Privacy Policy
ABN: 24640882873
Effective Date: 4th March 2026 | Last Updated: 4th March 2026
1. Introduction
Blend AI Pty Ltd (“Blend”, “we”, “us”, “our”) is committed to protecting your privacy and handling your personal information in accordance with applicable law. This Privacy Policy explains how we collect, use, store, disclose, and protect personal information in connection with the Blend MCP Service (the “Service”).
This Privacy Policy should be read together with our Terms and Conditions, which are available at https://blendmcp.com/terms. Terms defined in the Terms and Conditions have the same meaning when used in this Privacy Policy.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we process personal data of individuals located in other jurisdictions, we also comply with applicable data protection laws, including (where relevant) the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Information We Collect
We collect the following categories of information when you use the Service:
2.1 Account and Identity Data
When you register for an account, we collect:
- First name and last name
- Email address
- Phone number (optional)
- Website URL
- Password (stored in hashed form only; we never store plain-text passwords)
2.2 Authentication and Credentials
To provide the Service, we process:
- Session tokens and authentication cookies
- OAuth tokens for connected advertising platforms (Meta, Google Ads, TikTok, Microsoft Advertising)
- MCP access tokens (JSON Web Tokens signed by Blend)
Platform OAuth tokens are stored in encrypted form and are revoked when you disconnect a platform.
2.3 Advertising Platform Data
When you connect your advertising accounts, we access and process:
- Account identifiers, business names, and account structures
- Campaign, ad set, and ad configurations (names, statuses, budgets, objectives, targeting parameters)
- Performance metrics (impressions, clicks, spend, conversions, revenue)
- Creative asset metadata (headlines, body text, image/video URLs, call-to-action settings)
- Audience and targeting data (geographic, demographic, interest, and behavioural segments)
This data is accessed in real time via platform APIs and is not permanently stored on our servers unless otherwise specified in this Policy.
2.4 AI Processing Data
When you interact with the Service through an AI Assistant, we process:
- Your natural language queries and action requests
- Business context descriptions you provide (your business type, products, advertising goals)
- AI-generated API translations and mutation specifications
- Input and output token counts from AI model calls
Natural language queries and business context are transmitted to our AI provider (Anthropic) for processing. Business context is provided per-session and is not permanently stored by Blend. You should review Anthropic's privacy practices at anthropic.com/privacy to understand how your data may be handled by the AI provider.
2.5 Logging and Audit Data
We maintain logs for security, debugging, and abuse prevention:
- API request logs: tool name, request parameters, response codes, timestamps, duration, account ID, user ID, error details
- Mutation audit logs: action ID, entity type and ID, channel, operation type, request payload, pre-mutation state, response, status, user ID
- Usage metadata: feature access frequency, error events, AI model token consumption
2.6 Billing and Payment Data
Payment processing is handled by our third-party payment processor, Stripe. We do not directly collect or store credit card numbers, bank account details, or other payment instrument data. Stripe collects and processes your payment information in accordance with their own privacy policy, available at stripe.com/privacy. We receive and store:
- Subscription status, plan name, and pricing
- Currency and renewal dates
- Billing history summaries (no raw card data)
2.7 Technical and Device Data
We automatically collect:
- IP address
- Browser type and user agent string
- Device type and operating system
- Referring URLs and page access timestamps
This information is collected through standard server logs and is used for security, fraud prevention, and debugging.
3. How We Use Your Information
We use your information for the following purposes:
3.1 Service Delivery
- Authenticating your identity and managing your account
- Connecting to and communicating with your advertising platform accounts
- Translating your natural language queries into advertising platform API requests
- Executing the two-step preview/confirm mutation flow for campaign modifications
- Processing billing and subscription management through Stripe
3.2 Security and Integrity
- Detecting and preventing unauthorised access, fraud, and abuse
- Monitoring for anomalous activity patterns
- Enforcing usage quotas and rate limits
- Maintaining audit trails for dispute resolution
3.3 Service Improvement
- Analysing usage patterns to improve functionality and user experience
- Diagnosing and resolving technical issues
- Capacity planning and infrastructure optimisation
- Measuring AI model performance and accuracy
3.4 Legal and Compliance
- Complying with applicable laws, regulations, and legal processes
- Responding to lawful requests from government authorities
- Establishing, exercising, or defending legal claims
- Meeting tax and accounting record-keeping obligations
4. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
4.1 Advertising Platforms
When you connect your accounts and use the Service, your instructions (including campaign modifications) are transmitted to the relevant advertising platforms (Meta, Google Ads, TikTok, Microsoft Advertising) via their APIs. These platforms process your data under their own privacy policies.
4.2 AI Providers
Your natural language queries and business context are transmitted to Anthropic for AI processing. This data is used solely for generating responses to your requests and is subject to Anthropic's data handling practices.
4.3 Payment Processor
Billing and subscription data is shared with Stripe for payment processing, invoicing, and subscription management.
4.4 Infrastructure Providers
We use cloud hosting and infrastructure providers to operate the Service. These providers may process your data as part of hosting and delivering the Service, subject to contractual data protection obligations.
4.5 Legal Requirements
We may disclose your information where required by law, regulation, legal process, or enforceable governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4.6 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5. Data Retention
We retain different categories of data for different periods, based on the purpose of collection and our legal obligations. The following table sets out our standard retention periods:
| Data Category | Retention Period | Purpose |
|---|---|---|
| Account registration data (name, email, phone, website) | Duration of account + 12 months after deletion | Service delivery, communication, legal compliance |
| Authentication credentials (hashed passwords, session tokens) | Duration of active session; passwords until changed or account deleted | Account security and access control |
| Ad platform OAuth tokens and credentials | Duration of platform connection; revoked upon disconnection | Authorised access to your advertising accounts |
| Ad platform campaign, ad set, and ad data | Cached during active session; not permanently stored | Real-time query and mutation processing |
| Business context descriptions | Duration of MCP session only (not persisted) | AI-assisted query translation and action generation |
| API request logs (tool name, parameters, response codes, timestamps) | 90 days | Debugging, security monitoring, abuse prevention |
| Mutation audit logs (action ID, entity changes, pre/post states) | 12 months | Audit trail, dispute resolution, rollback reference |
| Billing and subscription data (managed by Stripe) | Per Stripe retention policies; summary records kept for 7 years | Payment processing, tax and accounting obligations |
| Usage metadata (feature access frequency, error events, token counts) | 90 days (aggregated); raw logs 30 days | Service improvement, capacity planning, billing verification |
| Technical data (IP address, user agent, device type) | 30 days in logs | Security, fraud prevention, debugging |
When retention periods expire, data is securely deleted or anonymised. Where data is required to be retained for longer periods due to legal obligations (for example, tax records), we will retain only the minimum data necessary to satisfy those obligations.
Account Deletion: Upon account termination, we will delete your personal information within 30 days, except where retention is required by law or for the purpose of resolving disputes. Ad platform OAuth tokens are revoked immediately upon account deletion or platform disconnection. Audit logs that reference your account will be anonymised after their standard retention period expires.
6. Cross-Border Data Transfers
The Service may involve the transfer of your data to servers and facilities located outside Australia, including in the United States and other jurisdictions. This occurs in the following circumstances:
- AI Processing: Natural language queries are transmitted to Anthropic's infrastructure, which may be located in the United States.
- Advertising Platform APIs: Data is transmitted to the servers operated by Meta, Google, TikTok, and Microsoft, which are located globally.
- Cloud Infrastructure: Our hosting and database services may be located in jurisdictions outside Australia.
- Payment Processing: Stripe processes payment data on servers that may be located outside Australia.
Where we transfer data outside Australia, we take reasonable steps to ensure that the overseas recipient handles your information in accordance with the APPs, or that the recipient is subject to a law or binding scheme that provides protections substantially similar to the APPs.
7. Data Security
We implement reasonable technical and organisational measures to protect your information, including:
- Encryption of sensitive data in transit (TLS/SSL) and at rest
- Hashing of passwords using industry-standard algorithms
- Encrypted storage of OAuth tokens for connected advertising platforms
- JWT-based authentication with expiration controls
- Role-based access controls and account isolation
- Security headers (via Helmet) and CORS policies
- Structured logging with sensitive field redaction
- Separate read-only and write database connections to limit exposure
No method of electronic transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
8. Your Rights
8.1 Australian Privacy Principles
Under the APPs, you have the right to:
- Access: Request access to the personal information we hold about you.
- Correction: Request correction of any inaccurate, incomplete, or out-of-date personal information.
- Complaint: Lodge a complaint if you believe we have breached your privacy.
8.2 Additional Rights (GDPR)
If you are located in the European Economic Area, you may also have the right to:
- Request erasure of your personal data
- Request restriction of processing
- Object to processing based on legitimate interests
- Request data portability
- Withdraw consent at any time (where processing is based on consent)
8.3 Additional Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale of personal information (note: we do not sell personal information)
- Non-discrimination for exercising your privacy rights
8.4 How to Exercise Your Rights
To exercise any of your rights, please contact us at info@blend-ai.com. We will respond to your request within 30 days (or such shorter period as required by applicable law). We may need to verify your identity before processing your request.
9. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential cookies: Maintain your authenticated session and remember your preferences. These are necessary for the Service to function.
- Security cookies: Detect and prevent unauthorised access and fraudulent activity.
We use third-party analytics services, including Google Analytics and Amplitude, to help us understand how users interact with the Service. These services may use cookies and similar technologies to collect information about your use of the Service, such as pages visited, features used, and session duration. This data is used solely for analytics and product improvement purposes. We do not use third-party advertising tracking cookies and do not engage in cross-site tracking or behavioural advertising.
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe that a child has provided us with personal information, please contact us at info@blend-ai.com and we will take steps to delete such information.
11. Third-Party Services
The Service integrates with the following third-party services, each of which has its own privacy policy:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Anthropic (Claude) | AI-powered query translation and action generation | anthropic.com/privacy |
| Meta (Facebook) | Advertising account management via Graph API | facebook.com/privacy |
| Google Ads | Advertising account management via Google Ads API | policies.google.com/privacy |
| TikTok | Advertising account management via Business API | tiktok.com/legal/privacy-policy |
| Microsoft Advertising | Advertising account management via REST API | privacy.microsoft.com |
| Stripe | Payment and subscription processing | stripe.com/privacy |
| Google Analytics | Website and product analytics | policies.google.com/privacy |
| Amplitude | Product analytics and user behaviour tracking | amplitude.com/privacy |
We are not responsible for the privacy practices of these third-party services. We encourage you to review their privacy policies.
12. Data Breach Notification
In the event of an eligible data breach (as defined in the Privacy Act 1988 (Cth)), we will:
- Conduct a reasonable and expedient assessment of the breach
- Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme
- Take reasonable steps to contain the breach and mitigate any harm
Where applicable, we will also comply with breach notification requirements under the GDPR and CCPA.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the “Last Updated” date at the top of this Policy
- Notify you by email or through the Service at least 14 days before changes take effect
- Where required by law, obtain your consent to material changes
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes.
14. Complaints
If you believe we have breached the APPs or handled your personal information improperly, you may lodge a complaint with us by contacting info@blend-ai.com. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
15. Contact Us
For any questions, requests, or complaints regarding this Privacy Policy or our handling of your personal information, please contact us:
Blend A.I. Pty Ltd
Privacy Officer
Email: info@blend-ai.com
Address: L33 264 George St, Sydney 2000
ABN: 24640882873