This Website Uses Cookies
Cookie PreferencesRejectaccept
Platform
Blekline Solutions
MCP ServerControl PlaneGithub Open-SourceBrowser Extension
Docs
Blekline DOcumentation
AI Enablement StackWhy IngressEU AI Act & ComplianceQuick Start
News & Research
Pricing
Get Started with Blekline
Ask AI about Blekline
Cookie PreferencesGet in Contact
Try on github

Privacy Policy

I. Effective date

Updated on 7 June 2026.

The Wall d.o.o. (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share personal information when you use Blekline — including our marketing website (blekline.com), the Blekline web application (app.blekline.com), the Blekline browser extension, MCP server and connectors, REST APIs, ingress proxy or sidecar components, and related services (together, the “Services”).

By accessing or using the Services, you acknowledge that you have read this Privacy Policy. Where required by law, we rely on a specific legal basis (for example, contract, legitimate interests, or consent), as described below.

This Privacy Policy should be read together with our Terms and Conditions and Cookie Policy (published at https://blekline.com/terms and https://blekline.com/cookies).

II. Who is responsible for your data?

The data controller for Blekline is **The Wall d.o.o.**, Mestni trg 10, 1000 Ljubljana, Republic of Slovenia.

The Wall d.o.o. (družba z omejeno odgovornostjo) is a Slovenian private limited company — the equivalent of a “Ltd” in English-speaking jurisdictions. There is no separate UK company. Where this policy refers to “The Wall” or “we”, that means The Wall d.o.o.

Slovenščina: Upravljavec osebnih podatkov za Blekline je The Wall d.o.o., Mestni trg 10, 1000 Ljubljana, Slovenija.

If you use Blekline on behalf of an organisation, that organisation may also be a controller for some information (for example, workspace membership and business contact details). In that case, we may process such data as a processor on documented instructions — see Section XV.

III. Definitions

- Cookie: a small file or similar technology stored on your device — see our [Cookie Policy](./BLEKLINE_COOKIE_POLICY.md).

- Customer / you: a natural person who uses the Services, or the organisation they represent where applicable.

- Device: any phone, tablet, computer, or other device used to access the Services.

- Extension: the Blekline browser extension for supported browsers.

- MCP Services: Blekline Model Context Protocol server, remote connector (`app.blekline.com/api/mcp/remote`), proxy, and related AI client integrations.

- Personal data / personal information: information relating to an identified or identifiable natural person.

- Processor: a vendor that processes personal data on our instructions (e.g. hosting or payments).

- Services: Blekline websites, web app, Extension, MCP Services, APIs, and related support.

- Workspace: the collaborative environment in the Blekline app tied to your subscription or trial.

IV. What information do we collect?

We collect information in the following categories, depending on how you use the Services:

A. Account and identity

- Name (if you provide it)

- Email address

- Authentication identifiers (e.g. user ID, session tokens)

- If you sign in with a third party (**Google**, **GitHub**, **LinkedIn**, or similar), we may receive basic profile information that provider shares with us according to your settings there

B. Workspace and product usage

- Workspace ID, role (e.g. owner, member), and configuration you or your admins create

- Workspace API tokens (stored hashed; we do not display full tokens after creation)

- Operational data needed to run Blekline: masking rules metadata, MCP tool policy settings, integration settings, usage counters, audit or activity logs as implemented in the product

- Support communications you send us (email content, attachments you choose to provide)

C. Billing

- Billing contact email and plan details

- Payment transactions are processed by our payment provider (Stripe). We do not store full payment card numbers on our servers; Stripe processes card data subject to its own privacy policy.

D. Technical and security data

- IP address, approximate location derived from IP, browser type, device type, user agent

- Dates/times of requests, diagnostic logs, error reports

- Security signals (e.g. rate limits, abuse prevention hashes where we implement them)

E. Browser extension

- The Extension interacts with supported AI web applications and your Blekline workspace to apply masking and policy before send.

- When you use cloud masking, prompt or message text you submit for masking may be transmitted to Blekline servers and, for authoritative PII detection, to Microsoft Azure (see Section VI).

- We process configuration sync, authentication state, and metadata-only governance events (e.g. action taken, entity counts) as designed in the product.

- We do not use the Extension to sell your browsing history to advertisers. We do **not** collect unrelated browsing activity outside supported sites.

- You remain responsible for compliance with applicable law and third-party site terms.

F. MCP Services and OAuth connector

- When you connect an MCP client (e.g. Cursor, Claude Desktop) via workspace token or **OAuth connector**, we process authentication tokens, granted scopes, client surface identifiers, and tool invocation metadata.

- MCP tool calls may transmit **text you submit for masking** or **tool names and arguments** for policy evaluation. Default audit events store **metadata only** (action, risk tier, entity counts, tool name) — not full prompt bodies or complete tool argument payloads in persisted records.

- Remote MCP endpoint: `https://app.blekline.com/api/mcp/remote`

G. Marketing and communications

- If you subscribe to marketing emails, we process your email and preferences

- We may send product and lifecycle messages (e.g. onboarding, billing) based on contract or legitimate interests, with unsubscribe where required

- If we connect Blekline events to an email tool (e.g. MailerLite) via automation platforms (e.g. Make), we transfer minimal data (such as email and segment labels) as needed for those messages

H. Forms and lead capture

- Information you submit on contact, demo, enterprise, or lead forms (e.g. name, company, email, message)

I. Cookie and consent data

- Consent choices, consent ID, timestamp, policy version, and region mode when you use our cookie consent manager on **blekline.com** (stored locally in your browser unless we later enable server-side consent logging)

We do not knowingly collect special categories of data (e.g. health) through the Services unless you voluntarily include them in free-text fields; avoid sending sensitive data unless necessary.

V. How we use information (purposes)

We use personal data to:

- Provide and operate the Services (account creation, authentication, workspace features, Extension and MCP functionality) — **contract** / legitimate interests

- Apply masking and policy when you invoke mask or enforce features — contract / legitimate interests

- Process payments and manage subscriptions — contract / legal obligation (e.g. tax records)

- Secure the Services, prevent fraud and abuse, enforce our terms — legitimate interests / legal obligation

- Improve reliability and performance (analytics where consented, debugging) — legitimate interests / consent

- Communicate with you (service notices, support responses) — contract / legitimate interests

- Send marketing where permitted — consent or legitimate interests (with opt-out where required)

- Comply with law and respond to lawful requests — legal obligation

Where GDPR applies, we identify the legal basis per purpose as above. Where we rely on **consent**, you may withdraw it without affecting prior lawful processing.

VI. Masking, Azure, and data flows

When you use cloud masking (via the app, Extension, MCP `blekline_mask_prompt`, or `/api/mask`):

1. Text you submit is sent over HTTPS to the Blekline control plane.

2. For authoritative PII detection, text may be forwarded to Microsoft Azure Cognitive Services (Text Analytics PII detection) under our contract with Microsoft.

3. We return masked text and operational metadata (e.g. entity counts, action). Original sensitive values are not stored in default persisted audit events.

Local / fast-path modes: Where configured (e.g. enterprise local-only sidecar), masking may occur without sending content to Azure. Configuration determines the path.

Default audit events: Workspace Activity and `/api/events` ingest store **metadata only** unless your organisation enables extended logging under separate agreement.

See our [Trust boundaries documentation](https://app.blekline.com/docs/security/trust-boundaries) and [Subprocessor List](./BLEKLINE_SUBPROCESSORS.md).

VII. Cookies and similar technologies

We use cookies and similar technologies as described in our [Cookie Policy](./BLEKLINE_COOKIE_POLICY.md):

- Strictly necessary operation (e.g. session, security)

- Functional preferences where applicable

- Analytics and marketing scripts on the marketing site only with consent where required

You can manage preferences via our cookie banner (“Manage Cookies”) or your browser. Blocking strictly necessary cookies may break login or core features.

VIII. Do we share personal data?

We share personal data with:

A. Service providers (processors) who assist us under contract — see our [Subprocessor List](./BLEKLINE_SUBPROCESSORS.md), including:

- Vercel — hosting and delivery

- Stripe — payments

- Microsoft Azure — PII detection for cloud masking

- Google / GitHub / LinkedIn — OAuth sign-in (when you choose social login)

- Resend (or comparable) — transactional email

- MailerLite and Make — marketing automation (minimal fields)

- Database hosting — PostgreSQL for application data

B. Professional advisers (lawyers, accountants) where confidential.

C. Authorities or third parties when we believe in good faith that disclosure is required to comply with law, respond to valid legal process, protect rights, safety, and security, or investigate abuse.

D. Business transfers: if we merge, are acquired, or sell assets, personal data may transfer to the successor under safeguards; we will notify you where required.

We do not sell your personal data. We do **not share** data with unrelated advertisers for their independent advertising unless we introduce such a programme and update this policy.

IX. International transfers

We and our processors may process data in the United Kingdom**, the European Economic Area, the United States, and other countries. Where we transfer personal data from the EEA/UK to countries not deemed adequate, we use appropriate safeguards such as **Standard Contractual Clauses** approved by the European Commission or UK Addendum, plus supplementary measures where required.

Enterprise customers may request **EU data residency** — contact us with `dataResidency=EU`.

X. How long we keep information

| Category | Typical retention |

|----------|-------------------|

| Account data | Life of account + up to 90 days after deletion (recovery, disputes) unless law requires longer |

| Billing / tax records | 7 years or as required by accounting and tax law |

| Security / access logs | 30–90 days unless needed for incident investigation or legal hold |

| Support tickets | 24 months after resolution |

| Marketing subscriptions | Until unsubscribe + suppression list retention as required |

| Consent records (browser) | Until cleared by user or browser; recommend 13 months if server-side logging enabled |

| Default audit / governance events | Per workspace plan settings; metadata-only by default |

| Backups | Residual copies may persist up to 30 days before overwrite |

When retention ends, we delete or anonymise data where feasible.

XI. Security

We implement technical and organisational measures appropriate to the risk (encryption in transit, access controls, hashed tokens, vendor due diligence). No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

XII. Your rights (EEA, UK, and similar jurisdictions)

Subject to local law, you may have the right to:

- Access your personal data

- Rectify inaccurate data

- Erase data (“right to be forgotten”) in certain cases

- Restrict processing in certain cases

- Data portability for data you provided and that we process by automated means under contract or consent

- Object to processing based on legitimate interests (including profiling in some cases)

- Withdraw consent where processing is consent-based

- Lodge a complaint with a supervisory authority

EEA: you may contact your local authority; in Slovenia, the Information Commissioner Informacijski pooblaščenc).

UK: ICO (Information Commissioner’s Office).

To exercise rights, email hello@blekline.com. We may need to verify your identity. You may also use in-app privacy export and account deletion where available (`/api/privacy/export`, `/api/privacy/account`). If you are an end user of an organisation’s workspace, that organisation may need to submit or approve certain requests.

XIII. US state privacy rights

Residents of certain US states (including California, Colorado, Virginia, and others) may have additional rights such as access, deletion, correction, and opt-out of sale or sharing of personal information.

We do not sell personal information. We do not share personal information for cross-context behavioural advertising. If our practices change, we will update this policy and provide required opt-out mechanisms.

To submit a request, email hello@blekline.com with “US Privacy Request” in the subject. We will verify your identity as required by law.

XIV. Accuracy and account deletion

You may update some information in the app. You may request account deletion where the product allows it or by contacting us. Some records may persist where law requires (e.g. invoices). Backups may retain residual copies for a limited time before overwrite.

XV. Organisations, workspaces, and DPAs

If you use Blekline for a company or team, your organisation (e.g. workspace owner) may decide why and how certain data is processed (such as inviting members, naming workspaces, or configuring policies). In those cases your organisation may be an independent controller, and we may process that data as a processor on its instructions.

Where we offer a Data Processing Agreement (DPA) for business customers, it forms part of the contract between your organisation and us — see [BLEKLINE_DPA_OUTLINE.md](./BLEKLINE_DPA_OUTLINE.md). Individuals with questions about workspace data should often contact their organisation administrator first; we will direct or fulfil requests as required by law and contract.

XVI. Automated decision-making

We do not use fully automated decisions that produce legal or similarly significant effects solely by automated means. We may use automated systems for security, abuse detection, and product features (e.g. policy application) without such legal effect.

XVII. Third-party sites and AI tools

The Services may link to third-party websites or allow you to connect third-party AI tools, sandboxes, or data sources. Their privacy practices are governed only by their policies. We are not responsible for how third parties process data you send them directly.

XVIII. Children’s privacy

The Services are not directed at children under 16 (or the minimum age in your country if higher). We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will take appropriate steps to delete it.

XIX. Changes to this Privacy Policy

We may update this policy to reflect product, legal, or regulatory changes. We will post the new version and change the “Updated” date. Where required, we will provide additional notice (e.g. email or in-app). Continued use after the effective date may constitute acceptance where permitted by law.

When we materially change this policy, update `policyVersion` in the Blekline consent manager on the marketing site.

XX. Governing law

This Privacy Policy is governed by the laws of England and Wales, without prejudice to mandatory rights under the law of your country of residence (including GDPR/UK GDPR for applicable individuals). Courts of England and Wales have jurisdiction subject to non-waivable consumer rights to sue in your home country where EU/UK law requires.

XXI. Contact

Questions or requests regarding this Privacy Policy or your personal data:

- Email: hello@blekline.com

- Controller: The Wall d.o.o. (Blekline)

- Registered address: Mestni trg 10, 1000 Ljubljana, Slovenia

- Matična številka: 9710370000

- Davčna številka: SI28305400

Related policies: [Terms](./BLEKLINE_TERMS_AND_CONDITIONS.md) · [Cookie Policy](./BLEKLINE_COOKIE_POLICY.md) · [Subprocessors](./BLEKLINE_SUBPROCESSORS.md)