frankfurt, Germany (EEA) SCC with provider
Stripe Payments Europe Ltd. Payment processor (processing of Client's payment data) Ireland (EEA) not applicable
Brevo (Sendinblue SAS) Transactional and marketing e-mail France (EEA) not applicable
OpenAI, L.L.C. OCR of accounting documents (receipts, invoices), without using data for model training USA EU-U.S. Data Privacy Framework + SCC
Google Ireland Ltd. (Google Analytics) bulido.com website analytics EU / USA EU-U.S. Data Privacy Framework + SCC

The current list is set out in this DPA and is updated in accordance with §6.

This DPA is drawn up in three language versions: Polish, English, and German. In case of discrepancies, the Polish version prevails.

BulidoBulidoBulido

Bulido is quoting and estimating software for builders, contractors and renovation companies — put together estimates and quotes faster, stay on top of projects and payments, and save time by automating the day-to-day work.

Company details

Entigo

ul. Bolesława Chrobrego 23

78-230 Karlino

VAT: 672 198 49 98

Contact

  • +48 799 201 902
  • contact@bulido.com
  • Blog
  • About us
  • Careers
  • Terms of Service
  • Privacy Policy
  • Help

© 2026 Bulido. All rights reserved.