1. Introduction
BlobBridge (“we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, share and protect information in accordance with the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data (Use and Access) Act 2025.
2. What data we collect
We collect the following categories of personal data:
- Identity data: name, company name, Microsoft 365 tenant ID.
- Contact data: e‑mail address, billing address.
- Transaction data: Stripe payment ID, amount, currency, last 4 digits of card.
- Technical data: IP address, browser type and version, operating system (captured via server logs).
3. How we use your data & legal bases
| Purpose | Data | Legal basis |
|---|---|---|
| Process your purchase and issue licence | Identity, Contact, Transaction | Contract (Article 6 (1)(b)) |
| Provide support and respond to enquiries | Identity, Contact, Tenant ID | Legitimate interest – to deliver customer service (Article 6 (1)(f)) |
| Maintain financial records for HMRC | Transaction, Identity | Legal obligation (Article 6 (1)(c)) |
| Measure site performance (aggregated, cookieless analytics) | Legitimate interest | Consent (Article 6 (1)(f)) |
4. Who we share data with
We use trusted third‑party service providers (“processors”):
| Processor | Service | Data shared | Safeguards |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing | Identity, Contact, Transaction | UK extension to EU–US DPF |
| Cloudflare Inc. | Licence delivery, CDN & security | Identity, Contact, IP | UK extension to EU–US DPF |
| Formspree Inc. | Contact‑form relay | Identity, Contact, Message | Standard Contractual Clauses |
| MailChannels Corporation | Transactional e‑mail | Identity, Contact, Tenant ID | SCCs + data-at‑rest encryption |
We do not sell or share your data with unrelated third parties for marketing purposes.
5. International transfers
Your data may be processed outside the UK/EEA (e.g., in the United States). Where this occurs we rely on:
- UK extension to the EU–US Data Privacy Framework, or
- Standard Contractual Clauses approved by the UK ICO.
6. Data retention
We retain:
- Billing and licence data for six years to comply with tax law.
- Support e‑mails for two years after resolution.
7. Your rights
You have the right to:
- Request access to your personal data.
- Request rectification of inaccurate data.
- Request erasure (“right to be forgotten”).
- Object to processing or request restriction.
- Request data portability.
- Lodge a complaint with the ICO.
To exercise any right, e‑mail [email protected].
8. Cookies
We use Cloudflare Web Analytics in cookieless mode; no persistent identifiers or personal data are stored. We do not set any marketing or analytics cookies. Cloudflare Web Analytics collects traffic metrics without cookies or localStorage. Your browser may still receive a transient ‘__cf_bm’ security cookie, set by Cloudflare to mitigate bots; it expires within 30 minutes.
9. Security
We employ TLS 1.3 encryption, strict CSP headers, vulnerability scans and role‑based access controls. Our Stripe integration is PCI DSS Level 1 compliant.
10. Children
Our site is not intended for children under 13. We do not knowingly collect their data.
11. Changes to this policy
We may update this notice periodically. Significant changes will be announced on the website or by e‑mail.
12. Contact
E‑mail: [email protected]