Privacy Policy

This Privacy Policy explains how Vantage Strategic Systems collects, uses, stores, and shares your personal data when you visit exitblueprint.io (hosted on Netlify), subscribe to our newsletter, or purchase our digital products. We take your privacy seriously and comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and applicable global privacy laws.

Effective date: 10 May 2026
Last updated: 20 May 2026
Version: 1.1
Governing law: Slovak Republic / EU

01 Data Controller

The "Data Controller" responsible for your personal data under the GDPR and other applicable privacy laws is:

Controller Identity

Filip Mihálik, sole trader (živnostník)
Trading as Vantage Strategic Systems via exitblueprint.io

Registered seat: Karpatské námestie 7770/10A, 831 06 Bratislava-Rača, Slovak Republic
Company ID (IČO): 57 556 199
Privacy contact: vantage@exitblueprint.io

I am registered as a sole trader in the Slovak Trade Register and act as the controller within the meaning of Article 4(7) of the GDPR. A Data Protection Officer (DPO) is not required under Article 37 GDPR. For any privacy matter, contact me directly at the email above.

02 Scope & Definitions

This Privacy Policy applies to personal data collected through:

  • The website exitblueprint.io and any subdomain we operate, hosted on Netlify, Inc.
  • Email subscriptions, lead-magnet downloads (free PDF e-book and Notion template), and other forms hosted on the website, managed via MailerLite
  • Purchases of our digital products processed through Stripe or MailerLite checkout
  • Automated product delivery after purchase, handled via MailerLite
  • Invoice creation and accounting records managed via SuperFaktúra
  • Email correspondence sent to or from vantage@exitblueprint.io (hosted on Hostinger hMail).

Key terms

  • Personal data → any information relating to an identified or identifiable natural person (e.g., name, email, IP address).
  • Processing → any operation performed on personal data (collection, storage, use, disclosure, deletion).
  • Controller → the entity that determines the purposes and means of processing (us).
  • Processor → a third party that processes personal data on our behalf and under our documented instructions (e.g., MailerLite, Stripe, Netlify).
  • DPA → Data Processing Agreement, a written contract between us and a processor specifying responsibilities, security measures, and sub-processor rules, required by Art. 28 GDPR.
  • SCC → Standard Contractual Clauses, standard clauses adopted by the European Commission (Decision 2021/914) used to lawfully transfer personal data to non-EEA countries.
  • DPF → EU-US Data Privacy Framework, an adequacy decision adopted by the European Commission on 10 July 2023 (Decision C(2023) 4745) that allows transfers to certified US organisations without additional safeguards.
  • You → any visitor, subscriber, or customer interacting with our website or services.

03 Data We Collect

We collect only the data we need to operate the website, deliver our products, and communicate with you. We do not buy email lists, scrape data, or process special categories of personal data (e.g., health, religion, biometrics).

| Category | Examples | Source |
|---|---|---|
| Identification & contact | First name (optional), email address | You, via newsletter / lead-magnet form or checkout |
| Transaction data | Email, billing name, billing country, last 4 digits of card, transaction ID, products purchased, amount, currency, VAT/tax info | You, via Stripe or MailerLite checkout (we do not see or store full card numbers) |
| Invoicing data | Name, billing address, company details (optional), purchase amount, VAT number (optional) | You, transferred to SuperFaktúra for invoice generation |
| Marketing engagement | Email open and click events, subscriber tags, unsubscribe status, time of subscription | MailerLite, when you interact with our emails |
| Technical & usage data | IP address (truncated / anonymised), browser type, device type, operating system, referring URL, pages viewed, time on page, country / region (approx.) | Automatically, via Netlify server logs and Google Analytics 4 (analytics only after consent) |
| Email correspondence | Content of emails you send us, support requests, replies | You, when you contact us at vantage@exitblueprint.io (stored on Hostinger hMail servers) |
| Cookies & web storage | Cookie IDs, consent preferences (localStorage), session identifiers, analytics identifiers | Your device, see Section 10 for full details |

We never collect

Government IDs, passport numbers, social security numbers, full payment-card numbers, health data, biometric data, precise GPS location, or any data we do not need for the purposes described in this policy.

04 How We Use Your Data

We use your personal data only for the specific purposes listed below. We do not sell your data, and we do not use it for purposes incompatible with the original purpose of collection.

4.1 Delivering the lead magnet

When you submit your email in exchange for the free PDF e-book and Notion template, we use your email to (a) deliver the requested files via a MailerLite automation and (b) confirm your subscription via a double opt-in confirmation message.

4.2 Email marketing & product education

If you confirm your subscription, we send you:

  • Educational and onboarding emails about our digital products and the topics they cover.
  • Promotional offers, discounts, launches, and announcements.
  • Occasional newsletter content related to faceless digital business, content systems, and product creation.

Every marketing email contains a one-click unsubscribe link. You can withdraw consent at any time, free of charge, with no negative consequences.

4.3 Selling and delivering digital products

When you purchase a product, we use your data to process the payment via Stripe or MailerLite checkout, trigger the automated product delivery email via MailerLite, provide customer support, generate invoices via SuperFaktúra, and meet our tax and accounting obligations under Slovak and EU law.

4.4 Operating, securing, and improving the website

We use technical data from Netlify server logs (infrastructure) and, where you consent, Google Analytics 4 to keep the site running, prevent fraud and abuse, fix bugs, and understand which content is most useful so we can improve it.

4.5 Legal compliance

We process and retain certain data to comply with applicable Slovak and EU laws, including the Accounting Act, VAT Act (EU OSS for cross-border digital sales), and consumer-protection rules.

06 Sharing & Third-Party Processors

We do not sell your personal data and we do not share it for cross-context behavioural advertising. We share data only with carefully selected service providers acting as processors under written Data Processing Agreements (see Section 07).

6.1 Processor overview

| Processor | Purpose | Data shared | Primary location |
|---|---|---|---|
| MailerLite (UAB MailerLite) | Email marketing, newsletter delivery, lead-magnet delivery automation, subscription-based checkout for digital products, automated product delivery email after purchase | Email address, first name (optional), subscription preferences, email engagement events (opens, clicks), purchase confirmation data, subscriber tags | EU → Lithuania. Sub-processors in EU and US |
| Stripe (Stripe Payments Europe Ltd) | Payment processing, fraud prevention, VAT / tax calculation, payment receipts and refunds | Email, billing name, billing country, card data (handled entirely by Stripe under PCI DSS, we never see or store full card numbers), transaction ID, purchase amount, currency, tax details | EU → Ireland. US parent: Stripe, Inc. |
| Google LLC (Google Analytics 4) | Website analytics, traffic measurement, user behaviour analysis, only after explicit cookie consent | IP address (anonymised, last octet removed before storage in Google's systems), device type, browser type, OS, pages viewed, session duration, referring URL, approximate geolocation (country/region), cookie identifiers (_ga, _ga_W8TXJLVNN9) | US. Data may be stored in any Google data centre |
| Netlify, Inc. | Website hosting, global CDN, deployment infrastructure, processes all traffic passing through exitblueprint.io as an infrastructure provider | Server logs → IP address, browser/device user-agent string, HTTP request data (URL, method, status code, bytes), timestamps, for all site visitors automatically | US. CDN nodes worldwide |
| Hostinger International Ltd (hMail / Hostinger Mail) | Business email hosting for vantage@exitblueprint.io, stores and routes all email correspondence we send and receive | Email content, metadata (subject, sender, recipient, timestamps), attachments | EU → Lithuania. Infrastructure may include other regions |
| SuperFaktúra, s.r.o. | Invoice creation and management, accounting records required by Slovak law | Billing name, billing address, email address, company name and VAT number (for business customers), purchase amount, product description, tax/VAT details | EU → Slovak Republic |

6.2 Other disclosures

We may also disclose personal data:

  • To tax authorities, accountants, or legal advisors where required by law or to defend our legal rights.
  • To law enforcement or courts in response to a valid, documented legal request.
  • To a successor entity in the event of a sale, merger, or acquisition, in which case you will be notified and your rights preserved.

Future processors

We may add or change processors as the business grows. When this happens, we update this Privacy Policy and, where the change materially affects your rights, notify you by email or banner before it takes effect.

07 Data Processing Agreements, SCCs & DPF

Under Article 28 of the GDPR, every processor we engage must sign a Data Processing Agreement (DPA) that obliges them to process data only on our documented instructions, maintain appropriate technical and organisational security measures, assist us in fulfilling data-subject rights, delete or return data upon termination, and make available all information necessary to demonstrate compliance.

For transfers of personal data to countries outside the European Economic Area (EEA), we rely on one or more of the following legally recognised transfer mechanisms:

  • EU-US Data Privacy Framework (DPF) → adequacy decision adopted by the European Commission on 10 July 2023 (C(2023) 4745), allowing transfers to certified US organisations without further safeguards. The DPF list is maintained by the US Department of Commerce at dataprivacyframework.gov.
  • Standard Contractual Clauses (SCCs) → module-specific clauses adopted by the European Commission via Implementing Decision (EU) 2021/914 of 4 June 2021. We use Controller-to-Processor (Module 2) SCCs with all non-EEA processors.
  • Adequacy decision → where the European Commission has determined that a third country provides an essentially equivalent level of protection (e.g., UK under the adequacy decision of 28 June 2021).

7.1 DPA and transfer mechanism per processor

| Processor | DPA in place | Transfer mechanism | Reference / DPA location |
|---|---|---|---|
| MailerLite (UAB MailerLite, EU) | Yes, signed automatically upon account creation and available in account settings | Intra-EU primary processing (Lithuania). US sub-processors covered by SCCs (Module 2, Decision 2021/914) incorporated into MailerLite's DPA. | mailerlite.com/legal/data-processing-agreement |
| Stripe (Stripe Payments Europe Ltd, EU (Ireland) / Stripe, Inc., US) | Yes, Stripe's Data Processing Agreement is part of their standard services agreement | EU entity (Stripe Payments Europe Ltd) processes EU customer data. Transfers to US parent (Stripe, Inc.) → DPF-certified (certification ID on dataprivacyframework.gov) + SCCs as supplementary safeguard. | stripe.com/legal/dpa |
| Google LLC (Google Analytics 4, US) | Yes, Google Measurement Controller-Controller Data Protection Terms / Google Analytics Data Processing Terms | DPF-certified (Google LLC listed on dataprivacyframework.gov) + SCCs (Module 2) incorporated into Google's Data Processing Amendment. IP anonymisation enabled in our GA4 configuration, advertising features disabled. | Google Ads / Analytics DPA |
| Netlify, Inc. (US) | Yes, Netlify's Data Processing Agreement (DPA) is available and accepted as part of the Netlify Terms of Service | DPF-certified (Netlify, Inc. listed on dataprivacyframework.gov) + SCCs (Module 2) incorporated into Netlify's DPA for EEA-originating data. Netlify acts as a data processor for server-level log data. | netlify.com/legal/data-processing-agreement |
| Hostinger International Ltd (hMail, EU (Lithuania)) | Yes, Hostinger's DPA is incorporated into their Terms of Service and Privacy Policy | Primarily intra-EU processing. No third-country transfer for standard email hosting under Hostinger's EU infrastructure. SCCs apply where sub-processors outside EEA are involved. | hostinger.com/privacy-policy |
| SuperFaktúra, s.r.o. (EU, Slovak Republic) | Yes, DPA available as part of SuperFaktúra's Terms of Service for business accounts | EU-based company and infrastructure, no third-country transfer. Processing stays within the EEA. | superfaktura.sk, Privacy |

Requesting transfer safeguard documents

You have the right to receive a copy of the relevant transfer safeguards (SCCs, DPF certification references, or DPA excerpts) for any processor. Send your request to vantage@exitblueprint.io with the subject line "Transfer safeguards request". We will respond within 30 days.

7.2 UK residents

For residents of the United Kingdom, the UK adequacy regulations recognise the EU as providing adequate protection (and vice versa under the EU-UK adequacy decisions of 28 June 2021). Transfers from the UK to processors in the US are covered by the UK International Data Transfer Agreement (IDTA) and/or UK Addendum to EU SCCs, incorporated into the relevant processor DPAs. The UK's equivalent of the DPF is the UK Extension to the DPF, for certified US organisations.

7.3 Swiss residents

Switzerland is recognised as providing adequate protection under EU Commission adequacy decisions. For transfers from Switzerland to the US, we rely on SCCs adapted for Switzerland per the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the Swiss-US Data Privacy Framework.

08 International Transfers, Summary

The following processors involve transfers of personal data outside the EEA:

| Processor | Transfer destination | Mechanism | Conditions |
|---|---|---|---|
| Google LLC (GA4) | United States | DPF + SCCs (Module 2) | Only triggered after explicit cookie consent. IP anonymisation active. Advertising features disabled. |
| Netlify, Inc. | United States (CDN nodes worldwide) | DPF + SCCs (Module 2) | Automatic for all site visitors, server log data only. No content-level user data stored by Netlify beyond standard infrastructure logs. |
| Stripe, Inc. (US parent) | United States | DPF + SCCs (Module 2) | Only triggered upon purchase. EU entity (Stripe Payments Europe Ltd, Ireland) is the primary contracting party. |
| MailerLite (US sub-processors) | United States (via sub-processors) | SCCs (Module 2) per MailerLite's DPA | Primary processing in EU (Lithuania). Sub-processors listed in MailerLite's sub-processor register. |

Hostinger (hMail) and SuperFaktúra process data within the EU only. No third-country transfer safeguards are required for these processors.

We continuously monitor changes to transfer mechanisms and update our arrangements as required. If the legal basis for any transfer is invalidated by a court or supervisory authority, we will suspend the transfer and notify you.

09 Retention Periods

We keep personal data only as long as necessary for the purposes described in this policy, and then either delete it or anonymise it.

| Data type | Retention period |
|---|---|
| Newsletter subscribers (email + engagement data in MailerLite) | Until you unsubscribe, or after 24 months of complete inactivity, whichever comes first |
| Unconfirmed double-opt-in signups | Up to 30 days, then deleted automatically |
| Customer / transaction records (Stripe, MailerLite checkout) | 10 years from the end of the relevant accounting period (Slovak Accounting Act §35) |
| Invoices and tax records (SuperFaktúra) | 10 years (Slovak VAT Act and Accounting Act) |
| Cookie consent record (localStorage → exitblueprint_consent) | Up to 12 months, re-prompt after expiry |
| Google Analytics 4 data (_ga, _ga_W8TXJLVNN9 cookies and associated reports) | Cookies → up to 13 months (configured in our GA4 property). Aggregated, anonymised reports may be kept indefinitely. |
| Netlify server / access logs | Up to 30 days per Netlify's standard infrastructure log retention policy |
| Email correspondence, support & business (Hostinger hMail) | Up to 3 years from last contact, unless required longer for legal claims |

10 Cookies & Similar Technologies

A cookie is a small text file placed on your device by a website. We also use web storage (localStorage) for non-tracking purposes such as storing your consent preferences. Below is a complete list of all cookies and web storage items we use.

10.1 Strictly necessary, web storage

These are required for the core functioning of the site and our consent management system. They are set without consent and cannot be disabled without preventing the site from working as intended.

| Name | Type | Duration | Set by | Purpose |
|---|---|---|---|---|
| exitblueprint_consent | localStorage (web storage, not a cookie) | 12 months from the date of consent, then cleared and re-prompt shown | exitblueprint.io (first party) | Stores your cookie consent choices (which categories you accepted or rejected), the consent version, and a timestamp for our legal audit trail. Required to remember your preferences across pages and sessions. Contains no tracking identifiers. |

localStorage vs cookies

Unlike cookies, localStorage data is not sent to any server with each HTTP request; it exists only in your browser. It cannot be read by third parties, it does not expire unless cleared programmatically or by you, and it is scoped strictly to exitblueprint.io. We use localStorage rather than a cookie for consent storage because it is more private.

10.2 Analytics cookies, requires consent

These cookies are set by Google Analytics 4 (GA4) and are loaded only after you click "Accept All" or enable Analytics in Cookie Settings. If you click "Reject All", none of these cookies are ever set.

| Name | Type | Duration | Set by | Purpose |
|---|---|---|---|---|
| _ga | HTTP cookie (first-party domain) | 13 months (we configured cookie_expires: 33696000 seconds, shorter than the default 2 years, to follow GDPR best practice) | Google LLC via exitblueprint.io (first-party cookie, data sent to Google servers) | Assigns a randomly generated Client ID used to distinguish unique visitors. Used by GA4 to aggregate usage statistics without identifying individual users. Contains no personal information by itself. |
| _ga_W8TXJLVNN9 | HTTP cookie (first-party domain) | 13 months (same configured expiry as _ga) | Google LLC via exitblueprint.io | Stores and updates a unique value for each page visit within your session. Used to count page views, maintain session state, and separate individual measurement sessions in the GA4 property with ID G-W8TXJLVNN9. Contains no personal information by itself. |

Our GA4 privacy configuration

We have configured Google Analytics 4 with the following privacy-enhancing settings → IP anonymisation enabled (anonymize_ip: true, the last octet of your IP address is removed before storage), advertising features disabled (allow_google_signals: false, allow_ad_personalization_signals: false), cookie expiry set to 13 months (instead of the default 2 years), SameSite=None,Secure flag on cookies. Your data is processed under Google's Data Processing Amendment and the EU-US DPF.

10.3 No marketing or advertising cookies

We currently set no advertising, retargeting, or cross-site tracking cookies (e.g., Meta Pixel, TikTok Pixel, Google Ads). If we add any such cookies in the future, they will appear in this table, require explicit opt-in via the cookie banner, and be loaded only after you consent.

10.4 Managing your cookie preferences

You can change your cookie and tracking preferences at any time using the following methods:

  • Cookie banner → shown on your first visit. Use "Accept All", "Reject All", or "Settings" for granular control.
  • Cookie Settings link → available in the footer of every page. Clicking it reopens the Settings modal so you can update your choices at any time.
  • Browser settings → you can block or delete all cookies via your browser settings. Note: blocking strictly necessary items (like localStorage) may prevent consent preferences from being remembered.
  • Google Analytics opt-out → you can also install the Google Analytics Opt-out Browser Add-on as an additional layer of control.

Refusing non-essential cookies does not affect your ability to access or use the website or purchase our products.

11 Your Rights Under the GDPR

If the GDPR applies to you (e.g., you are in the EEA, UK, or Switzerland), you have the following rights:

  • Right of access (Art. 15) → to know what personal data we hold about you and to receive a copy.
  • Right to rectification (Art. 16) → to correct inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17) → to request deletion of your data, subject to legal retention obligations (e.g., invoices must be kept 10 years).
  • Right to restriction of processing (Art. 18) → to limit how we process your data in certain situations.
  • Right to data portability (Art. 20) → to receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) → including the absolute right to object to direct marketing at any time, without needing to give a reason.
  • Right to withdraw consent (Art. 7(3)) → at any time, without affecting prior lawful processing.
  • Right not to be subject to automated decision-making (Art. 22) → see Section 15.
  • Right to lodge a complaint with a supervisory authority → see Section 17.

To exercise any right, email vantage@exitblueprint.io with the subject line "GDPR request". We will respond within 30 days, free of charge in most cases (Art. 12 GDPR). We may ask for proof of identity to make sure the request is genuine and to protect your data.

12 California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"):

  • Right to know → what categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties we share it with.
  • Right to delete → request deletion of personal information we hold about you, subject to legal exceptions.
  • Right to correct → request correction of inaccurate personal information.
  • Right to opt out of sale or sharing → we do not sell personal information and we do not share it for cross-context behavioural advertising. There is therefore nothing to opt out of. If this changes, you will be notified and provided with a "Do Not Sell or Share My Personal Information" link.
  • Right to limit use of sensitive personal information → we do not collect sensitive personal information as defined under the CCPA.
  • Right to non-discrimination → we will not deny services, charge different prices, or provide a lesser quality of service because you exercised your rights.

Categories collected in the last 12 months (CCPA disclosure)

  • Identifiers (name, email, IP address)
  • Commercial information (purchase history)
  • Internet / network activity (browsing, page views, interactions, analytics only with consent)
  • Geolocation (approximate, country/region only)
  • Inferences drawn from the above (e.g., topic interests for email segmentation)

To exercise your California rights, email vantage@exitblueprint.io with the subject line "CCPA request". You may also designate an authorised agent to make a request on your behalf, subject to verification. We respond within 45 days (extendable by a further 45 days with notice).

13 Children's Privacy

Our website and products are intended for adults pursuing entrepreneurial and professional goals. We do not knowingly collect personal data from children under 16 years of age (or the equivalent minimum age under your local law, e.g., 13 under COPPA in the US). If you believe a child has provided us with personal data, contact us at vantage@exitblueprint.io and we will delete it promptly.

14 Data Security

We apply technical and organisational measures appropriate to the risk, including:

  • HTTPS / TLS encryption for all data transmitted between your browser and our website (enforced by Netlify's infrastructure).
  • Strong, unique passwords and two-factor authentication on all critical accounts (Netlify, MailerLite, Stripe, SuperFaktúra, Google, Hostinger).
  • Reputable processors with industry-standard certifications: Stripe (PCI DSS Level 1), MailerLite (SOC 2 Type II), Netlify (SOC 2 Type II), Google (ISO 27001, SOC 2, SOC 3), Hostinger (ISO 27001).
  • Access control → access to personal data is limited to the controller and authorised processors on a strict need-to-know basis.
  • Regular review of access rights, software updates, dependency patches, and security practices.

Despite these measures, no method of transmission over the internet is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by Art. 33 GDPR, and notify you without undue delay where required by Art. 34 GDPR.

15 Automated Decision-Making & Profiling

We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing (Art. 22 GDPR). Basic automation used in our operations includes:

  • Sending the lead-magnet email automatically when you confirm your subscription via double opt-in (MailerLite).
  • Triggering the product delivery email automatically after a confirmed purchase (MailerLite).
  • Segmenting subscribers by topic interest or purchase status in MailerLite to send relevant content.

These automations are used for operational efficiency and content relevance only. They do not evaluate or score you in any way that affects your legal rights, access to services, or price paid.

16 Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other reasons. The "Last updated" date at the top of this page indicates when the policy was last revised. You can also track the version number in the meta-grid above.

If changes are material, we will notify you in advance, for example, by email to subscribers or via a prominent notice on the website, and, where required by GDPR, ask for fresh consent. Your continued use of the website after the effective date constitutes acceptance of the updated policy.

17 Contact & Complaints

For any privacy-related question, request, or complaint, contact us first. We aim to resolve all concerns directly and will respond within 30 days:

Privacy Contact

Filip Mihálik, Data Controller
Karpatské námestie 7770/10A, 831 06 Bratislava-Rača, Slovak Republic
IČO: 57 556 199
vantage@exitblueprint.io

Right to lodge a complaint

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with a data protection supervisory authority at any time. You do not need to contact us first, though we encourage it. The competent authority for our establishment is:

Lead Supervisory Authority (SK)

Úrad na ochranu osobných údajov Slovenskej republiky
(Office for Personal Data Protection of the Slovak Republic)
Hraničná 12, 820 07 Bratislava 27, Slovak Republic
dataprotection.gov.sk

EEA residents may alternatively lodge a complaint with the supervisory authority in their country of habitual residence or place of work (Art. 77 GDPR).

UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.

Swiss residents may contact the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

California residents may contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov or the California Attorney General's Office.