Privacy policy
1. Who we are
Bulkman is operated by DeDigitaal ("we", "us"), a Webflow Premium Partner based in the Netherlands. We are the controller for the personal data described in this policy. Questions: privacy@bulkman.io.
2. What we collect
Account data (name, email, hashed password), billing data (name, address, VAT number, card details are handled by our payment processor and never touch our servers), workspace data (connected Webflow sites and encrypted API tokens), product usage (features used, actions run) and support conversations.
3. Your CMS content
When you connect a site, Bulkman reads your CMS items to display them and writes only the changes you apply. Snapshots of the items you edit are stored so you can roll back, and are deleted automatically after your plan's history window (7 days, 30 days, or unlimited until you delete them) or when you disconnect the site. We never sell your CMS content, share it with third parties for their own purposes, or use it to train models.
4. API tokens
Webflow site tokens are stored encrypted at rest and used exclusively to call the Webflow API on your behalf. You can revoke a token in Webflow at any time; disconnecting a site deletes the token from our systems.
5. Why we may process your data (legal bases)
Performing our contract with you (running Bulkman), our legitimate interests (securing the service, preventing abuse, improving the product), legal obligations (tax and bookkeeping), and your consent (product emails beyond service messages, optional analytics). You can withdraw consent at any time.
6. Retention
Account data is kept while your account is active and deleted within 30 days of account deletion. Snapshots follow your plan's history window. Invoices are kept for 7 years as required by Dutch tax law.
7. Subprocessors
We use a small number of subprocessors: EU-based hosting and database infrastructure, a payment processor, and a transactional email provider. All are bound by data processing agreements. The current list is available on request.
8. Your rights
Under the GDPR you can request access, correction, deletion, restriction, portability, and object to processing. Email privacy@bulkman.io and we'll respond within 30 days. You can also lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens).
9. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted and logged. Snapshots are isolated per workspace.
10. Changes to this policy
If we make material changes, we'll notify you by email before they take effect.