Effective Date: October 1, 2024
Last Updated: May 7, 2025
Blolabel.ai (“Blolabel,” “we,” “us,” or “our”) is committed to safeguarding your privacy and honoring your rights under U.S. and EU law. This Privacy Policy applies to all personal data collected via our web and mobile application (the “App”) and related services.
- Information We Collect 1.1 Personal Information 1.2 Usage Data 1.3 Device & Network Data
- Name, email address, billing/payment details
- Task completion history, in-App feature usage, timestamps
- Device type/model, operating system version, IP address, browser or device identifiers
- Legal Bases for Processing (GDPR) When processing data of EU residents, we rely on the following lawful bases (GDPR Art. 6): Data CategoryPurposeLegal BasisPersonal InformationApp registration, payment processingPerformance of contract (Art 6(1)(b))Usage & Device DataApp functionality, security, analyticsLegitimate interests (Art 6(1)(f))Email for MarketingPromotional communicationsConsent (Art 6(1)(a))
- How We Use Your Information
- Deliver & maintain App functionality
- Process payments and issue rewards
- Analyze usage to improve features and performance
- Communicate security alerts, policy updates, or promotions (with opt-out)
- Sharing & Disclosure We do not sell your data. We may share your information with:
- Service providers (e.g., payment processors, hosting, analytics)
- Sub-processors under our Data Processing Addendum (DPAA) for EU transfers
- Legal authorities when required by law or to protect our rights
- Data Storage & International Transfers
- U.S. Users: Data stored on U.S.-based servers (MongoDB Atlas).
- EU Users: Data stored on GDPR-compliant EU servers.
- Transfers Outside the EU: Governed by Standard Contractual Clauses or an approved adequacy decision.
- Your Rights (EU Residents) You may exercise, free of charge, the following rights by emailing privacy@blolabel.ai or using the in-App “Privacy Requests” form:
- Access & Portability of your personal data
- Rectification of inaccuracies
- Erasure (“Right to be Forgotten”)
- Restriction of processing
- Objection to processing (including direct marketing)
- Withdrawal of Consent at any time
- Lodge a Complaint with your local Supervisory Authority (e.g., www.bfdi.bund.de)
- Cookies & Tracking Technologies We use cookies and similar tools to power and personalize your experience. CategoryPurposeBasisStrictly NecessaryCore App functionalityLegitimate interestsAnalytics & PerformanceUsage analysis (Mixpanel, GA)Consent (EU); Legitimate interests (U.S.)Marketing & AdvertisingPromotional messagingConsent (all users) You can manage or withdraw your cookie consents any time via App Settings → Cookie Preferences.
- Regulatory Compliance 8.1 HIPAA Compliance 8.2 GDPR Compliance
- Business Associate Addendum (BAA)
We have executed a HIPAA Business Associate Addendum with Amazon Web Services (AWS), which designates our account as a HIPAA account and defines the AWS services eligible for processing, storing, and transmitting Protected Health Information (PHI). Amazon Web Services, Inc. - HIPAA-Eligible Services
We only process, store, and transmit PHI using the AWS services covered under the AWS BAA, such as Amazon EC2, Amazon S3, Amazon RDS, and others listed in the HIPAA Eligible Services Reference webpage. Amazon Web Services, Inc. - Encryption & Safeguards
All PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256) using AWS Key Management Service (KMS) or customer-provided keys. Amazon Web Services, Inc. - Shared Responsibility Model
AWS manages the physical safeguards, including data center security and hardware controls, while we implement administrative and technical safeguards—such as access controls, audit logging, and vulnerability management—to meet HIPAA requirements. Compliance reports and the BAA are accessible via AWS Artifact. Amazon Web Services, Inc. - AWS Data Processing Addendum (DPA)
Our processing of EU personal data is governed by the AWS Global Data Processing Addendum (GDPR DPA), which is incorporated into the AWS Service Terms and applies automatically to all customers globally. AWS DocumentationAmazon Web Services, Inc. - Standard Contractual Clauses (SCCs)
The AWS DPA includes the SCCs adopted by the European Commission for lawful transfers of personal data outside the European Economic Area (EEA). Amazon Web Services, Inc. - Technical & Organizational Measures
AWS maintains certifications and compliance attestations, including ISO 27001, ISO 27017, ISO 27018, and SOC 1/2/3, and offers service controls—such as encryption, erasure, and audit logging—to assist us in meeting GDPR obligations. Amazon Web Services, Inc. - Data Transfer Mechanisms & Schrems II
Customers can select AWS Regions that keep data within the EU, and AWS provides resources to support Data Transfer Impact Assessments in compliance with European Data Protection Board (EDPB) guidance. Amazon Web Services, Inc.
- Business Associate Addendum (BAA)
- Data Retention Data TypeRetention PeriodTransaction & Task Data5 years after last activityLogs & Diagnostics12 monthsMarketing ConsentsUntil withdrawn
- Security Measures
- Encryption: TLS 1.2+ for data in transit; AES-256 at rest.
- Access Controls: Role-based access, least-privilege enforcement.
- Vulnerability Management: Quarterly penetration tests; monthly patching.
- Incident Response: Formal plan with breach notifications within 72 hours.
- Records & Impact Assessments We maintain a Record of Processing Activities (RoPA) per GDPR Art. 30 and have completed Data Protection Impact Assessments (DPIAs) for high-risk processing (e.g., voice analysis); summaries are available on request.
- Changes to This Policy We review this policy annually (or when laws change). Material changes will be highlighted upon App login and via email.
- Contact Us If you have questions, requests, or concerns:
Email: privacy@blolabel.ai
Phone: +1 949 689 9539
Mail: 400 S 4th St, Las Vegas, NV 89101
