Legal
Privacy Policy
BlnkSpace collects only what we need to run the service. We do not sell your data. We do not use your content to train AI models. This policy explains exactly what we collect, why, who sees it, and how long we keep it. If you are in the EU, UK, or California, additional rights apply to you and are described below.
Section 01
Who we are
BlnkSpace is operated by BlnkSpace ("we", "us", "our"), a business registered in Malaysia.
- Company: BlnkSpace
- Country: Malaysia
- Privacy contact: privacy@blnkspace.com
- General contact: hello@blnkspace.com
For GDPR purposes, BlnkSpace acts as the data controller for user personal data. When users store data about their own customers (buyers, email contacts), the user is the data controller and BlnkSpace acts as a data processor.
Section 02
Data we collect and why
We collect the minimum data necessary to operate BlnkSpace.
Account and identity data
When you sign up, we receive your email address, name, and profile photo from Clerk (our authentication provider) or your OAuth provider (Google etc.). We store a unique user ID. We use this to identify your account, send transactional emails, and personalise your workspace.
Content you create
Everything you write in BlnkSpace — documents, blocks, database rows and cells, product listings, variants, category pages, email templates, contact lists, campaign records — is stored in our database. We do not read your content, sell it, or use it to train AI models.
Media files
Images you upload (product photos, hero backgrounds, carousel images, avatars) are stored in AWS S3 under a path that includes your user ID, served via Amazon CloudFront CDN. We store each file's size, MIME type, context, and CDN URL for storage limit enforcement.
Subscription and billing data
When you upgrade to a paid plan, Stripe processes your payment. We store your Stripe customer ID and subscription ID. We never see or store your card number, expiry, or CVV — those stay with Stripe. We store your plan tier, subscription status, and renewal date.
Seller / Stripe Connect data
If you connect Stripe to accept payments, we store your Stripe Connect account ID. When a buyer completes checkout, Stripe sends us their shipping address, phone number, email, and order details as an order record. We do not store buyer card details.
Usage metrics
We track: published page count, storage used, and monthly AI interaction count per user — for plan enforcement and your usage dashboard. Not used for advertising or profiling.
Collaboration data
Live cursor positions and real-time edits are synchronised through our Hocuspocus server on Railway. This data is ephemeral — cursor positions and keystrokes are not persistently logged. Finished document state is saved to our main database.
Technical and log data
Infrastructure providers (Neon, Railway, AWS, Vercel) automatically collect server logs including IP addresses, request paths, timestamps, and HTTP status codes, used for debugging and security monitoring.
Section 03
Legal basis for processing (GDPR)
For EU/UK users, we rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Creating and maintaining your account | Contract — necessary to provide the service |
| Storing your documents and content | Contract |
| Processing subscription payments | Contract |
| Enabling seller commerce (Stripe Connect) | Contract |
| Storing order records for fulfilment | Contract + Legal obligation (tax/record-keeping) |
| Enforcing plan limits via usage metrics | Legitimate interest — fair service operation |
| Security monitoring and fraud prevention | Legitimate interest |
| Sending transactional emails (receipts, password resets) | Contract |
| Sending product updates or announcements | Legitimate interest / Consent — unsubscribe anytime |
Section 04
Third-party data processors
We share data with the following sub-processors. All are bound by data processing agreements consistent with GDPR requirements.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Clerk | Authentication and identity management | Email, name, OAuth tokens, session data | United States |
| Stripe | Subscription billing and seller payments | Email, billing info, Stripe IDs, order data | United States |
| Neon | Primary database hosting (Postgres) | All user content, account, and usage data | United States |
| AWS S3 | Media file storage | Uploaded image and media files | Configurable region |
| Amazon CloudFront | Media CDN delivery | Serves stored media files to visitors | Global edge network |
| Railway | Real-time collaboration server (Hocuspocus) | Ephemeral document collaboration state | United States |
| Vercel | Application hosting and edge functions | Request logs, IP addresses | Global edge network |
| Upstash | Redis caching and rate limiting | Minimal — request metadata, rate limit counters | United States |
| Resend | Transactional email delivery | Recipient email address, email content | United States |
We do not sell your data. We do not share your data with advertising networks or data brokers.
Section 05
How long we keep your data
| Data type | Retention period |
|---|---|
| Account and profile data | Until you delete your account or request deletion |
| Documents, blocks, and content | Until you delete them or close your account |
| Media files (S3) | Deleted immediately when you remove them from your workspace |
| Order records (buyer data) | 7 years from transaction date (legal and tax requirement) |
| Subscription billing records | 7 years (tax and accounting requirement) |
| Usage metrics | Reset monthly (AI writes); retained until account deletion (storage, pages) |
| Collaboration session data | Ephemeral — not persisted after session ends |
| Server logs | 30–90 days (varies by infrastructure provider) |
| Email contact lists | Until user deletes them or closes account |
Section 06
Your rights
Rights available to all users
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and personal data
- Portability — request an export of your data in a machine-readable format
Additional rights under GDPR (EU/UK users)
- Restriction — request we stop processing your data in certain circumstances
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw at any time
- Lodge a complaint — with your local data protection authority
Additional rights under CCPA (California users)
- Know — the categories of personal information collected and their purposes
- Delete — request deletion of your personal information
- Opt out of sale — we do not sell personal information, so this does not apply
- Non-discrimination — we will not discriminate for exercising your rights
Additional rights under PDPA (Malaysia)
- Access and correction — request access to or correction of your personal data
- Withdraw consent — withdraw consent to process your personal data
- Limit processing — request we limit how we process your data
To exercise any of these rights, email privacy@blnkspace.com. We will respond within 30 days. We may need to verify your identity first.
Section 07
International data transfers
BlnkSpace is operated from Malaysia. Our infrastructure providers are based in the United States. When you use BlnkSpace, your data is transferred to and processed in the United States.
For EU/UK users, we rely on our processors' Standard Contractual Clauses (SCCs) and adequacy mechanisms. Each processor's transfer mechanism:
- Clerk — SCCs and Data Processing Agreement
- Stripe — SCCs and Privacy Shield successor frameworks
- Neon — SCCs and Data Processing Agreement
- AWS — SCCs and AWS Data Processing Addendum
- Vercel — SCCs and Data Processing Agreement
- Railway — Data Processing Agreement
Section 08
Security
Our security measures include:
- All data in transit is encrypted using TLS 1.2 or higher
- Database credentials and API keys are stored as environment secrets, never in source code
- Stripe handles all payment card data — card numbers never reach our servers
- AWS S3 bucket has public access blocked — media is served only via CloudFront
- Authentication is handled by Clerk using industry-standard security practices
- Stripe webhook payloads are verified using cryptographic signatures before processing
- User file uploads are ownership-verified by key path before deletion is permitted
If you discover a security vulnerability, please report it to security@blnkspace.com.
In the event of a personal data breach likely to result in risk to your rights, we will notify affected users and relevant authorities as required by applicable law (within 72 hours for GDPR purposes).
Section 09
Children's privacy
BlnkSpace is not directed at children under 13 (or 16 where required by applicable law, including GDPR). We do not knowingly collect personal data from children under these ages. If you believe a child has provided us with personal data, contact privacy@blnkspace.com and we will delete it promptly.
Section 10
AI features and your content
BlnkSpace includes an AI writing assistant that operates using an API key you provide from your own account with an AI provider (such as Anthropic or OpenAI). When you use it:
- Your prompts are sent directly to your AI provider using your API key
- BlnkSpace does not store, log, or read the content of your AI interactions
- BlnkSpace does not use your content to train any AI model
- Your AI provider's privacy policy governs how they handle data sent via their API
We track only a count of AI interactions per month for plan enforcement — we do not store the content of those interactions. (redacted - blnkspace stores chat's for users history, as well as include agents.)
Section 12
Seller and data controller obligations
If you use BlnkSpace to sell products or collect email contacts, you become a data controller for your buyers' and subscribers' personal data. Your obligations include:
- Having a lawful basis to collect and process your customers' data
- Providing your customers with a privacy notice
- Honouring data subject requests from your customers
- Complying with applicable marketing and spam laws when sending email campaigns
- Ensuring you are permitted to use any contact lists you upload to BlnkSpace
BlnkSpace acts as your data processor for this data, processing it only on your instructions and not for our own purposes.
Section 13
Changes to this policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email and in-app notice at least 14 days before changes take effect. Continued use of BlnkSpace after the effective date constitutes your acceptance of the updated policy.
Section 14
Contact us
- Privacy enquiries: privacy@blnkspace.com
- General: hello@blnkspace.com
We aim to respond to all privacy requests within 30 days. If you are unsatisfied, you have the right to lodge a complaint with your local data protection authority.