· LEGAL

Privacy Policy.

Effective April 16, 2026 · Version 0.1 · GDPR + CCPA compliant

TL;DR — We collect only what we need to run Blam: your account info, the content you choose to upload, how you use the product, and payment metadata via Stripe. We don't sell your data, nor do we look at it. We don't train third-party foundation models on your content. You can export or delete everything with one click. Ask us anything: privacy@useblam.com.

Table of contents

Who we are
Data we collect
How we use it
Legal bases (GDPR)
AI processing
Third-party platforms
Sub-processors
Cookies & tracking
Retention
Security
Your rights
California rights
International transfers
Children
Changes
Contact

Who we are

This Privacy Policy explains how Blam Labs, Inc. (“Blam”, “we”) collects, uses, and shares personal data in connection with the Blam service (app, marketing site, emails, support). We're the data controller for your account and usage data. For customers in the EU/UK, our representative is listed at the bottom of this page.

Data we collect

You give us

Account info. Name, email, password hash (or Google OAuth identifier), optional profile avatar, optional social handles (TikTok, Instagram, YouTube, X).
Team info. Team name, logo, website, billing contact, invited member emails.
Your Content. Collections, Library uploads (mp4, mov, jpg, png, pdf), Memory text & attached files, Workspace items and chat messages, saved prompts, tracked creator lists.
Payment info. Card details go directly to Stripe, our payment processor — we never see or store the full number. We retain the last 4 digits, brand, expiration, and a Stripe customer ID.
Support messages. Anything you send via chat, email, or feedback forms.

We collect automatically

Usage data. Pages visited, features used, credits consumed, timestamps, session duration, click paths — via PostHog.
Device & log data. IP address (truncated after 30 days), browser type, OS, referrer, error stack traces — via Sentry + server logs.
Cookies & local storage. See §8.

We receive from third parties

Public video metadata scraped from TikTok & Instagram by managed scraping partners — creator handles, follower counts, post views/likes/comments, captions, thumbnails. This is not your personal data; it's data about public videos indexed in the Viral Database.
Auth data from Google OAuth if you sign in that way (email, name, avatar, Google sub).
Billing data from Stripe (subscription status, invoice history).

How we use it

Operate the Service: auth, workspaces, AI generation, Spy scheduling, Memory injection, billing.
Meter credits accurately and prevent fraud.
Communicate with you: transactional email (receipts, password resets, usage alerts), product updates you've opted into, support replies.
Analyze usage in aggregate to improve Blam.
Secure the Service — detect abuse, bots, and policy violations.
Comply with legal obligations.

Legal bases (GDPR)

Purpose	Legal basis
Providing the Service you signed up for	Contract (Art. 6(1)(b))
Billing & fraud prevention	Contract + legitimate interests (Art. 6(1)(b), (f))
Product analytics & improvement	Legitimate interests (Art. 6(1)(f))
Marketing emails	Consent (Art. 6(1)(a)) — you can withdraw any time
Legal/regulatory compliance	Legal obligation (Art. 6(1)(c))

AI processing

Content you put in Workspaces, prompts you send in the Remix Studio, and Memory content are sent to our AI provider (currently Anthropic) to generate responses. We have a Data Processing Agreement in place that prohibits Anthropic from training foundation models on your data. Anthropic may retain inputs and outputs for up to 30 days for abuse monitoring before deletion.

Video transcription is done by Whisper or a contracted equivalent under the same no-training terms.

We do not use Your Content to train any models, first- or third-party. Aggregate, anonymized usage signals (e.g. “feature X was used N times this month”) are used to improve the product.

Third-party platforms

The Viral Database and Account Spy index public metadata from TikTok and Instagram. We respect rate limits and publish an opt-out process at optout@useblam.com — creators can request removal of their profile and content from our indexes. We process removals within 14 days.

Videos are displayed via embedded players or cached thumbnails. Clicking through takes you to the original platform, which has its own privacy policy.

Sub-processors

We share personal data only with the following sub-processors, each under a DPA:

Provider	Purpose	Region
Vercel	Hosting / edge compute	US / EU
Supabase	Database, auth	US / EU (region-pinned)
Cloudflare R2	File & video storage	Global
Mux	Video playback	US
Anthropic	LLM inference	US
Stripe	Payments	US / EU
Apify	Public-metadata scraping	EU
Resend	Transactional email	US
PostHog	Product analytics	EU
Sentry	Error monitoring	US
Intercom	In-app live chat	US

Cookies & tracking

We use strictly necessary cookies for auth and session management. We use analytics cookies (PostHog, self-hosted in EU) only if you've accepted them via the cookie banner, except in the US where accept-by-default is legal. We don't use third-party advertising or retargeting cookies. You can clear cookies any time; it'll log you out.

Retention

Account data — kept while your account is active. Deleted within 30 days of account deletion, except backups (up to 90 days) and financial records (7 years, legal minimum).
Workspace chats — kept until you delete them. Exported with your account on request.
Log data — IPs truncated after 30 days; logs rotated at 90 days.
Support tickets — kept 3 years for pattern analysis, then deleted.

Security

We encrypt data in transit (TLS 1.2+) and at rest (AES-256). Passwords are hashed with bcrypt. Production access is limited to on-call engineers via SSO + MFA, logged for audit. We run third-party penetration tests annually once we're past Series A. Report vulnerabilities to security@useblam.com. We'll acknowledge within 48 hours. No security is bulletproof — if we suffer a breach affecting you, we'll notify you without undue delay and in any case within 72 hours as required by GDPR.

Your rights

Regardless of where you live, you have the right to:

Access — see what we hold about you.
Rectify — correct anything wrong.
Delete (“right to be forgotten”) — one-click in Settings → Account → Danger Zone, or email us.
Export — download your data as JSON + media files.
Object — opt out of legitimate-interest processing (e.g. analytics).
Restrict processing while a dispute is being resolved.
Port your data to another service.
Withdraw consent for marketing emails any time.
Lodge a complaint with your local supervisory authority.

California rights (CCPA / CPRA)

California residents have the right to know what personal information we collect, the right to delete it, the right to correct inaccuracies, and the right to opt out of “sale” or “sharing” — we don't sell or share personal info in the legal sense, but the option is honored. We don't use Sensitive Personal Info for purposes beyond providing the Service. Exercise any right at privacy@useblam.com. We won't discriminate against you for asking.

International transfers

Your data may be processed in the US, EU, or UK depending on the sub-processor. For transfers out of the EEA/UK, we rely on Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. We do not transfer data to jurisdictions without adequate protection.

Children

Blam is not directed to users under 13 (or under 16 in the EU/UK). We don't knowingly collect data from children. If you believe a child has signed up, email privacy@useblam.com and we'll delete the account.

Changes

Material changes will be announced at least 30 days before they take effect (email + in-app banner). An archive of prior versions lives at /legal/archive.

Contact

Data questions: privacy@useblam.com
Security: security@useblam.com

→ Read the Terms of Service Back to Blam