Privacy Policy
Last updated: May 22, 2026
This Privacy Policy explains how Blitz Marketing collects, uses, stores, and protects your information when you use our website, software, affiliate programme, and related services.
1. Who we are
Blitz Marketing is a SaaS platform that helps affiliate marketers, agencies, and small business owners create campaign assets, pages, and AI-assisted marketing workflows. In this policy, “Blitz Marketing”, “we”, “our”, and “us” refer to the operator of the Blitz Marketing platform and website at blitz.ws.
2. Information we collect
We may collect and store the following categories of information:
- account information such as your name, email address, password hash, plan, and language preferences
- billing and subscription information processed through Stripe, including subscription status, invoices, and payment metadata
- content and workspace data such as campaigns, prompts, generated outputs, pages, uploaded images, brand profiles, and training progress
- affiliate and referral information such as referral codes, earnings, payout requests, and attributed signups
- usage and analytics information such as feature usage, generated assets, page views, and product interaction data
- support and communication data when you contact us, request support, join a waitlist, or submit feedback
3. How we use your information
We use your information to:
- create and manage your account
- provide access to Blitz Marketing features and paid products
- process subscriptions, one-off purchases, and affiliate payouts
- generate content, pages, training access, and AI-assisted outputs
- improve product performance, onboarding, and feature design
- send transactional emails such as verification, billing, and support messages
- protect the platform against abuse, fraud, or unauthorized access
- meet legal, accounting, and regulatory obligations
4. Legal bases for processing
Where applicable, we process personal data because:
- it is necessary to perform our contract with you
- it is necessary for our legitimate interests in operating and improving the service
- you have given consent for a specific purpose
- we are required to comply with legal obligations
5. Cookies and analytics
We use privacy-focused analytics (Plausible Analytics) to understand how users interact with our platform. Plausible does not use cookies and does not collect personal data. We may also use essential cookies for:
- Authentication and session management
- Remembering your preferences and settings
- Security and fraud prevention
- Affiliate referral tracking
You can control cookie settings through your browser. However, blocking certain cookies may affect functionality.
6. Third-party providers
We use trusted third-party providers to operate Blitz Marketing, including:
- Stripe (payment processing) — processes subscription and purchase payments
- Resend (email delivery) — sends transactional emails
- Vercel (hosting) — hosts the platform infrastructure
- Railway/Neon (database) — stores platform data
- OpenAI (AI generation) — processes content generation requests
- Fal.ai (media generation) — processes image and video generation
- Plausible Analytics (analytics) — provides privacy-focused usage analytics
- Amazon Web Services — SES (bulk email delivery) — delivers opt-in confirmation emails and broadcast emails sent through the Blitz Email Platform feature on behalf of Pro users
These providers only receive the data needed to perform their services on our behalf. Some providers may be located outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.
7. AI-generated content and user inputs
When you submit prompts, campaign details, URLs, brand information, or other inputs, that information may be processed by our AI and media providers to generate outputs for you. You should only submit information you have the right to use and share. Do not submit special category data, confidential client material, or regulated information unless you have confirmed that doing so is appropriate.
8. Social account connections and Meta Platform Data
If you connect social accounts such as LinkedIn, Facebook, Instagram, X, or Pinterest, we store the account connection details, access tokens, publish preferences, and related scheduling metadata needed to let Blitz publish approved content on your behalf. We use these connections only to provide the publishing and scheduling features you enable in the product.
- You can disconnect a connected account from your Blitz dashboard at any time.
- OAuth access tokens are stored encrypted at rest using AES-256 encryption and are never transmitted to third parties in unencrypted form.
- Where a provider supports it, we may also retain refresh tokens or page/account references needed for re-authorisation.
- You can request deletion of stored social account data by using the public data deletion instructions at /data-deletion or by contacting us directly.
Meta Platform Data specifically: Data received from Meta (including Meta user IDs, email addresses, access tokens, Page identifiers, and Instagram Business Account identifiers) is used solely to authenticate your account and publish content to the Facebook Pages and Instagram Business Accounts you have authorised. This data is:
- Stored in our database hosted on Railway, with access tokens encrypted at rest
- Processed by our application server hosted on Vercel and Railway solely to execute publishing on your behalf
- Never shared with our AI providers (OpenAI, Fal.ai) or any other third party not listed in this policy
- Retained only for as long as your social account remains connected, or until you request deletion
9. Blitz Email Platform and subscriber data
Pro plan members can use the Blitz Email Platform to manage their own subscriber lists, send double opt-in confirmation emails, and broadcast emails to their confirmed subscribers. This feature is only available on the Pro subscription tier.
Your role as data controller: When you upload contacts, collect opt-ins, or send emails to your own audience using this feature, you are acting as the data controller for that subscriber data. Blitz Marketing acts as a data processor on your behalf. You are solely responsible for ensuring you have a lawful basis to contact each subscriber and that your use of this feature complies with applicable laws (including GDPR, CAN-SPAM, CASL, and any other regulations that apply to you and your subscribers).
The following subscriber data is collected and stored when you use this feature:
- email address, first name (optional), and last name (optional)
- subscription status (pending, awaiting confirmation, active, unsubscribed, bounced, expired)
- the source of the subscription (CSV import or opt-in form)
- confirmation token (time-limited, used to activate subscriptions via double opt-in)
- timestamps for confirmation sent, confirmed, unsubscribed, and created dates
Double opt-in: All contacts imported via CSV are sent a confirmation email before they become active subscribers. Unconfirmed contacts expire after 14 days and are not used for any broadcast sending. Contacts who submit your hosted opt-in form receive a confirmation email immediately.
Email delivery: Confirmation and broadcast emails are delivered through Amazon Web Services Simple Email Service (SES). SES receives the recipient email address, your configured sending domain, and the email content needed to deliver the message. AWS may log delivery events including bounces, complaints, and delivery confirmations.
Unsubscribe and subscriber rights: Every broadcast email sent through the Blitz Email Platform includes an unsubscribe link. Clicking it immediately marks the subscriber as unsubscribed and they will not receive further emails from that list. If one of your subscribers contacts us directly requesting data deletion, we will notify you and assist with removal in accordance with our obligations as data processor.
Send limits: Each Pro user may send up to 10,000 emails per calendar month through this feature. This limit is tracked separately from your content generation quota.
10. Affiliate and referral tracking
If you join our affiliate programme, we store referral codes, attributed signups, subscription revenue events, and payout details so we can calculate and process commission. We may also store cookies or referral parameters to attribute signups correctly.
11. Data retention
We keep account, billing, and workspace data for as long as it is needed to provide the service, maintain records, resolve disputes, and comply with legal obligations. If you delete your account, we will remove or anonymize personal data where reasonably possible, subject to legal, accounting, and fraud-prevention requirements.
12. Your rights
Depending on your location, you may have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete information
- Erasure: Request deletion of your personal data (subject to legal retention requirements)
- Restriction: Request that we limit processing of your personal data
- Portability: Request a copy of your data in a portable, machine-readable format
- Objection: Object to certain processing activities
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time
- Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights
To exercise any of these rights, contact us at hello@blitz.ws. We will respond within 30 days.
You can also review our public data deletion instructions at /data-deletion.
13. Law enforcement and public authority requests
We may receive requests from public authorities, law enforcement agencies, or courts to disclose personal data or Platform Data we hold. When we receive such requests, we apply the following practices:
- Legal review: Every request is reviewed for legality and validity before any data is disclosed. We will not comply with requests that lack a proper legal basis, jurisdiction, or authority.
- Challenging unlawful requests: Where we have reasonable grounds to believe a request is overbroad, unlawful, or otherwise improper, we will challenge it through available legal mechanisms before disclosing any data.
- Data minimisation: Where disclosure is legally required, we will disclose only the minimum information necessary to comply with the specific legal obligation, and no more.
- Documentation: We maintain internal records of all public authority requests received, including the nature of each request, the legal reasoning applied, the actors involved, and the response provided.
Where permitted by law, we will notify affected users of requests for their data before complying. We will not notify users where doing so is prohibited by court order or applicable law.
14. Security
We use reasonable technical and organizational measures to protect your data. However, no online service can guarantee absolute security, and you are responsible for maintaining the confidentiality of your account credentials.
15. Children's privacy
Blitz Marketing is not intended for children, and we do not knowingly collect personal data from anyone under 18.
16. International data transfers
Blitz Marketing operates globally and may transfer data to countries outside your jurisdiction, including the United States. When we transfer personal data internationally, we ensure appropriate safeguards are in place through:
- European Commission-approved Standard Contractual Clauses
- Adequacy decisions by relevant authorities
- Other legally approved transfer mechanisms
17. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date on this page. Material changes may also be communicated in-product or by email where appropriate.
18. Contact and Data Protection Officer
If you have questions about this Privacy Policy or how your information is handled, please contact hello@blitz.ws.