
Privacy Policy

Last updated: 22 April 2026 · Effective date: 22 April 2026

On this page

  1. Who we are
  2. Data we collect
  3. Why we process it
  4. Legal basis
  5. Data retention
  6. Third parties & processors
  7. International transfers
  8. Your rights
  9. AI processing & automated decisions
  10. Children's privacy
  11. Security
  12. Cookies
  13. Changes
  14. Contact

This Privacy Policy explains how GenerateBizPlan (the "Service"), operated by Mill AI sp. z o.o. (the "Controller", "we", "us"), collects, processes, stores, and protects your personal data when you use our free AI tool that generates 1-page Lean Business Canvas PDFs.

We designed this Service with one principle: collect as little data as possible, and tell you exactly what we do with it. This policy complies with the EU General Data Protection Regulation (GDPR / Regulation 2016/679) and the California Consumer Privacy Act (CCPA).

1. Who we are

The data controller responsible for your personal data is:

Mill AI sp. z o.o. (in registration)

Address: [Address — to be added after company registration]

NIP: [NIP — to be added after company registration]

KRS: [KRS — to be added after company registration]

Email: contact@millai.eu

You can reach our privacy team at contact@millai.eu. We have not appointed a statutory Data Protection Officer (DPO) because our processing does not meet the mandatory criteria under Art. 37 GDPR, but the address above serves as the single privacy contact point.

2. Data we collect

We collect only what we need to generate and deliver your PDF:

2.1 Information you provide

  • Email address — mandatory; used exclusively to deliver your generated PDF and, if you opt in, occasional product updates.
  • 7-field form inputs — text you enter describing your business idea (problem, solution, target customer, revenue model, unfair advantage, 30-day next steps, language preference). This content is sent to an AI processor to generate your canvas.
  • Consent signals — timestamped acknowledgment that you have read the AI disclaimer and our Terms of Service.

2.2 Information we collect automatically

  • Technical data — IP address (truncated), browser type, device type, referrer URL, timestamp of visit. Used for security, abuse prevention, and aggregated analytics.
  • Analytics events — page views, form starts, form submits, PDF generation events. Collected via Google Analytics 4 only if you consent through our cookie banner.

2.3 What we do NOT collect

  • We do not collect your name, phone number, payment data, or identity documents. The Service is free and does not require an account.
  • We do not use advertising cookies, retargeting pixels, or third-party marketing trackers in the MVP.
  • We do not scrape, enrich, or combine your data with third-party profiles.

3. Why we process your data

Purpose | Data used
Generating and delivering your 1-page PDF | Form inputs + email
Preventing abuse (prompt injection, spam, scraping) | Technical data, rate-limit signals
Sending product updates & cross-sell from Mill AI portfolio | Email (only with explicit opt-in)
Improving the Service (aggregated analytics, error logs) | Technical data, GA4 events (consent-based)
Complying with legal obligations (tax, GDPR requests) | Minimum necessary records

4. Legal basis (GDPR Art. 6)

Processing | Legal basis
Generating PDF & delivering by email | Art. 6(1)(b) — performance of a service you requested
Preventing abuse & securing the Service | Art. 6(1)(f) — legitimate interest (protecting the Service)
Analytics via Google Analytics 4 | Art. 6(1)(a) — consent (via Consent Mode v2)
Marketing emails / cross-sell | Art. 6(1)(a) — explicit opt-in consent
Tax, accounting, legal compliance | Art. 6(1)(c) — legal obligation

You can withdraw your consent to any consent-based processing at any time without affecting processing that already happened. See Section 8.

5. Data retention

  • Form inputs (business idea content): automatically purged from our systems within 24 hours of PDF generation. We do not archive your idea content.
  • Email address: retained until you unsubscribe (one-click unsubscribe link in every email) or request erasure. If you do not open any of our emails for 12 consecutive months, we will remove you from active sending.
  • Technical / security logs: up to 90 days (IP addresses are truncated after 30 days).
  • Consent records: 3 years (to demonstrate GDPR compliance).
  • Accounting records (if applicable): 5 years (mandatory under Polish tax law).

6. Third parties & processors

We only share data with trusted processors who help us run the Service. Each has a Data Processing Agreement (DPA) under GDPR Art. 28:

  • Anthropic, PBC (USA) — provides the Claude Haiku 4.5 model that generates your canvas. Your form inputs are sent to the Anthropic API with "no training" settings.
  • Cloudflare, Inc. (EU + USA) — hosting, CDN, Workers (form processing), DNS, DDoS protection.
  • Zoho Corporation (EU + India) — transactional email delivery for your PDF.
  • Resend, Inc. (USA) — backup email delivery provider (failover only).
  • Google LLC (EU + USA) — Google Analytics 4 (traffic analytics) — only if you consent.

We do not sell, rent, or trade your personal data. We share data only when (a) a processor needs it to provide the Service, (b) you have given specific consent, or (c) we are legally compelled.

7. International transfers

Some of our processors (Anthropic, Resend, partially Cloudflare/Google) process data in the United States. Transfers take place under the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. We apply additional technical safeguards: TLS 1.3 in transit, encryption at rest, data minimization, and truncation of identifiers.

8. Your rights

Under GDPR (and equivalent provisions under CCPA for California residents), you have the right to:

  • Access — receive a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure ("right to be forgotten") — request deletion.
  • Restriction — limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interest or direct marketing.
  • Withdraw consent — at any time, with future effect.
  • Lodge a complaint with the President of the Personal Data Protection Office (PUODO, Poland) or your local EU supervisory authority.
  • CCPA specific — right to know, right to delete, right to opt out of the "sale" of data (we do not sell data), right to non-discrimination.

To exercise any right, email contact@millai.eu. We respond within 30 days (up to 60 days for complex requests, as allowed by Art. 12(3) GDPR). We will never charge a fee for reasonable requests.

9. AI processing & automated decisions

Transparency notice under the EU AI Act (Regulation 2024/1689): This Service uses a generative AI system (Claude Haiku 4.5 by Anthropic) to produce the content of your 1-page canvas. The output is AI-generated, illustrative, and for planning purposes only. It is not a substitute for professional financial, legal, tax, or business advice. See our Terms of Service for the full AI disclaimer.

Our AI processing does not make automated decisions producing legal effects or similarly significant effects on you within the meaning of Art. 22 GDPR. The generated canvas is informational output — you remain in full control of any decisions about your business.

We do not use your form inputs to train AI models. Our DPA with Anthropic excludes your data from any model training pipeline.

10. Children's privacy

The Service is not intended for children under 16 (GDPR) or under 13 (COPPA, for users in the United States). We do not knowingly collect data from children. If you believe a child has submitted data, contact us and we will erase it.

11. Security

  • HTTPS / TLS 1.3 on all traffic.
  • Encryption at rest (AES-256) for data stored on Cloudflare and Zoho infrastructure.
  • Least-privilege access controls; API keys stored in encrypted secret managers.
  • Rate limiting, prompt-injection filters, and automated abuse detection.
  • Regular security reviews by our internal Security Officer.
  • Incident notification within 72 hours for any breach affecting your personal data (Art. 33–34 GDPR).

No system is perfectly secure. If you suspect unauthorized access to your data, contact contact@millai.eu immediately.

12. Cookies

Cookie usage is governed by our separate Cookie Policy. We use Google Consent Mode v2 and load non-essential cookies only after you consent.

13. Changes to this policy

We may update this Privacy Policy to reflect changes in law, technology, or our Service. Material changes will be communicated at least 30 days in advance by email (to subscribers) and via a banner on generatebizplan.com. Continued use of the Service after the effective date of a change constitutes acceptance of the revised policy.

14. Contact

Mill AI sp. z o.o. — operator of GenerateBizPlan

Email: contact@millai.eu

For data protection matters, please put "PRIVACY" in the subject line so your request is routed promptly.

© 2026 Mill AI. All rights reserved. Made in Poland · Hosted in EU

This tool uses AI. Generated plan is illustrative, not professional financial advice.