Privacy Policy
Controller: Yassine Rajallah (operating as BlazeHive)
Last Updated: 6th April 2026
Version: 2.0
1. Who We Are and How to Reach Us
The data controller responsible for your personal data is:
Yassine Rajallah
Bergener Str. 12
10439 Berlin, Germany
Email: contact@blazehive.io
Data Protection Officer: We are not legally required to appoint a Data Protection Officer. For all privacy matters, contact us directly at the address above.
Supervisory Authority: You have the right to lodge a complaint with our competent supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany
mailbox@datenschutz-berlin.de | www.datenschutz-berlin.de
We would, however, appreciate the opportunity to address your concern before you contact the authority. Please reach out to us first at contact@blazehive.io.
2. Scope of This Policy
This policy applies to all personal data we process in connection with your use of the BlazeHive service ("Service"), our website, and any communications with us. It is provided pursuant to Article 13 and Article 14 of the General Data Protection Regulation (GDPR) and applicable German data protection law.
3. Personal Data We Process and Why
We process personal data only where a lawful basis exists under Article 6 GDPR. The table below sets out each processing activity, the data involved, and the legal basis.
3.1 Account Registration and Management
| Data | Legal Basis |
|---|---|
| Name, email address | Art. 6(1)(b) GDPR - necessary to perform the contract |
| Password (stored as a one-way hash) | Art. 6(1)(b) GDPR - contract performance |
| Account preferences and settings | Art. 6(1)(b) GDPR - contract performance |
3.2 Service Delivery
| Data | Legal Basis |
|---|---|
| Website URL(s) you provide | Art. 6(1)(b) GDPR - contract performance |
| Content preferences and configuration | Art. 6(1)(b) GDPR - contract performance |
| Generated content drafts and published pages | Art. 6(1)(b) GDPR - contract performance |
| Third-party platform credentials you connect (encrypted) | Art. 6(1)(b) GDPR - contract performance |
| Search performance data (if Google Search Console is connected) | Art. 6(1)(b) GDPR - contract performance; read-only access granted solely by you |
3.3 Billing and Payments
| Data | Legal Basis |
|---|---|
| Subscription status, plan type, billing history | Art. 6(1)(b) GDPR - contract performance |
| Payment transaction records (no card numbers stored by us) | Art. 6(1)(c) GDPR - legal obligation (§ 147 AO, German tax retention law) |
3.4 Service Improvement and Security
| Data | Legal Basis |
|---|---|
| Usage metrics, feature interaction logs, session data | Art. 6(1)(f) GDPR - legitimate interests (to improve reliability and features) |
| Error logs, performance data | Art. 6(1)(f) GDPR - legitimate interests (to maintain security and stability) |
| Fraud and abuse detection signals | Art. 6(1)(f) GDPR - legitimate interests (to protect the Service and other users) |
Legitimate interests balancing: We have assessed that our interests in operating a reliable and secure service are not overridden by your interests or fundamental rights, given that: (a) processing is limited to the minimum necessary; (b) we implement appropriate safeguards; (c) you would reasonably expect this processing as part of using a commercial SaaS product.
3.5 Communications
| Data | Legal Basis |
|---|---|
| Transactional emails (billing, account, security) | Art. 6(1)(b) GDPR - contract performance |
| Support correspondence | Art. 6(1)(b) GDPR - contract performance |
| Service announcements (new features, policy updates) | Art. 6(1)(f) GDPR - legitimate interests in communicating material changes |
| Optional marketing emails | Art. 6(1)(a) GDPR - consent (you can withdraw at any time) |
3.6 Analytics (Cookies)
See Section 10 for full cookie details.
| Data | Legal Basis |
|---|---|
| Essential session cookies | Art. 6(1)(b) GDPR - necessary for service function |
| Analytics cookies | Art. 6(1)(a) GDPR - consent via cookie banner |
4. AI Processing and Generated Content
The Service uses third-party AI infrastructure providers to process inputs you supply and generate content on your behalf. The following applies:
- We contractually require that providers do not use your data to train, fine-tune, or improve their models.
- Inputs processed by AI providers may temporarily reside on their infrastructure during generation; they are not retained beyond the processing window.
- All generated content belongs to you. BlazeHive claims no intellectual property rights over any content produced for you through the Service.
- We are not responsible for the factual accuracy, originality, or legal compliance of AI-generated output. You are responsible for reviewing all content before it is published.
This processing involves AI systems. In accordance with the EU AI Act (Regulation (EU) 2024/1689), we use AI for content generation purposes. No AI systems we employ are classified as high-risk under that regulation.
5. Third-Party Integrations and Credential Storage
When you connect a third-party platform (such as a CMS, website builder, or publishing platform), we:
- Store your access credentials in encrypted form at rest
- Use those credentials exclusively to publish content on your behalf, as directed by you
- Do not share credentials with any party other than the platform they authenticate to
- Delete credentials immediately and permanently upon your disconnection of that integration
You are responsible for ensuring that connecting a third-party platform through our Service complies with that platform's own terms.
6. Sub-Processors and Third-Party Service Providers
We engage third-party data processors under Article 28 GDPR data processing agreements. Categories of sub-processors include:
| Category | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure provider | Hosting, database, file storage | All user data stored in the platform |
| Payment processor | Subscription billing | Name, email, billing history (no full card numbers) |
| AI content generation provider | Generate content from your inputs | Your URLs, content inputs, settings |
| Email delivery provider | Transactional and account emails | Name, email address |
| Application monitoring & logging | Error tracking, performance | Anonymized usage events, error data |
| Analytics provider | Aggregate usage patterns | Anonymized behavioral data (consent-gated) |
All sub-processors are contractually bound to: (a) process data only on our documented instructions; (b) implement appropriate technical and organizational security measures; (c) assist us in fulfilling your data subject rights; (d) delete or return data upon contract termination.
An up-to-date list of sub-processors is available upon request at contact@blazehive.io.
7. International Data Transfers
All personal data we process - including AI content generation - is processed exclusively within the European Union. Our infrastructure is hosted in the EU (Frankfurt, Germany region). We do not transfer your personal data to third countries outside the EEA.
In the event we add any sub-processor that processes data outside the EEA in future, we will update this policy and ensure adequate protections are in place before any such transfer occurs.
8. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Account data (name, email) | Duration of account + 90 days after closure |
| Generated content | Until you delete it or close your account |
| Integration credentials | Deleted immediately upon disconnection |
| Usage analytics (raw) | 12 months, then anonymized or deleted |
| Billing records | 10 years (§ 147 AO - German fiscal retention requirement) |
| Support correspondence | 2 years from resolution |
| Security logs | 90 days |
| Consent records | 3 years from withdrawal or account closure |
After retention periods expire, data is securely deleted or irreversibly anonymized.
9. Your Rights Under GDPR
You have the following rights under Chapter III GDPR:
| Right | Description |
|---|---|
| Access (Art. 15) | Obtain confirmation of processing and a copy of your personal data |
| Rectification (Art. 16) | Have inaccurate data corrected without undue delay |
| Erasure (Art. 17) | Request deletion where data is no longer necessary, consent is withdrawn, or processing is unlawful |
| Restriction (Art. 18) | Restrict processing while accuracy is contested or an objection is pending |
| Portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format |
| Object (Art. 21) | Object at any time to processing based on legitimate interests (Art. 6(1)(f)) |
| Withdraw Consent (Art. 7(3)) | Withdraw consent at any time; withdrawal does not affect prior lawful processing |
| Complaint (Art. 77) | Lodge a complaint with the supervisory authority listed in Section 1 |
How to submit a request: Email contact@blazehive.io with subject line "Data Subject Request" and describe your request. We will respond within one (1) month of receipt. For complex or numerous requests, we may extend this by a further two months and will inform you of any extension within the first month.
We do not charge a fee for requests unless they are manifestly unfounded or excessive. In such cases, we will inform you before proceeding.
We may request proof of identity before processing a request to protect against unauthorized access.
10. Cookies and Tracking Technologies
We use cookies and similar technologies in accordance with the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG) and the GDPR.
Consent is required for all non-essential cookies. You will be asked for consent via our cookie banner on first visit and may change your preferences at any time through the cookie settings accessible in the footer.
| Category | Purpose | Legal Basis | Examples |
|---|---|---|---|
| Strictly necessary | Authentication, session management, security | Art. 6(1)(b) / TDDDG § 25(2) | Session token, CSRF token |
| Functional/Preferences | Remembering settings and preferences | Art. 6(1)(a) - consent | Language preference |
| Analytics | Aggregate usage measurement | Art. 6(1)(a) - consent | Page views, feature usage |
We do not use advertising cookies or share cookie data with advertisers.
11. Automated Decision-Making and Profiling
Pursuant to Article 22 GDPR, we inform you that:
- We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
- We use automated processes to generate content (AI generation) and to deliver the Service (scheduling, publishing), but these are operational functions, not decisions about individuals that produce legal effects.
- No profiling for advertising or credit/risk scoring takes place.
12. Children's Privacy
The Service is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately at contact@blazehive.io and we will delete it without undue delay.
13. Security
We implement appropriate technical and organizational measures to protect personal data against accidental loss, unauthorized access, alteration, or disclosure, including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption at rest for sensitive credentials
- Role-based access controls with principle of least privilege
- Continuous monitoring and intrusion detection
- Regular security assessments
- Employee access controls and confidentiality obligations
Data Breach Notification: In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR). If the breach is likely to result in a high risk, we will also notify you without undue delay (Art. 34 GDPR).
14. Business-to-Business Users and Data Processing Agreements
If you use BlazeHive on behalf of a business and the Service processes personal data of your own customers or end users (for example, if your website contains personal data that our systems access), you may be acting as a data controller and we as your data processor. In that case, an Article 28 GDPR Data Processing Agreement (DPA) is required. Please contact contact@blazehive.io to execute a DPA.
15. California Privacy Rights (CCPA / CPRA)
If you are a California resident, in addition to your GDPR rights you have the right to:
- Know what categories of personal information we collect and why
- Request deletion of your personal information
- Opt out of any "sale" or "sharing" of personal information (we do not sell or share personal information as defined under CCPA)
- Non-discrimination for exercising these rights
- Correct inaccurate personal information
To exercise California rights, contact: contact@blazehive.io
16. Changes to This Policy
We may update this policy to reflect changes in our practices or legal obligations. For material changes, we will notify you by email or in-app notification at least 14 days before the change takes effect. The updated policy will always be available at blazehive.io/privacy-policy with the "Last Updated" date at the top.
17. Contact
To exercise your rights, ask questions, or report a concern:
Yassine Rajallah
Bergener Str. 12, 10439 Berlin, Germany
Email: contact@blazehive.io
For complaints, you may also contact the supervisory authority named in Section 1.