Privacy Policy

1. Introduction

BlinkOS ("we," "our," or "us"), operating under the laws of British Columbia, Canada, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI assistant platform at blinkos.ai (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Data Controller

For the purposes of applicable data protection laws (including the GDPR), the data controller is:

• Name: BlinkOS
• Location: British Columbia, Canada
• Contact: [email protected]

Where we process personal data on your behalf (for example, conversation data processed through AI providers to generate responses), we act as a data processor. Where we determine the purposes and means of processing (for example, account management, billing, service improvement), we act as a data controller. A Data Processing Agreement (DPA) is available upon request for enterprise or business users by contacting [email protected].

3. Information We Collect

3.1 Information You Provide

• Account Information: Email address, name, and password (or OAuth credentials via Google or Apple) when you create an account
• Profile Information: Agent name, personality preferences, and usage preferences
• Payment Information: Billing details processed securely through Stripe (we do not store full card numbers, CVVs, or complete payment credentials)
• Conversation Data: Messages you send to and receive from your AI assistant, including memory and context data
• Imported Data: Chat history you choose to import from other platforms
• API Keys: Third-party API keys you provide for BYOK (Bring Your Own Key) functionality, stored encrypted (AES-256-GCM)
• Files and Documents: Files you upload, create, or manage through the Service
• Calendar and Email Data: Information from integrated calendar and email services, if you enable those integrations
• Support Communications: Information you provide when contacting us for support

3.2 Information Collected Automatically

• Usage Data: Features used, session duration, interaction patterns, and service preferences
• Device Information: Browser type and version, operating system, and device identifiers
• Log Data: IP address, access times, pages viewed, referring URLs, and error logs
• Authentication Data: Login timestamps, authentication method used, and session tokens

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

4.1 Performance of Contract (Article 6(1)(b) GDPR)

• Account creation and management
• Providing AI assistant services (processing conversations, generating responses)
• Processing payments and managing subscriptions
• Storing and managing your files, memory, and configurations
• Executing automations and scheduled tasks you configure

4.2 Legitimate Interest (Article 6(1)(f) GDPR)

• Improving and optimizing the Service
• Detecting, preventing, and addressing fraud, abuse, and security issues
• Analyzing usage patterns to enhance user experience (in aggregate)
• Communicating service updates and important notices

4.3 Consent (Article 6(1)(a) GDPR)

• Processing optional integrations you choose to enable (calendar, email)
• Sending non-essential communications (if applicable)
• Using cookies beyond those strictly necessary for the Service

Where we rely on consent, you may withdraw it at any time by contacting [email protected] or adjusting your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

4.4 Legal Obligation (Article 6(1)(c) GDPR)

• Retaining billing and payment records as required by tax and financial regulations
• Responding to valid legal requests from authorities
• Complying with breach notification requirements

5. How We Use Your Information

We use the information we collect to:

• Provide, operate, maintain, and improve the Service
• Process transactions and send related billing information
• Send technical notices, security alerts, updates, and support messages
• Respond to your comments, questions, and support requests
• Monitor and analyze usage patterns to improve user experience (in aggregate and anonymized form)
• Detect, prevent, and address technical issues, fraud, and abuse
• Personalize your AI assistant based on your preferences and memory settings
• Enforce our Terms of Service and other policies
• Comply with legal obligations and respond to lawful requests

6. AI Provider Data Sharing

To provide AI assistant functionality, your conversation messages are sent to third-party AI providers. These may include:

• Anthropic (Claude models)
• OpenAI (GPT models)
• Google (Gemini models)
• Other providers you select or that we may add in the future

Important: We use API configurations that opt out of training on your data where available. Your conversations are processed for generating responses only and are not used to train AI models by us. Please review each provider's privacy policy for their specific data handling practices.

BYOK (Bring Your Own Key) Users: When you use your own API keys, your conversation data flows directly through the third-party AI provider associated with that key. This data is subject to that provider's privacy policy, data retention practices, and terms of service — not ours. BlinkOS does not control how these providers process, store, or use data transmitted via your API keys. We strongly recommend reviewing the privacy policies of any AI provider whose API keys you use with BlinkOS.

7. Automated Decision-Making and AI Processing

In accordance with GDPR Article 22, we inform you that:

• The Service uses AI models to generate responses, recommendations, and automated actions based on your inputs and conversation history
• AI processing is central to the Service's functionality and is performed under the legal basis of contract performance
• We do not use automated decision-making that produces legal effects or similarly significantly affects you without human involvement
• Automated actions (scheduled tasks, automations) are configured by you and execute based on your instructions — you maintain control over these configurations
• You may contact us at [email protected] to request human review of any AI-generated output or to express concerns about automated processing

8. Data Storage and Security

• Isolation: Each user's data is stored in an isolated environment (dedicated Fly.io VM)
• Encryption: Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• API Keys: Your API keys are encrypted using AES-256-GCM before storage
• Backups: Automated backups are stored encrypted on Cloudflare R2
• Access Controls: Strict access controls limit who can access user data; administrative access is logged
• Infrastructure: We use Fly.io (VM hosting), Cloudflare (CDN and security), and Hetzner (VPS) for our infrastructure

9. Data Retention

We retain your data according to the following schedule:

• Conversation Data and Memory: Retained while your account is active, plus thirty (30) days after account deletion to allow for recovery if deletion was accidental
• Account Information: Retained while your account is active, deleted within thirty (30) days of account deletion
• Payment and Billing Records: Retained for seven (7) years after the transaction date, as required by tax and financial regulations
• Server Logs: Retained for ninety (90) days, then automatically purged
• API Keys: Deleted immediately upon account deletion or when you remove them from your account
• Files and Documents: Retained while your account is active, deleted within thirty (30) days of account deletion
• Support Communications: Retained for up to two (2) years for quality assurance and legal purposes

You can export your data at any time from your account settings. You can also delete specific conversations, files, or your entire account and all associated data (subject to the retention periods above for legal obligations).

10. Your Privacy Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Portability: Receive your data in a structured, commonly used, machine-readable format
• Objection: Object to processing of your data based on legitimate interest
• Restriction: Request restriction of processing under certain circumstances
• Withdraw Consent: Where processing is based on consent, withdraw it at any time
• Lodge a Complaint: File a complaint with your local data protection authority

10.1 How to Exercise Your Rights

To exercise any of these rights:

1. Email us at [email protected] with your request, specifying which right(s) you wish to exercise
2. Include verification: Provide sufficient information to verify your identity (e.g., your account email address)
3. Response time: We will acknowledge your request within 72 hours and respond substantively within thirty (30) days. If we need additional time (up to 60 additional days for complex requests), we will notify you
4. No fee: We do not charge a fee for exercising your rights, unless requests are manifestly unfounded or excessive

You can also manage much of your data directly through your account settings, including exporting data, deleting conversations, and deleting your account.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

11.1 Categories of Personal Information Collected

• Identifiers: Name, email address, IP address, account credentials
• Commercial Information: Subscription plan, payment history, transaction records
• Internet/Electronic Activity: Usage data, browsing history within the Service, interaction logs
• Geolocation Data: Approximate location derived from IP address
• Professional/Employment Information: Only if voluntarily shared in conversations
• Inferences: Preferences and settings derived from your usage of the Service

11.2 Sale and Sharing of Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes. We share personal information with third-party AI providers solely as necessary to provide the Service (as described in Section 6), which constitutes a "business purpose" disclosure, not a "sale" or "share" under the CCPA/CPRA.

11.3 Your California Rights

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell or share, but you may still submit a request)
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights

To exercise these rights, contact us at [email protected] or follow the process in Section 10.1 above.

12. European Data Protection (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent local laws:

• All rights listed in Section 10 above apply
• Our legal bases for processing are detailed in Section 4
• You have the right to lodge a complaint with your local supervisory authority (data protection authority)
• A Data Processing Agreement (DPA) is available upon request for business users

12.1 International Data Transfers

Your data may be transferred to and processed in countries outside the EEA, including Canada and the United States. Canada has received an adequacy decision from the European Commission for transfers under PIPEDA. For transfers to other jurisdictions, we rely on:

• European Commission adequacy decisions where available
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Other appropriate safeguards as required by applicable law

You may request a copy of the safeguards in place by contacting [email protected].

13. Third-Party Services

We use the following third-party services that may process your data:

• Stripe: Payment processing (Privacy Policy)
• Cloudflare: CDN, security, and backup storage (Privacy Policy)
• Fly.io: Infrastructure hosting — isolated VMs (Privacy Policy)
• Hetzner: VPS hosting (Privacy Policy)
• Google: OAuth authentication (Privacy Policy)
• Apple: OAuth authentication (Privacy Policy)
• Anthropic: AI model provider (Privacy Policy)
• OpenAI: AI model provider (Privacy Policy)
• Google AI: AI model provider — Gemini (Privacy Policy)

13.1 Analytics

We do not currently use third-party analytics services. If we add analytics tools in the future, we will update this Privacy Policy and notify users accordingly. Any usage analysis we perform is done internally using our own server logs, in aggregate and anonymized form.

14. Cookies and Similar Technologies

We use minimal cookies necessary for the Service to function:

• Strictly Necessary Cookies: Authentication cookies to keep you logged in and session management cookies
• Preference Cookies: To remember your settings and preferences

We do not use advertising, tracking, or third-party analytics cookies. Because we only use strictly necessary cookies, a cookie consent banner is not required under most privacy laws. However, you can control cookies through your browser settings. Note that disabling cookies may impair the functionality of the Service.

15. Children's Privacy

The Service is intended for users aged 18 and older (or 16 with parental consent, as described in our Terms of Service). The Service is not directed at children under the age of 16.

We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without appropriate consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at [email protected].

This policy is consistent with the requirements of the U.S. Children's Online Privacy Protection Act (COPPA), the GDPR provisions regarding children's data, and Canada's PIPEDA.

16. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

• We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by applicable law (including GDPR Article 33)
• We will notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms
• Notifications will include: the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach
• We will document all breaches, including those that do not require notification, in accordance with our internal policies

For breach-related inquiries, contact [email protected].

17. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including Canada, the United States, and other jurisdictions where our infrastructure providers and AI providers operate.

We ensure appropriate safeguards are in place for such transfers:

• Canada: Recognized by the European Commission as providing an adequate level of data protection under PIPEDA
• United States and other jurisdictions: We rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms where required
• Third-party providers: We select providers that maintain appropriate data protection measures and, where applicable, have their own SCCs or binding corporate rules in place

18. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will:

• Provide at least thirty (30) days' notice before the changes take effect
• Notify you via email to your registered address and/or by posting a prominent notice on the Service
• Update the "Last updated" date at the top of this page

Your continued use of the Service after the effective date of changes constitutes acceptance of the revised policy. If you do not agree with the changes, you should discontinue use of the Service.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

• Privacy inquiries: [email protected]
• General support: [email protected]
• Legal inquiries: [email protected]

We aim to respond to all privacy-related inquiries within 72 hours.