Privacy Policy · Bulkman
Legal

Privacy policy

Draft v0.9 · July 2026 · Have your counsel review before publishing.

1. Who we are

Bulkman is operated by DeDigitaal ("we", "us"), a Webflow Premium Partner based in the Netherlands. We are the controller for the personal data described in this policy. Questions: privacy@bulkman.io.

2. What we collect

Account data (name, email, hashed password), billing data (name, address, VAT number, card details are handled by our payment processor and never touch our servers), workspace data (connected Webflow sites and encrypted API tokens), product usage (features used, actions run) and support conversations.

3. Your CMS content

When you connect a site, Bulkman reads your CMS items to display them and writes only the changes you apply. Snapshots of the items you edit are stored so you can roll back, and are deleted automatically after your plan's history window (7 days, 30 days, or unlimited until you delete them) or when you disconnect the site. We never sell your CMS content, share it with third parties for their own purposes, or use it to train models.

4. API tokens

Webflow site tokens are stored encrypted at rest and used exclusively to call the Webflow API on your behalf. You can revoke a token in Webflow at any time; disconnecting a site deletes the token from our systems.

5. Why we may process your data (legal bases)

Performing our contract with you (running Bulkman), our legitimate interests (securing the service, preventing abuse, improving the product), legal obligations (tax and bookkeeping), and your consent (product emails beyond service messages, optional analytics). You can withdraw consent at any time.

6. Retention

Account data is kept while your account is active and deleted within 30 days of account deletion. Snapshots follow your plan's history window. Invoices are kept for 7 years as required by Dutch tax law.

7. Subprocessors

We use a small number of subprocessors: EU-based hosting and database infrastructure, a payment processor, and a transactional email provider. All are bound by data processing agreements. The current list is available on request.

8. Your rights

Under the GDPR you can request access, correction, deletion, restriction, portability, and object to processing. Email privacy@bulkman.io and we'll respond within 30 days. You can also lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens).

9. Security

Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted and logged. Snapshots are isolated per workspace.

10. Changes to this policy

If we make material changes, we'll notify you by email before they take effect.