Privacy Policy

1. Introduction

Blue House Technologies Sp. z o.o., a limited liability company registered in Poland with its registered office at Wspólna 17, 16-300 Augustów, Poland ("Company", "we", "us", or "our"), operates the RizzeUp service ("Service").

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Service. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR).

For the purposes of the GDPR, the Company is the data controller for personal data collected through your use of the Service, except for billing and payment data, which is controlled by Paddle.com Market Limited as described below.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

• Name
• Email address
• Company name (if applicable)
• Password (stored in hashed form)

2.2 Billing and Payment Data

All billing and payment information is collected and processed by Paddle.com Market Limited ("Paddle"), which acts as the Merchant of Record for all transactions. Paddle is an independent data controller for billing and payment data.

We receive limited billing information from Paddle (such as subscription status and transaction IDs) but do not have access to your complete payment card details. For information about how Paddle processes your payment data, please refer to Paddle's Privacy Policy at https://www.paddle.com/legal/privacy.

2.3 Usage Data

We automatically collect information about how you use the Service, including:

• Features accessed and actions performed
• Token usage and consumption patterns
• Date and time of access
• Browser type, IP address, and device information
• Pages visited and navigation patterns

2.4 Integration Data

When you authorize the Service to connect with third-party platforms (Shopify and Klaviyo), we access and process:

• Store information and product data (from Shopify)
• Email campaign data and subscriber lists (from Klaviyo)
• Analytics and performance metrics from connected platforms

We only access data that you explicitly authorize and that is necessary to provide the Service functionality.

2.5 AI-Generated Content

When you use AI-powered features, we process:

• Your prompts and inputs
• Generated content (strategies, campaigns, flows, audits)
• Context from your store and Klaviyo account (as necessary)

This data is processed by OpenAI's API to generate AI-powered recommendations. OpenAI acts as a data processor on our behalf.

2.6 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to maintain your session, remember your preferences, and analyze usage patterns. You can control cookie settings through your browser preferences.

3. How We Use Your Data

We use your personal data for the following purposes:

3.1 To Provide the Service (Legal Basis: Contract)

• Create and manage your account
• Provide access to Service features and functionality
• Process and fulfill your requests
• Communicate with you about your account and the Service

3.2 To Operate and Improve the Service (Legal Basis: Legitimate Interests)

• Monitor and analyze usage patterns and trends
• Improve Service functionality and user experience
• Develop new features and capabilities
• Ensure security and prevent fraud or abuse
• Troubleshoot technical issues

3.3 Billing and Compliance (Legal Basis: Legal Obligation)

• Process payments and manage subscriptions (via Paddle)
• Comply with tax and accounting requirements
• Comply with legal obligations and respond to lawful requests

3.4 Marketing (Legal Basis: Consent, where required)

• Send you product updates, newsletters, and promotional materials (with your consent)
• You may opt out of marketing communications at any time

4. How We Share Your Data

We share your personal data only as described below:

4.1 Service Providers and Processors

• Paddle - Payment processing and billing. Paddle acts as Merchant of Record and is an independent data controller for billing and payment data.
• OpenAI - AI-powered content generation. OpenAI processes prompts and generates content on our behalf as a data processor.
• Supabase - Database hosting and infrastructure. Supabase stores your account data and usage information as a data processor.
• Shopify and Klaviyo - You authorize these integrations, and we access only the data you explicitly permit.

4.2 Legal Requirements

We may disclose your data if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity.

5. International Data Transfers

Your data may be transferred to and processed in countries outside of the European Economic Area (EEA) or Poland, including the United States, where some of our service providers are located.

When we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions where applicable.

6. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Service. After you close your account, we may retain certain data for a limited period to comply with legal obligations, resolve disputes, enforce agreements, and for backup and archival purposes.

Usage data and aggregated analytics may be retained indefinitely in anonymized form.

7. Data Security

We implement reasonable technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, access controls, secure data storage, and regular security assessments.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee its absolute security.

8. Your Rights (GDPR)

Under the GDPR and applicable data protection laws, you have the following rights:

• Right of Access - Request a copy of the personal data we hold about you
• Right to Rectification - Request correction of inaccurate or incomplete data
• Right to Erasure - Request deletion of your personal data (subject to legal retention requirements)
• Right to Restriction - Request that we limit the processing of your data in certain circumstances
• Right to Data Portability - Request a copy of your data in a structured, machine-readable format
• Right to Object - Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent - Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at pd@bluehouse.tech. We will respond to your request within 30 days.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. We will notify you of material changes by email or through a notice on the Service. The "Last updated" date at the top of this policy indicates when it was last revised.

Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

11. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Blue House Technologies Sp. z o.o.
Wspólna 17
16-300 Augustów, Poland
Email: pd@bluehouse.tech