Privacy Policy

badge Who we are

Bulugo is a maritime fuel marketplace operated by Bulugo ("Bulugo", "we", "us"). For the purposes of UK GDPR and the Data Protection Act 2018, Bulugo is the data controller for the personal data we collect when you use the platform at my.bulugo.com and through our WhatsApp, Telegram, and email channels.

Privacy enquiries: privacy@bulugo.com.

database Data we collect

• Identity & contact: name, company, email address, phone number (used as your WhatsApp number when you sign up via WhatsApp), and Telegram user ID (when you sign up via Telegram).
• Quote data: ports, fuel types and grades, volumes, delivery dates, vessel names, and other delivery preferences you submit when requesting quotes.
• Lead and match data: which suppliers received your quote request, their responses, and your interactions with those responses.
• Usage data: messages sent and received across the web portal, WhatsApp, Telegram, and email channels; response times; channel preferences; and consent choices.
• Technical data: IP addresses captured when you interact with our webhooks (for example, metadata attached to inbound WhatsApp messages), session cookies, browser user-agent strings, and approximate location derived from IP.

smart_toy AI processing of your messages

Bulugo uses third-party large language models — primarily Anthropic's Claude (accessed via OpenRouter), and occasionally Google Gemini — to parse buyer messages, classify intent, extract quote details, and draft responses. The text of your messages, together with the context needed to respond (such as recent conversation history and quote details), may be transmitted to these providers as part of generating a reply.

These providers are configured under their commercial terms not to use Bulugo customer data to train their models. We do not share your messages with AI providers for any purpose other than producing the immediate response.

gavel Legal bases for processing

We rely on the following legal bases under Article 6 of the UK GDPR:

• Performance of a contract — to match buyers and suppliers, deliver quotes, and operate the platform you have signed up for.
• Legitimate interests — to improve the product, prevent fraud and abuse, validate webhooks by IP address, and keep the service secure. We balance these interests against your rights and freedoms.
• Consent — for non-essential cookies (analytics and marketing) and for any future marketing email beyond transactional service messages. You can withdraw consent at any time.
• Legal obligation — where we must process data to comply with applicable law (for example, accounting and audit requirements).

share Who we share your data with

• Counterparties. When you submit a quote as a buyer, we share your name, company, and contact details with the suppliers we match you to so they can respond. Suppliers' details are shared with you when they respond.
• Service providers. Amazon Web Services (hosting and SES email delivery), Meta (WhatsApp Cloud API), Telegram (Bot API), Auth0 (authentication for our MCP server), OpenRouter, Anthropic, and Google (AI inference), and Stripe (when billing is enabled).
• Authorities. Where we are required to do so by law, or where disclosure is necessary to protect Bulugo or others.

flight_takeoff International transfers

Some of our service providers (notably AWS, Anthropic, and OpenRouter) process data in the United States. Where personal data is transferred outside the UK or EEA, we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards as appropriate.

schedule How long we keep your data

• Account data — for as long as your account is active, plus 24 months after closure to meet accounting, audit, and dispute-resolution needs.
• Quote and lead data — for up to 36 months to support trend analysis, supplier-quality scoring, and dispute resolution.
• Marketing preferences — until you withdraw consent.

You can ask us to delete your data sooner; see your rights below.

verified_user Your rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you (a "subject access request").
• Have inaccurate or incomplete data corrected.
• Have your data erased where there is no good reason for us to keep it.
• Restrict or object to processing in certain circumstances.
• Receive your data in a portable format.
• Withdraw consent where consent is the legal basis we rely on.
• Complain to the UK Information Commissioner's Office at ico.org.uk/concerns.

To exercise any of these rights, email privacy@bulugo.com from the address registered on your account, or include enough detail for us to verify your identity.

lock Security

We protect your data with TLS encryption in transit, encryption at rest in our MySQL database, regular secret-key rotation, and the principle of least privilege for staff and service accounts. No system is perfectly secure — if you believe your account has been compromised, contact privacy@bulugo.com immediately.

cookie Cookies

For details of the cookies we set and how to control them, see our Cookie Policy.

edit_note Changes to this policy

We may update this policy from time to time. If the changes are significant, we will notify you by email or with a banner on the website. The "Last updated" date at the top of this page shows when it was last changed.

contact_mail Contact

Questions about this policy or how we handle your data? Email privacy@bulugo.com.