B2blix privacy policy
Effective date: 15.07.2026
This privacy policy describes how SaaS Factory OÜ (B2BLIX) collects, uses, stores, shares, and processes personal data when you use B2BLIX services. It covers data types, purposes, legal bases, rights, data sharing, retention, security, and compliance, in line with GDPR and California privacy law.
This privacy policy explains how SaaS Factory OÜ, registry code 16191717 (“B2BLIX”, “we”, “us”, or “our”), collects, uses, stores, shares, and protects personal data when individuals access or use the B2BLIX websites, account area, software platform, applications, tools, integrations, support channels, and related services (collectively, the “Platform”).
B2BLIX is a business-to-business software-as-a-service platform. This privacy policy primarily applies to representatives, employees, contractors, and other authorized users of our business customers, as well as website visitors, prospective customers, suppliers, and other persons who communicate with us.
This privacy policy describes our processing practices and does not itself create consent for every processing activity. Where consent is legally required, we will request it separately.
1. Data controller and scope
For personal data collected for our own business purposes, the data controller is:
SaaS Factory OÜRegistry code: 16191717
Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141, Estonia
Email: [email protected]
This privacy policy applies to personal data processed through the general B2BLIX platform and all B2BLIX services, including product-data processing, supplier-feed management, marketplace monitoring, price-comparison monitoring, price calculations, exports, integrations, reporting, support, and related account functions.
Individual services may include additional privacy notices, service terms, data processing terms, or interface notices explaining processing specific to that service. If an additional notice conflicts with this privacy policy regarding a particular service, the more specific notice applies to that processing.
2. Our role as controller and processor
B2BLIX acts as a data controller when we determine why and how personal data is processed, including for:
- account registration and administration;
- billing, subscriptions, and payment records;
- security, fraud prevention, and platform protection;
- website analytics and service improvement;
- customer support and business communications;
- marketing communications where permitted;
- legal compliance and enforcement of our agreements; and
- management of our business relationships.
B2BLIX may act as a data processor when we process personal data contained in customer data solely to provide a service on behalf of a customer. In such cases, the customer generally acts as the data controller and is responsible for providing required notices, establishing a lawful basis, responding to data-subject requests, and issuing lawful processing instructions.
Processing performed in our role as a processor may be governed by a separate data processing agreement. If you submit a request concerning personal data controlled by one of our customers, we may direct the request to that customer.
3. Information we collect
The personal data we collect depends on how you interact with the platform, which services your organization activates, and which information you or your organization provides.
3.1 Account and identity information
- full name;
- business or company name;
- job title, role, or department;
- email address;
- telephone number;
- username and account identifiers;
- preferred language and communication preferences;
- physical, registered, or billing address;
- country, tax residence, and VAT identification information; and
- information confirming authority to act for a customer.
3.2 Authentication and login information
- encrypted or securely hashed passwords;
- authentication records and session identifiers;
- multi-factor authentication information;
- login history and security events;
- identifiers and basic profile information received from Google, Facebook, or another authentication provider where social or third-party login is offered; and
- account recovery and verification information.
We do not receive your password for a third-party login provider where authentication is performed through that provider’s standard authorization process.
3.3 Billing and transaction information
- billing contact details;
- invoice and subscription information;
- payment status and transaction references;
- selected subscription plan and activated services;
- usage records, credits, quotas, and chargeable operations;
- refund, cancellation, and payment-dispute information; and
- tax, accounting, and compliance records.
Payment-card details are generally collected and processed directly by Stripe or another approved payment provider. We may receive limited payment information, such as card type, last digits, expiration information, billing country, payment status, and transaction identifiers, but we do not normally store complete payment-card numbers.
3.4 Customer data and service configuration
Depending on the activated services, customer data may include:
- supplier-feed URLs and source configuration;
- API keys, access tokens, integration credentials, and authentication headers;
- marketplace account identifiers, shop names, profile names, or store domains;
- product identifiers such as EAN, SKU, product ID, and variant ID;
- product titles, descriptions, categories, manufacturers, images, prices, stock, and availability;
- supplier, marketplace, comparison-platform, and store information;
- search queries and product-monitoring instructions;
- field mappings, category relationships, formulas, transformation rules, and filtering rules;
- minimum and maximum prices, coefficients, pricing strategies, and calculation settings;
- synchronization, monitoring, translation, import, and export schedules;
- generated files, reports, logs, processing results, and troubleshooting information;
- internal notes entered by the customer;
- uploaded files and information submitted to support or AI-assisted tools; and
- other information required to configure and operate an activated service.
Most customer data concerns businesses, products, and commercial activity rather than individuals. However, customer data may constitute personal data where it identifies or can be linked to an individual, including a sole trader, account representative, supplier contact, store operator, or other natural person.
3.5 Public and third-party marketplace information
Certain services collect or process publicly available product and offer information from marketplaces, price-comparison platforms, supplier sources, store websites, or other sources selected by the customer. This information may include:
- public seller or shop names;
- store domains and public profile links;
- product and offer information;
- public prices and availability indicators;
- product images, titles, and URLs;
- marketplace or comparison-platform positions; and
- timestamps and other information associated with public observations.
Public business information may be treated as personal data where it identifies an individual or sole trader.
3.6 Communications and support information
- emails and other correspondence;
- support requests and troubleshooting details;
- live-chat and AI-chat conversations;
- meeting notes and call information;
- feedback, survey responses, and feature requests;
- files, screenshots, and documents submitted to us; and
- records of notices, approvals, complaints, and disputes.
3.7 Technical and usage information
- IP address;
- browser type and version;
- device type and operating system;
- language, time zone, and approximate location derived from an IP address;
- referral source and visited pages;
- session, cookie, and similar identifiers;
- login times and platform activity;
- feature usage and navigation events;
- request, error, diagnostic, and performance logs;
- integration status and technical response information; and
- security, abuse-prevention, and fraud-detection signals.
3.8 Marketing information
- marketing preferences;
- newsletter subscription status;
- campaign engagement information;
- source of an inquiry or business lead; and
- information about products or services that may interest your organization.
4. How we collect information
We collect information from the following sources:
- Directly from you: when you register, complete a form, configure a service, contact support, participate in a chat, upload a file, request a demonstration, subscribe, or communicate with us.
- From your organization: when another administrator or representative creates an account for you, invites you, provides your contact information, or manages your access.
- Automatically: through cookies, server logs, application logs, monitoring tools, security systems, and similar technologies.
- From connected services: when you authorize us to obtain information from a supplier, marketplace, comparison platform, online store, spreadsheet, feed, API, or other integration.
- From public sources: including public marketplace pages, price-comparison results, store websites, company registers, and other publicly accessible business sources.
- From service providers: including payment, authentication, hosting, analytics, communications, fraud-prevention, and technical-support providers.
- From business partners and referrals: where permitted by applicable law.
5. Why we use personal data
We may use personal data for the following purposes:
5.1 Providing and administering the platform
- creating and maintaining accounts;
- authenticating users and managing permissions;
- activating and operating services;
- processing customer instructions and configurations;
- connecting supplier, marketplace, store, and other integrations;
- performing imports, monitoring, calculations, transformations, translations, and exports;
- generating reports and usage summaries;
- providing support and resolving technical issues; and
- communicating service, account, billing, and security information.
5.2 Billing and commercial administration
- processing subscriptions and usage charges;
- issuing invoices and maintaining accounting records;
- administering trials, credits, quotas, refunds, and cancellations;
- detecting payment errors, fraud, or abuse;
- collecting overdue amounts; and
- complying with tax, bookkeeping, and financial-reporting requirements.
5.3 Security and platform integrity
- protecting accounts, credentials, integrations, and infrastructure;
- detecting unauthorized access, malware, misuse, and suspicious activity;
- enforcing rate limits, usage restrictions, and acceptable-use requirements;
- investigating incidents and preserving evidence;
- maintaining backups and business continuity; and
- preventing harm to B2BLIX, customers, users, and third parties.
5.4 Improving and developing our services
- understanding how the platform is used;
- diagnosing errors and performance problems;
- testing and improving interfaces, algorithms, and functionality;
- developing new features and services;
- conducting internal analytics and capacity planning; and
- creating aggregated or anonymized statistics.
5.5 Communication and marketing
- responding to inquiries and requests;
- providing product updates and educational information;
- sending offers and marketing communications where permitted;
- managing events, demonstrations, and business-development activities; and
- measuring the effectiveness of communications and campaigns.
5.6 Legal and compliance purposes
- complying with laws, regulations, court orders, and lawful authority requests;
- maintaining legally required records;
- establishing, exercising, or defending legal claims;
- investigating violations of our agreements or rights;
- supporting audits and corporate transactions; and
- protecting our legal, commercial, and intellectual-property interests.
6. Legal bases for processing
Where the General Data Protection Regulation or similar law applies, we rely on one or more of the following legal bases:
- Performance of a contract: where processing is necessary to create an account, provide requested services, administer a subscription, provide support, or perform our agreement with the customer.
- Legitimate interests: where processing is necessary for security, fraud prevention, platform administration, service improvement, internal analytics, business communications, direct marketing to business contacts, or establishment and defence of legal claims, provided those interests are not overridden by the rights and freedoms of the affected individual.
- Legal obligation: where processing is necessary to comply with tax, accounting, regulatory, sanctions, law-enforcement, or other legal requirements.
- Consent: where we request consent for optional cookies, certain marketing communications, or another activity for which consent is legally required.
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect processing that was lawful before consent was withdrawn.
Where we rely on legitimate interests, you may request further information about the balancing of those interests by contacting us.
7. Customer responsibilities
Customers must ensure that they have a lawful basis and all necessary permissions to provide customer data to B2BLIX and to instruct us to process it.
The customer is responsible for:
- providing legally required privacy notices to affected individuals;
- limiting customer data to information necessary for the intended service;
- avoiding the submission of unnecessary sensitive or special-category personal data;
- obtaining required permissions for connected accounts, feeds, APIs, and integrations;
- maintaining accurate account and contact information;
- configuring access permissions appropriately;
- protecting credentials and access tokens; and
- responding to requests from individuals where the customer acts as controller.
Customers must not use the platform to collect or process personal data unlawfully or to access information without authorization.
8. Confidential business information
Customer data may include confidential business information that is not personal data, such as private supplier-feed URLs, product catalogs, unpublished prices, formulas, mappings, access credentials, commercial strategies, internal reports, and account activity.
We handle such information in accordance with the confidentiality provisions of the applicable terms of service, service terms, and other agreements. This privacy policy applies only to the extent that the information is also personal data.
9. AI-assisted features
The platform may include AI-assisted chat, mapping, categorization, translation, content-processing, support, or recommendation features.
When you use an AI-assisted feature, the information you submit may be transmitted to OpenAI or another AI technology provider acting as our service provider or subprocessor. Submitted information may include prompts, files, product content, instructions, and relevant technical context required to provide the requested output.
You should not submit personal data, credentials, confidential information, or sensitive content to an AI-assisted feature unless it is necessary and you are authorized to do so.
AI-generated outputs may be inaccurate or incomplete. Customers remain responsible for reviewing outputs before using, publishing, or relying on them.
Information submitted to an AI provider is processed subject to our agreement with that provider and the transfer safeguards described in this privacy policy.
10. Cookies and similar technologies
We use cookies, local storage, pixels, log files, and similar technologies to operate and improve our websites and platform.
These technologies may be used for:
- authentication and session management;
- security and fraud prevention;
- remembering preferences and settings;
- maintaining platform functionality;
- measuring traffic, usage, and performance;
- understanding how visitors interact with our websites; and
- marketing or campaign measurement where permitted.
We may use analytics services such as Google Analytics or Yandex Metrica where those services are enabled and disclosed through our cookie controls.
Where required by law, non-essential cookies are used only after consent. You may adjust your choices through the available cookie settings or through your browser. Disabling essential cookies may prevent parts of the platform from functioning correctly.
More information about specific cookies, providers, purposes, and retention periods may be provided in our cookie policy or cookie-consent interface.
11. How we share personal data
We do not sell personal data for monetary consideration.
We may disclose personal data to the following categories of recipients where necessary for the purposes described in this privacy policy:
11.1 Hosting and infrastructure providers
We may use cloud hosting, storage, database, backup, content-delivery, monitoring, and infrastructure providers. These providers may include DigitalOcean or equivalent service providers.
11.2 Payment providers
Subscription and payment information may be processed by Stripe or another approved payment processor.
11.3 AI and technology providers
Information submitted through AI-assisted features may be processed by OpenAI or another AI service provider. We may also use providers for translation, email delivery, authentication, error monitoring, security, support, and software operations.
11.4 Analytics and cookie providers
Technical and usage information may be processed by analytics providers where enabled and permitted by your cookie choices.
11.5 Professional advisers
We may disclose information to lawyers, accountants, auditors, insurers, banks, and other professional advisers where reasonably necessary.
11.6 Authorities and legal recipients
We may disclose information to courts, arbitration bodies, regulators, tax authorities, law-enforcement agencies, or other public authorities where required by law or reasonably necessary to protect rights, safety, property, or the integrity of the platform.
11.7 Corporate transactions
Information may be disclosed in connection with a proposed or completed financing, merger, acquisition, restructuring, sale of assets, transfer of business, insolvency, or similar transaction, subject to appropriate confidentiality protections.
11.8 At the customer’s direction
We may transmit data to a supplier, marketplace, comparison platform, online store, spreadsheet provider, export destination, API, or other third-party service selected or configured by the customer.
The customer is responsible for reviewing the privacy and security practices of third-party destinations it chooses to connect.
11.9 Other account users
Account administrators and other authorized users within the same customer organization may be able to view account details, configurations, activity, reports, and information associated with other users, depending on their permissions.
Service providers processing personal data on our behalf are contractually required to process it only for authorized purposes and to apply appropriate safeguards.
12. International data transfers
We primarily operate from the European Economic Area, but some service providers, integrations, customers, or data recipients may be located outside the European Economic Area.
Where personal data is transferred to a country that has not been recognized as providing an adequate level of data protection, we use an appropriate legal transfer mechanism where required. This may include:
- European Commission adequacy decisions;
- European Commission standard contractual clauses;
- supplementary contractual, organizational, or technical measures;
- another legally recognized transfer mechanism; or
- a permitted legal exception for a specific transfer.
You may contact us to request more information about the safeguards applicable to a particular transfer. Certain details may be limited to protect confidential information and security.
13. Data retention
We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including providing the platform, maintaining security, complying with law, resolving disputes, and enforcing agreements.
Retention is generally determined as follows:
- Account information is retained while the account is active and for a reasonable period after closure where needed for reactivation, support, security, disputes, or legal compliance.
- Customer data and service configurations are retained while necessary to provide the activated services and may be deleted or anonymized after termination in accordance with the applicable agreement, service settings, and backup cycles.
- Credentials and access tokens are retained while the relevant integration is enabled or until they are replaced, revoked, or no longer required.
- Billing, invoice, tax, and transaction records are retained for the period required by applicable accounting, tax, and commercial laws.
- Security and technical logs are retained for a limited period based on security, troubleshooting, abuse-prevention, and operational requirements.
- Support and correspondence records are retained while necessary to resolve the matter and for a reasonable period afterwards.
- Marketing information is retained until you opt out or until it is no longer relevant, subject to retention of a suppression record to respect your choice.
- Cookie and analytics information is retained according to the relevant cookie or provider settings.
Data may remain temporarily in encrypted or access-restricted backups until those backups are overwritten according to our normal backup cycle.
We may retain information for a longer period where required by law, necessary to establish or defend legal claims, required to investigate fraud or abuse, or requested through a lawful preservation order.
We may retain aggregated or anonymized information that can no longer reasonably identify an individual.
14. Data security
We use reasonable technical and organizational measures designed to protect personal data against unauthorized access, accidental loss, destruction, alteration, disclosure, or misuse.
Depending on the nature of the information and processing, these measures may include:
- encryption in transit and at rest where appropriate;
- secure password hashing and authentication controls;
- restricted access based on business need;
- additional protection for access tokens and integration credentials;
- logging, monitoring, and incident-detection measures;
- backups and recovery procedures;
- vendor and subprocessor controls;
- employee and contractor confidentiality obligations; and
- security review and maintenance procedures.
No internet transmission, electronic storage method, or security system is completely secure. We cannot guarantee absolute security or that unauthorized access will never occur.
Customers are responsible for using secure devices, protecting credentials, configuring access permissions, reviewing account activity, and promptly notifying us of suspected compromise.
If a personal-data breach occurs, we will investigate and provide notifications to affected customers, individuals, or authorities where required by applicable law.
15. Your data protection rights
Depending on your location and the applicable law, you may have some or all of the following rights:
- the right to receive information about how your personal data is processed;
- the right to request access to your personal data;
- the right to request correction of inaccurate or incomplete personal data;
- the right to request deletion of personal data in applicable circumstances;
- the right to request restriction of processing;
- the right to receive certain personal data in a portable format;
- the right to object to processing based on legitimate interests;
- the right to object to direct marketing at any time;
- the right to withdraw consent where processing is based on consent;
- rights relating to certain solely automated decisions and profiling; and
- the right to lodge a complaint with a competent data protection authority.
These rights may be subject to legal conditions, exceptions, identity-verification requirements, and the rights of other persons.
To exercise a right, contact us at [email protected]. Please describe your request and identify the account, organization, or interaction concerned.
We may request information necessary to verify your identity and authority. We will respond within the period required by applicable law.
If B2BLIX processes the relevant data solely on behalf of a customer, we may forward the request to that customer or ask you to contact the customer directly.
16. Direct marketing
We may send service information, product updates, newsletters, and other business communications where permitted by law.
You may opt out of marketing emails at any time by using the unsubscribe link in the message or contacting us. Opting out of marketing does not prevent us from sending necessary account, billing, security, support, or legal communications.
17. Automated processing and profiling
B2BLIX services may use automated rules, algorithms, classifications, translations, calculations, and recommendations to process product and commercial data.
These functions are designed to assist business users with product-data processing, monitoring, pricing, feed generation, and related operations. They are not generally intended to make decisions about individuals that produce legal or similarly significant effects.
We do not ordinarily make solely automated decisions about individuals that produce legal or similarly significant effects. If this changes for a particular feature, we will provide additional information and any legally required rights or controls.
18. California privacy notice
This section applies only to California residents and only where B2BLIX is subject to the California Consumer Privacy Act, as amended.
18.1 Categories collected
During the preceding twelve months, we may have collected the following categories of personal information:
| Category | Examples | Main purposes |
|---|---|---|
| Identifiers | Name, email address, IP address, account ID, online identifiers | Accounts, authentication, support, security, communications |
| Customer-record information | Business contact details, address, telephone number, billing information | Contract administration, billing, support, compliance |
| Commercial information | Subscriptions, transactions, services, usage, credits, and purchase history | Service delivery, billing, analytics, customer administration |
| Internet or electronic-network activity | Browser, device, login, session, usage, cookie, and diagnostic information | Functionality, analytics, security, troubleshooting |
| Approximate geolocation | Approximate location derived from an IP address | Security, localization, fraud prevention, analytics |
| Professional or employment information | Company, role, department, and business authority | Business relationships, account administration, communications |
| Audio, electronic, or similar information | Support communications, chat records, screenshots, and meeting records | Support, documentation, dispute resolution, service improvement |
| Inferences | Likely service interests or account-security indicators | Business communications, fraud prevention, service improvement |
| Sensitive personal information | Account credentials, authentication data, and payment-account access information | Authentication, security, payment processing, and service operation |
We collect these categories from the sources described in section 4 and use them for the purposes described in section 5.
We may disclose these categories to service providers, contractors, payment processors, analytics providers, professional advisers, connected third parties selected by customers, authorities, and parties involved in corporate transactions as described in section 11.
18.2 Sale and sharing
We do not sell personal information for monetary consideration.
We do not knowingly share personal information for cross-context behavioral advertising. If our practices change, we will update this privacy policy and provide any legally required opt-out mechanism.
Where legally required and relevant to our processing, we will recognize applicable browser-based opt-out preference signals.
18.3 Sensitive personal information
We use sensitive personal information only for purposes reasonably necessary to provide requested services, authenticate users, process payments, protect accounts and systems, prevent fraud, and comply with law. We do not use sensitive personal information to infer characteristics about individuals.
18.4 California rights
Subject to applicable conditions and exceptions, eligible California residents may have the right to:
- know the categories and specific pieces of personal information collected about them;
- know the sources, purposes, and categories of recipients involved;
- request deletion of personal information;
- request correction of inaccurate personal information;
- opt out of the sale or sharing of personal information;
- limit certain uses of sensitive personal information; and
- receive equal service and not be discriminated against for exercising privacy rights.
You or an authorized agent may submit a request by contacting [email protected]. We may take reasonable steps to verify the request and the authority of an agent.
19. Children’s privacy
The platform is intended exclusively for business and professional use and is not intended for individuals under the age of 18.
We do not knowingly collect personal data directly from children. If you believe that a child has provided personal data to us, contact [email protected] so that we can investigate and take appropriate action.
20. Third-party websites and services
The platform may contain links to or integrations with third-party websites and services. Their processing is governed by their own privacy policies and terms.
We do not control and are not responsible for the privacy, security, content, or practices of third parties, including services selected or connected by a customer.
21. Changes to this privacy policy
We may update this privacy policy to reflect changes to our services, processing activities, providers, legal obligations, or security practices.
The updated version will be published with a revised effective date. Where a change is material, we may provide additional notice through the platform, by email, or by another reasonable method.
Where applicable law requires consent for a new processing activity, continued use alone will not replace the required consent.
22. Contact and complaints
Questions, requests, and concerns regarding this privacy policy or our processing of personal data may be sent to:
SaaS Factory OÜRegistry code: 16191717
Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141, Estonia
Email: [email protected]
If you are located in the European Economic Area, you may also lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged infringement.
The supervisory authority responsible for data protection in Estonia is:
Estonian Data Protection InspectorateTatari 39, Tallinn 10134, Estonia