Privacy Policy
Last updated: March 2026
1. Data Controller
The controller responsible for data processing on this platform within the meaning of the General Data Protection Regulation (GDPR) is:
Blzzr LLC
30 N Gould ST STE R
Sheridan, WY 82801, USA
Email: info@brandblizz.com
(hereinafter referred to as “Provider”, “we”, or “us”)
2. Overview of Data Processing
We process personal data only to the extent necessary to provide a functional platform and to deliver our services. The processing of personal data occurs regularly only with the consent of the user or where processing is permitted by statutory regulations.
Types of Data Processed
- Account data – email address, name, password hash, authentication method
- Usage data – session identifiers, pages visited, features used, timestamps
- Device & access data – IP address (anonymized), browser type, operating system, device type, approximate location (country/city level)
- Payment data – email address shared with Stripe; credit card and billing details are processed exclusively by Stripe and never stored on our servers
- Content data – brand information, business descriptions, and other inputs submitted by the user for AI-powered analysis
Purposes of Processing
- Provision and operation of the platform
- User authentication and account management
- Processing of payments
- Delivery of AI-powered brand analysis and related services
- Sending transactional emails (e.g., confirmations, magic links)
- Newsletter delivery (with explicit consent)
- Web analytics for service improvement (first-party, consent-based)
- Compliance with legal obligations
3. Legal Basis for Data Processing
We process personal data on the following legal bases under the GDPR:
- Art. 6(1)(a) GDPR – Consent: Where the user has given explicit consent to the processing of their personal data for one or more specific purposes (e.g., newsletter subscription, analytics cookies).
- Art. 6(1)(b) GDPR – Performance of a contract: Where processing is necessary for the performance of a contract to which the user is a party, or in order to take steps at the request of the user prior to entering into a contract (e.g., account registration, service delivery, payment processing).
- Art. 6(1)(f) GDPR – Legitimate interest: Where processing is necessary for the purposes of legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the user (e.g., platform security, fraud prevention, service improvement).
4. Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. These include:
- Transport Layer Security (TLS): All data transmitted between the user’s browser and our servers is encrypted using TLS/HTTPS.
- Row Level Security (RLS): Database-level access controls ensure that each user can only access their own data.
- Data minimization: We collect and process only the data strictly necessary for the respective purpose.
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. Administrative access is protected by multi-factor authentication.
- Password security: User passwords are never stored in plaintext; only cryptographic hashes are retained.
5. Data Processing Agreements & International Transfers
We have concluded Data Processing Agreements (DPAs / Auftragsverarbeitungsverträge, “AVVs”) in accordance with Art. 28 GDPR with all third-party processors that handle personal data on our behalf. These agreements ensure that all processors are contractually bound to process data in compliance with GDPR requirements.
Where personal data is transferred to processors located outside the European Economic Area (EEA), we ensure an adequate level of data protection through one or more of the following safeguards:
- EU-US Data Privacy Framework (DPF): For US-based processors that are certified under the DPF, the European Commission has recognized an adequate level of data protection.
- Standard Contractual Clauses (SCCs): For transfers to third countries without an adequacy decision, we rely on the Standard Contractual Clauses adopted by the European Commission as supplementary safeguards.
6. Hosting & Infrastructure
Vercel Inc.
Our platform is hosted on Vercel Inc. (440 N Baxter St, Suite 4060, Los Angeles, CA 90036, USA). Vercel provides the frontend hosting, serverless functions, and edge network delivery for our platform. Vercel is certified under the EU-US Data Privacy Framework (DPF).
When you access our platform, your IP address and technical metadata (browser type, operating system) are processed by Vercel’s servers for the purpose of delivering the website. This processing is based on Art. 6(1)(b) and Art. 6(1)(f) GDPR.
Supabase Inc.
Our database and authentication services are provided by Supabase Inc. (970 Toa Payoh North #07-04, Singapore 318992). Our Supabase project is hosted in the EU region (eu-west-2), meaning that all user data stored in our database remains within the European Union. Supabase processes data on our behalf under a Data Processing Agreement in accordance with Art. 28 GDPR.
7. Cookies & Consent
Our platform uses cookies and similar technologies. Cookies are small text files stored on your device by your browser. We categorize our cookies as follows:
| Category | Cookie Name | Purpose |
|---|---|---|
| Essential | sb-* | Supabase authentication session cookies, required for login and secure access |
| Essential | bb-consent | Stores your cookie consent preferences |
| Analytics | bb-session-id | First-party session identifier for anonymous usage analytics; set only with your consent |
| Functional | bb-chat-session | Maintains the state of the AI chat assistant within a session |
| Analytics / Marketing | _fbp | Meta Pixel – identifies the browser for ad attribution (90 days) |
| Analytics / Marketing | _fbc | Meta Pixel – stores the click ID when a user clicks a Meta ad (90 days) |
Essential cookies are strictly necessary for the operation of the platform and are set without consent in accordance with Art. 6(1)(b) and Art. 6(1)(f) GDPR. Analytics and functional cookies are only set after you have given your explicit consent via our cookie banner, in accordance with Art. 6(1)(a) GDPR. You may withdraw your consent at any time by adjusting your preferences through the cookie banner.
8. Registration & Authentication
To use the platform, you must create a user account. During registration, we collect and process the following data:
- Email address
- Full name
- Password hash (for password-based authentication; the password itself is never stored)
We offer the following authentication methods:
- Magic Link: A one-time login link is sent to your email address via our transactional email provider.
- Google OAuth: Authentication via your Google account. We receive your name and email address from Google; we do not access any other Google account data.
- Password: Traditional email and password authentication. Passwords are cryptographically hashed before storage.
The legal basis for processing registration data is Art. 6(1)(b) GDPR (performance of a contract).
9. Newsletter
You may subscribe to our newsletter to receive updates about new features, brand strategy insights, and platform announcements. We use a double opt-in procedure: after entering your email address, you will receive a confirmation email with a verification link. Your subscription is only activated once you click this link.
The newsletter may include product updates, feature announcements, brand strategy tips, educational content related to brand development, and promotional offers related to Brandblizz services.
You may unsubscribe at any time by clicking the unsubscribe link included in every newsletter email, or by contacting us at info@brandblizz.com.
The legal basis for processing your email address for newsletter purposes is Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to the withdrawal.
10. Payment Processing
Payment processing for paid services is handled by Stripe Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA). When you make a purchase, your email address is shared with Stripe to facilitate the transaction and send payment receipts.
All payment card data (credit card numbers, expiration dates, CVV codes) is processed exclusively by Stripe and is never transmitted to or stored on our servers. Stripe is PCI-DSS compliant (Payment Card Industry Data Security Standard), ensuring the highest level of security for payment data.
Stripe is certified under the EU-US Data Privacy Framework. For more information, please refer to Stripe’s Privacy Policy.
The legal basis for sharing data with Stripe is Art. 6(1)(b) GDPR (performance of a contract).
11. AI-Powered Services
Our platform uses artificial intelligence to deliver brand analysis, strategic recommendations, and creative content. The following AI providers are integrated:
OpenAI
OpenAI, L.L.C. (3180 18th Street, San Francisco, CA 94110, USA) is used for brand analysis, strategy generation, and creative content creation. User inputs related to brand information are submitted to OpenAI for processing. Data is used for processing only and is not stored permanently by OpenAI under our API agreement. OpenAI does not use data submitted via our API to train its models.
Google Gemini
Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) provides the Gemini AI model used for competitive research and market analysis. Data submitted for processing is not stored permanently and is used solely for generating the requested analysis results.
Important note: Data submitted to AI providers is used exclusively for the purpose of generating the requested analysis or content. It is not stored permanently by the AI providers and is not used for training purposes under our enterprise/API agreements.
The legal basis for this processing is Art. 6(1)(b) GDPR (performance of a contract).
12. Third-Party Services
Resend
We use Resend Inc. for sending transactional emails (e.g., magic link authentication, password reset, email verification, payment confirmations). Your email address and name are shared with Resend for this purpose. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).
Firecrawl
We use Firecrawl for web analysis as part of our competitive research features. Firecrawl crawls and analyzes publicly available website data. No personal data is transmitted to Firecrawl; only publicly accessible URLs are submitted for analysis.
13. Web Analytics
For analysing the usage of our website we use a first-party, self-hosted analytics system. In addition, we use the Meta Pixel (Facebook Pixel) to measure the effectiveness of our advertising (see Section 13a).
First-Party Analytics
Our analytics are session-based and do not track individual users across sessions. We collect anonymized usage data such as pages visited, features used, session duration, and device type to improve our platform.
Analytics data is only collected with your explicit consent via our cookie banner. If you do not consent, no analytics data is collected.
We respect the Do Not Track (DNT) signal sent by your browser. If your browser sends a DNT header, no analytics data will be collected regardless of your cookie consent status.
The legal basis for analytics processing is Art. 6(1)(a) GDPR (consent).
13a. Meta Pixel / Conversions API
Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (Privacy Policy).
Purpose: We use the Meta Pixel and Meta Conversions API (CAPI) to measure the effectiveness of our advertising on Instagram and Facebook, create audiences, and track conversions.
Data Collected & Events
Browser-side (Meta Pixel):
- PageView (page visits)
- Lead (contact enquiries)
- InitiateCheckout (start of the purchase process)
- Purchase (completed purchase)
- CompleteRegistration (sign-up)
Server-side (Conversions API): The same events are additionally sent to Meta server-side. The following data is transmitted in hashed form: email address, first name, last name. Transmitted unhashed: IP address (anonymised), user agent, click ID (fbc), and browser ID (fbp). A shared event ID (event_id) is used for deduplication.
Cookies
- _fbp – Identifies the browser for ad attribution (retention: 90 days)
- _fbc – Stores the click ID when a user clicks a Meta ad (retention: 90 days)
Consent: The Meta Pixel is loaded only after your explicit consent via our cookie banner. Without your consent, no data is transmitted to Meta and no cookies are set. We also respect the Do Not Track signal sent by your browser.
Withdrawal: You can withdraw your consent at any time via the cookie banner (accessible from the website footer). You can also adjust your ad preferences directly with Meta: Meta Ad Preferences.
International transfer: Meta Platforms, Inc. is based in the USA. Data transfers are carried out on the basis of the EU-U.S. Data Privacy Framework (DPF), for which Meta is certified.
Legal basis: Art. 6(1)(a) GDPR (consent).
14. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed, and to access that data.
- Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data.
- Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data, subject to statutory retention obligations.
- Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of processing under certain circumstances.
- Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests at any time.
In-app options: You can exercise several of these rights directly within the platform. Your account settings allow you to export your data and to permanently delete your account and all associated data.
To exercise any of your rights, you may also contact us at info@brandblizz.com.
15. Withdrawal of Consent
Where we process your data based on consent (Art. 6(1)(a) GDPR), you have the right to withdraw that consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out based on consent before its withdrawal.
You may withdraw your consent through the following means:
- Cookie banner: Adjust your cookie preferences at any time by reopening the cookie consent banner.
- Account settings: Manage your communication preferences and data processing consents within your account dashboard.
- Email: Contact us at info@brandblizz.com to withdraw any consent.
16. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR).
A list of supervisory authorities in Germany is available from the Federal Commissioner for Data Protection and Freedom of Information (BfDI): www.bfdi.bund.de
17. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in our data practices, legal requirements, or platform features. In the event of material changes, we will notify registered users by email.