Privacy Policy
Last updated: March 2026
1. Who We Are
Bizblox ("we", "us", "our") is a SaaS platform for AI-powered business model analysis. This policy describes how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and Norwegian data protection law.
2. Data We Collect
| Data Category | Examples | Legal Basis |
|---|---|---|
| Account data | Username, email, hashed password | Contract performance |
| Canvas content | Business model blocks, workshops, analyses | Contract performance |
| Usage data | Feature usage, session duration, AI call counts | Legitimate interest |
| Payment data | Processed by Stripe; we store only tier and status | Contract performance |
| Technical data | IP address, browser type, device info (via server logs) | Legitimate interest |
3. How We Use Your Data
- Provide the Service: Store and process your canvases, run AI analyses, generate dossiers
- AI Processing: Canvas content is sent to OpenAI's API for analysis. OpenAI's data usage policy applies to these interactions. We do not use your data to train AI models.
- Billing: Manage subscriptions via Stripe. We do not store credit card numbers.
- Improve the Service: Aggregated, anonymized usage statistics to improve features
- Communication: Service notifications, security alerts, product updates (opt-out available)
4. Data Isolation
Your business model data is strictly isolated. Other users cannot access your canvases, workshops, or strategic analyses. Our multi-tenant architecture enforces user-level data boundaries at the database query level.
5. Third-Party Processors
| Processor | Purpose | Data Shared |
|---|---|---|
| OpenAI | AI analysis & suggestions | Canvas block content (anonymized of PII where feasible) |
| Stripe | Payment processing | Email, subscription tier |
| Hosting provider | Infrastructure | All data (encrypted at rest) |
6. Data Retention
- Active accounts: Data retained while account is active
- Deleted accounts: Data removed within 30 days of account deletion
- Soft-deleted canvases: Recoverable for 30 days, then permanently purged
- Server logs: Retained for 90 days for security purposes
7. Your Rights (GDPR)
As a data subject, you have the right to:
- Access: Request a copy of all data we hold about you
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your account and data
- Portability: Export your canvas data in a structured format
- Object: Object to data processing based on legitimate interest
- Withdraw consent: Where processing is based on consent
To exercise these rights, contact privacy@bizblox.ai. We will respond within 30 days.
8. Cookies
We use a session cookie (bizblox_token) to maintain your authenticated session. We do not use third-party tracking cookies or advertising cookies.
9. Security
- Passwords are hashed with bcrypt
- API communication over HTTPS
- JWT-based authentication with expiry
- Database encryption at rest (hosting-provider level)
- Regular security audits
10. International Transfers
Your data may be processed in regions where our hosting and AI providers operate. We ensure adequate safeguards per GDPR Chapter V, including Standard Contractual Clauses where applicable.
11. Children
Bizblox is not intended for users under 16. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email. Continued use constitutes acceptance.
13. Contact & Data Protection Officer
For privacy inquiries:
- Email: privacy@bizblox.ai
- Data Protection Authority: Datatilsynet (Norway)