Privacy Policy
Last updated: February 20, 2026
At Startup Blueprint, we are committed to protecting your privacy and being transparent about how we collect, use, and safeguard your information. This Privacy Policy explains our data practices for the Startup Blueprint platform.
Information We Collect
We collect information in the following categories: (1) Account Data — email address, password hash (bcrypt), OAuth provider ID and tokens when you sign in with Google; (2) Profile Data — display name (required), and optionally bio, location, company, role, interests, website URL, LinkedIn URL, and GitHub username; (3) Discovery & AI Session Data — your 8-question interview responses, conversation history, AI-generated business solutions (title, summary, pain points, ICP, business model, TAM/SAM/SOM, go-to-market plan, feature lists), generated PRDs, landing page HTML in English and any translated versions (Finnish, Swedish, French, Spanish), design configuration, outreach messages, and AI token usage metrics; (4) Messaging Data — content of messages and conversations between users; (5) Waitlist Submissions — email address, IP address, and browser user-agent of visitors who join a public solution's waitlist; (6) Feedback Data — bug reports and feature requests including description, page URL, email, and user-agent; (7) Contact Sales Data — email address and billing period preference; (8) Technical & Usage Data — IP address, browser type, device information, session timestamps, and feature interaction patterns collected via cookies and server logs.
How We Use Your Information
Your information is used to: (1) Power the AI-driven discovery chat using Google Gemini models (gemini-2.5-flash, gemini-2.5-pro, gemini-2.5-flash-lite) to generate personalized business solutions, PRDs, and landing pages; (2) Enable AI editing of landing pages via Google Gemini and OpenRouter-hosted models; (3) Translate landing pages into Finnish, Swedish, French, and Spanish using Google Gemini; (4) Generate AI-powered outreach messages based on your solution data; (5) Manage your account, authentication, and session continuity (including linking anonymous sessions to your permanent account when you sign up); (6) Enable direct messaging and collaboration between users; (7) Display your selected public solutions on the Wall feature; (8) Send transactional emails — welcome email and a drip campaign sequence (up to 12 scheduled emails over approximately 12 weeks) via Resend; (9) Notify solution owners when someone joins their waitlist; (10) Notify administrators of bug reports, feature requests, and contact sales inquiries; (11) Analyze usage patterns to improve the platform; and (12) Comply with legal obligations.
AI Processing and Third-Party AI Services
Startup Blueprint uses multiple AI services to power its features. Google Gemini (via Google Cloud AI) is used for the discovery chat interview, business solution generation, PRD generation, landing page HTML generation, landing page translation, and outreach message generation. OpenRouter is used for AI-powered landing page editing, providing access to multiple models including free-tier models from various providers. Your discovery responses, solution data, and landing page HTML are sent to these services for processing. Google Cloud AI processes data transiently and does not retain it beyond the processing session per Google's API terms. OpenRouter requests include your landing page HTML and edit prompts. We do not use your data to train AI models. The AI-generated content is stored in our database and associated with your account.
Email Communications
When you create an account, we send a welcome email via Resend. We also enroll you in a drip email campaign consisting of up to 12 scheduled emails delivered over approximately 12 weeks, designed to help you get the most out of Startup Blueprint. When someone joins the waitlist for your public solution, we send you a notification email. All emails are sent from our domain via Resend. You may opt out of marketing emails by contacting us at support@startupblueprint.dev. Transactional emails related to your account cannot be opted out of while your account is active.
Waitlist Data
When a visitor submits their email to join the waitlist for a publicly shared solution on a project landing page, we collect their email address, IP address, and browser user-agent. This data is stored in our database and associated with the relevant solution. The solution owner is notified of new waitlist signups and can view the list of subscriber emails in their dashboard. Waitlist data is retained for as long as the associated solution exists. Visitors who join a waitlist may contact us at support@startupblueprint.dev to request removal of their email from a waitlist.
Anonymous Users and Session Linking
When you visit Startup Blueprint without an account, we automatically create a temporary anonymous session via Supabase Auth. Anonymous users can complete the discovery chat and have their session data temporarily stored. Anonymous session data is retained for 30 days. If you sign up or log in during or after an anonymous session, your anonymous discovery sessions and solutions are automatically migrated and linked to your new permanent account. Once linked, the data is subject to the retention policies for registered accounts.
Data Sharing and Third-Party Services
We share your data with the following trusted service providers: (1) Supabase — authentication, database hosting in the EU-West region, with AES-256 encryption at rest and TLS 1.2+ in transit, and Row Level Security policies; (2) Google Cloud AI — Gemini models for transient AI inference (discovery chat, solution generation, PRD generation, landing page generation, translation, outreach); (3) OpenRouter — AI inference for landing page editing using various hosted models; (4) Resend — transactional and marketing email delivery; (5) Vercel — hosting infrastructure with global CDN. We do not sell your personal information to third parties. Administrators of Startup Blueprint have elevated access to all user data for support and moderation purposes.
Cookies and Local Storage
We use essential cookies for authentication (Supabase auth tokens) and session management. These are strictly necessary for the platform to function. We use browser local storage to save your pending chat input and user interface preferences. We use Google Analytics to collect anonymized usage data including page views, session duration, and feature interactions. You can control cookies through your browser settings, but disabling essential cookies will prevent you from using authenticated features. Disabling analytics cookies will not affect platform functionality.
Data Retention
We retain data as follows: Account data — retained while your account is active, deleted within 30 days of account deletion (backups retained for an additional 90 days); Discovery sessions and solutions (including generated HTML, PRDs, and all AI-generated content) — retained until deleted by you or until account deletion; Anonymous session data — 30 days; Message history — retained indefinitely until deleted by users or upon account closure; Waitlist submissions — retained for the lifetime of the associated solution; Drip campaign email events — retained for the duration of the campaign sequence; Bug reports and feature requests — retained for 2 years; Audit logs — retained for 2 years for security purposes; Aggregated and anonymized analytics data — may be retained indefinitely.
Your Rights and Choices
You have the right to access, update, or delete your personal information through your profile settings. You can delete individual discovery sessions, solutions, messages, and generated documents directly from the platform. You may request full account deletion by contacting support@startupblueprint.dev, which will remove your personal data within 30 days (backups retained for an additional 90 days). You can download your generated landing pages and documents at any time. Waitlist visitors may request removal of their email from a specific waitlist by contacting us. For EU residents, additional rights are detailed in our GDPR Notice.
Security
We implement industry-standard security measures including: TLS 1.2+ encryption for all data in transit; AES-256 encryption for data at rest via Supabase; bcrypt password hashing with salts for email/password accounts; Row Level Security (RLS) policies in our PostgreSQL database ensuring users can only access their own data; role-based access controls with a separate admin role; secure OAuth 2.0 implementation via Supabase Auth for Google sign-in; and regular security monitoring. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
Children's Privacy
Startup Blueprint is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately at support@startupblueprint.dev, and we will delete such information without undue delay.
International Data Transfers
Your primary data is stored in Supabase's EU-West region. However, data processing may involve transfers to the United States through Google Cloud AI (Gemini), OpenRouter, Resend, and Vercel infrastructure. For transfers outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission and contractual commitments with sub-processors to uphold applicable data protection standards.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last Updated" date. For significant changes, we may also notify you by email. Your continued use of Startup Blueprint after changes are posted constitutes acceptance of the updated policy.
Questions or Concerns?
If you have any questions about this Privacy Policy or our data practices, please contact us at support@startupblueprint.dev.