Privacy Policy
1. Introduction
BLAZE LABS PTY LTD (ABN 66 694 592 553) ("we," "our," or "us") operates the BlazeXL platform, a governed runtime for enterprise business logic. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have.
This policy applies to our website (blazexl.com), the BlazeXL web application, the Excel Add-in, and related APIs (collectively, the "Service").
2. Information We Collect
We collect information in the following categories:
- Account Information: Name, email address, organization name, and role — collected during registration or invitation.
- Usage Metadata: Pages visited, feature usage patterns, session duration, and device/browser information — collected automatically to improve the Service.
- Execution Metadata: When logic is executed through BlazeXL, we log timestamps, block versions, execution surface (Excel, web, API), and actor identity. This supports audit and governance requirements.
- Payment Information: Billing is processed by Stripe. We receive subscription status and plan tier but do not store credit card numbers or bank details.
- Support Communications: Content of messages you send to us via email or the contact form.
3. Lawful Basis for Processing (GDPR)
Under the General Data Protection Regulation, we process personal data on the following legal bases:
- Contract Performance: Processing account information and execution metadata is necessary to provide the Service you have subscribed to.
- Legitimate Interest: Usage metadata is processed to maintain platform security, improve performance, and understand feature adoption. We balance this against your privacy rights.
- Consent: Marketing communications and non-essential cookies are only used with your explicit consent, which you may withdraw at any time.
- Legal Obligation: We may retain certain records where required by applicable law or regulation.
4. How We Use Your Information
We use collected information to:
- Provide, operate, and maintain the Service
- Authenticate users and enforce access controls
- Generate audit trails for governed logic execution
- Process payments and manage subscriptions
- Respond to support requests
- Improve platform performance and reliability
- Send product updates and security notices (transactional, not marketing)
5. AI and Model Training
BlazeXL does not use customer data, prompts, executed logic, or proprietary business information to train AI models. The AI Analyst operates on minimal schema context to generate code; this context is not persisted after the session ends.
6. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
- Account data: Retained while your account is active and for 30 days after a deletion request to allow recovery.
- Execution metadata and audit logs: Retained for the duration of your subscription. Enterprise customers may configure longer retention periods.
- Usage analytics: Aggregated within 90 days; raw events are not retained beyond this period.
- Payment records: Retained as required by Australian tax law (generally 5 years).
7. Sub-Processors and Third Parties
We use the following categories of service providers to operate the platform:
- Cloud Infrastructure: Compute and storage services for the Deterministic Runtime and Governance Gateway.
- Payment Processing: Stripe, for subscription billing and payment method management.
- Authentication: Third-party identity providers where configured by enterprise customers (OIDC/SAML).
- Analytics: Anonymized usage analytics to understand platform adoption.
We do not sell personal information to third parties. Data is shared with sub-processors only to the extent necessary to operate the Service.
8. Cookies and Tracking Technologies
We use the following categories of cookies:
- Strictly Necessary: Authentication tokens and session identifiers. These cannot be disabled as the Service requires them to function. Duration: session or up to 30 days.
- Performance/Analytics: Anonymized usage metrics to help us understand how the platform is used. Enabled with your consent. Duration: up to 12 months.
- Marketing: Used only with explicit consent to measure campaign effectiveness. Duration: up to 12 months.
You can manage your cookie preferences through our on-site cookie controls or your browser settings.
9. Execution Data and Privacy by Design
BlazeXL is designed around a logic-first model that minimizes data persistence:
- Isolated Execution: Data in the Deterministic Runtime is processed in ephemeral, containerized environments. Data is not retained after execution completes.
- Logic vs. Data Separation: When logic is saved as a Blaze Block, only the code is versioned and stored. Your business data remains transient.
- Client-Side Ingestion: Where supported, data transformations are performed in the browser. Credentials for external sources (API tokens, S3 keys) do not transit our servers.
10. Your Rights Under GDPR
If you are located in the European Economic Area, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate personal data.
- Erasure: Request deletion of your personal data, subject to legal retention requirements.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact privacy@blazexl.com. We will respond within 30 days.
11. Your Rights Under CCPA/CPRA (California)
California residents have additional rights under the CCPA and CPRA:
- Right to Know: You may request what personal information we collect and how it is used.
- Right to Delete: You may request deletion of your personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell personal information. We only share data with service providers necessary to operate the platform.
- Non-Discrimination: We will not deny service or alter pricing based on your exercise of privacy rights.
12. Data Residency
By default, data is processed in the region closest to the user to support low-latency execution. Enterprise customers may request dedicated regional provisioning for data residency and sovereignty requirements.
13. Children's Privacy
BlazeXL is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or a notice within the Service at least 30 days before they take effect.
15. Contact
For privacy inquiries, data requests, or to exercise your rights under GDPR or CCPA, contact us at privacy@blazexl.com.
BLAZE LABS PTY LTD
Melbourne, Victoria, Australia