This Privacy Policy applies to bluewoo.com and all its subdomains (including hrms.bluewoo.com where the Bluewoo HRMS application is hosted). It governs both the marketing site and the product application.
Last updated: February 24, 2026
Myszkowski CX Consulting, doing business as Bluewoo ("we", "our", "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, process, use, share, and protect your personal data in accordance with the Swiss Federal Act on Data Protection (FADP/nDSG), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws. This policy applies to all users of bluewoo.com and associated Bluewoo services.
1. Data Controller
Myszkowski CX Consulting, Schutzenstrasse 4, 6003 Luzern, Switzerland, is the data controller responsible for processing your personal data through bluewoo.com and associated services. Contact: privacy@bluewoo.com.
2. Data We Collect
We may collect the following categories of personal data:
- Contact information: Name, email address, company name when you fill out our contact form or sign up for our services.
- Account data: Full name, email, organization name, role, and password (hashed) when you create an account on any Bluewoo product.
- Google OAuth data: If you sign in with Google, we receive your Google account name, email address, profile image (if permitted), and Google account ID. We request only the email, profile, and openid scopes. We do not access Gmail, Google Drive, Google Calendar, or any other Google services.
- Usage and technical data: IP address, browser type and version, device information, access timestamps, referring URLs, and log data. This is collected automatically and is necessary for security, abuse prevention, and performance optimization.
- Communication data: Content of messages you send us through our contact form or support channels.
- Payment data: Processed via Stripe, Inc. We do not store full credit card numbers or CVVs. We retain only the Stripe customer ID and basic transaction metadata (amount, date, status).
3. Google API Services Compliance
Bluewoo's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We use Google user data solely for:
- Creating and authenticating your Bluewoo account
- Displaying your name and profile image within the platform
- Communicating about your account
We do not:
- Sell, share, or transfer Google user data to any third party (except infrastructure providers listed in Section 7)
- Use Google user data for advertising or retargeting
- Use Google user data to train generalized artificial intelligence or machine learning models
You can revoke Bluewoo's access to your Google account at any time via Google Account Permissions.
4. How We Use Your Data
We use your personal data for the following purposes and legal bases:
- Account creation and authentication — Contractual necessity (Art. 6(1)(b) GDPR)
- Providing and operating our services — Contractual necessity (Art. 6(1)(b) GDPR)
- Responding to inquiries and support — Contractual necessity (Art. 6(1)(b) GDPR)
- Security, abuse prevention, performance monitoring — Legitimate interest (Art. 6(1)(f) GDPR)
- Payment and subscription billing — Contractual necessity (Art. 6(1)(b) GDPR)
- AI-powered features — Contractual necessity (Art. 6(1)(b) GDPR) and consent where required
- Website analytics (with consent) — Consent (Art. 6(1)(a) GDPR)
- Compliance with legal obligations — Legal obligation (Art. 6(1)(c) GDPR)
5. Data Storage and Security
Your data is hosted on Google Cloud Platform (GCP), with the primary region in Zurich, Switzerland (europe-west6) and a secondary region in Belgium, EU (europe-west1). We implement comprehensive security measures including:
- TLS/HTTPS encryption for all data in transit
- Encryption at rest for all stored data
- Role-based access controls following the principle of least privilege
- Multi-tenant data isolation with row-level security
- Comprehensive audit logging
- Automated daily backups with encryption
- Regular security audits
- DDoS protection and web application firewall
- Vulnerability scanning and penetration testing
6. GDPR Compliance and Your Rights
As a Swiss company, we comply with the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). You have the right to:
- Access your personal data
- Rectify inaccurate data
- Request deletion of your data (right to be forgotten)
- Restrict processing of your data
- Object to processing
- Data portability
- Withdraw consent at any time
To exercise any of these rights, contact us at privacy@bluewoo.com. We will respond within 30 days. You also have the right to lodge a complaint with the FDPIC (Switzerland) or your local EU/EEA supervisory authority.
7. Sub-Processors and Third-Party Services
We use the following carefully selected service providers, each bound by data processing agreements:
- Google Cloud Platform: Application hosting, database, storage. Data location: EU (Zurich, Belgium).
- Stripe, Inc.: Payment processing and subscription billing. Data location: US (with Standard Contractual Clauses).
- Resend: Transactional email delivery. Data location: US (with Standard Contractual Clauses).
- OpenAI: AI-powered features. Data location: US (with Standard Contractual Clauses). OpenAI does not use API data for model training per enterprise terms.
- Google Analytics (GA4): Website analytics on marketing pages only, with consent. Data location: US (with Standard Contractual Clauses).
We never sell, rent, or trade personal data to any third party for marketing, advertising, or any other commercial purpose.
8. International Data Transfers
For US-based sub-processors (Stripe, Resend, OpenAI), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as adequate safeguards under GDPR Chapter V. Switzerland is recognized by the European Commission as providing adequate data protection. For Swiss transfers to third countries, we rely on the FDPIC list of adequate countries and contractual safeguards.
9. Data Retention
We retain your data for the following periods:
- Active account data: duration of active account
- Data after account deletion: deleted within 30 days (backup recovery window)
- Server logs and error reports: 90 days
- Financial and billing records: 10 years (per Swiss commercial law, Art. 958f CO)
- Backup data: 30 days (rolling)
After retention periods expire, data is securely deleted or anonymized.
10. AI and Automated Processing
Our AI features provide automated suggestions, analysis, and recommendations. These outputs are advisory only and do not constitute automated decision-making with legal or similarly significant effects under GDPR Art. 22. Final decisions always remain with authorized human users. When data is processed via AI providers, we apply data minimization and strip personal identifiers where feasible.
11. Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify the affected data subjects without undue delay in accordance with GDPR Art. 34. We maintain documented incident response procedures and conduct post-incident reviews to prevent recurrence.
12. Children's Data
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected such data, we will delete it promptly.
13. Cookies
We use strictly necessary cookies for platform functionality and optional analytics cookies (Google Analytics 4) that are only set with your explicit consent. For full details, please see our Cookie Policy.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via our website or email. The "Last updated" date above reflects the current version.
15. Contact
For any privacy-related questions or to exercise your data protection rights, please contact our Data Protection Officer:
Data Protection Officer: privacy@bluewoo.com
Myszkowski CX Consulting, Schutzenstrasse 4, 6003 Luzern, Switzerland