Privacy Policy

EU GDPR 2016/679End-to-end encryptedEffective 22 May 2026

Controller: PALIBATCHEE HOUSE s.r.o., with registered seat at Klincova 35, 821 08 Bratislava, Slovak Republic, Company ID (IČO): 50 524 861, a company incorporated and registered within the European Union.  · 
Contact: privacy@bbly.app

Regulation: EU General Data Protection Regulation (GDPR) 2016/679  ·  Supervisory authority: Office for Personal Data Protection of the Slovak Republic

We do not sell your data. We do not use your document content to train AI models. Your documents are end-to-end encrypted — we cannot read them.
1. Who We Are — The Data Controller

PALIBATCHEE HOUSE s.r.o. ("we", "us", "our", "Controller") is the provider of bbly.app and data controller responsible for personal data processed in connection with the bbly. service. We operate the bbly. spatial document drafting tool available at bbly.app.

We are a limited liability company incorporated under the laws of the Slovak Republic and registered within the European Union. As an EU-established company, we process personal data in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the "GDPR") and applicable Slovak data protection law.

Your data is subject to EU data protection standards.

For privacy enquiries, data subject requests, or complaints, contact us at privacy@bbly.app. We aim to respond within 5 business days and in any event within one calendar month as required by GDPR Article 12.

2. Data We Collect and Why

We collect and process personal data only to the extent necessary for the purposes described below. The legal basis for each category of processing is identified in accordance with GDPR Article 6.

2.1 Account data

When you register, we collect your email address and, optionally, your name. If you register via Google OAuth, we receive your name and email address from Google.

Purpose: creating and managing your account, authentication, service communicationBasis: Art. 6(1)(b) — performance of a contractRetained: Duration of account; deleted within 30 days of closure

2.2 Document content

When you create documents, the content you type into bubbles is stored as part of the Service. Important: document content is protected by end-to-end encryption (E2EE). Your documents are encrypted on your device before being transmitted. We store only encrypted ciphertext and cannot access, read, or process the plaintext content of your documents. See Section 5 for a full explanation.

Purpose: providing the core document drafting and storage functionalityBasis: Art. 6(1)(b) — performance of a contractRetained: Duration of account; deleted within 30 days of closure. Never deleted solely due to a plan change.

2.3 Usage metadata

Non-content metadata including document count, storage size, page count, bubble count, plan tier, and timestamps of document creation and modification.

Purpose: enforcing plan limits, displaying usage to you, detecting abuse, aggregate statisticsBasis: Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interestsRetained: Duration of account. Anonymised aggregate statistics may be retained indefinitely.

2.4 Technical and security data

IP addresses, browser type, operating system, session tokens, and access logs processed through our authentication and hosting infrastructure.

Purpose: authentication, session management, fraud detection, security incident responseBasis: Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interestsRetained: Up to 90 days for access logs; session tokens expire on sign-out

2.5 Billing and payment data

Payment processing is handled entirely by Stripe Inc. We do not receive or store your full payment card details. We receive a billing token, the last four digits of your card, card type, and billing confirmation status.

Purpose: processing subscription payments, managing billing, tax complianceBasis: Art. 6(1)(b) contract; Art. 6(1)(c) legal obligationRetained: 7 years as required by Slovak and EU accounting law

2.6 Team membership data

If you are a member of a Team workspace, we process your team membership, role (admin or editor), and the association between your account and the team.

Purpose: providing team collaboration, access control to shared documents, team administrationBasis: Art. 6(1)(b) — performance of a contractRetained: For as long as you are a team member. Deleted when you leave or close your account.

2.7 Communications

If you contact us by email, we process the content of your message and your email address to respond to your enquiry.

Purpose: responding to enquiries and support requestsBasis: Art. 6(1)(f) legitimate interestsRetained: As long as necessary to resolve the enquiry, and up to 2 years thereafter
3. Data We Do Not Collect

We want to be explicit about data we do not process:

  • We do not collect or process the plaintext content of your documents — only encrypted ciphertext is stored on our servers.
  • We do not collect special categories of personal data (health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, etc.).
  • We do not use your data to train machine learning or AI models.
  • We do not engage in automated profiling that produces legal or similarly significant effects.
  • We do not knowingly collect data from children under 16. If we become aware of such data, we will delete it promptly.
4. Third-Party Sub-Processors

We engage the following third-party sub-processors to deliver the Service. Each is bound by a data processing agreement and processes data only as instructed by us.

Supabase Inc.

Provides database infrastructure, file storage, and authentication services. Your account data, encrypted document content, and usage metadata are stored on Supabase infrastructure.

HQ: United StatesTransfer: Standard Contractual Clauses (SCCs) — GDPR Art. 46(2)(c)supabase.com/privacy
Vercel Inc.

Provides hosting and serverless compute for the bbly. web application and PDF export function. Technical data (IP address, request headers) is processed by Vercel infrastructure.

HQ: United StatesTransfer: Standard Contractual Clauses (SCCs)vercel.com/legal/privacy-policy
Stripe Inc.

Processes payments for Pro and Team subscriptions. We share only the minimum billing information required. Stripe is PCI-DSS Level 1 certified.

HQ: United StatesTransfer: SCCs + EU-US Data Privacy Frameworkstripe.com/privacy
Resend Inc.

Used to send transactional emails including account confirmation, password reset, and team invitation emails. We share your email address with Resend for this purpose only.

HQ: United StatesTransfer: Standard Contractual Clauses (SCCs)resend.com/legal/privacy-policy
Google LLC (Fonts only)

Google Fonts is used to load typefaces in the editor interface. Font files are fetched from Google's servers at runtime; your IP address may be logged by Google as a result. We embed fonts as base64 in PDF exports to avoid Google Fonts requests during export.

HQ: United StatesTransfer: Standard Contractual Clauses (SCCs)policies.google.com/privacy

We do not share personal data with any other third party for commercial, marketing, or advertising purposes.

5. End-to-End Encryption

5.1 How it works

The Service implements end-to-end encryption (E2EE) for all document content and Bubble Library items:

  • Encryption keys are generated on your device using X25519 key exchange.
  • Document content is encrypted with AES-256-GCM on your device before transmission.
  • Encrypted ciphertext is transmitted to and stored on our servers.
  • We do not hold your private decryption keys and cannot decrypt your documents.
  • If our servers were compromised, an attacker would obtain only encrypted ciphertext that cannot be read without your private key.

5.2 What E2EE does not protect

End-to-end encryption protects the content of your documents. The following metadata is not encrypted and may be accessible to us for operational purposes: document titles, creation and modification timestamps, document and bubble counts, file sizes, and access logs.

5.3 Team document sharing

When you share a document with a team member, the document's encryption key is re-encrypted for each authorised team member's public key using a key-wrapping mechanism. Only users whose public keys are registered in the document's access list can decrypt the document.

5.4 Key loss

Because we do not hold your private keys, we cannot recover access to your encrypted documents if you lose your login credentials. You are solely responsible for maintaining access to your account. We strongly recommend using a secure, unique password and a password manager.

6. Cookies and Local Storage

6.1 Essential cookies only

bbly. uses only essential cookies — those strictly necessary to provide the service you have requested. We do not use advertising, tracking, behavioural profiling, or analytics cookies. Because we use only strictly necessary cookies, we do not require your prior consent under EU ePrivacy rules (Directive 2002/58/EC as amended). You may clear cookies at any time through your browser settings; doing so will sign you out of the Service.

6.2 Cookies and local storage we use

  • Authentication session cookie — set by Supabase to maintain your signed-in session. Expires on sign-out or after the session period.
  • bubbl_session (localStorage) — a locally stored display cache containing your plan information and display name. Used to avoid visible loading flicker in the dashboard. This is not the authentication source of truth and does not contain sensitive credentials.
  • Workspace context (localStorage) — stores your most recently selected workspace context (Personal or Team) to persist your preference across sessions.
7. International Data Transfers

PALIBATCHEE HOUSE s.r.o. is established in the Slovak Republic, an EU Member State. However, some of our sub-processors are located in the United States and other countries outside the European Economic Area (EEA).

Where we transfer personal data outside the EEA, we do so on the basis of appropriate safeguards as required by GDPR Chapter V, including Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c), or the EU-US Data Privacy Framework where applicable.

You may request a copy of the relevant transfer mechanism documentation by contacting us at privacy@bbly.app.

8. Your Rights as a Data Subject

Under the GDPR, you have the following rights in relation to your personal data. These rights may be subject to certain conditions and exceptions as provided by applicable law.

  • Right of access (Art. 15) — request a copy of the personal data we hold about you, along with information about how we process it.
  • Right to rectification (Art. 16) — correct inaccurate personal data. You can update your name and email directly in account settings.
  • Right to erasure (Art. 17) — request deletion of your account and all associated personal data from account settings or by emailing privacy@bbly.app. We will action deletion within 30 days.
  • Right to data portability (Art. 20) — export your documents as PDF at any time using the in-app export function. For account data, contact us at privacy@bbly.app.
  • Right to restriction of processing (Art. 18) — in certain circumstances you may request that we restrict how we process your data while a dispute is resolved.
  • Right to object (Art. 21) — object to processing based on our legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds.
  • Right not to be subject to automated decision-making (Art. 22) — we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, email privacy@bbly.app. We will respond within one calendar month as required by GDPR Article 12. We may ask you to verify your identity before processing your request.

9. Supervisory Authority and Complaints

The supervisory authority with jurisdiction over PALIBATCHEE HOUSE s.r.o. as an EU-established controller is:

Office for Personal Data Protection of the Slovak Republic

Hranicna 12, 820 07 Bratislava 27, Slovak Republic

dataprotection.gov.sk

If you are resident in another EU Member State, you also have the right to lodge a complaint with the supervisory authority in your country of residence.

We encourage you to contact us at privacy@bbly.app before lodging a formal complaint — most issues can be resolved quickly and informally.

10. Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:

  • End-to-end encryption of all document content using AES-256-GCM with X25519 key exchange.
  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest on Supabase infrastructure.
  • Row-level security policies on all database tables ensuring users can only access their own data.
  • Access controls and authentication requirements for all staff with access to production systems.
  • Regular review of our security practices and sub-processor security posture.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected data subjects without undue delay where required by GDPR Article 34.

11. Children's Privacy

The Service is a professional document drafting tool not directed at or intended for use by children under 16. We do not knowingly collect data from children under 16. If we become aware that a user is under 16, we will delete their account. If you believe a child has registered, please contact us at privacy@bbly.app and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. Material changes will be notified to registered users by email at least 30 days before taking effect. The effective date at the top of this document reflects the most recent revision.

Your continued use of the Service after the effective date of an updated policy constitutes your acknowledgement of the changes. If you do not agree with a material change, you may close your account before the change takes effect.

13. Contact

For any privacy-related enquiry, data subject request, or concern about how we handle your data:

PALIBATCHEE HOUSE s.r.o.
Klincova 35, 821 08 Bratislava
Slovak Republic

Email: privacy@bbly.app

Web: bbly.app/privacy

We aim to respond to all requests within 5 business days and in any event within one calendar month as required by GDPR Article 12.

PALIBATCHEE HOUSE s.r.o. · EU GDPR compliant · Effective 22 May 2026
Open App