Bluewoo

Privacy Policy

Last updated: February 24, 2026

Myszkowski CX Consulting, doing business as Bluewoo ("we", "our", "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, process, use, share, and protect your personal data in accordance with the Swiss Federal Act on Data Protection (FADP/nDSG), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws. This policy applies to all users of bluewoo.com and associated Bluewoo services.

1. Data Controller

Myszkowski CX Consulting, Schützenstrasse 4, 6003 Luzern, Switzerland, is the data controller responsible for processing your personal data through bluewoo.com and associated services. Contact: privacy@bluewoo.com.

2. Data We Collect

We may collect the following categories of personal data:

- Contact information: Name, email address, and company name, provided when you fill out our contact form or sign up for our services.

- Account data: Full name, email, organization name, role, and password (hashed) when you create an account on any Bluewoo product.

- Google OAuth data: If you sign in with Google, we receive your Google account name, email address, profile image (if permitted), and Google account ID. If you enable HeyBlue features and connect your Google account, we additionally access Gmail (send-only), Google Calendar (read and create events), and Google Drive/Docs (limited to files created or explicitly opened with Bluewoo). See Section 3 for the complete scope list and usage.

- Usage and technical data: IP address, browser type and version, device information, access timestamps, referring URLs, and log data. This is collected automatically and is necessary for security, abuse prevention, and performance optimization.

- Communication data: Content of messages you send us through our contact form or support channels.

- Payment data: Processed via Stripe, Inc. We do not store full credit card numbers or CVVs. We retain only the Stripe customer ID and basic transaction metadata (amount, date, status).

3. Google API Services Compliance

Bluewoo's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Scopes we request

Sign-in (Bluewoo HRMS):

- openid — secure authentication via OpenID Connect

- email — to identify your Bluewoo account

- profile — to display your name and profile image within the platform

HeyBlue features (Bluewoo HeyBlue features client, optional, granted only if you choose to connect HeyBlue):

- gmail.send — to send HR communications (welcome emails, policy reminders, onboarding messages) on your behalf, after you review and approve each draft in Bluewoo's interface

- calendar.readonly — to read your calendar for availability when scheduling HR-related events such as 1:1s, vacation conflicts, and onboarding sessions

- calendar.events — to create HR-related calendar events on your calendar with your explicit instruction

- drive.file — to create and manage HR documents Bluewoo generates on your behalf (offer letters, policies, contracts); Bluewoo can only access files it created or files you explicitly opened with Bluewoo

- documents — to generate and edit Google Docs created by Bluewoo, such as offer letters, employment contracts, and HR policies

How we use Google user data

We use Google user data solely for the purposes described above — operating the HR features you have explicitly enabled in Bluewoo. We do not:

- Sell, share, or transfer Google user data to any third party, except infrastructure providers listed in Section 7 who process data on our behalf under data processing agreements

- Use Google user data for advertising, retargeting, or marketing

- Use Google user data to train generalized AI or machine learning models. Where AI features process Google user data (for example, drafting an email through HeyBlue), the data is sent to our AI provider under enterprise terms that prohibit training on submitted data

- Allow humans to read Google user data, except (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized

Your control

You can revoke Bluewoo's access to your Google account at any time via your Google Account Permissions at https://myaccount.google.com/permissions. Revoking access removes Bluewoo's ability to call Google APIs on your behalf; previously created data (such as documents Bluewoo generated in your Drive) remains in your Google account under your control.

4. How We Use Your Data

We use your personal data for the following purposes and legal bases:

- Account creation and authentication — Contractual necessity (Art. 6(1)(b) GDPR)

- Providing and operating our services — Contractual necessity (Art. 6(1)(b) GDPR)

- Responding to inquiries and support — Contractual necessity (Art. 6(1)(b) GDPR)

- Security, abuse prevention, performance monitoring — Legitimate interest (Art. 6(1)(f) GDPR)

- Payment and subscription billing — Contractual necessity (Art. 6(1)(b) GDPR)

- AI-powered features — Contractual necessity (Art. 6(1)(b) GDPR) and consent where required

- Website analytics (with consent) — Consent (Art. 6(1)(a) GDPR)

- Compliance with legal obligations — Legal obligation (Art. 6(1)(c) GDPR)

5. Data Storage and Security

Your data is hosted on Google Cloud Platform (GCP), with the primary region in Zurich, Switzerland (europe-west6) and a secondary region in Belgium, EU (europe-west1). We implement comprehensive security measures, including:

- TLS/HTTPS encryption for all data in transit

- Encryption at rest for all stored data

- Role-based access controls following the principle of least privilege

- Multi-tenant data isolation with row-level security

- Comprehensive audit logging

- Automated daily backups with encryption

- Regular security audits

- DDoS protection and web application firewall

- Vulnerability scanning and penetration testing

6. GDPR Compliance and Your Rights

As a Swiss company, we comply with the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). You have the right to:

- Access your personal data

- Rectify inaccurate data

- Request deletion of your data (right to be forgotten)

- Restrict processing of your data

- Object to processing

- Request data portability

- Withdraw consent at any time

To exercise any of these rights, contact us at privacy@bluewoo.com. We will respond within 30 days. You also have the right to lodge a complaint with the FDPIC (Switzerland) or your local EU/EEA supervisory authority.

7. Sub-Processors and Third-Party Services

We use the following carefully selected service providers, each bound by data processing agreements:

- Google Cloud Platform: Application hosting, database, storage. Data location: EU (Zurich, Belgium).

- Stripe, Inc.: Payment processing and subscription billing. Data location: US (with Standard Contractual Clauses).

- Resend: Transactional email delivery. Data location: US (with Standard Contractual Clauses).

- OpenAI: AI-powered features. Data location: US (with Standard Contractual Clauses). OpenAI does not use API data for model training per enterprise terms.

- Google Analytics (GA4): Website analytics on marketing pages only, with consent. Data location: US (with Standard Contractual Clauses).

We never sell personal data. We do not sell, rent, or trade personal data to any third party for marketing, advertising, or any other commercial purpose.

8. International Data Transfers

For US-based sub-processors (Stripe, Resend, OpenAI), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as adequate safeguards under GDPR Chapter V. Switzerland is recognized by the European Commission as providing adequate data protection. For Swiss transfers to third countries, we rely on the FDPIC list of adequate countries and contractual safeguards.

9. Data Retention

We retain your data for the following periods:

- Active account data: duration of active account

- Data after account deletion: deleted within 30 days (backup recovery window)

- Server logs and error reports: 90 days

- Financial and billing records: 10 years (per Swiss commercial law, Art. 958f CO)

- Backup data: 30 days (rolling)

After retention periods expire, data is securely deleted or anonymized.

10. AI and Automated Processing

Our AI features provide automated suggestions, analysis, and recommendations. These outputs are advisory only and do not constitute automated decision-making with legal or similarly significant effects under GDPR Art. 22. Final decisions always remain with authorized human users. When data is processed via AI providers, we apply data minimization and strip personal identifiers where feasible.

11. Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify the affected data subjects without undue delay in accordance with GDPR Art. 34. We maintain documented incident response procedures and conduct post-incident reviews to prevent recurrence.

12. Children's Data

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected such data, we will delete it promptly.

13. Cookies

We use strictly necessary cookies for platform functionality and optional analytics cookies (Google Analytics 4) that are only set with your explicit consent. For full details, please see our Cookie Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via our website or email. The "Last updated" date above reflects the current version.

15. Contact

For any privacy-related questions or to exercise your data protection rights, please contact our Data Protection Officer:

Data Protection Officer: privacy@bluewoo.com

Myszkowski CX Consulting, Schützenstrasse 4, 6003 Luzern, Switzerland