This GDPR statement applies to all Bluewoo services, including bluewoo.com and hrms.bluewoo.com.
Your data is protected by Swiss hosting, strong encryption, tenant isolation, and full GDPR compliance. Here is exactly how we do it.
Last updated: February 24, 2026
Data Hosting
Bluewoo is hosted on Google Cloud Platform (GCP), with its primary region in Zurich, Switzerland (europe-west6). Full Swiss and EU data sovereignty — your data never leaves compliant jurisdictions.
Switzerland has been recognized by the European Commission as providing an adequate level of data protection, ensuring seamless cross-border data flows within the EU framework.
Encryption
- TLS 1.3 for all data in transit
- AES-256 encryption for all data at rest
- Google-managed encryption keys with automatic rotation
- End-to-end encryption for sensitive fields (passwords, tokens)
- Certificate pinning for API communications
Tenant Isolation
- Row-level security (RLS) enforced at the database level
- Per-tenant data boundaries ensure no cross-tenant data access
- Complete audit trail of all data access and modifications
- Automated security testing for isolation verification
Authentication & Access Control
- Google OAuth 2.0 with OpenID Connect for secure SSO
- Session-based authentication with secure HTTP-only cookies
- Role-based access control (RBAC) following the principle of least privilege
- Automatic session expiration and token rotation
- CSRF protection on all state-changing operations
- Rate limiting on authentication endpoints
Google API Services — User Data Disclosure
Bluewoo uses Google OAuth for authentication. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We request the following Google OAuth scopes:
- email — to identify your account
- profile — to display your name and avatar
- openid — for secure authentication
We do not sell, share, or transfer Google user data to any third party. We do not use Google user data for advertising, retargeting, or to train AI/ML models.
Data Subject Rights (GDPR Articles 15–22)
Under the GDPR and Swiss FADP, you have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of all your personal data
- Right to rectification (Art. 16) — correct inaccurate personal data
- Right to erasure (Art. 17) — request deletion of your personal data
- Right to restriction (Art. 18) — limit how we process your data
- Right to data portability (Art. 20) — receive your data in a structured format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent — withdraw consent at any time without affecting prior processing
- Right to lodge a complaint with your local data protection authority (FDPIC in Switzerland, or your EU/EEA supervisory authority)
To exercise any of these rights, contact us at privacy@bluewoo.com. We will respond within 30 days.
Legal Basis for Processing
- Contractual necessity (Art. 6(1)(b)) — account creation, service delivery, and billing
- Legitimate interest (Art. 6(1)(f)) — security monitoring and platform improvement
- Consent (Art. 6(1)(a)) — analytics cookies and optional communications
- Legal obligation (Art. 6(1)(c)) — financial record-keeping and regulatory compliance
You may withdraw consent at any time without affecting the lawfulness of prior processing.
Data Retention
We retain your data only as long as necessary for the purposes described:
- Active account data — duration of active account
- Data after account deletion — deleted within 30 days (backup recovery window)
- Server logs and error reports — 90 days
- Financial and billing records — 10 years (per Swiss commercial law, Art. 958f CO)
- Backup data — 30 days (rolling)
After retention periods expire, data is securely deleted or anonymized.
International Data Transfers
Our primary data hosting is in Switzerland (adequacy decision by the EU Commission). Where sub-processors operate outside the EU/EEA (Stripe, Resend, OpenAI), we rely on EU Standard Contractual Clauses (SCCs) and verify that each provider maintains appropriate technical and organizational safeguards.
Google Analytics data is processed only with your explicit consent under Google Consent Mode v2.
Sub-Processors
- Google Cloud Platform — Infrastructure & hosting (Zurich, Switzerland)
- Stripe — Payment processing (EU / US)
- Resend — Transactional email (US)
- OpenAI — AI processing (US)
- Google Analytics — Website analytics (US)
Cookies & Consent
We use cookies in accordance with our Cookie Policy and GDPR requirements:
- Strictly necessary cookies — essential for platform functionality (always active)
- Analytics cookies — Google Analytics 4, only with your explicit consent
- Personalization cookies — theme preferences and language settings
Breach Notification
- 72-hour notification to supervisory authorities as required by GDPR Art. 33
- Immediate internal escalation and incident response procedures
- Prompt notification to affected data subjects when required by GDPR Art. 34
- Post-incident review and implementation of preventive measures
Children's Privacy
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected such data, we will delete it promptly.
Data Protection Officer
For any privacy-related questions or to exercise your data protection rights, contact our Data Protection Officer:
Data Protection Officer: privacy@bluewoo.com
Myszkowski CX Consulting, Switzerland
Need a Data Processing Agreement?
We provide Data Processing Agreements (DPAs) for all customers who need them. Enterprise customers can receive customized DPAs tailored to their specific requirements.