Legal

Privacy Policy

Last updated · 2026-05-31

This is a first-draft policy written in plain language for early users. It reflects how blindcat actually operates today. Before relying on it for regulated or contractual purposes, have it reviewed by qualified counsel in your jurisdiction.

1. Who we are

blindcat is a multi-tenant SaaS platform for mushroom cultivation operations — lifecycle inventory, live environment sensors, yield analytics and multi-site management. The service is operated by blindcat LLC, registered in Tbilisi, Georgia.

For any privacy question, write to [email protected]. We aim to respond within seven days.

2. What we collect

We collect only what the service needs to function:

Account information

Email address (required for sign-in and service notifications)
Password — stored only as a salted bcrypt hash; we never see or store the plaintext
Site name and optional business metadata (address, city, timezone, contact) that you enter
Display name, if you set one for your user account

Operational data

Sensor readings ingested from devices you connect — temperature, humidity, CO₂, wind, pressure and any custom metric you push
Inventory records you create — strains, batches, items, quantities, notes
Calendar entries, finance entries and any other content you generate inside the app
An audit log of significant actions (logins, device commands, plan changes, deletions)

Technical data

IP address at sign-up and on suspicious-activity checks (used for rate limiting and abuse prevention)
Browser user-agent string and basic request metadata in server logs
A single session cookie set at login (see Cookies below)

We do not run third-party analytics, behavioural trackers, advertising pixels or session-replay tools. There is no tracking layer to opt out of.

3. How we use your data

To run the service — store your inventory, chart your sensors, send your alerts, render your dashboards.
To communicate with you — email verification, password resets, security notifications, occasional service updates. We do not send marketing email without a separate opt-in.
To keep the service safe — detect abuse, rate-limit signups, investigate incidents.
To comply with law — respond to lawful requests, meet our tax and accounting obligations.

4. Legal bases (GDPR)

If you are in the EU/UK, our legal bases for processing are:

Contract — most processing is necessary to provide the service you signed up for.
Legitimate interest — security, fraud prevention, basic server logs.
Legal obligation — tax records, lawful information requests.
Consent — anything optional (e.g. opting into a non-essential newsletter), which you can withdraw at any time.

5. Where your data lives

The primary application database runs on a DigitalOcean droplet in Frankfurt, Germany (EU). Static assets for this marketing site and TLS termination for both the marketing site and the application are handled by Cloudflare's global edge network — your request is routed to whichever Cloudflare data center is closest.

Cloudflare may briefly cache static, non-personal assets (CSS, fonts, images) at its edge. Authenticated API responses and your dashboard data are not cached.

6. Sub-processors

These are the third parties that process some of your data on our behalf. We pick vendors that are GDPR-aligned and we keep this list short on purpose.

Vendor	Purpose	Region
DigitalOcean, LLC	Application hosting, primary database	Frankfurt, DE (EU)
Cloudflare, Inc.	DNS, CDN, TLS termination, DDoS protection	Global edge
Resend, Inc.	Transactional email delivery (verification, alerts)	United States
Telegram Messenger Inc.	Alert delivery (only if you connect a Telegram bot)	Global
Glitchtip OÜ	Server-side error tracking (stack traces, request context — sensitive fields scrubbed before send)	Estonia (EU)

We update this list when it changes. Material changes are announced in-app and via email before they take effect.

7. How long we keep things

Sensor history — retained for the window granted by your plan: 14 days (Free), 60 days (Hobby), 360 days (Pro), unlimited (Commercial). Older readings are pruned automatically.
Inventory, calendar, finance and audit-log records — retained for the lifetime of the account.
Account data — kept as long as the account is active. When you delete the account, you enter a 30-day grace window during which the account can be restored on request; after 30 days, account data is permanently erased from primary storage. Backup snapshots roll off within an additional 60 days.
Server logs — typically retained for up to 90 days for security and debugging.
Financial records — retained as required by Georgian tax law (currently six years).

8. Your rights

Regardless of where you live, you can ask us to:

Confirm what data we hold about you
Export your account and operational data in a portable format
Correct anything inaccurate
Delete your account and the data tied to it
Restrict or object to certain processing

Most of these you can already do yourself inside the app (account settings → export, delete). For anything you can't do in-product, write to [email protected].

If you believe we've mishandled your data, you have the right to complain to a supervisory authority — for users in Georgia, that is the Personal Data Protection Service of Georgia; for users in the EU, your local data-protection authority.

9. Cookies

The application uses a single, first-party session cookie to keep you signed in. It is HTTP-only, secure, and contains an opaque session identifier — no personal data is encoded in the cookie itself.

This marketing site (blindcat.app) sets no cookies. There is no consent banner because there is nothing to consent to.

10. Security

All traffic is served over TLS 1.2+ (HTTPS), end to end.
Passwords are stored as bcrypt hashes; the plaintext never touches our database or logs.
Cloudflare provides DDoS protection and bot mitigation in front of every request.
The application database runs in a private network on the host and is not exposed to the public internet.
We back the database up daily, with snapshots retained off-host.

No system is bulletproof. If you discover a vulnerability, please report it privately to [email protected] and we will work with you to address it.

11. International transfers

Your primary data sits in the EU. When you visit the site or the app, Cloudflare and Resend may process some metadata (IP, request headers, email envelope data) in regions outside the EU/EEA. Where applicable, these transfers rely on Standard Contractual Clauses or equivalent safeguards published by the vendor.

12. Children

blindcat is a tool for commercial and serious-hobbyist cultivation operations. It is not directed at, and not intended for, anyone under the age of 16. We do not knowingly collect data from minors. If you believe a child has signed up, write to us and we will delete the account.

13. Changes to this policy

We will post any update to this page and bump the "Last updated" date at the top. If the change is material — for example, a new sub-processor, or a substantively different use of your data — we will also send a notice to the email on your account before it takes effect.

14. Contact

blindcat LLC
Tbilisi, Georgia
[email protected]