General Data Protection Regulation (GDPR) Notice

Last updated: February 20, 2026

Startup Blueprint is committed to transparent, privacy-first product development. This notice outlines how we comply with the European Union's GDPR when processing your data as you explore customer discovery ideas through our platform.

Data Controller

Startup Blueprint operates as the data controller for personal data processed through the platform. For all data protection inquiries, to exercise your rights, or to file a complaint, contact us at support@startupblueprint.dev.

Purpose and Legal Basis for Processing

We process your personal data under the following legal bases:

(1) Article 6(1)(b) GDPR — Performance of contract: processing your account data, discovery session data, messaging data, and generated content to provide the Startup Blueprint service you have requested.

(2) Article 6(1)(f) GDPR — Legitimate interests: sending drip campaign emails to help you use the platform, analytics to improve the service, security monitoring, and notifying solution owners of waitlist signups.

(3) Article 6(1)(a) GDPR — Consent: where we rely on consent for optional data collection such as optional profile fields (bio, location, company, role, interests, social links).

You may withdraw consent for optional data at any time by updating your profile or contacting us. Withdrawal does not affect the lawfulness of prior processing.

Data Categories and Minimization

We collect only data necessary for service provision. The categories are:

(1) Account Data — email address, bcrypt password hash, Google OAuth provider ID and tokens.

(2) Profile Data — display name (required), and optionally bio, location, company, role, interests, website URL, LinkedIn URL, GitHub username.

(3) Discovery & AI Session Data — 8-question interview responses, conversation history, AI-generated business solutions (title, summary, pain points, ICP, business model, TAM/SAM/SOM, go-to-market plan, feature lists), generated PRDs, landing page HTML in English and translated versions (Finnish, Swedish, French, Spanish), design configuration, visual style configuration, outreach messages, and AI token usage metrics.

(4) Messaging Data — content of direct messages and conversations between users.

(5) Waitlist Submission Data — email address, IP address, and browser user-agent of visitors who join a public solution's waitlist.

(6) Feedback Data — bug reports and feature requests including description, page URL, email, and user-agent.

(7) Contact Sales Data — email address and billing period preference.

(8) Email Campaign Data — drip campaign event records including scheduled send times, send status, and template metadata.

(9) Technical Data — IP address, browser type, device information, session timestamps, and feature interaction patterns.

Sub-processors and Data Location

Startup Blueprint relies on the following sub-processors, each selected for GDPR compliance:

(1) Supabase — database and authentication, EU-West region, AES-256 encryption at rest, TLS 1.2+ in transit, Row Level Security policies.

(2) Google Cloud AI — Gemini models (gemini-2.5-flash, gemini-2.5-pro, gemini-2.5-flash-lite) for transient AI inference including discovery chat, solution generation, PRD generation, landing page generation, translation, and outreach message generation. Data is processed transiently and not retained by Google beyond the processing session per Google's API data processing terms.

(3) OpenRouter — AI model routing for landing page editing, providing access to multiple hosted models. Your landing page HTML and edit prompts are sent to OpenRouter for processing.

(4) Resend — transactional and marketing email delivery, including welcome emails, drip campaign emails, and waitlist notification emails.

(5) Vercel — hosting infrastructure with global CDN.

(6) Google Analytics — anonymized usage analytics.

All sub-processors maintain appropriate technical and organizational security measures.

International Data Transfers

Your primary data is stored in Supabase's EU-West region. However, data processing involves transfers to the United States through Google Cloud AI (Gemini), OpenRouter, Resend, Vercel, and Google Analytics. For transfers outside the European Economic Area, we rely on: Standard Contractual Clauses (SCCs) as approved by the European Commission; Transfer Impact Assessments (TIAs) where required; and contractual commitments with sub-processors to uphold GDPR standards. We continuously monitor legal developments regarding international data transfers.

Data Subject Rights (Articles 15–22 GDPR)

As an EU/EEA resident, you have the following rights:

- Right of Access (Article 15) — request a copy of your personal data we hold.
- Right to Rectification (Article 16) — correct inaccurate or incomplete data through your profile settings or by contacting us.
- Right to Erasure (Article 17) — request deletion of your data (right to be forgotten).
- Right to Restriction of Processing (Article 18) — limit how we process your data under certain circumstances.
- Right to Data Portability (Article 20) — receive your data in a structured, machine-readable format.
- Right to Object (Article 21) — object to processing based on legitimate interests, including the drip email campaign.
- Right to Withdraw Consent — for processing based on consent (optional profile fields), without affecting prior processing.
- Right to Lodge a Complaint — with your national supervisory authority.

To exercise any of these rights, email support@startupblueprint.dev. We respond within 30 days (extendable by 60 days for complex requests). We do not charge for the first copy of your data. Many rights can be exercised directly through the platform (deleting sessions, solutions, messages; updating profile data).

Data Retention and Deletion

We retain personal data only as long as necessary for the stated purpose:

- Account data — retained while your account is active, deleted within 30 days of account deletion (backups retained for an additional 90 days).
- Discovery sessions, solutions, and all AI-generated content (PRDs, landing pages, translations, outreach messages) — retained until deleted by you or upon account deletion.
- Anonymous session data — 30 days.
- Message history — retained indefinitely until deleted by users or upon account closure.
- Waitlist submissions — retained for the lifetime of the associated solution.
- Drip campaign email events — retained for the duration of the campaign sequence.
- Bug reports and feature requests — retained for 2 years.
- Audit logs — retained for 2 years for security purposes.
- Aggregated and anonymized analytics data — may be retained indefinitely.

You can delete specific content (sessions, solutions, messages, generated documents) at any time through the platform.

Data Security Measures (Article 32 GDPR)

We implement appropriate technical and organizational measures pursuant to Article 32 GDPR:

- Encryption — TLS 1.2+ for all data in transit, AES-256 for data at rest via Supabase.
- Access Controls — Row Level Security (RLS) policies in PostgreSQL ensuring users can only access their own data, role-based access controls with a separate admin role.
- Authentication Security — bcrypt password hashing with salts for email/password accounts, secure OAuth 2.0 implementation via Supabase Auth for Google sign-in.
- Infrastructure Security — secure hosting via Vercel, regular security updates, firewall protection.
- Monitoring — security monitoring for intrusion attempts, audit logging.
- Data Minimization — anonymous session option, optional profile fields, minimal data collection per feature.

Automated Decision-Making and AI Processing (Article 22 GDPR)

Startup Blueprint uses AI extensively to generate content: Google Gemini processes your 8-question discovery interview to generate 3 business solution suggestions, PRDs, and landing pages. Google Gemini and OpenRouter-hosted models process your landing page HTML to apply AI-requested edits. Google Gemini translates landing page HTML into Finnish, Swedish, French, and Spanish. Google Gemini generates outreach messages based on your solution data. This automated processing does not constitute automated decision-making with legal or similarly significant effects under Article 22 GDPR. All AI-generated content is informational and advisory only — you retain full control over whether to use, modify, or disregard any AI output. No automated profiling for marketing, creditworthiness, employment, or similar high-stakes purposes is performed. We do not use your data to train AI models.

Waitlist Data and Third-Party Visitors

When a visitor submits their email to join the waitlist for a publicly shared solution, we collect their email address, IP address, and browser user-agent under Article 6(1)(b) GDPR (performance of the waitlist service requested by the visitor). This data is stored in our EU-West database and associated with the relevant solution. The solution owner (a registered Startup Blueprint user) is notified and can view waitlist subscriber emails. Visitors who join a waitlist may exercise their right to erasure by contacting support@startupblueprint.dev. Solution owners who use waitlist data to contact subscribers are independently responsible for compliance with applicable email marketing laws (GDPR, CAN-SPAM, CASL) for those communications.

Email Marketing and Drip Campaigns

Upon account creation, we enroll registered users in a drip email campaign of up to 12 scheduled emails over approximately 12 weeks, processed under Article 6(1)(f) GDPR (legitimate interests in helping users get value from the platform). You have the right to object to this processing at any time by contacting support@startupblueprint.dev, and we will cease sending campaign emails. Transactional emails (welcome email, waitlist notifications) are processed under Article 6(1)(b) GDPR as part of the service. All emails are delivered via Resend.

Breach Notification (Articles 33–34 GDPR)

In the event of a personal data breach, we comply with Articles 33 and 34 GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms. If the breach poses a high risk to your rights and freedoms, we will notify affected individuals directly without undue delay. Notifications will include the nature of the breach, likely consequences, measures taken or proposed, and recommended steps for affected individuals. We maintain incident response procedures and conduct regular security assessments to minimize breach risks.

Children's Data

Startup Blueprint is not directed at children under 16 years of age (or the applicable age of digital consent in your EU member state). We do not knowingly collect or process personal data of children. If you believe we have inadvertently collected data from a child, contact us immediately at support@startupblueprint.dev, and we will delete such information without undue delay.

Data Protection Officer and Supervisory Authority

We do not currently have a designated Data Protection Officer, as we are not required to appoint one under Article 37 GDPR. All privacy and data protection inquiries are handled by our team at support@startupblueprint.dev. You have the right to lodge a complaint with your national data protection supervisory authority if you believe our processing of your personal data violates GDPR. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Need something else?

Email support@startupblueprint.dev