We’re live on Product Hunt. Support us

Privacy Policy

How Bluerails Discovery collects, uses, and retains personal data. We are EU-operated and apply the GDPR baseline to every visitor regardless of location.

Last updated: 17 June 2026.

What we collect

  • Work email address you enter on the landing form, so we can deliver your Discovery report.
  • Brand domain, brand name, and industry vertical you submit, so we can run the scan.
  • IP address at signup, stored as a SHA-256 hash (never as the raw IP). Used only for abuse rate-limiting.
  • A functional session cookie (vis_session) that lets you reach your scan and report. This cookie is strictly necessary and runs without consent.
  • Scan results and report artefacts: prompts run, AI assistant answers, KPI values, and the rendered report. Stored against your brand record.
  • Product analytics (page views, button clicks, scan completion) via Amplitude. This only fires after you click Accept on the consent banner.

How we use it

  • To compute your Discovery report by running prompts against ChatGPT, Perplexity, Gemini, and Claude.
  • To send the report to the email address you submitted.
  • To rate-limit abusive scan submissions from the same source.
  • To improve the product (consented analytics only).

We do not sell, rent, or share your personal data with any third party for their own marketing. We do not use your data to train AI models.

Retention

  • Report snapshots are stored indefinitely with personal identifiers stripped, so we can keep methodology comparable over time. Brand domain stays attached; email is not stored on the snapshot row.
  • Email addresses are retained for 24 months from the last scan, then deleted.
  • Raw IP addresses are never stored. Only the SHA-256 hash is persisted, and only for abuse prevention.
  • Consent records are stored client-side (browser localStorage). Clearing your browser storage resets your consent state.

Your rights (DSAR)

Under the GDPR you may request access to, correction of, export of, or deletion of any personal data we hold about you. To exercise these rights, email [email protected] from the address on file. We respond within 30 days.

You also have the right to lodge a complaint with the data protection authority in your country of residence.

Third-party processors

We use the following sub-processors to deliver Discovery. Each is contractually bound to GDPR-equivalent terms.

  • Amazon Web Services (AWS), eu-west-1 (Ireland): hosting, database, email delivery (SES).
  • Anthropic: Claude model inference for scan prompts.
  • OpenAI: ChatGPT model inference for scan prompts.
  • Google: Gemini model inference for scan prompts.
  • Perplexity: Perplexity model inference for scan prompts.
  • Amplitude: product analytics. Only fires after consent is granted.
  • Stytch: authentication for logged-in dashboard users (not used in the free scan flow).

Contact

Bluerails GmbH, Berlin, Germany. Privacy contact: [email protected].