Current as of 20 Nov 2025

Privacy Policy

How we collect, use, and protect your personal information.

1. Introduction

1.1 About Us

Bluto AI Limited (trading as "Bluto" and "Bluto AI") is committed to protecting your privacy and being transparent about how we collect, use, and protect your personal information.

Company Details:

Legal Name: Bluto AI Limited
Company Number: 16839916
Registered Office: 20 Red Lion Street, London, England, WC1R 4PS
ICO Registration Number: ZC040466
Website: bluto.ai
Contact: [email protected]

For the purposes of UK and EU data protection law, Bluto AI Limited is the data controller responsible for your personal information.

1.2 Scope of This Policy

This Privacy Policy describes how we collect, use, store, share, and protect personal information when you:

• Visit our website at bluto.ai
• Create an account and use our Services
• Interact with us via email, support channels, or other communications
• Use our free calculators and tools

This Privacy Policy applies to personal information processed by Bluto, including through our websites, mobile applications (if applicable), and related online services (collectively, the "Services").

1.3 Important Information

Your Rights: You have important rights regarding your personal information, including the right to access, correct, delete, and object to certain processing. See Section 9 for full details.

Contact Us: If you have any questions about this Privacy Policy or how we handle your personal information, please contact us at [email protected].

Data Protection Officer: For data protection enquiries, you can contact our Data Protection Officer at [email protected].

2. Information We Collect

We collect several types of information from and about you, depending on how you interact with our Services.

2.1 Information You Provide Directly

Account Information
When you create a Bluto account, we collect:

• Name (first and last name)
• Email address
• Password (stored in hashed form; we cannot see your actual password)
• Company name (optional)
• Job title (optional)
• Phone number (only if you enable two-factor authentication)

Profile Information
You may optionally provide:

• Profile picture (which may be imported from your social sign-in provider or uploaded by you)
• Professional details (company, role, industry)
• Communication preferences

Payment Information
When you purchase a paid subscription, our payment processor (Stripe) collects:

• Payment card details (card number, expiry date, CVC)
• Billing address
• Name on card

Important: We do not receive or store your full payment card details. Stripe processes and stores this information on our behalf. We receive only:

• Last four digits of your card
• Card brand (Visa, Mastercard, etc.)
• Expiry date
• Billing country
• Whether payment succeeded or failed

For more information, see Stripe's Privacy Policy at stripe.com/privacy.

Customer Content
"Customer Content" means the financial models, projections, assumptions, calculations, data, and other materials you create, input, or upload using the Services. This may include:

• Financial projections and forecasts
• Revenue models and cost structures
• Business assumptions and scenarios
• Documents and files you upload
• Text, notes, and comments you add

We treat Customer Content as confidential business information belonging to you.

Communications Information
When you contact us for support or communicate with us, we collect:

• The content of your messages
• Email address or contact information
• Information about your issue or enquiry
• Any attachments or screenshots you provide

Survey and Feedback Information
If you participate in surveys or provide feedback, we collect:

• Your responses to survey questions
• Feedback and suggestions you provide
• Ratings and reviews

2.2 Information We Collect Automatically

Technical Information
When you use our Services, we automatically collect:

• IP address
• Browser type and version
• Device type (desktop, mobile, tablet)
• Operating system and version
• Screen resolution
• Time zone setting
• Browser plugins and extensions (if they affect how the Services function)
• Referring website (the site you visited before ours)

Usage Information
We collect information about how you use the Services, including:

• Pages visited and features used
• Date and time of visits
• Session duration
• Actions taken (e.g., creating a model, exporting a report, inviting a collaborator)
• Frequency of use and patterns
• Features accessed and how often
• Error messages and technical issues encountered

Important distinction: Usage Information tells us how you use the Services (e.g., "User created 5 financial models") but does not include the content of your Customer Content (e.g., the specific financial figures in those models).

Collaboration and Sharing Information
When you collaborate with others, we collect:

• Names and email addresses of users you invite
• Permissions granted (view, edit, etc.)
• Collaboration activities (who viewed or edited a model and when)
• Comments and notes exchanged between collaborators

Cookies and Similar Technologies
We use cookies and similar tracking technologies. See Section 7 for full details.

2.3 Information from Third-Party Sources

Social Sign-In Providers
If you create an account or sign in using LinkedIn, Google, or Microsoft, we receive information from those services, which may include:

From LinkedIn:
• Name
• Email address
• Profile picture
• Professional headline
• Current position and company

From Google:
• Name
• Email address
• Profile picture
• Language preference

From Microsoft:
• Name
• Email address
• Profile picture
• Preferred language

You can control what information these providers share with us through your privacy settings on their platforms. You can also remove your profile picture in your Bluto account settings at any time.

Payment Processor
As described in Section 2.1, we receive limited payment information from Stripe to confirm successful transactions and manage subscriptions.

Analytics and Security Providers
We receive information from third-party analytics and security services that help us understand how our Services are used and protect against threats. This information is typically aggregated and anonymised.

2.4 Information We Do NOT Collect

We do not collect, and you must not upload:

• National Insurance numbers or other government identifiers
• Payment card details (full card numbers, CVCs)
• Patient or medical information
• Biometric data (fingerprints, facial recognition data)
• Children's personal data (see Section 11)
• Special category data under GDPR unless strictly necessary for providing the Services (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning health or sex life)

If you upload such information, you do so in violation of our Terms of Service, and we may delete it without notice.

3. How We Use Your Information

We use your personal information for the purposes described below. For users in the UK and EU, we also specify the legal basis for each use.

3.1 To Provide and Manage the Services

What we do:

• Create and manage your account
• Process your subscription and payments
• Provide the financial modelling tools and features
• Enable collaboration and sharing with other users
• Perform calculations and generate projections based on your inputs
• Store and backup your Customer Content
• Provide export and download functionality
• Send service-related emails (password resets, payment confirmations, etc.)

Information used:

• Account Information
• Customer Content
• Payment Information
• Technical Information

Legal basis (UK/EU):
Performance of contract – necessary to provide the Services you've signed up for
Legitimate interests – ensuring the Services function properly and securely

3.2 To Communicate with You

What we do:

• Respond to your support requests and enquiries
• Send important updates about the Services, your account, or these policies
• Notify you about new features, products, or changes to pricing
• Send administrative messages (downtime, security alerts)

Information used:

• Account Information
• Communications Information
• Technical Information

Legal basis (UK/EU):
Performance of contract – communicating about the Services you use
Legal obligation – providing legally required notices
Legitimate interests – keeping you informed about important matters

3.3 To Improve and Develop the Services

What we do:

• Analyse anonymised and aggregated Usage Information to understand how the Services are used
• Identify popular features and those that need improvement
• Test new features and designs
• Conduct research and analysis
• Fix bugs and technical issues
• Improve performance and user experience

Information used:

• Usage Information (anonymised and aggregated)
• Technical Information
• Feedback (when provided)

Information NOT used:
The substantive content of your Customer Content (your specific financial figures, projections, and business data)

Example: We might analyse that "80% of users create 5-year forecasts" but we never analyse the specific revenue figures in individual users' models.

Legal basis (UK/EU):
Legitimate interests – improving our Services and developing new features
Consent – where we ask for your explicit feedback

3.4 To Ensure Security and Prevent Fraud

What we do:

• Detect and prevent fraud, abuse, and security threats
• Monitor for suspicious activity
• Investigate security incidents
• Protect against unauthorised access
• Verify identity for security purposes
• Maintain audit logs for security and compliance

Information used:

• Account Information
• Technical Information (including IP addresses)
• Usage Information
• Access logs

Legal basis (UK/EU):
Legitimate interests – protecting our Services, users, and business from threats
Legal obligation – complying with security and fraud prevention laws

3.5 For Marketing and Advertising

What we do:

• Send marketing emails about new features, offers, or events (only with your consent or where permitted by law)
• Show you relevant advertisements on third-party platforms (e.g., LinkedIn, Google)
• Personalise marketing messages based on your use of the Services

Information used:

• Account Information
• Usage Information (aggregated)
• Marketing preferences

Your choices:

• You can opt out of marketing emails by clicking "Unsubscribe" in any marketing email
• You can opt out of personalised advertising through our cookie consent tool or by adjusting your ad settings on third-party platforms
• See Section 8 for more details on your choices

Legal basis (UK/EU):
Consent – we will only send marketing emails with your consent (required under UK/EU law)
Legitimate interests – showing relevant advertisements to prospects (where permitted)

3.6 To Comply with Legal Obligations

What we do:

• Respond to legal requests from law enforcement or regulatory authorities
• Comply with court orders, subpoenas, or regulatory requirements
• Enforce our Terms of Service
• Establish, exercise, or defend legal claims
• Comply with tax, accounting, and other regulatory obligations

Information used:

• Any information relevant to the legal obligation or request

Legal basis (UK/EU):
Legal obligation – required by law to process certain information
Legitimate interests – protecting our legal rights and complying with legal processes

3.7 For Business Transfers

What we do: If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction.

Information used:

• Any information necessary for the transaction

Legal basis (UK/EU):
Legitimate interests – facilitating business transactions

Your rights: You will be notified of any such transfer, and you will have choices about your information.

3.8 Important Clarifications

What We Do NOT Do with Your Customer Content:
We never:

❌ Use your financial models to train machine learning algorithms or AI models
❌ Use your projections to benchmark other customers
❌ Access the substantive content of your financial models except:
    • When you explicitly request support and grant us permission
    • When necessary for security monitoring or incident response
    • When required by law (e.g., court order)
❌ Sell your Customer Content to third parties
❌ Use your business data for our own benefit

Customer Content vs. Usage Data
Customer Content = The what (your specific financial figures, projections, business data)
We do NOT analyse or access this except as described above

Usage Data = The how (which features you use, how often, etc.)
We DO analyse this in anonymised, aggregated form to improve the Services

4. How We Share Your Information

We share your personal information only as described below. We do not sell your personal information to third parties.

4.1 With Other Users (When You Choose to Share)

Collaboration Features
When you invite Authorised Users to collaborate on your financial models:

• They can see: Your name, profile picture (if set), and email address
• You can see: Their name, profile picture (if set), and email address
• Both can see: The content of shared models, comments, and edit history
• Activity logs: Authorised Users may see who viewed or edited a model and when
• You control: Who you invite and what permissions they have (view, edit, etc.)

We are not responsible for how other users use or further share content you make available to them.

Public Sharing
If you choose to make a model publicly accessible (e.g., via a shareable link):

• Anyone with the link can view the model
• The model may be indexed by search engines
• Information in the model becomes publicly available

Important: Only share publicly if you intend the information to be public.

4.2 With Service Providers

We share information with trusted third-party service providers who help us operate the Services:

• Amazon Web Services (AWS) - Cloud hosting and infrastructure
• Stripe - Payment processing
• Mailgun - Transactional emails
• LinkedIn, Google, Microsoft - Social sign-in
• Sophos - Security monitoring and threat detection
• Analytics providers (e.g., Google Analytics) - Usage analytics

All service providers:

• Are contractually obligated to protect your information
• May only use your information to provide services to us
• Must comply with data protection laws
• Are listed in our Subprocessor List at bluto.ai/legal/subprocessors

4.3 For Legal Reasons

We may disclose your information if we believe it is necessary to:

• Comply with applicable laws, regulations, legal processes, or enforceable governmental requests
• Enforce our Terms of Service, including investigating potential violations
• Detect, prevent, or address fraud, security, or technical issues
• Protect the rights, property, or safety of Bluto, our users, or the public as required or permitted by law

4.4 In Business Transfers

If Bluto is involved in a merger, acquisition, asset sale, or bankruptcy:

• Your information may be transferred to the acquiring entity
• We will notify you via email and/or a prominent notice on our website
• You will have an opportunity to delete your account before the transfer if you do not wish your information to be transferred

4.5 With Your Consent

We may share your information with third parties when you explicitly consent, such as:

• When you authorise integration with third-party tools
• When you agree to participate in joint marketing activities
• When you ask us to share information with a specific party

4.6 Aggregated and Anonymised Information

We may share aggregated or anonymised information that cannot reasonably be used to identify you, such as:

• "80% of Bluto users create 5-year financial forecasts"
• "Average model creation time is 15 minutes"
• Industry trends and benchmarks

This information does not identify you personally and helps us improve the Services and industry understanding.

5. International Data Transfers

5.1 Where We Store Your Data

Primary hosting: All Customer Content and personal information is hosted on Amazon Web Services (AWS) infrastructure in the United Kingdom (London region, eu-west-2) and/or the European Union (Ireland region, eu-west-1).

Email infrastructure: Transactional emails are processed through Mailgun's EU infrastructure.

5.2 Transfers Outside the UK/EEA

Some of our service providers are located outside the UK and European Economic Area (EEA), including in the United States. When we transfer your personal information outside the UK/EEA, we ensure it is protected by implementing appropriate safeguards:

For Transfers to the United States:
Standard Contractual Clauses (SCCs):

• We use the European Commission's Standard Contractual Clauses for transfers from the UK/EEA to the US
• These are legally binding contracts that require recipients to protect your data to European standards
• You can request a copy of our SCCs by contacting [email protected]

UK Addendum:

• For UK data transfers, we use the UK Addendum to the SCCs approved by the UK Information Commissioner's Office (ICO)

EU-US Data Privacy Framework:

• Some of our US service providers (e.g., Google) participate in the EU-US Data Privacy Framework, providing an additional layer of protection

For Transfers to Other Countries:
We ensure any transfers to other countries are protected by:

• Standard Contractual Clauses
• Adequacy decisions (for countries the EU/UK has deemed to provide adequate protection)
• Your explicit consent (where required)

5.3 Your Rights Regarding International Transfers

If you are in the UK or EU, you have the right to:

• Receive information about the safeguards we use for international transfers
• Object to certain transfers if you believe they are not adequately protected
• Request a copy of the safeguards (e.g., SCCs) we have in place
• Contact us at [email protected] to exercise these rights

6. Data Retention

6.1 How Long We Keep Your Information

We retain your personal information for as long as necessary to provide the Services and fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Information: Duration of your account + 30 days - To provide Services; 30-day grace period for recovery
• Customer Content: Duration of your account + 30 days - To provide Services; 30-day grace period for recovery
• Payment Information: 7 years after last transaction - Legal and tax compliance (UK law)
• Communications: 3 years from last communication - To resolve disputes and provide support
• Usage Logs: 2 years - Security monitoring and service improvement
• Marketing Preferences: Until you unsubscribe or delete account - To honour your preferences
• Security Logs: 1 year - To detect and respond to security incidents

6.2 Account Deletion

When you delete your account:

30-Day Grace Period:

• Your account is deactivated but not immediately deleted
• You can still access and download your Customer Content during this period
• You can reactivate your account at any time during these 30 days by logging in

After 30 Days:

• All your Customer Content is permanently deleted from our active systems
• Your Account Information is permanently deleted
• We cannot recover your data after this point

Backup Retention:

• Information may remain in our backup systems for up to 90 days after deletion
• Backup copies are encrypted and inaccessible for recovery
• They are automatically purged according to our backup retention schedule

Legal Holds:

• If we are legally required to retain information (e.g., due to ongoing litigation), we will retain only the minimum necessary information for as long as required

6.3 Inactive Accounts

If your account has been inactive for 3 years:

• We will send you an email asking if you wish to keep your account
• If you do not respond within 90 days, we may delete your account and associated data
• You will receive multiple reminder emails before deletion

7. Cookies and Tracking Technologies

7.1 What Are Cookies?

Cookies are small text files that are placed on your device when you visit a website. They help websites remember your preferences and understand how you use the site.

7.2 How We Use Cookies

We use cookies and similar technologies for the following purposes:

Essential Cookies (Always Active)
These cookies are necessary for the Services to function and cannot be disabled:

• Authentication: Keep you logged in as you navigate the Services
• Security: Detect suspicious activity and prevent fraud
• Load balancing: Ensure the Services perform efficiently
• Session management: Remember your preferences during your session

Legal basis: These cookies are necessary to provide the Services you've requested (performance of contract).

Analytics Cookies
These cookies help us understand how users interact with the Services:

• Usage patterns: Which features are most popular
• Performance monitoring: How quickly pages load
• Error detection: Identifying and fixing technical issues

We use Google Analytics and similar services. These cookies do not identify you personally.

Legal basis: Your consent (required under UK/EU law for non-essential cookies).

Marketing Cookies
These cookies are used to show you relevant advertisements:

• Remarketing: Showing ads to people who have visited our website
• Campaign tracking: Measuring the effectiveness of marketing campaigns
• Personalisation: Tailoring ads based on your interests

Legal basis: Your consent.

7.3 Managing Cookies

Cookie Consent Tool
When you first visit our website, you will see a cookie consent banner. You can:

• Accept all cookies
• Reject non-essential cookies
• Customise your preferences

You can change your cookie preferences at any time by clicking "Manage Cookies" in the footer of our website (you may need to log out to see the footer).

Browser Settings
You can also control cookies through your browser settings:

• Google Chrome: Settings > Privacy and security > Cookies and other site data
• Firefox: Settings > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Cookies and website data
• Edge: Settings > Cookies and site permissions

Note: Disabling essential cookies may affect the functionality of the Services.

Opting Out of Advertising
To opt out of interest-based advertising:

• Your Online Choices (EU): youronlinechoices.eu
• Digital Advertising Alliance (US): optout.aboutads.info
• Network Advertising Initiative: optout.networkadvertising.org

7.4 Do Not Track / Global Privacy Control

Some browsers have a "Do Not Track" (DNT) feature. We do not currently respond to DNT signals.

However, we do recognise and honour Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will treat it as a request to opt out of:

• The "sale" of your personal information (as defined under California law)
• The "sharing" of your personal information for targeted advertising

7.5 Third-Party Cookies

Some cookies are placed by third-party services that appear on our pages (e.g., social media widgets, analytics). We do not control these cookies. Please refer to the privacy policies of these third parties:

• Google: policies.google.com/privacy
• LinkedIn: linkedin.com/legal/privacy-policy
• Microsoft: privacy.microsoft.com

For a complete list of cookies we use, see our Cookie Policy at bluto.ai/legal/cookies.

8. Your Choices and Rights

You have important rights regarding your personal information. The specific rights available to you depend on where you are located.

8.1 Rights for All Users

Regardless of where you are located, you can:

Access and Update Your Information
• Log in to your account to view and update your Account Information, profile details, and preferences
• Contact us at [email protected] if you need help accessing your information

Delete Your Account
• You can delete your account at any time through your account settings
• This will initiate the 30-day deletion process described in Section 6.2

Export Your Data
• You can download your Customer Content at any time through the export functionality
• Request a copy of your Account Information by contacting [email protected]

Opt Out of Marketing
• Click "Unsubscribe" in any marketing email
• Adjust your email preferences in your account settings
• Contact us at [email protected] to opt out

Manage Cookies
• Use our cookie consent tool (link in the footer of our website)
• Adjust your browser settings as described in Section 7.3

8.2 Rights for UK and EU Users (GDPR)

If you are in the UK or European Union, you have the following additional rights under the UK GDPR and EU GDPR:

Right of Access (Article 15 GDPR)
You have the right to obtain:

• Confirmation whether we process your personal information
• A copy of your personal information
• Information about how we use your personal information

How to exercise: Contact us at [email protected] or [email protected]. We will respond within one month.

Right to Rectification (Article 16 GDPR)
You have the right to have inaccurate personal information corrected.

How to exercise: Update your information in your account settings or contact us at [email protected].

Right to Erasure / "Right to Be Forgotten" (Article 17 GDPR)
You have the right to request deletion of your personal information in certain circumstances:

• The information is no longer necessary for the purposes for which it was collected
• You withdraw consent (where processing is based on consent)
• You object to processing and there are no overriding legitimate grounds
• The information has been unlawfully processed
• Deletion is required to comply with a legal obligation

Exceptions: We may refuse deletion if we need the information to:

• Comply with a legal obligation
• Establish, exercise, or defend legal claims
• Archive it in the public interest

How to exercise: Delete your account through account settings or contact [email protected].

Right to Restriction of Processing (Article 18 GDPR)
You have the right to request that we restrict processing of your personal information in certain circumstances:

• You contest the accuracy of the information
• The processing is unlawful but you do not want it erased
• We no longer need the information, but you need it for legal claims
• You have objected to processing pending verification of our legitimate grounds

How to exercise: Contact [email protected].

Right to Data Portability (Article 20 GDPR)
You have the right to receive your personal information in a structured, commonly used, machine-readable format and to transmit it to another controller, where:

• Processing is based on consent or contract
• Processing is carried out by automated means

How to exercise: Use our export functionality or contact [email protected].

Right to Object (Article 21 GDPR)
You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Direct Marketing: You have an absolute right to object to marketing at any time. Click "Unsubscribe" or contact us.

Other Processing: You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds that override your interests, rights, and freedoms.

How to exercise: Contact [email protected].

Right to Withdraw Consent (Article 7 GDPR)
Where processing is based on your consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

How to exercise: Adjust your preferences in account settings or contact [email protected].

Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority:

UK Users:

• Information Commissioner's Office (ICO)
• Website: ico.org.uk
• Phone: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

EU Users: Contact your local data protection authority. A list is available at: edpb.europa.eu/about-edpb/board/members_en

Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

8.3 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know (CCPA § 1798.100)
You have the right to know:

• What personal information we collect about you
• The categories of sources from which we collect it
• The purposes for which we use it
• The categories of third parties with whom we share it
• The specific pieces of personal information we have about you

How to exercise: Contact us at [email protected] or call us at [phone number].

Right to Delete (CCPA § 1798.105)
You have the right to request deletion of your personal information, subject to certain exceptions.

How to exercise: Delete your account or contact [email protected].

Right to Correct (CPRA § 1798.106)
You have the right to correct inaccurate personal information.

How to exercise: Update your account settings or contact [email protected].

Right to Opt Out of Sale/Sharing (CCPA § 1798.120)
You have the right to opt out of:

• The "sale" of your personal information
• The "sharing" of your personal information for cross-context behavioural advertising

Do we "sell" personal information?

• We do not sell personal information in the traditional sense (i.e., for money)
• However, under California's broad definition, using cookies for targeted advertising may be considered a "sale" or "sharing"
• Categories potentially "sold" or "shared": Identifiers (e.g., IP address, cookie IDs), Internet activity information, Inferences (e.g., preferences derived from your behaviour)

How to opt out:

• Click "Manage Cookies" in the footer of our website
• Adjust your cookie preferences to decline advertising cookies
• Enable Global Privacy Control (GPC) in your browser

Right to Limit Use of Sensitive Personal Information (CPRA § 1798.121)
You have the right to limit our use of sensitive personal information.

Sensitive personal information we collect:

• Account log-in credentials (email and password)
• Payment information (processed by Stripe)

How we use it:

• Only to provide the Services and for security purposes (permissible under CPRA)
• We do not use sensitive personal information for any other purposes

How to exercise: Contact [email protected] if you have concerns.

Right to Non-Discrimination (CCPA § 1798.125)
We will not discriminate against you for exercising your privacy rights. This means we will not:

• Deny you goods or services
• Charge different prices or rates
• Provide a different level or quality of service
• Suggest that you will receive a different price or quality of service

Authorised Agents
You may designate an authorised agent to submit requests on your behalf. To do so:

• Provide written authorisation signed by you
• Verify your identity
• The agent must provide proof of authorisation

Verification Process
To protect your privacy, we verify your identity before responding to requests:

• We will ask you to confirm information we have on file (e.g., email address, account details)
• For deletion requests, we may require additional verification
• We will respond within 45 days (with a possible 45-day extension if needed)

California "Shine the Light" Law
Under California Civil Code Section 1798.83, California residents have the right to request information about personal information disclosed to third parties for direct marketing purposes in the preceding calendar year.

We do not disclose personal information to third parties for their direct marketing purposes.

8.4 Rights for Other US State Residents

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or other US states with comprehensive privacy laws, you have similar rights to California residents, including:

• Right to know what personal information we collect
• Right to access your personal information
• Right to correct inaccurate information
• Right to delete your personal information
• Right to opt out of targeted advertising and sale of personal information
• Right to non-discrimination

How to exercise: Contact us at [email protected].

Appeals: If we deny your request, you have the right to appeal. Contact us at [email protected] with "Privacy Rights Appeal" in the subject line.

8.5 How We Respond to Requests

Timeframes

• UK/EU: Within one month (with possible two-month extension for complex requests)
• California: Within 45 days (with possible 45-day extension)
• Other US states: Within 45-60 days depending on state law

Fees

• We do not charge a fee for most requests
• We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests
• We may refuse to act on such requests

Verification

To protect your privacy, we verify your identity before fulfilling requests. We may ask you to:

• Confirm your email address
• Provide account information
• Answer security questions

9. Security

9.1 How We Protect Your Information

We take the security of your personal information seriously and implement industry-standard technical and organisational measures to protect it:

Encryption:

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Unique encryption keys per customer using AWS Key Management Service (KMS)

Access Controls:

• Multi-factor authentication (MFA) available for all users
• Role-based access controls limiting who can access what data
• Principle of least privilege for internal access
• All access logged and monitored

Infrastructure Security:

• Hosted on Amazon Web Services (AWS) with enterprise-grade physical security
• Regular security assessments and penetration testing
• 24/7 threat monitoring with Sophos Managed Detection and Response
• Automated vulnerability scanning

Operational Security:

• Background checks for employees with access to customer data
• Security awareness training for all staff
• Incident response plan and procedures
• Regular security audits

For more details, see our Security page at bluto.ai/security.

9.2 Data Breach Notification

In the event of a data breach that affects your personal information:

UK/EU users:

• We will notify the ICO (UK) or relevant EU data protection authority within 72 hours of becoming aware of the breach (where required)
• We will notify affected users without undue delay if the breach is likely to result in high risk to your rights and freedoms
• Notification will include: nature of the breach, likely consequences, and measures taken to address it

California users:

• We will notify affected users without unreasonable delay, and no later than California law requires
• We will notify the California Attorney General if the breach affects more than 500 California residents

Other users:

• We will notify you in accordance with applicable local laws

9.3 Your Responsibility

You also play a role in keeping your information secure:

• Choose a strong, unique password
• Enable two-factor authentication
• Do not share your password with anyone
• Log out of shared devices
• Keep your device and browser software up to date
• Be cautious about phishing emails pretending to be from Bluto

If you believe your account has been compromised, contact us immediately at [email protected].

9.4 Limitations

No security is perfect. While we implement strong security measures, we cannot guarantee absolute security. You use the Services at your own risk.

10. Third-Party Links and Services

Our Services may contain links to third-party websites, services, or applications that are not owned or controlled by Bluto.

We are not responsible for the privacy practices of third parties. When you leave our Services, we encourage you to read the privacy policies of other sites you visit.

Examples of third-party links:

• Social media platforms (LinkedIn, Twitter, etc.)
• Payment processor (Stripe)
• Support and help resources
• Partner websites

We do not endorse or make any representations about third-party websites or services.

11. Children's Privacy

Our Services are not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.

If we become aware that we have collected personal information from a child under 16 without appropriate consent:

• We will delete that information as quickly as possible
• We will terminate the child's account
• We will notify the parent or guardian (if we have contact information)

If you are a parent or guardian and believe we have collected information about your child, please contact us immediately at [email protected].

Age verification: By creating an account, you represent that you are at least 16 years old (or the age of majority in your jurisdiction, if higher).

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How we notify you of changes:

• We will post the updated Privacy Policy on this page
• We will update the "Last Updated" date at the top
• For material changes, we will:
    • Send you an email notification (to the address on your account)
    • Display a prominent notice on our website or in the Services

Your continued use of the Services after the effective date of changes constitutes acceptance of the updated Privacy Policy.

If you do not agree to the updated Privacy Policy, you must stop using the Services and may delete your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please contact us:

Email: [email protected]
Data Protection Officer: [email protected]
Support: [email protected]

Post: Bluto AI Limited
Data Protection Enquiries
20 Red Lion Street
London, England
WC1R 4PS
United Kingdom

14. Supervisory Authorities

For UK Residents:
Information Commissioner's Office (ICO)

Website: ico.org.uk
Helpline: 0303 123 1113
Online reporting: ico.org.uk/make-a-complaint
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

For EU Residents:
Contact your local data protection authority:

Full list available at: edpb.europa.eu/about-edpb/board/members_en

For California Residents:
California Attorney General's Office

Website: oag.ca.gov/privacy
Privacy Enforcement and Protection Unit: oag.ca.gov/contact/consumer-complaint-against-business-or-company

Appendix A: Summary of Information We Collect

• Identifiers: Name, email, IP address, device ID. Purpose: Account creation, authentication, communications
• Financial Information: Billing address, last 4 digits of card (via Stripe). Purpose: Process payments
• Customer Content: Financial models, projections, assumptions. Purpose: Provide Services
• Usage Information: Features used, pages visited, session duration. Purpose: Improve Services, analytics
• Technical Information: Browser type, OS, device type. Purpose: Ensure compatibility, troubleshoot issues
• Communications: Support requests, emails, feedback. Purpose: Customer support, improvements
• Social Sign-In Data: Name, email, profile picture from LinkedIn/Google/Microsoft. Purpose: Account creation, authentication

Appendix B: Legal Bases for Processing (UK/EU)

• Provide Services: Performance of contract
• Process payments: Performance of contract
• Customer support: Performance of contract, Legitimate interests
• Security and fraud prevention: Legitimate interests, Legal obligation
• Service improvement: Legitimate interests
• Marketing communications: Consent (for email), Legitimate interests (for other marketing where permitted)
• Legal compliance: Legal obligation
• Business transfers: Legitimate interests

Appendix C: Data Sharing Summary

• AWS: Hosting and infrastructure. Safeguards: Data Processing Agreement, encryption, UK/EU hosting
• Stripe: Payment processing. Safeguards: PCI-DSS compliant, Data Processing Agreement
• Mailgun: Transactional emails. Safeguards: EU hosting, Data Processing Agreement
• Social sign-in providers: Authentication. Safeguards: OAuth 2.0, limited data sharing
• Sophos: Security monitoring. Safeguards: Data Processing Agreement
• Analytics providers: Usage analysis. Safeguards: Anonymisation, Data Processing Agreement
• Legal authorities: Compliance with law. Safeguards: Only as required by law

By using the Services, you acknowledge that you have read and understood this Privacy Policy.

Financial modeling for founders who move fast

© 2025 Bluto.ai. All rights reserved.