privacy · BlackMenta

tl;dr

    > summary in plain english:
    we only collect your email and what you type into your profile
we count how often you query our AI · but not what you ask (only hashed)
we do not log your IP address anywhere · not even hashed
we use no third-party analytics · no ad pixels · no cross-site tracking
you can opt out of query counts · download everything · delete your account · all from your profile page
we delete query-activity rows after 30 days automatically

  

1. who we are

BlackMenta Ltd is a UK private limited company registered at Companies House under number 16988667, with registered office in London, United Kingdom.

For the purposes of UK GDPR and applicable data protection law, BlackMenta Ltd is the data controller for all personal data processed through blackmenta.com, auth.blackmenta.com, and api.blackmenta.com.

Contact for privacy matters: privacy@blackmenta.com. We respond within 72 hours.

2. what data we collect

category	what	when	why
email	your email address	you enter it to request a login link	send the link · identify your account
profile	display name, company, country, intent	you fill the form on your profile page	improve your experience · context for our outreach
session	session cookie token (30-day lifetime), user-agent string	on every login	keep you logged in · detect suspicious session reuse
query activity	SHA-256 hash of your query · agent name · tier · blocked-or-not · latency	each time you query the AI terminal (only if telemetry is on)	improve content coverage · identify red-line blocks
magic links	one-time login tokens	when you request a login link	issue a single-use authenticated session

    > what we specifically DO NOT collect:
    IP addresses. Not stored in our database. Not even hashed.
The content of your queries in plaintext. We store only a SHA-256 hash — unreadable by us.
Cross-site browsing behavior. No third-party trackers load on our pages.
Device fingerprints. No canvas fingerprinting, no font enumeration, none of that.
Analytics pixels. No Google Analytics, Plausible, Mixpanel, Segment, etc.

  

3. legal bases

Under UK GDPR Article 6, we rely on the following lawful bases:

Art. 6(1)(a) · consent — you consent by submitting the login form after reading the inline notice.
Art. 6(1)(b) · contract — profile and session data processing is necessary to perform our service for you.
Art. 6(1)(f) · legitimate interests — security monitoring (rate limits, red-line enforcement) uses minimal, purpose-specific data.

We do not rely on legitimate interests as cover for behavioral profiling, advertising, or anything you might be surprised by.

4. how long we keep data

data	retention
email + profile	as long as your account exists · you can delete anytime
session tokens	30 days max · shorter if you log out
query activity	30 days rolling · older rows auto-deleted by nightly job
magic links	15 minutes · single-use · expired links purged weekly
server access logs (nginx)	14 days · compressed, then deleted · IPs are truncated

5. your rights

Under UK GDPR and equivalent frameworks (EU GDPR, California CPRA), you have the following rights. All can be exercised directly from your profile page, or by emailing privacy@blackmenta.com.

Art. 15 · Access — see everything we have on you · one-click JSON download from /me
Art. 16 · Rectification — correct incorrect data · editable in /me
Art. 17 · Erasure — delete your account · one-click from /me · irreversible, no soft-delete
Art. 18 · Restriction — request we stop processing · email us
Art. 20 · Portability — export as JSON · one-click from /me
Art. 21 · Objection — opt out of query telemetry · toggle in /me
Art. 7(3) · Withdraw consent — deleting your account withdraws all consent simultaneously
Art. 77 · Complain — file with the UK ICO at ico.org.uk

6. who sees your data

We share personal data with the following processors, each under a GDPR-compliant Data Processing Agreement:

processor	role	data shared	location
Resend	transactional email (magic links)	your email · nothing else	EU / US (SCCs)
Hetzner Online GmbH	server hosting (database + app)	all stored data at rest	Germany (EEA)
Cloudflare	DNS · TLS termination (passthrough)	request metadata only · no persistent storage	global edge
Anthropic (Claude)	LLM for AI terminal responses (phase 3)	query text · no email · no profile	US (SCCs)

We do not sell, rent, or trade personal data. Ever. Not even in aggregate.

7. cookies

We use one cookie: bm_session. It exists to keep you logged in. It is HttpOnly, Secure, SameSite=Lax, with a 30-day lifetime. No tracking cookies. No advertising cookies. No third-party cookies of any kind.

Because we use only a strictly-necessary functional cookie under UK GDPR and PECR, no banner consent is required — and we don't use one, because those banners are the worst of the modern web.

8. international transfers

Some of our processors (Resend, Anthropic) are based outside the UK/EEA. Transfers to these providers are covered by:

UK International Data Transfer Agreement (IDTA), or
EU Standard Contractual Clauses (SCCs), together with supplementary measures where needed.

Documentation available upon request to privacy@blackmenta.com.

9. security

We apply these technical and organizational measures:

encrypted at rest · database on encrypted volume
encrypted in transit · TLS 1.3 · HSTS enforced
magic-link tokens are cryptographically random (secrets.token_urlsafe(32)) · single-use · 15-minute expiry
session tokens never logged · never emitted to third parties
access to production database is restricted to one named operator
offsite encrypted backups · daily · 30-day retention

If you believe you've found a security issue, please email security@blackmenta.com. We respond within 24 hours for anything flagged as security.

10. children

Our service is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have, email us and we'll delete immediately.

11. changes to this policy

If we materially change how we process your data, we will notify you by email before the change takes effect and give you the chance to delete your account first. Minor clarifications are dated at the top of this page.

Historical versions of this policy are kept in our git history and available on request.

12. contact

Privacy / data questions: privacy@blackmenta.com
Security disclosures: security@blackmenta.com
Everything else: hello@blackmenta.com
Postal: BlackMenta Ltd · London, United Kingdom · № 16988667

UK Supervisory Authority: Information Commissioner's Office · ico.org.uk

privacy & data