1. Introduction
BlobBridge LTD(“we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, share and protect information in accordance with the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data (Use and Access) Act 2025.
2. What data we collect
We collect the following categories of personal data:
- Identity data: name, company name, Microsoft 365 tenant ID.
- Contact data: e‑mail address, billing address.
- Transaction data: Stripe payment ID, amount, currency, last 4 digits of card.
- Technical data: IP address, browser type and version, operating system (captured via server logs).
3. How we use your data & legal bases
| Purpose | Data | Legal basis |
|---|---|---|
| Process your purchase and issue licence | Identity, Contact, Transaction | Contract (Article 6 (1)(b)) |
| Provide support and respond to enquiries | Identity, Contact, Tenant ID | Legitimate interest – to deliver customer service (Article 6 (1)(f)) |
| Maintain financial records for HMRC | Transaction, Identity | Legal obligation (Article 6 (1)(c)) |
| Measure site usage (Google Analytics 4) | Usage data, device/browser details, truncated IP address | Consent (Article 6(1)(a)) for UK/EU visitors; Legitimate interest (Article 6(1)(f)) elsewhere |
4. Who we share data with
We use trusted third‑party service providers (“processors”):
| Processor | Service | Data shared | Safeguards |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing | Identity, Contact, Transaction | UK extension to EU–US DPF |
| Cloudflare Inc. | Licence delivery, CDN & security | Identity, Contact, IP | UK extension to EU-US DPF |
| apilayer AG (ipapi.co) | Country lookup for cookie compliance | IP address (transient lookup) | Standard Contractual Clauses |
| Formspree Inc. | Contact-form relay | Identity, Contact, Message | Standard Contractual Clauses |
| MailChannels Corporation | Transactional e‑mail | Identity, Contact, Tenant ID | SCCs + data-at‑rest encryption |
We do not sell or share your data with unrelated third parties for marketing purposes.
5. International transfers
Your data may be processed outside the UK/EEA (e.g., in the United States). Where this occurs we rely on:
- UK extension to the EU–US Data Privacy Framework, or
- Standard Contractual Clauses approved by the UK ICO.
6. Data retention
We retain:
- Billing and licence data for six years to comply with tax law.
- Support e‑mails for two years after resolution.
7. Your rights
You have the right to:
- Request access to your personal data.
- Request rectification of inaccurate data.
- Request erasure (“right to be forgotten”).
- Object to processing or request restriction.
- Request data portability.
- Lodge a complaint with the ICO.
To exercise any right, e‑mail [email protected].
8. Cookies
We use Google Analytics 4 (GA4) to understand how our website is used and to improve it. Visitors located in the United Kingdom, European Union, European Economic Area or Switzerland see a consent banner and GA4 loads only if you accept. Visitors in all other countries have GA4 enabled automatically because PECR/ePrivacy consent rules do not apply.
To make that decision we query ipapi.co (operated by apilayer AG) once per new visit. The request shares your IP address so we can receive a two-letter country code; we do not store the IP address or country code after deciding whether to enable cookies.
Your choice is saved in your browser's localStorage (bb_analytics_consent) for six months so we remember it on future visits. You can change it any time using the "Cookie settings" link in the footer.
8a. Analytics cookies (GA4)
When GA4 is active (either because you granted consent or because you access the site from outside the UK/EU), Google may set the following cookies:
_ga(2 years): Distinguishes users (random identifier)._ga_<container-id>(2 years): Persists session state.- Additional short-lived cookies may be set for session attribution.
We do not use Google Ads or remarketing on this site. IP addresses may be truncated and aggregated by Google. See Google's Privacy Policy.
If you decline analytics or we cannot determine your location, GA4 will not load and no analytics cookies will be set.
9. Security
We employ TLS 1.3 encryption, strict CSP headers, vulnerability scans and role‑based access controls. Our Stripe integration is PCI DSS Level 1 compliant.
10. Children
Our site is not intended for children under 13. We do not knowingly collect their data.
11. Changes to this policy
We may update this notice periodically. Significant changes will be announced on the website or by e‑mail.
12. Contact
E‑mail: [email protected]