B BlackBit Brain
Book a demo
Legal

Effective ·

This Privacy Policy explains how BlackBit Brain (“BBB”, “we”, “us”) collects, uses, and safeguards personal data when you visit blackbitbrain.com or use our products. We are headquartered in Doha, Qatar, and we operate within the framework of:

  • The Saudi Arabia Personal Data Protection Law (PDPL)
  • The UAE Personal Data Protection Law (UAE PDPL)
  • The Qatar Personal Data Protection Privacy Law (PDPPL)
  • The EU General Data Protection Regulation (GDPR), where applicable

Where these frameworks differ, we apply the most protective standard.

What we collect

We collect the minimum necessary personal data for the purposes described below:

  • Account data: name, business email, company, role.
  • Billing data: handled by Stripe, our payment processor. We do not store credit card numbers; Stripe assigns each customer a token we use for billing references.
  • Usage data: aggregated metrics about how you use BBB (departments activated, message volume, complaint cases opened). This stays per-tenant — never aggregated across customers.
  • Inbound social messages: when you connect a social account, BBB ingests messages directed at that account. These are stored in your tenant’s encrypted columns and are accessible only via your authenticated session.
  • Tenant credentials: OAuth tokens for connected platforms. These are sealed under your tenant-specific data encryption key (DEK), itself wrapped by your master key (KEK), which you control.

How we use your data

We use your data only for purposes you would reasonably expect:

  • To provide BBB’s product (drafts, complaint workflow, audit logs, etc.).
  • To bill for the services you use.
  • To communicate about service changes, security incidents, and important updates.
  • To improve the product in aggregate (we never inspect individual messages without your explicit request, e.g. for support).

We do not:

  • Sell your data to third parties.
  • Use your data to train our AI models. Your messages stay in your tenant.
  • Add you to marketing newsletters without explicit opt-in.

How we protect your data

  • Per-tenant DEK encryption for all sensitive columns (OAuth tokens, integration credentials).
  • Row-level security on every database table, scoped to your organization.
  • Data residency in ap-south-1 (Mumbai), aligned with PDPL adequacy provisions. On-prem deployment available for Enterprise customers.
  • Write-once audit log of every state change. Tamper-evident by design.
  • TLS 1.3 for all data in transit.
  • Backups encrypted with separate keys; daily snapshots; retention configurable per tier.

Your rights

Under PDPL, GDPR, and the other frameworks above, you have the right to:

  • Access the personal data we hold about you (Data Subject Access Request, or DSR).
  • Correct inaccurate data.
  • Delete your data (subject to legal retention obligations, e.g. tax records).
  • Export your data in a portable format. We provide JSON / CSV exports via API or admin UI at any time.
  • Object to specific processing activities.
  • Withdraw consent for any consent-based processing.

To exercise any of these rights, email us at [email protected]. We respond within 30 days (often within 5 business days).

Sub-processors

We use a small set of trusted sub-processors. Current list:

  • Supabase (database + auth) — Mumbai region (ap-south-1)
  • Cloudflare (CDN, DDoS protection, edge functions) — global
  • Stripe (billing, payments) — global, PCI-DSS Level 1
  • Resend (transactional email) — US

We will publish updates to this list as they happen. If a new sub-processor is added in a way that affects your data residency, we will notify Enterprise customers in advance.

Cookies

The marketing site uses cookies only for:

  • Preserving your language preference (when we ship Arabic).
  • Privacy-respecting analytics (Plausible — no individual tracking, no cross-site profiles).

We do not use Google Analytics, Facebook Pixel, or any third-party tracking that profiles you across sites.

Children

BBB is a B2B product. It is not directed at children under 16. We do not knowingly collect data from children.

Changes to this policy

We may update this policy as the product evolves. The effective date at the top of the page reflects the most recent change. We will notify customers via email of any material changes.

Contact