Legal

Privacy Policy

Effective: June 4, 2026Last Updated: June 4, 2026

1.Introduction and Scope

Black Diamond Labs LLC ("BLACK DIAMOND," "Black Diamond Labs," "we," "our," or "us") develops, owns, operates, and supports software products, websites, APIs, developer tools, AI systems, automation platforms, customer dashboards, documentation portals, enterprise software, and related services (collectively, the "Services").

This Privacy Policy explains how we collect, use, disclose, process, retain, and protect personal information when you access or use our Services, including current and future products operated by BLACK DIAMOND. It does not apply to third-party websites or services not operated by us, even if linked to from our Services.

Customer Data Processing. When customers use our Services to process information through customer-configured workflows, AI agents, automations, integrations, APIs, databases, or connected systems, the customer is generally the controller, business, or responsible organization for that information. In those situations, BLACK DIAMOND typically acts as a processor, service provider, or data handler on behalf of the customer, subject to applicable law and any applicable Data Processing Agreement. This Privacy Policy does not govern BLACK DIAMOND's processing activities in its processor capacity — those are addressed in applicable customer agreements.

2.Information We Collect

2.1 Information You Provide

  • Account registration information, including name, email address, username, company name, job title, and account identifiers.
  • Authentication and identity information, including login credentials, authentication tokens, session identifiers, and identity provider metadata.
  • Organization, workspace, project, team, and membership information.
  • Communications submitted through support requests, contact forms, surveys, feedback submissions, or other interactions with us.
  • Configuration, preferences, and settings you establish within the Services.

2.2 Billing and Subscription Information

We collect customer identifiers, plan and subscription information, invoice details, subscription status, transaction metadata, and related billing records. Billing and payment processing may be handled by third-party payment providers such as Stripe. We generally do not receive or store complete payment card numbers, bank account details, or other sensitive payment credentials that are processed directly by those providers.

2.3 Automatically Collected Information

  • Product usage information, including feature usage, configuration states, activity history, and operational metrics.
  • Device, browser, operating system, network, and connection information.
  • IP addresses, approximate location information derived from IP addresses, request metadata, and server logs.
  • Cookies, session identifiers, local storage data, and similar technologies as described in Section 11.
  • API usage metadata, including API requests, authentication events, usage statistics, rate-limit activity, and operational telemetry.
  • Security logs, audit records, diagnostics, and system monitoring information.

2.4 Information from Third Parties

We may receive information about you from identity providers, integration platforms, and other third parties in connection with your use of the Services, as described in Section 4.

3.Product and Service Data

The information processed through our Services varies depending on the product, customer configuration, connected systems, and intended use case. Depending on the Service, we may process:

  • Customer-configured content and data.
  • AI workflow configurations and automation settings.
  • Agent configurations and runtime settings.
  • Workspace, project, environment, and organizational metadata.
  • Integration and connector metadata.
  • Runtime logs and execution records.
  • Audit logs and security events.
  • API request and response metadata.
  • System health information and operational telemetry.
  • Performance metrics and reliability diagnostics.
  • Resource identifiers and access-control information.
  • Infrastructure and deployment metadata.
  • Error reports and troubleshooting information.

For AI systems, automation platforms, APIs, developer tools, and agent-based products, runtime information may include workflow identifiers, execution metadata, timestamps, status information, latency measurements, policy evaluations, approval states, action histories, integration activity, connector results, and related audit context.

The specific information processed depends on customer choices, enabled features, integrations, permissions, and service configurations.

4.Information from Third Parties

We may receive information from service providers, partners, integrations, and third-party platforms used to operate the Services. Examples include:

  • Clerk for authentication, identity management, account verification, and session management.
  • Stripe for subscription management, billing, invoicing, and payment-related metadata.
  • GitHub for repository access, installation information, account metadata, and customer-authorized integration activity.
  • Vercel for hosting, deployment infrastructure, performance monitoring, analytics, and delivery services.
  • Neon and other database providers for managed database infrastructure.
  • PostHog and similar analytics providers for product usage analytics and operational insights.
  • Sentry and similar monitoring providers for application diagnostics, debugging, and error reporting.
  • Cloud infrastructure providers that support hosting, storage, networking, security, and service delivery.
  • Identity providers used by customers for single sign-on and authentication.
  • Analytics, security, and fraud-prevention providers that help us operate and secure the Services.

The information we receive depends on customer configurations, user actions, and the services involved.

5.How We Use Information

5.1 Service Delivery and Operations

  • Providing, operating, maintaining, and delivering the Services.
  • Authenticating users, customers, agents, applications, and connected systems.
  • Managing accounts, organizations, workspaces, projects, permissions, and subscriptions.
  • Processing billing, payments, renewals, cancellations, and related support requests.
  • Supporting AI systems, automation workflows, APIs, agent platforms, and related product functionality.

5.2 Security, Safety, and Integrity

  • Monitoring performance, reliability, availability, and service health.
  • Detecting, investigating, preventing, and responding to abuse, fraud, unauthorized access, and security incidents.
  • Generating logs, audit trails, operational records, and compliance-related records.
  • Protecting our rights, customers, personnel, systems, and business operations.

5.3 Product Improvement and Analytics

  • Improving product performance, usability, reliability, and feature quality.
  • Analyzing usage patterns and operational trends.

5.4 Communications and Support

  • Responding to inquiries, providing customer support, and communicating with users.
  • Sending service-related communications, including security notices, account notifications, and policy updates.

5.5 Legal and Compliance

  • Complying with legal obligations and regulatory requirements.
  • Enforcing our agreements and policies.

We do not sell personal information. We do not use personal information for cross-site behavioral advertising.

7.Error Monitoring and Diagnostics

We use monitoring, observability, logging, and diagnostic tools — including providers such as Sentry — to identify software defects, investigate incidents, improve performance, maintain reliability, and secure the Services.

Depending on the issue and service configuration, diagnostic information may include error messages, stack traces, request metadata, session information, browser and device information, application state information, performance metrics, infrastructure telemetry, account or workspace identifiers necessary for troubleshooting, and security-related event information.

We implement reasonable controls to limit the collection of sensitive information in diagnostic systems. We do not intentionally transmit passwords, authentication secrets, payment card data, encryption keys, private credentials, or unrelated customer content to diagnostic providers. Where feasible, we apply filtering, minimization, redaction, and access-control measures designed to reduce exposure of sensitive information.

8.Data Retention

We retain information for as long as reasonably necessary to provide the Services, fulfill contractual obligations, maintain security, comply with legal requirements, resolve disputes, and enforce agreements. Retention periods vary by category:

  • Account, organization, workspace, and subscription information: Retained while accounts are active and for a reasonable period afterward to support reactivation, dispute resolution, and legal compliance.
  • Billing and financial records: Retained as required for tax, accounting, auditing, fraud prevention, and legal compliance — typically seven years or as required by applicable law.
  • Runtime logs, operational logs, and telemetry: Retained based on product configuration, service plans, operational requirements, and customer retention settings.
  • Security logs and audit records: Retained for periods appropriate for incident investigation, abuse prevention, compliance, and security purposes.
  • Backup data: Retained for disaster recovery and operational resilience; deleted information may remain in encrypted backup systems for a limited period before scheduled deletion or rotation.

Upon account deletion or at the end of a customer relationship, we process deletion or anonymization in accordance with our agreements and applicable law. Some information may be retained where required or permitted by law.

9.How We Share Information

We share information only when reasonably necessary to operate the Services or comply with legal obligations.

9.1 Service Providers and Infrastructure Vendors

We share information with vendors that provide hosting, cloud infrastructure, authentication, monitoring, analytics, billing, customer support, security, storage, communications, and operational services. These vendors are contractually obligated to use information only as directed and to maintain appropriate security and confidentiality measures.

9.2 Customer-Directed Integrations

When customers connect third-party platforms, APIs, databases, repositories, identity providers, cloud services, or other systems, information may be exchanged as necessary to provide the requested functionality and under the customer's instructions.

9.3 Legal, Security, and Compliance

We may disclose information when required by law or when we reasonably believe disclosure is necessary to:

  • Comply with a legal obligation or respond to valid legal process, such as a court order, subpoena, or government request.
  • Protect the rights, safety, or property of BLACK DIAMOND, our customers, users, or others.
  • Investigate, prevent, or respond to fraud, abuse, unauthorized access, or security incidents.
  • Enforce our agreements, policies, and legal rights.

Where permitted by law and not prohibited by the applicable demand, we will attempt to notify affected customers before disclosing their information in response to legal process.

9.4 Business Transactions

Information may be transferred as part of a merger, acquisition, financing transaction, corporate restructuring, bankruptcy proceeding, or sale of assets. Where required by applicable law, we will notify affected users through the Services or by email before personal information is transferred and becomes subject to a different privacy policy.

9.5 What We Do Not Do

BLACK DIAMOND does not sell personal information to third parties. BLACK DIAMOND does not share personal information with third parties for their own advertising or marketing purposes.

10.Data Security

We maintain technical, administrative, and organizational safeguards designed to protect information processed through the Services. Security measures may include:

  • Encryption in transit using industry-standard protocols (TLS).
  • Encryption at rest where supported and appropriate.
  • Access controls and authorization systems with role-based access management.
  • Identity verification, authentication safeguards, and multi-factor authentication support.
  • Network security controls and infrastructure monitoring and logging.
  • Security reviews and vulnerability management practices.
  • Audit logging and security event monitoring.
  • Secure credential and secrets management practices.

No method of electronic transmission, storage, or processing can guarantee absolute security, and we cannot guarantee that security measures will be effective in every circumstance. If you become aware of a potential security issue, please contact us at privacy@black-diamond.tech.

11.Cookies and Tracking Technologies

We use cookies and similar technologies to operate, secure, and improve the Services. These technologies may be used for:

  • Authentication, login management, and session security.
  • Fraud prevention and bot detection.
  • User preferences and settings.
  • Service functionality.
  • Performance monitoring.
  • Product analytics and operational insights.

Third-party providers may set cookies or similar technologies on our behalf to support these functions.

We do not use advertising cookies for cross-site behavioral advertising, and we do not participate in advertising networks that track users across unrelated websites for targeted advertising purposes.

Users may manage cookie preferences through browser settings, although disabling certain cookies may affect Service functionality.

Do Not Track. The Services do not currently respond to browser-level Do Not Track (DNT) signals, as there is no consistent industry standard for such signals. We do, however, treat Global Privacy Control (GPC) signals as described in Section 12.3.

12.Your Rights and Choices

Depending on your location and applicable law, you may have rights regarding your personal information. We will not discriminate against you for exercising applicable rights. To submit a privacy request, contact us at privacy@black-diamond.tech. We may need to verify your identity or authority before fulfilling requests. Certain information may be retained where permitted or required by law, contractual obligations, security requirements, dispute resolution needs, or legitimate business purposes.

12.1 Rights Available to All Users

Regardless of location, you may:

  • Access and review account information through your account settings.
  • Correct or update inaccurate account information through your account settings or by contacting us.
  • Delete your account by contacting us, subject to applicable retention requirements.
  • Opt out of marketing communications by following the unsubscribe instructions in any marketing email or by contacting us.

12.2 European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR or UK GDPR:

  • Right of access: Obtain confirmation of whether we process your personal data and receive a copy of that data.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of personal data in certain circumstances.
  • Right to restriction: Request that we limit processing of your personal data in certain circumstances.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to data portability: Receive your personal data in a structured, machine-readable format in certain circumstances.
  • Right to withdraw consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: Lodge a complaint with the data protection authority in your jurisdiction. For EU residents, this is typically the authority of your member state. For UK residents, this is the Information Commissioner's Office (ico.org.uk).

Data Controller. For purposes of the GDPR and UK GDPR, BLACK DIAMOND acts as a data controller for personal information collected in connection with your direct use of our Services as described in this Privacy Policy.

International Transfers. Where we transfer personal data from the EEA or UK to third countries, including the United States, we implement appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Addendum (UK Addendum), or other lawful transfer mechanisms. Contact us for more information about the transfer mechanisms applicable to your data.

12.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information Collected. In the preceding 12 months, we have collected the following CCPA categories of personal information:

  • Identifiers: such as name, email address, IP address, account ID, and session identifiers.
  • Customer records information: such as account registration details and billing information.
  • Commercial information: such as subscription and transaction records.
  • Internet or other electronic network activity: such as usage logs, API activity, and diagnostic data.
  • Geolocation data: approximate location derived from IP addresses.
  • Professional or employment-related information: such as company name and job title, where provided.
  • Inferences: drawn from usage data to support product analytics and service improvement.

Sensitive Personal Information. We do not collect or use sensitive personal information (as defined by the CPRA) for purposes beyond those permitted under the CPRA without offering you the right to limit such use.

Your California Rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the third parties with whom we share it.
  • Right to Delete: Request deletion of personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. No opt-out is required, but you may signal your preference via the Global Privacy Control (GPC).
  • Right to Limit Use of Sensitive Personal Information: To the extent we collect sensitive personal information, you may request that we limit its use to what is necessary to provide the Services.
  • Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your CCPA/CPRA rights.

Global Privacy Control. We treat browser-level GPC signals as an opt-out of the sale and sharing of personal information for purposes of the CPRA.

Authorized Agents. California residents may designate an authorized agent to submit requests on their behalf. We may require verification of the agent's identity and written authorization before processing agent-submitted requests.

Shine the Light. California Civil Code Section 1798.83 permits California residents to request information about personal information shared with third parties for their direct marketing purposes during the prior calendar year. We do not share personal information with third parties for direct marketing purposes.

12.4 Other U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with applicable comprehensive privacy laws may have similar rights, including rights to access, correct, delete, and port personal data, and to opt out of targeted advertising, sale of personal data, and profiling used to make consequential decisions about individuals.

To exercise applicable rights, contact us at privacy@black-diamond.tech. We will respond in accordance with applicable law. If we decline a rights request, you may appeal by contacting us with the word "Appeal" in your subject line and explaining the basis for your appeal.

13.Automated Decision-Making

BLACK DIAMOND does not use automated decision-making — including profiling — to make legally significant or similarly consequential decisions about individuals without human review. We may use automated tools to analyze usage patterns for product improvement and service health purposes, but these activities do not produce legal or similarly significant effects on individuals.

14.Children's Privacy

The Services are intended for businesses, organizations, developers, and professional users and are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, please contact us at privacy@black-diamond.tech so that we can investigate and take appropriate action.

15.International Operations

BLACK DIAMOND is based in the United States and operates internationally. When you use the Services from outside the United States, your information may be transferred to, processed in, and stored in the United States or other countries where we, our affiliates, or our service providers maintain infrastructure.

When required by applicable law, we implement appropriate safeguards for international transfers of personal information, including Standard Contractual Clauses, the UK International Data Transfer Addendum, and other legally recognized mechanisms. By using the Services from outside the United States, you acknowledge that your information may be processed in the United States, where privacy laws may differ from those in your jurisdiction.

16.Third-Party Services and Integrations

Customers control which third-party services, APIs, repositories, databases, identity providers, cloud platforms, communication tools, AI systems, and other integrations they connect to the Services. BLACK DIAMOND may process information necessary to enable and support those integrations under customer instructions.

Customers remain responsible for:

  • Selecting and authorizing connected services and ensuring they are appropriate for intended use cases.
  • Managing permissions and access controls for third-party integrations.
  • Reviewing third-party privacy policies and terms of service.
  • Maintaining appropriate credentials and security practices for connected systems.
  • Complying with obligations to their own users when third-party integrations involve personal data.

Third-party services operate independently under their own privacy practices, terms, and security controls.

17.Enterprise Customers and Data Processing Agreements

Enterprise customers who process personal data through the Services on behalf of their own end users may be eligible for a Data Processing Agreement (DPA) that governs our processing activities in our capacity as a processor or service provider. Contact us at privacy@black-diamond.tech to request a DPA or for information about sub-processor relationships.

18.Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our business, products, legal requirements, technology, security practices, or operational needs.

For non-material updates, we may revise the "Last Updated" date above. For material changes, we will provide at least 30 days' advance notice through the Services, by email, or through other appropriate communication channels, unless a shorter timeframe is required for legal, security, or operational reasons. Your continued use of the Services after the effective date of a material change constitutes acceptance of the updated policy.

19.Contact Information

If you have questions, requests, concerns, or complaints regarding this Privacy Policy or our privacy practices, please contact us:

Black Diamond Labs LLC

Email: privacy@black-diamond.tech

Website: https://black-diamond.tech

For privacy rights requests, include "Privacy Request" in your subject line to help us route your inquiry.