Bluewoo

Your data is protected by Swiss hosting, strong encryption, tenant isolation, and full GDPR compliance. Here is exactly how we do it.

Last updated: February 2026

Data Hosting

Hosted on Google Cloud Platform (GCP) with primary region in Zurich, Switzerland (europe-west6). Full Swiss and EU data sovereignty — your data never leaves compliant jurisdictions.

Switzerland has been recognized by the European Commission as providing an adequate level of data protection, ensuring seamless cross-border data flows within the EU framework.

Encryption

- TLS 1.3 for all data in transit

- AES-256 encryption for all data at rest

- Google-managed encryption keys with automatic rotation

- End-to-end encryption for sensitive fields (passwords, tokens)

- Certificate pinning for API communications

Tenant Isolation

- Row-level security (RLS) enforced at the database level

- Per-tenant data boundaries ensure no cross-tenant data access

- Complete audit trail of all data access and modifications

- Automated security testing for isolation verification

Authentication & Access Control

- Google OAuth 2.0 with OpenID Connect for secure SSO

- Session-based authentication with secure HTTP-only cookies

- Role-based access control (RBAC) with principle of least privilege

- Automatic session expiration and token rotation

- CSRF protection on all state-changing operations

- Rate limiting on authentication endpoints

Google API Services — User Data Disclosure

Bluewoo uses Google OAuth for authentication and, optionally, for HeyBlue HR features. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Sign-in scopes (Bluewoo HRMS):

- openid — for secure authentication via OpenID Connect

- email — to identify your Bluewoo account

- profile — to display your name and profile image within the platform

HeyBlue scopes (Bluewoo HeyBlue features client; optional, granted only if you choose to connect HeyBlue):

- gmail.send — to send HR communications on your behalf, after you review and approve each draft in Bluewoo's interface

- calendar.readonly — to read your calendar for availability when scheduling HR-related events

- calendar.events — to create HR-related calendar events with your explicit instruction

- drive.file — to create and manage HR documents Bluewoo generates on your behalf; Bluewoo can only access files it created or files you explicitly opened with Bluewoo

- documents — to generate and edit Google Docs created by Bluewoo, such as offer letters, employment contracts, and HR policies

How we use Google user data:

- Creating and authenticating your Bluewoo account

- Displaying your name and profile image within the platform

- Sending account-related communications

- Operating HeyBlue features you have explicitly enabled (sending HR emails you approve, scheduling HR events, generating HR documents in your Drive)

We do not sell, share, or transfer Google user data to any third party (except infrastructure providers under data processing agreements). We do not use Google user data for advertising, retargeting, or to train generalized AI/ML models. Where AI features process Google user data (for example, drafting an email through HeyBlue), the data is sent to our AI provider under enterprise terms that prohibit training on submitted data.

Data Subject Rights (GDPR Articles 15–22)

Under the GDPR and Swiss FADP, you have the following rights regarding your personal data:

- Right of access (Art. 15) — request a copy of all your personal data

- Right to rectification (Art. 16) — correct inaccurate personal data

- Right to erasure (Art. 17) — request deletion of your personal data

- Right to data portability (Art. 20) — receive your data in a structured format

- Right to restriction (Art. 18) — limit how we process your data

- Right to object (Art. 21) — object to processing based on legitimate interest

- Right to withdraw consent — withdraw consent at any time without affecting prior processing

- Right to lodge a complaint with your local data protection authority (FDPIC in Switzerland, or your EU/EEA supervisory authority)

To exercise any of these rights, contact us at privacy@bluewoo.com. We will respond within 30 days.

Legal Basis for Processing

- Contractual necessity (Art. 6(1)(b)) — account creation, service delivery, and billing

- Legitimate interest (Art. 6(1)(f)) — security monitoring and platform improvement

- Consent (Art. 6(1)(a)) — analytics cookies and optional communications

- Legal obligation (Art. 6(1)(c)) — financial record-keeping and regulatory compliance

You may withdraw consent at any time without affecting the lawfulness of prior processing.

Data Retention

We retain your data only as long as necessary for the purposes described:

- Active account data — duration of active account

- Data after account deletion — deleted within 30 days (backup recovery window)

- Server logs and error reports — 90 days

- Financial and billing records — 10 years (per Swiss commercial law, Art. 958f CO)

- Backup data — 30 days (rolling)

After retention periods expire, data is securely deleted or anonymized.

International Data Transfers

Our primary data hosting is in Switzerland (adequacy decision by the EU Commission). Where sub-processors operate outside the EU/EEA (Stripe, Resend, OpenAI), we rely on EU Standard Contractual Clauses (SCCs) and verify that each provider maintains appropriate technical and organizational safeguards.

Google Analytics data is processed only with your explicit consent under Google Consent Mode v2.

Sub-Processors

- Google Cloud Platform — Infrastructure & hosting (Zurich, Switzerland)

- Stripe — Payment processing (EU / US)

- Resend — Transactional email (US)

- OpenAI — AI processing (US)

- Google Analytics — Website analytics (US)

Cookies & Consent

We use cookies in accordance with our Cookie Policy and GDPR requirements:

- Strictly necessary cookies — essential for platform functionality (always active)

- Analytics cookies — Google Analytics 4, only with your explicit consent

- Personalization cookies — theme preferences and language settings

Breach Notification

- 72-hour notification to supervisory authorities as required by GDPR Art. 33

- Immediate internal escalation and incident response procedures

- Prompt notification to affected data subjects when required by GDPR Art. 34

- Post-incident review and preventive measures implementation

Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected such data, we will delete it promptly.

Data Protection Officer

For any privacy-related questions or to exercise your data protection rights, contact our Data Protection Officer:

Data Protection Officer: privacy@bluewoo.com

Myszkowski CX Consulting, Switzerland

Need a Data Processing Agreement?

We provide Data Processing Agreements (DPAs) for all customers who need them. Enterprise customers can receive customized DPAs tailored to their specific requirements.