Privacy policy

Blacksmith, Inc. (“Blacksmith”, “we”, “us”) operates a software platform for physical security integrators. This Privacy Policy explains what data we collect, how we use it, who we share it with, and what rights you have. We try to write it the way an operator would want it written: short, specific, and honest about what we don't know yet.

If anything below is unclear, email privacy@goblacksmith.ai and a human will reply.

We collect three categories of data:

• Account data — your email, name, workspace, role, and the third-party integration credentials you choose to connect.
• Usage data — the actions you take inside Blacksmith (lead scoring runs, email generations, saved views, and so on), along with standard request telemetry like timestamps and IP addresses.
• Content data — the lead, account, contact, and pipeline records you create or import.

We do not knowingly collect personal data from anyone under 18. We don't purchase advertising data and we don't build behavioral profiles for ad targeting.

We use the data above to:

• Provide and maintain the Blacksmith service.
• Run AI lead scoring and outbound generation on your behalf, using vendor models you've enabled in Settings.
• Send transactional email (invites, notifications, security alerts).
• Diagnose and fix bugs, including limited error reports.
• Improve the product based on aggregated, de-identified usage.

We do not train any third-party model on your content data. Calls to OpenAI and OpenRouter are made via their standard enterprise endpoints, which honor a no-training default for API traffic.

Every table in our Postgres database is scoped by Supabase Row-Level Security (RLS) to the authenticated workspace. That means: another customer's rows cannot be returned by your queries even if there were an application-level bug. The isolation is enforced at the database engine, not in application code.

Service-role credentials, which can bypass RLS, are used only by server-side endpoints (e.g. onboarding writes, billing). They never reach a browser and are stored as environment secrets.

We use a small, deliberate set of vendors. Each one has a DPA on file with us.

• Supabase — Postgres hosting, auth, row-level security.
• OpenAI — lead scoring and email generation. No-training default.
• OpenRouter — web-search-enabled enrichment models.
• Resend — transactional email delivery (workspace invites, notifications).
• Ionos — sender domain registration and DNS configuration on your behalf.
• HeyReach — LinkedIn outreach integration when enabled by you.

A current list is maintained at privacy@goblacksmith.ai. Material changes are notified to customers 30 days in advance where reasonable.

We retain workspace content for the duration of your subscription plus 30 days after cancellation, in case of billing disputes or accidental closure. After that, content is hard-deleted from production within 30 additional days and from backups within 90 days.

Account-level data (name, email) is retained for the purpose of audit trails for up to two years after final deletion, then purged.

You can request to access, correct, export, or delete your personal data at any time by emailing privacy@goblacksmith.ai. Workspace admins can perform most of these operations self-serve from Settings → General.

If you're a resident of the European Economic Area or the United Kingdom, you have additional rights under GDPR, including the right to object to processing and to lodge a complaint with a supervisory authority.

We take security seriously. Highlights of our program:

• TLS for data in transit, AES-256 for data at rest in Supabase.
• Integration credentials encrypted at rest with pgcrypto and a per-database integration secret.
• Database-level RLS on every customer table.
• Least-privilege access controls; production access logged and reviewed quarterly.
• SOC 2 Type I controls in place; Type II audit in progress.

Report a security issue to security@goblacksmith.ai. We acknowledge within 48 hours.

Blacksmith is a B2B product intended for use by adults in a professional capacity. We do not knowingly collect data from anyone under 18. If you believe we have inadvertently received such data, please contact us and we will delete it.

Blacksmith processes data in the United States and the European Union. When transferring personal data internationally, we rely on Standard Contractual Clauses or equivalent safeguards with our subprocessors.

We'll update the “last updated” date at the top of this page whenever we make changes. Material changes (i.e. new subprocessors, expanded data collection) are emailed to workspace owners at least 30 days in advance where reasonable.

For any privacy-related question, email privacy@goblacksmith.ai.

Blacksmith, Inc. · 548 Market St, PMB 39201 · San Francisco, CA 94104 · United States.