GDPR Compliance

Last updated: April 15, 2026

Our commitment

Blotwise is designed with privacy-by-default principles. We process only the minimum data necessary to deliver the service and give you full control over that data.

Lawful basis for processing

We process personal data under the following lawful bases:

  • Contract — to deliver the service you signed up for
  • Legitimate interests — security monitoring and fraud prevention
  • Consent — where we rely on consent as a lawful basis, you may withdraw it at any time without affecting the lawfulness of prior processing

Data minimisation

The browser extension does not intentionally transmit the text you type to our servers. Incident logs store only a hashed user identifier, device fingerprint, policy match summary, and timestamp — never raw conversation content.

Your rights under GDPR

  • Right of Access — export all your personal data from Settings → Data Export
  • Right to Erasure — delete your account and all associated data from Settings
  • Right to Rectification — update your name and contact details in Settings
  • Right to Portability — download your data in machine-readable JSON format
  • Right to Restrict Processing — contact us to pause processing while a dispute is resolved
  • Right to Object — opt out of any processing based on legitimate interests
  • Right not to be subject to automated decision-making — we do not make automated decisions that produce legal effects

Data Processing Agreements

We sign a Data Processing Agreement (DPA) with all customers who request one. Sub-processors (Supabase, Vercel, Brevo, Paddle, Sentry) operate under their own DPAs and are all GDPR-compliant.

Data transfers

Data is stored in the European Union by default. Where sub-processors transfer data outside the EEA, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism.

Retention

We retain your data for as long as your account is active. Incident logs are automatically purged after 90 days on the Starter plan; on higher plans the retention period is configurable. Upon account deletion, all personal data is removed within 30 days per GDPR Article 17.

Breach notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR Articles 33 and 34.

Contact & supervisory authority

For GDPR-related requests, contact our privacy team at privacy@blotwise.com. You also have the right to lodge a complaint with your local supervisory authority.