This Privacy Policy describes how Blitz Agent ("we", "us") collects, uses, shares, and protects personal data when you use our website at blitzagent.studio, web application, and APIs (collectively, the "Service").
For questions or requests, contact [email protected].
1. Who we are
Blitz Agent is an AI agent and system prompt builder for teams. We act as the data controller for personal data described in this policy, except where we process data solely on behalf of customers as a processor under a separate agreement.
2. Data we collect
Account and profile data
- Email address, display name, and authentication identifiers
- Account preferences and subscription or billing status
Product and usage data
- Prompts, agent configurations, projects, versions, and saved outputs
- Evaluation runs, chat history, and feature usage within the Service
- Support messages and feedback you submit
Payment data
Payments are handled by Stripe. We receive billing metadata (such as customer ID, plan, and transaction status) but do not store full payment card numbers on our servers.
Technical data
- IP address, browser type, device information, and request logs
- Session and security cookies required for authentication (see Cookie Policy in the product footer)
- Aggregated analytics if you accept analytics cookies
- Error and performance data via Sentry (with PII scrubbing in production)
3. How we use data
We process personal data to:
- Provide, operate, and maintain the Service
- Authenticate users and secure accounts
- Process subscriptions, credits, and billing
- Send transactional emails (e.g. sign-in, billing, security notices)
- Respond to support requests and improve reliability
- Detect abuse, fraud, and violations of our Terms
- Comply with legal obligations
We do not use your prompts or project content to train public foundation models. When you invoke AI features, your inputs are transmitted to the LLM provider needed to fulfill that request.
4. Legal bases (EEA/UK)
Where GDPR applies, we rely on:
- Contract — to provide the Service you request
- Legitimate interests — security, fraud prevention, and product improvement (balanced against your rights)
- Legal obligation — tax, accounting, and regulatory requirements
- Consent — where required, e.g. non-essential analytics cookies
5. Sharing and subprocessors
We share data with service providers that help us operate the Service:
- Stripe — payment processing
- LLM providers (e.g. OpenRouter, Google, OpenAI, Anthropic) — AI generation you request; only content needed for the specific request is sent
- Resend — transactional email delivery
- Sentry — error monitoring and diagnostics
- Hosting and infrastructure — cloud providers that store and run our application
Providers are bound by contractual obligations to protect data and process it only on our instructions. We may also disclose data if required by law or to protect rights, safety, and security.
6. International transfers
We may process data in countries other than your own. Where required, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms for transfers from the EEA/UK.
7. Retention
We retain personal data while your account is active and for a limited period afterward where needed for billing, security, dispute resolution, or legal compliance. You may export or delete your account from Account privacy settings. Some logs or backups may persist for a short period before automatic deletion.
8. Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit, access controls, and monitoring. No method of transmission or storage is completely secure; please use a strong password and protect your credentials.
9. Your rights
Depending on your location, you may have the right to:
- Access, correct, or delete your personal data
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent where processing is consent-based
- Lodge a complaint with your local data protection authority
California residents may have additional rights under the CCPA/CPRA, including knowing what personal information is collected and requesting deletion, subject to exceptions. We do not sell personal information as defined by the CCPA.
Submit requests via Account privacy settings or email [email protected]. We may verify your identity before fulfilling requests.
10. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. Contact us if you believe a child has provided data and we will delete it.
11. Cookies
We use essential cookies for sign-in and optional Google Analytics. Details are available in our Cookie Policy, accessible from the site footer and cookie banner.
12. Changes
We may update this policy when our practices change. We will post the revised policy here and update the "Last updated" date. Material changes may be communicated by email or in-product notice where appropriate.