Privacy policy

The data controller is GRNL, Lda. (trading as "blipee"), with registered office at Rua Teixeira de Pascoais, 1, Estoril, Portugal, tax number 517262100.

For anything privacy-related, write to privacy@blipee.com or use the form at /contact.

Account & identity: name, work email, organisation, role.

Product usage: pages visited, actions performed, Sofia AI queries, error logs — all tied to your account, never sold to behavioural ad networks.

Operational data: BACnet/IoT readings, sustainability datapoints, files you upload. These belong to your organisation; we handle them as a processor.

Billing: tax data and payment methods, handled by our payment processor. We don’t store card numbers on blipee servers.

Deliver the service · run your account · invoice · meet legal obligations.

Improve the product · investigate bugs · measure performance (always aggregate, never individual).

Talk to you about the service (maintenance windows, releases, security advisories). Marketing only with opt-in.

Contract performance (running the service you signed up for).

Legal obligation (tax, AML, court orders).

Legitimate interest (security, fraud prevention, product improvement). We always weigh the impact on you.

Explicit consent (newsletter, analytics cookies).

The current list of subprocessors — with identity, location and purpose — is available in our Trust center.

When we change the list, we notify you at least 30 days in advance, during which you can object on reasonable data-protection grounds.

We don’t sell your data. Ever.

If forced by law (court order, competent regulator) we share the minimum necessary and notify you unless prohibited.

Active account: as long as the contract lasts.

Cancelled account: 90 days for recovery, after which data is irreversibly deleted, except for data we are legally required to retain (invoices and accounting records, kept for the statutory periods — 10 years in Portugal) and data strictly needed to comply with legal obligations or to establish, exercise or defend legal claims.

Security logs: 12 months.

This section covers data that blipee processes as a controller (your account, billing, site usage). For personal data we process on behalf of a customer — as a processor — requests are handled by the customer as controller, under the DPA.

You have the right to: access, rectification, erasure, portability, objection, restriction of processing, withdrawal of consent.

We answer within 30 days. No fee.

If you’re not happy, you can complain to CNPD (Portuguese DPA) at cnpd.pt, or your local supervisory authority.

Personal data is hosted in the European Union (EEA). Backups stay in the EU.

Where, exceptionally, a subprocessor operates outside the EU/EEA, we use the European Commission’s Standard Contractual Clauses plus additional safeguards where required.

Encryption in transit and at rest. Immutable audit logs. Role-based access control (RBAC) with least-privilege. Periodic penetration tests.

We are currently undergoing SOC 2 certification; ISO 27001 is on our security roadmap. The current status lives in the Trust center.

We give you 30 days’ notice by email before any material change.

Minor edits (clarifications, contact details) take effect at the next deploy.