Privacy Policy

bl0x is operated by Ideevoog OÜ (registry code 16478761), a private limited company registered in Estonia. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use bl0x.io and related services (the "Service").

We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and Estonian data protection law.

1. Data Controller

The data controller responsible for your personal data is:

Ideevoog OÜ
Registry code: 16478761
Email: [email protected]

2. What Data We Collect

We collect the following categories of personal data:

• Account information: name, email address, and wallet address (if you connect a crypto wallet)
• Payment data: processed securely by Stripe. We do not store your full card details
• Project data: business ideas, content you submit, and assets generated by the AI on your behalf
• Usage data: pages visited, features used, session duration, and interactions with the Service
• Technical data: IP address, browser type, device information, and operating system
• Communication data: messages you send to us via email or the platform
• Outreach data: when you use the outreach feature, we process third-party contact information (names, email addresses, job titles) obtained from public business directories to send emails on your behalf. We also store unsubscribe preferences of email recipients

3. How We Use Your Data

We use your data for the following purposes:

• Providing and operating the Service, including AI-powered idea validation and outreach
• Processing payments and managing your subscription
• Communicating with you about your account, projects, and service updates
• Improving the Service based on usage patterns and feedback
• Preventing fraud and ensuring platform security
• Complying with legal obligations

4. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

• Contract performance: processing necessary to provide the Service you subscribed to
• Legitimate interest: improving the Service, preventing fraud, ensuring security, and processing third-party business contact data for B2B outreach on behalf of users
• Consent: marketing communications (you can withdraw consent at any time)
• Legal obligation: complying with tax, accounting, and regulatory requirements

5. End-to-End Encryption

Commands you send to your AI agent are encrypted in your browser before transmission using NaCl public-key cryptography. Our servers route encrypted messages without the ability to decrypt their contents. Only your dedicated AI sandbox can decrypt and process your instructions.

Status updates and progress events from the AI are not encrypted, as they contain only general progress information (e.g., "Researching competitors..."), not your proprietary business details.

6. Your Project Data

We do not share your business ideas, project content, or generated assets with third parties or other users. Your projects are private by default.

We may use anonymized, aggregated data (such as total number of ideas validated or average grading scores) to improve the Service and for internal analytics. This data cannot be traced back to you or your projects.

7. AI Service Providers

bl0x uses AI models from third-party providers to power the Service. Your project data may be processed by these providers in accordance with their privacy policies:

• Anthropic — anthropic.com/privacy
• OpenAI — openai.com/privacy
• Google (Gemini) — policies.google.com/privacy

We use API access to these providers, meaning your data is not used to train their models.

8. Third-Party Services

We use the following third-party services to operate the platform:

• Stripe: payment processing
• Meta (Facebook): ad campaign execution (only if you opt in to run ads)
• Vercel / Hetzner: hosting infrastructure
• Cloudflare: DNS and CDN services

Each provider processes data in accordance with their own privacy policies.

9. Cookies

We use cookies and similar technologies for:

• Essential cookies: authentication, session management, and security
• Analytics cookies: understanding how visitors use the Service (anonymized)

You can control cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Service.

10. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we retain data for up to 90 days for backup and fraud prevention purposes, after which it is permanently deleted.

Payment records are retained for up to 7 years to comply with Estonian tax and accounting requirements.

11. Data Transfers

Your data is primarily stored on servers in the European Union (Germany). Some data may be transferred to the United States through our AI service providers (Anthropic, OpenAI, Google). These transfers are protected by appropriate safeguards, including Standard Contractual Clauses where applicable.

12. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate or incomplete data
• Erasure: request deletion of your personal data ("right to be forgotten")
• Restriction: request that we limit how we process your data
• Portability: receive your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interest or for direct marketing
• Withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.

13. CCPA Rights (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to know what personal data we collect and how it is used
• Right to request deletion of your personal data
• Right to opt out of the sale of personal data — we do not sell your personal data
• Right to non-discrimination for exercising your rights

14. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

15. Security

We implement appropriate technical and organizational measures to protect your data, including end-to-end encryption for AI commands, encrypted connections (TLS), isolated sandboxes per project, and access controls. However, no method of transmission or storage is 100% secure.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The "Last updated" date at the bottom indicates when the latest revision was made.

17. Contact

For any privacy-related questions or requests, contact us at:

Ideevoog OÜ
Registry code: 16478761
Email: [email protected]

Last updated: March 11, 2026