Short version
We collect the minimum we need to operate the platform: account email, business profile data you publish, escrow transaction data required by our payments partner, and message content needed for the concierge to translate. We never sell data. We never share message content beyond the original recipient. We never use your messages to train external models. The platform runs entirely on EU infrastructure.
Data controller
| Controller | Mayk Biletti (Einzelunternehmer) |
|---|---|
| Address | Sportplatzgasse 32b, 2443 Leithaprodersdorf, Austria |
| Contact for data requests | blun.ai.app@gmail.com |
What we collect, why, and how long we keep it
| Category | Examples | Legal basis | Retention |
|---|---|---|---|
| Account | Email, password hash, name, locale | Art. 6(1)(b) contract | Until account deletion + 30 days |
| Usage | Search queries, listings viewed, inquiries sent | Art. 6(1)(f) legitimate interest (operate platform) | 12 months rolling |
| Technical | IP address (truncated), user-agent, referrer | Art. 6(1)(f) security & fraud prevention | 30 days |
| Payment | Card token (held by Stripe), invoice, escrow ledger | Art. 6(1)(c) tax law (§ 132 BAO) | 7 years |
| Messages | Buyer-seller inquiry threads, concierge translations | Art. 6(1)(b) contract | Until account deletion + 90 days |
| Marketing consent | Newsletter opt-in flag, source | Art. 6(1)(a) consent | 3 years from last interaction |
Sub-processors
We share specific categories of data with the following processors, each bound by a Data Processing Agreement (Art. 28 GDPR):
| Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting, storage, backups | Germany (EU) |
| Stripe Payments Europe Ltd. | Card processing, subscription billing | Ireland (EU) |
| Mangopay S.A. | Trade Assurance escrow wallet, e-money institution | Luxembourg (EU) |
| 17track | Shipment tracking lookups | EU endpoint, fallback China |
| Postal (self-hosted) | Transactional email delivery | Germany (EU), our infrastructure |
| Google Workspace | Operator email correspondence (blun.ai.app@gmail.com) | Ireland (EU) |
| Apple / Google / Expo Push | Mobile push notifications when the app is offered | Outside EU; opt-in only, content not in payload |
| BLUN AI gateway (in-house) | Translation, concierge AI, dispute mediation | Hetzner DE — our own GPU cluster, not external LLM providers |
What we do NOT do
- We do not sell or rent your data.
- We do not share message content with third parties beyond the original recipient.
- We do not use your messages or listings to train external LLMs (OpenAI, Anthropic, etc.). The concierge runs on our in-house BLUN AI stack.
- We do not transfer personal data outside the EU (except mobile-push tokens you opt into).
Your rights (GDPR Art. 15-22)
- Access (Art. 15): request an export of all data we hold about you.
- Rectification (Art. 16): correct inaccurate data.
- Erasure (Art. 17): delete your account; payment records subject to § 132 BAO retention.
- Restriction (Art. 18): limit processing while a dispute is open.
- Portability (Art. 20): receive your data in machine-readable JSON.
- Object (Art. 21): object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)): opt out of newsletter or any consent-based processing at any time, with no impact on other rights.
Send any request to blun.ai.app@gmail.com with the subject "GDPR request". We respond within 30 days (Art. 12(3)).
Complaints
You have the right to lodge a complaint with the Austrian Data Protection Authority:
Datenschutzbehörde
Barichgasse 40-42, 1030 Wien, Austria
dsb.gv.at
Cookies & analytics
Strictly necessary cookies only (session, CSRF, locale). No third-party analytics, no advertising trackers. We measure aggregate usage on the server side from access logs (truncated IP, no user identifier).
Changes to this policy
Material changes are announced 30 days in advance via account email. Minor clarifications (typos, broken links) are made silently. Each version is timestamped at the top.