Privacy Policy

1. Introduction

BlazeDocs is operated by Kyle Greig, a sole trader based in the United Kingdom (“we”, “us”, or “our”). We are committed to protecting your privacy and handling your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights in relation to that data when you use the BlazeDocs website at https://blazedocs.io and our related services (collectively, the “Services”).

2. Data Controller

The data controller responsible for your personal data is:

3. What Data We Collect

3.1 Account Information

When you create an account via our authentication provider (Clerk), we collect your name and email address. If you sign up using a third-party provider (such as Google), we receive the name and email associated with that account. We also store a unique user identifier to link your account to your conversion history and usage data.

3.2 Document Data

When you upload a PDF for conversion, the document is processed in memory by our AI systems. We do not permanently store your original PDF files. Only the resulting Markdown output is stored in our database so you can access your conversion history. You may delete your conversions at any time from your dashboard.

3.3 Usage Data

We track usage metrics including the number of conversions, pages processed, and tokens consumed. This data is used to enforce your subscription plan limits and to provide usage statistics on your dashboard.

3.4 Payment Information

Subscription payments are handled by our billing provider (Clerk Billing, which uses Stripe as the underlying payment processor). We do not directly collect or store your credit card number or full payment details. We receive confirmation of payment events (such as subscription status and plan type) to manage your account access.

3.5 Analytics and Cookies

We use the following analytics services to understand how visitors use our site and to improve the Services:

• PostHog — product analytics to track feature usage, page views, and conversion events. PostHog uses cookies and identifies signed-in users by their user ID and email address.
• Google Analytics — website traffic analysis using cookies to collect anonymous usage data such as pages visited, session duration, and referral source.
• Vercel Analytics — performance and web analytics provided by our hosting platform.

You can control cookie preferences through your browser settings. Disabling cookies may affect certain functionality of the Services.

3.6 Newsletter Subscriptions

If you subscribe to our newsletter, we collect your email address and the source of the subscription. You can unsubscribe at any time using the link provided in each email.

3.7 Marketing Attribution

We may collect UTM parameters (source, medium, campaign) from the URL you used to visit our site. This helps us understand which marketing channels are effective. This data is linked to your account if you sign up.

3.8 API Keys

If you use our API, we store a hashed version of your API key along with a short prefix for identification. We do not store your full API key after initial generation.

4. Lawful Basis for Processing

Under the UK GDPR, we process your personal data on the following lawful bases:

• Contract — processing your account data and document conversions is necessary to provide the Services you have requested (Article 6(1)(b)).
• Legitimate interests — analytics, fraud prevention, service improvement, and marketing attribution are based on our legitimate interest in operating and improving the Services (Article 6(1)(f)).
• Consent — where you have opted in to receive our newsletter or marketing communications (Article 6(1)(a)). You may withdraw consent at any time.

5. How We Use Your Data

We use the data we collect to:

• Provide, operate, and maintain the Services, including PDF conversion and document chat features.
• Manage your account, subscription, and usage quotas.
• Process payments and prevent fraud.
• Send you service-related communications (such as usage alerts or account notifications).
• Send marketing communications where you have consented.
• Analyse usage patterns to improve and develop the Services.
• Enforce our Terms of Use and protect the security of the Services.

6. AI Processing and Your Documents

Your PDF documents are processed using third-party AI models (including Mistral AI and Google Gemini) to perform conversion, classification, extraction, and chat features. When a document is sent to these AI providers for processing:

• The document content is transmitted to the AI provider's API for processing only.
• We do not use your documents to train our own AI models or allow third-party AI providers to use your data for training purposes under our API agreements.
• Original PDF files are processed in memory and are not permanently stored on our servers.
• Only the resulting Markdown output and any extracted metadata are stored in our database.

7. Third-Party Services and Data Sharing

We share your personal data with the following categories of third-party service providers, solely to the extent necessary for them to perform services on our behalf:

• Clerk (authentication and billing) — processes your account credentials and payment information. Based in the United States.
• Stripe (payment processing) — processes subscription payments. Based in the United States.
• Convex (database) — stores your account data, conversion history, and usage metrics. Based in the United States.
• Mistral AI (AI processing) — processes document content for conversion. Based in the European Union (France).
• Google (Gemini AI, Google Analytics) — processes document content for AI features and collects analytics data. Based in the United States.
• PostHog (product analytics) — collects usage and behavioural analytics. US cloud instance.
• Vercel (hosting and analytics) — hosts the website and collects performance analytics. Based in the United States.
• Cloudflare (image storage, CDN) — stores extracted document images via R2. Based in the United States.

We do not sell your personal data to any third party. We do not share your data with third parties for their own marketing purposes.

8. International Data Transfers

Several of our service providers are based in the United States. When your data is transferred outside the United Kingdom, we rely on appropriate safeguards including the UK International Data Transfer Agreement (UK IDTA) or UK Addendum to the EU Standard Contractual Clauses, or transfers to countries that have been granted an adequacy decision by the UK Secretary of State, to ensure your data remains protected to UK GDPR standards.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes set out in this policy:

• Account data — retained for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain it.
• Conversion history — retained until you delete individual conversions or your account. You can delete conversions from your dashboard at any time.
• Usage and analytics data — retained in accordance with our analytics providers' retention policies (typically 12–24 months).
• Payment records — retained for up to 7 years as required by UK tax and accounting regulations.
• Newsletter subscriptions — retained until you unsubscribe.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
• Authentication is handled by Clerk, which provides industry-standard security including password hashing and session management.
• API keys are stored as one-way cryptographic hashes (SHA-256) rather than in plain text.
• PDF documents are processed in memory only and are not written to persistent storage.
• Access to production systems and databases is restricted to authorised personnel.

While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

11. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

• Right of access — you can request a copy of the personal data we hold about you.
• Right to rectification — you can ask us to correct inaccurate or incomplete data.
• Right to erasure — you can ask us to delete your personal data in certain circumstances.
• Right to restrict processing — you can ask us to limit how we use your data.
• Right to data portability — you can request your data in a structured, machine-readable format.
• Right to object — you can object to processing based on legitimate interests, including profiling.
• Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at kylegreig93@gmail.com. We will respond to your request within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. You can contact the ICO at ico.org.uk.

12. Children's Privacy

The Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by posting the updated policy on this page with a revised “Last updated” date. We encourage you to review this page periodically. Your continued use of the Services after any changes constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your data protection rights, please contact us at: