Privacy Policy
How Blacksight AI collects, uses, and protects your information.
Last updated: May 1, 2026
Blacksight AI ("Blacksight," "we," "us," or "our") operates the blacksight.ai website and the Blacksight data loss prevention platform, including the browser extension and gateway appliance (collectively, the "Service"). This Privacy Policy describes how we collect, use, and share information when you use our Service.
1. Our privacy architecture
Blacksight is designed around a privacy-first architecture. Understanding how the product works is essential to understanding this policy:
- All DLP scanning runs locally — inside the browser extension or on the gateway appliance, on your machines, on your network.
- Prompt content never leaves your perimeter unless you explicitly opt in. We do not have access to the text your employees type into AI tools.
- Only metadata is sent to Blacksight — the verdict (allowed, blocked, or redacted), the destination domain, a timestamp, the user identifier, and the policy rule that fired. This metadata powers the dashboard, alerts, and compliance reports.
2. Information we collect
2.1 Account information
When you create an account, we collect your name, email address, company name, and billing information. If you sign up via SSO (Google, Microsoft, Okta), we receive your name and email from the identity provider.
2.2 Scan metadata
When the browser extension or gateway processes a prompt, it sends the following metadata to our servers:
| Data point | Example | Purpose |
|---|---|---|
| Verdict | blocked, redacted, allowed | Dashboard, alerts |
| Destination domain | chat.openai.com | Shadow AI detection |
| Detector that fired | SSN, API_KEY | Policy reporting |
| User identifier | [email protected] | Per-user audit trail |
| Timestamp | 2026-05-01T14:23:00Z | Chronological logs |
| Token count | 3 sensitive items | Risk scoring |
We do not collect the prompt text, the AI service's response, or the content of redacted tokens — unless your organization's administrator explicitly enables full prompt logging in dashboard settings.
2.3 Usage and analytics
We collect standard analytics on website and dashboard usage: pages visited, feature interactions, browser type, and device information. We use this to improve the product.
2.4 Support communications
When you contact us for support, we collect the content of your messages and any attachments you provide.
3. How we use your information
- Provide the Service — power the dashboard, alerts, compliance reports, and policy engine.
- Billing — process payments and manage subscriptions.
- Product improvement — analyze aggregate, anonymized usage patterns to improve detection accuracy and user experience.
- Security — detect and prevent abuse, fraud, or unauthorized access.
- Communication — send transactional emails (alerts, reports, account changes) and, with your consent, product updates.
4. Information we share
We do not sell your personal information. We share information only in these circumstances:
- Service providers — hosting (cloud infrastructure), payment processing (Stripe), email delivery, and analytics providers that process data on our behalf under strict data processing agreements.
- Your organization's administrators — if you use Blacksight through a company account, your employer's administrators can access scan metadata, policy outcomes, and usage data for users in their organization.
- Legal requirements — when required by law, subpoena, or legal process, or to protect rights, property, or safety.
- Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users.
5. Data retention
- Scan metadata — retained for the duration of your subscription plus 90 days, or as required by your organization's compliance settings.
- Account data — retained while your account is active and for 30 days after deletion.
- Prompt content (if opted in) — retained according to your organization's configured retention period, default 30 days.
You or your organization's administrator can request deletion of data at any time via the dashboard or by contacting us.
6. Security
We maintain SOC 2 Type II compliance and implement industry-standard security measures, including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, audit logging, and regular penetration testing. Our infrastructure is hosted in SOC 2-certified data centers.
7. Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your personal data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise these rights, contact us at [email protected]. We respond to all requests within 30 days.
7.1 GDPR (European Economic Area)
If you are in the EEA, our legal bases for processing are: contract performance (providing the Service), legitimate interests (product improvement, security), and consent (marketing communications). You have the right to lodge a complaint with your local data protection authority.
7.2 CCPA (California)
California residents have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.
8. Cookies
We use strictly necessary cookies for authentication and session management. We use analytics cookies only with your consent. You can manage cookie preferences in your browser settings. The Service functions fully with analytics cookies disabled.
9. International transfers
If you are located outside the United States, your information may be transferred to and processed in the United States, where our servers are located. We use Standard Contractual Clauses and other appropriate safeguards for international data transfers.
10. Children's privacy
The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website at least 30 days before the changes take effect. Continued use of the Service after changes constitutes acceptance.
12. Contact us
If you have questions about this Privacy Policy or our data practices:
- Email: [email protected]
- Website: blacksight.ai