Privacy Policy
This Privacy Policy explains how Bamlo (“Bamlo,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal data in connection with our website, our early-access waitlist, and the Bamlo product — the chat rooms we host for communities, including channels, threads, search, uploads, and member sign-in.
This Policy is not a contract and does not create any rights or obligations beyond those provided by applicable law.
Our role in processing personal data
Data protection laws often distinguish between a “controller” (who decides why and how personal data is processed) and a “processor” (who processes personal data on a controller’s behalf, following their instructions). Our role depends on the data in question.
We are the controller of personal data we process for our own purposes: visitors to our website, people who join the waitlist, account holders who open a room, and our communications with you.
We act as a processor for the content inside a customer’s room — the messages, threads, uploads, and member information that a room owner and their members create. The room owner is the controller of that content. If you are a member of someone’s room and have a request about your data in it, please contact that room owner. We will support them in responding, but we generally cannot act on that content on our own. If you were invited to a room but have not yet joined, please ask the person who invited you.
Your data inside a room
Visible to other members. A room is a shared space. When you post a message, reply in a thread, upload a file, or fill in your profile, that content and your basic profile details — such as your display name and the email or identity you signed in with — may be visible to, and discoverable by, other members of the same room.
Room owners and moderators. The owner of a room, and anyone they appoint to help moderate it, controls that room. Depending on their plan, they can view, search, export, and delete content; manage who is a member; remove or restrict members (for example, kick, ban, or slow mode); and, where available, use moderation rules and audit logs. Because the room owner is the controller of this content, please direct any request about your data inside a room to them.
Personal data we collect
The categories of personal data we collect depend on how you interact with us.
Data you provide
- Waitlist information. When you join the early-access waitlist, we collect your email address and the short description you give of what you would use Bamlo for.
- Account information. When you open a room, we collect your email address and the credentials used to sign in. Passwords are never stored in plain text (see Security).
- Billing information. When you subscribe to a paid plan, we collect billing details such as your billing name, billing address, and the plan you are on. Payment card details are collected and processed directly by our payment processor (see Billing and payments); we do not store full card numbers ourselves.
- Room content (as processor). When you use a room, we process the messages, threads, files, and member details that you and others put into it, on behalf of the room owner.
- Support and other communications. When you email us or otherwise contact us, we collect the content of your message and your contact details so we can respond.
Data collected automatically
- Request and log data. When you use our website or product, we automatically collect basic technical data such as your IP address, user agent (browser and device type), timestamps, and the pages or actions involved in a request. We may use your IP address to approximate your general location for security and localization.
- Usage metadata. As you use a room, we generate metadata about how the service is used — for example, which rooms and channels you open, when you sign in, the messages and threads you send, and the types of files you share. We use this to operate the service, power features such as search, and keep rooms secure.
- Waitlist attribution. When you join the waitlist, we record limited first-touch attribution — such as campaign parameters (UTMs), advertising click identifiers, the landing path, and the referring page — to understand how people find us.
- Essential cookies. We use cookies and similar technologies only where they are needed to keep you signed in and to operate the service — see Cookies and similar technologies for details. We do not use third-party advertising trackers, and we do not sell personal data or use it for cross-site targeted advertising.
How we use personal data
We use personal data to:
- operate the waitlist, confirm submitted email addresses, and send early-access and access updates;
- create and administer accounts and rooms, and provide the features and functionality of the product;
- process payments, manage subscriptions, and handle billing and invoicing for paid plans;
- communicate with you about your account, your use of the service, and support requests;
- maintain the security, integrity, and reliability of the service, and prevent duplicate, fraudulent, or abusive use;
- understand how people find and use the service so we can improve it;
- comply with our legal obligations and enforce our terms; and
- fulfill any other purpose you consent to or that you provide the data for.
Legal basis, regulatory alignment, and breach notice
Legal basis for processing
Where the GDPR, UK GDPR, or similar laws apply, we rely on the following legal bases:
- Contract — to create your account, host rooms, and deliver the features you signed up for.
- Legitimate interests — to keep the service secure, prevent fraud and abuse, maintain operational logs and usage metadata, and improve the service. We weigh these interests against your rights and freedoms, and you may object to certain processing (see Your choices and rights).
- Consent — for optional processing such as waitlist attribution tracking or promotional email. Consent is withdrawable at any time.
- Legal obligation — where law requires us to retain, disclose, or otherwise process data.
Regulatory alignment
Our practices are designed to align with the GDPR (EU/EEA) and UK GDPR; the California Consumer Privacy Act as amended by the CPRA, for California residents; and CAN-SPAM, for any commercial email we send. We do not claim adherence to frameworks we are not actually bound by. If a law that governs your data is not listed here, that is not a refusal to honor it — contact us (Contact us) with a specific concern and we will respond.
Breach notification
No law guarantees instant breach notice, and we will not invent one. As a policy commitment (not a legal citation): if we confirm a security incident likely to result in high risk to your rights and freedoms, we will notify affected users without undue delay after confirmation, using the contact details we hold. Our internal target is to reach you within 72 hours where feasible. Where law sets a specific requirement that differs, the law controls.
Cookies and similar technologies
We use cookies, local storage, and similar browser storage only where strictly necessary to operate the service. Specifically, we use:
- Session and authentication storage — to keep you signed in and recognize you between page loads. The product cannot function without it.
- Security storage — to help protect against abuse and validate requests.
- Short-lived confirmation tokens — for waitlist email confirmation and one-time access links. These expire quickly and are stored only as hashes (see Security).
We do not use:
- analytics or measurement cookies;
- advertising or cross-site tracking cookies; or
- third-party social, embed, or content cookies.
Because we rely only on strictly-necessary storage, no consent is required under Article 5(3) of the EU ePrivacy Directive, and there is nothing to opt out of. You can still clear or block cookies and storage in your browser settings; doing so will sign you out and may prevent some features from working. Most browsers also let you set a Do Not Track or Global Privacy Control signal. We do not currently take automated action on those signals because we do not perform tracking that they would restrict — but you can always manage storage directly in your browser.
How we disclose personal data
We do not sell your personal data. We disclose it only in the following ways:
- Service providers (subprocessors). We rely on a small set of providers to run the service. This marketing website and the early-access waitlist run on Cloudflare; the Bamlo product itself (the chat platform at platform.bamlo.chat) runs on Hetzner infrastructure; confirmation and access emails are sent through Fastmail; and payments for paid plans are handled by a payment service provider (a PCI-DSS-compliant processor). We name the specific payment processor here and in our subprocessor list once paid plans are live; until then, we will tell you who it is before you pay. These providers process data only as needed to provide hosting, storage, email delivery, and payment processing on our behalf.
- Legal and safety. We may disclose personal data to comply with law or lawful requests, to enforce our agreements, to detect or prevent fraud or security incidents, or to protect the rights, property, or safety of Bamlo, our customers, or others.
- Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction.
- With your consent or direction. We may disclose personal data to others when you ask us to or otherwise consent.
Billing and payments
Paid plans are billed through a payment service provider (a PCI-DSS-compliant processor). When you subscribe, you provide your payment card details directly to that provider, which handles them under its own privacy notice; we do not receive or store your full card number. We receive confirmation of payment and limited billing details — such as your billing name, billing address, the last four digits and type of card, and your subscription and payment history — which we use to manage your subscription, issue invoices and receipts, and keep our financial records. We will name the specific provider here and in our subprocessor list before any paid plan is taken; until then we will tell you who it is before you pay.
Retention
We keep personal data only as long as needed for the purposes in this Policy. Where possible we commit to the concrete timelines below; where a range or “case-by-case” is stated, the actual period depends on the nature of the data and any applicable legal or operational needs.
- Waitlist data. Kept while you are on the waitlist and for up to 12 months after last engagement, in case you return. Unconfirmed, invalid, or duplicate submissions are deleted immediately. We action verified deletion requests within 30 days.
- Account data. Kept while your account is active. Verified deletion requests are processed within 30 days; some data may persist in backups for up to 90 days before being overwritten.
- Room content. Retained while a room is active and controlled by the room owner. When the owner deletes content or closes a room, it is deleted from the live system immediately; copies may persist only in regular backups, which expire on their normal schedule (see Backups below). Metadata associated with deleted content may be de-identified rather than removed. We do not provide a recovery window — once content is deleted, it cannot be restored.
- Backups. Our waitlist database and the product infrastructure on Hetzner maintain rolling backups for disaster recovery, retained for up to 90 days and then overwritten. Deletion requests take effect in the live system immediately; backup copies expire on their normal schedule.
- Request and log data. Operational logs (IP address, user agent, timestamps, request paths) are kept for up to 90 days for troubleshooting, then aggregated or deleted. Security logs may be kept for up to 12 months to investigate and prevent abuse.
- Export requests. When you request a copy of your data, we aim to deliver it within 30 days. Complex requests may take longer, in which case we will tell you.
- Billing records. Invoices, receipts, and limited billing details are retained for 5 years from the end of the calendar year in which they were issued, as required by Polish accounting and tax law. Full card numbers are never stored (see Billing and payments).
- Legal holds. Where we are required to retain data to comply with a legal obligation, resolve a dispute, prevent abuse, or enforce our agreements, we will keep it for the period required and no longer.
Security
We use reasonable technical and organizational safeguards designed to protect personal data. Connections are encrypted in transit (TLS / HTTPS), and data is encrypted at rest. Account passwords are stored only as hashes, never in plain text. Waitlist confirmation tokens are random, short-lived, and stored only as hashes. No system can be guaranteed perfectly secure, so we cannot warrant the absolute security of your data.
To report a security issue, email [email protected].
Your choices and rights
You can stop receiving promotional emails by using the unsubscribe link in any such message; we may still send service-related messages, such as confirmation or account notices. Where we rely on your consent, you may withdraw it at any time.
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise these rights for data we control, email [email protected]; we respond to verified requests within 30 days. For data inside a room (where we act as a processor), please contact the room owner. You may also complain to your local data protection authority.
Children’s data
Our services are not directed to children, and we do not knowingly collect personal data from them. The applicable age depends on where you live: in the United States it is 13 (the federal baseline); in the European Economic Area it is 16 under Article 8 of the GDPR, though an EEA member state may set it as low as 13. Wherever you are, our services are intended for individuals at or above the applicable age. If you believe a child below that age has provided us personal data, contact us and we will delete it.
International data
The Bamlo product runs on Hetzner infrastructure located in the European Union (Germany/Finland), and this marketing website and waitlist run on Cloudflare’s global network. Cloudflare may process request and log data outside the EEA; for any such transfer we rely on appropriate safeguards, such as the European Commission’s adequacy decisions or Standard Contractual Clauses, together with any supplementary measures needed to protect your data. Room content created inside the Bamlo product stays in the EU.
Third-party websites
Our website and product may link to third-party sites or services. This Policy does not cover their practices; please review their own privacy notices.
Updates
We may update this Policy as our website, waitlist, or product changes. When we do, we will revise the effective date above, and for material changes we will provide a more prominent notice. The latest version will always be posted on this page.
Contact us
For questions or requests about this Policy or your personal data, email [email protected]. For security reports, email [email protected].
Bamlo[Legal entity name or sole-proprietor name]
[Street and number]
[00-000] Warsaw, Poland
NIP: [if registered]
[email protected]