Privacy Policy

This Privacy Policy explains how Ganemo LLC ("Blenau," "we," "us") collects, uses, shares, and protects information when you use blenau.com and the related API, dashboard, MCP server, and integrations (together, the "Service"). By using the Service you agree to the practices described here.

1. What we collect

We collect the following categories of information:

• Account data: workspace name and slug, your name, email address, password hash (if you sign up with email/password), and — if you sign in with GitHub — your GitHub username, numeric ID, and the primary verified email address returned by GitHub.
• Billing data: plan, subscription status, and a reference to a Stripe customer ID. Payment card details are entered on Stripe's hosted checkout and never touch our servers or database.
• Content you submit: documents, sections, crystallized agent sessions, assets you upload, repository metadata of GitHub repos you connect, and related metadata (titles, paths, headings).
• Usage and technical data: API requests and MCP tool calls, timestamps, IP address, browser/user-agent, and an audit log of writes (who did what, when, on which resource).
• Cookies and local storage: we store your session JWT in browser localStorage. We do not use third-party analytics or advertising cookies.

2. How we use your information

• Operate and deliver the Service (authentication, storage, search, AI assistance, integrations).
• Process payments and manage subscriptions through Stripe.
• Maintain security, detect abuse, prevent fraud, and enforce the Terms of Service.
• Respond to support requests and communicate operational notices.
• Improve the Service using aggregated, non-identifying usage patterns.
• Comply with legal obligations, respond to lawful requests, and protect our rights.

We do not sell your personal information. We do not use your content to train machine-learning models for third parties. Your content is used only to serve your own workspace.

3. Sub-processors

To provide the Service, we share limited data with the following sub-processors, under their own privacy and security commitments:

• Amazon Web Services (AWS): hosting, compute, storage, and database (region us-east-1).
• Stripe, Inc.: subscription billing, checkout, and customer portal.
• OpenAI, L.L.C.: embeddings and language-model inference for search and crystallization. Your content sent to OpenAI is not used by OpenAI to train their models under their API terms.
• GitHub, Inc.: repository access (read/write) via our installed GitHub App, and OAuth identity if you choose that sign-in method.
• Cloudflare, Inc.: DNS, TLS termination, and basic DDoS protection at the edge.

We will update this list when the set of sub-processors changes materially. Contact us if you would like advance notice.

4. Where your data is stored

All primary storage is located in the United States (AWSus-east-1). If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service you consent to that transfer.

5. Retention

We retain your content and account data for as long as your workspace is active and for up to 90 days after your account is closed, to allow recovery in the event of accidental deletion. After that, your content and personal data are deleted from our primary systems. Backups are retained for up to 30 days before rotation. Audit-log and billing records required for legal and tax purposes may be kept longer as the law requires.

6. Your rights

Subject to applicable law (including the GDPR and the CCPA where they apply), you may:

• Access and export your data.
• Correct information that is inaccurate or out of date.
• Delete your workspace and associated personal data.
• Object to or restrict certain processing.
• Withdraw consent where we rely on consent as the legal basis.
• Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

7. Security

We protect your data with TLS in transit, encrypted storage at rest, principle-of-least-privilege access controls, short-lived JWT sessions, and an audit log of writes. No system is perfectly secure; we cannot guarantee absolute security, but we follow industry-standard practice and notify affected users as required by law in the event of a breach that materially impacts them.

8. Age restrictions

The Service is not directed to children under 16 years of age (or, where the COPPA applies, 13 years). We do not knowingly collect personal information from children. If you believe a child has provided us with information, contact us and we will delete it promptly.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to workspace admins and by updating the "Effective" date at the top. Continued use of the Service after changes become effective constitutes acceptance.

10. Contact

Questions about this policy, data-protection requests, or security concerns: [email protected]. The controller of your personal data is Ganemo LLC.