PRIVACY POLICY

BlackBox is operated by BlackBox Intelligence Ltd ("we", "us", "our"). This policy explains how we collect, use, store, and protect personal data when you use the BlackBox platform at blackbox.fyi.

We are the data controller for personal data processed through the Service. For GDPR purposes, our lawful bases for processing are contract performance (generating the report you requested) and legitimate interests (platform security and abuse prevention).

We collect the following categories of data:

Third-party subject data. When you provide a subject name, email, domain, or other information about a third party for enrichment purposes, you are responsible for ensuring you have a lawful basis to process that information and that its use complies with applicable data protection law in your jurisdiction.

We use your data to:

• Generate and deliver the intelligence report you requested
• Process payments and manage your subscription
• Operate, maintain, and improve the platform
• Detect and prevent fraud, abuse, and unauthorised access
• Comply with our legal obligations
• Communicate with you about your account or the Service (not for marketing without your consent)

We do not sell your personal data to third parties. We do not use your data for targeted advertising. BlackBox products are ad-free.

We share data only with the following categories of third party, and only to the extent necessary:

• Anthropic, your report inputs are processed by Anthropic's Claude API to generate the intelligence briefing. Anthropic's privacy policy governs their handling of API data.
• Stripe, payment processing. Stripe handles card data directly and is PCI-DSS compliant. We do not see or store your card details.
• Hosting infrastructure, Replit hosts the platform. Data resides on their servers subject to their privacy and security terms.
• Public databases, enrichment queries send the subject name (and optionally domain, email, or username) to the public APIs listed in our source directory. These queries are subject to the privacy policies of the respective providers.

We will disclose personal data to law enforcement or regulatory authorities where required to do so by applicable law, or to protect the rights, property, or safety of BlackBox, our users, or third parties.

We retain report inputs and outputs for a limited period for quality assurance, abuse prevention, and legal compliance purposes. We do not retain report content indefinitely. Technical access logs are retained for up to 90 days.

Account data is retained for as long as your account is active, and for a reasonable period thereafter to comply with legal obligations and resolve disputes. You may request deletion of your data at any time (see Your Rights below).

BlackBox uses a single authentication cookie (bb_auth) to maintain your session after you enter your access code. This cookie is HTTP-only and expires after 7 days.

We do not set tracking, analytics, or advertising cookies by default. If you accept optional cookies via our consent banner, we may set analytics cookies to understand how the platform is used. You may withdraw this consent at any time by clearing your cookies or declining via the banner.

If you are a resident of the UK, European Union, or California, you have the following rights regarding your personal data:

• Access, request a copy of the personal data we hold about you
• Correction, request correction of inaccurate or incomplete data
• Deletion, request deletion of your personal data (subject to legal retention requirements)
• Data portability, receive your data in a structured, machine-readable format
• Objection, object to processing based on legitimate interests
• Restriction, request that we restrict processing in certain circumstances

To exercise any of these rights, contact us at privacy@blackbox.fyi. We will respond within 30 days. Where we cannot satisfy your request, we will explain why.

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the relevant supervisory authority (in the UK: the ICO; in the EU: your national data protection authority).

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. Access to platform systems is restricted. Sensitive configuration values are stored as environment variables, not in source code.

No method of transmission over the internet is completely secure. We cannot guarantee absolute security, but we take it seriously and will notify you if we become aware of a breach affecting your data.

Our platform is hosted on infrastructure that may process data in the United States and other jurisdictions. Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent mechanisms recognised under applicable data protection law.

BlackBox is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately at privacy@blackbox.fyi.

We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on the platform or by email. The date at the top of this page indicates when it was last updated. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

Privacy enquiries: privacy@blackbox.fyi

General enquiries: hello@blackbox.fyi

BlackBox Intelligence Ltd · blackbox.fyi