FAQ Library
Privacy & GDPR
GDPR, ePrivacy, cookies, consent and data-subject rights in practice.
- What is GDPR in one paragraph? GDPR is the EU's data-protection law. It gives people rights over their personal data (access, deletion, portability) and requires you to have a lawful basis for processing. It applies to any business handling EU residents' data.
- Does GDPR apply to me if I'm outside the EU? Yes, if you target EU residents — collect their data, sell to them or track them. Most modern websites are in scope.
- Controller vs processor — what's the difference? The controller decides why and how data is processed (you). The processor handles data on your behalf (us). GDPR roles set who is responsible for what.
- Is Blanca's Builder a data processor for me? Yes. We process data on your behalf to deliver the service. A DPA (Data Processing Agreement) is available at /trust/data-processing — accepted by default on signup.
- Do I need a privacy policy? Yes. Any site that collects any personal data — even just an email — needs one. Blanca's Builder generates a starting policy and translates it to 24 languages.
- Do I need a cookie banner? Only if you set non-essential cookies (analytics, ads, third-party scripts). With first-party privacy-friendly analytics no banner is required.
- What is Google Consent Mode and do I need it? It lets you signal user consent to Google's tags. Required if you run Google Ads or Analytics in the EU. The platform includes a consent module that supports v2.
- How should I categorise cookies? Strictly necessary, functional, analytics, marketing. The cookie banner asks per category; preferences are stored 6-12 months and respected sitewide.
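The two answers above describe the mechanism behind a category-based banner wired to Consent Mode v2: tags start in a denied state, the user's per-category choice is translated into Google's consent signals, and the stored choice expires so the banner is shown again. The following is an added illustration of that flow, not the platform's own consent module. It uses the standard `gtag('consent', 'default' | 'update', ...)` calls and the v2 signal names; the `dataLayer`/`gtag` shim, the in-memory `store` object, the category-to-signal mapping and the 12-month expiry are constructed for this example.

```javascript
// Added example: category-based cookie consent mapped to Google Consent Mode v2.
// Constructed shim for the Google tag snippet so the code runs offline.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Which banner category controls each Consent Mode v2 signal (assumed mapping).
// "necessary" is never asked for and is always granted.
const SIGNAL_TO_CATEGORY = {
  security_storage: 'necessary',
  functionality_storage: 'functional',
  personalization_storage: 'functional',
  analytics_storage: 'analytics',
  ad_storage: 'marketing',
  ad_user_data: 'marketing',        // v2 signal
  ad_personalization: 'marketing',  // v2 signal
};

// Stored preferences are re-asked after 12 months (upper end of the 6-12 month range).
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;

// Translate {functional, analytics, marketing} booleans into granted/denied signals.
function signalsFor(prefs) {
  const out = {};
  for (const [signal, category] of Object.entries(SIGNAL_TO_CATEGORY)) {
    const allowed = category === 'necessary' || prefs[category] === true;
    out[signal] = allowed ? 'granted' : 'denied';
  }
  return out;
}

// Must run before any Google tag fires: deny everything non-essential,
// and give the banner up to 500 ms to deliver a stored choice.
function setDefaultConsent() {
  const signals = signalsFor({});
  gtag('consent', 'default', { ...signals, wait_for_update: 500 });
  return signals;
}

// Persist the user's choice with a timestamp and push the update signal.
function savePreferences(store, prefs, now = Date.now()) {
  const clean = {
    functional: prefs.functional === true,
    analytics: prefs.analytics === true,
    marketing: prefs.marketing === true,
  };
  store.consent = JSON.stringify({ prefs: clean, savedAt: now });
  const signals = signalsFor(clean);
  gtag('consent', 'update', signals);
  return signals;
}

// Return stored preferences, or null (and clear the record) if missing, malformed or expired.
function loadPreferences(store, now = Date.now()) {
  if (!store.consent) return null;
  let record;
  try { record = JSON.parse(store.consent); } catch (e) { delete store.consent; return null; }
  if (!record || typeof record.savedAt !== 'number' || now - record.savedAt > MAX_AGE_MS) {
    delete store.consent; // expired or invalid: the banner must be shown again
    return null;
  }
  return record.prefs;
}

// Page-load entry point: default first, then restore a still-valid choice.
// Returns whether the banner needs to be shown and the signals now in effect.
function initConsent(store, now = Date.now()) {
  setDefaultConsent();
  const prefs = loadPreferences(store, now);
  if (prefs) {
    const signals = signalsFor(prefs);
    gtag('consent', 'update', signals);
    return { showBanner: false, signals };
  }
  return { showBanner: true, signals: signalsFor({}) };
}
```

Two points a practitioner checks when reviewing such a setup: the `default` call has to be emitted before the tag loads (otherwise the first hits run with storage granted), and the stored record must carry its own timestamp so the expiry is enforced by your code rather than by whatever cookie lifetime the browser happens to honour.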
- How do I handle Data Subject Requests? From Admin, Privacy, Requests you can export or delete a user's data in one click. The request log keeps an auditable record for regulators.
- How long should I keep customer data? Only as long as needed. Define retention per data type (orders, leads, logs). The platform automates deletion when retention expires.
- Where is my data stored? EU by default — Supabase in Frankfurt or Stockholm. US or APAC residency is available on Enterprise.
- Do you transfer EU data to the US? Only when essential (e.g. some AI providers). Transfers use the EU-US Data Privacy Framework and Standard Contractual Clauses, listed in our DPA.
- Is customer data encrypted at rest? Yes. AES-256 at rest, TLS 1.2+ in transit. BYOK encryption keys are available on Enterprise via AWS KMS or Cloudflare Keyless.
- What if there's a data breach? We notify affected customers without undue delay and within 72 hours per GDPR Article 33. Breach reports are published at /trust/incidents.
- Can my customers export their own data? Yes. Settings, Privacy, Export data sends a ZIP with everything we hold on them within 24 hours.
- Can users delete their account themselves? Yes. Settings, Account, Delete account schedules deletion with a 14-day grace period; backups are purged within 30 days.
- Is my data used to train AI models? No. By default, prompts and responses are never used to train models. Both BYOK and Managed AI providers contractually exclude training.
- Where can I see your list of subprocessors? At /trust/data-processing. Updates are notified 30 days in advance per GDPR; you can object before they take effect.
- Are you compliant with Schrems II? Yes. Default infrastructure (Cloudflare EU, Supabase EU) stays inside the EU. Where US providers are involved, SCCs and DPF certifications apply.
- Do I need a Data Protection Officer (DPO)? Required for public bodies and for organisations whose core activity is large-scale monitoring or processing of special-category data. Most small businesses do not need one.