Privacy Policy
Last updated: May 8, 2026
Blend is a BYOK (Bring Your Own Key) AI chat platform. We deliberately collect as little personal data as possible. This page documents exactly what we collect, what we do NOT collect, and how it is protected — based on our production source code.
1. What We Collect
When you use Blend, the following anonymous data is sent to our servers:
| Field | Purpose | Retention |
|---|
userId (random UUID) | Cohort retention analytics — never linked to your name, email, or device. | 90 days (auto-deleted) |
country (2-letter code) | Country distribution. Derived from your IP by Cloudflare; your raw IP is never stored. | 90 days |
os (iOS / Android / macOS / Windows / Linux) | Device-class stats. Derived from your User-Agent string client-side. | 90 days |
provider, model | Which AI providers/models are most used (e.g. OpenAI / Anthropic / Google). | 90 days |
inputTokens, outputTokens, cost | Aggregate cost analytics. Numbers only — message content is NEVER sent. | 90 days |
event (e.g. menu_click) | Anonymous usage of menus (chat / billing / settings, etc.). | 30 days (Vercel Analytics) |
You can disable analytics anytime in Settings → Analytics. We do not use advertising, fingerprinting, or cross-site tracking cookies.
2. What We Do NOT Collect
- Account information — Blend has no sign-up, no login, no profile. We do not have your name, email, phone number, or date of birth.
- API keys — Your AI provider keys (OpenAI / Anthropic / Google / DeepSeek / Groq) are stored only in your browser, encrypted with AES-256-GCM (see §5).
- Chat conversations — Your messages and AI responses are sent directly from your browser to the AI provider you chose, using your own API key. Our servers never receive them.
- Audio recordings & meeting files — Uploaded directly to the AI provider's Files API (e.g. Google Gemini Files) using your own key. Auto-deleted within 48 hours by the provider.
- RAG documents & embeddings — All parsed documents, vector embeddings, and search indexes are stored only in your browser's IndexedDB. They never leave your device.
- Credit card / payment info — Handled entirely by Paddle / Toss Payments / Xendit (PCI-DSS certified). Blend code never receives card numbers.
- Raw IP address — Cloudflare returns only your 2-letter country code; the IP itself is not logged.
- Browser fingerprint — No canvas, font, or hardware fingerprinting.
3. OAuth Tokens (Google Drive / OneDrive)
When you connect a cloud data source for RAG, an OAuth refresh token is issued by Google or Microsoft. Blend's policy:
- Storage — Tokens are stored in Cloudflare KV with encryption-at-rest, accessible only by our webhook worker.
- Rotation — Refresh tokens auto-rotate every 24 hours. Watch channels and Graph subscriptions are renewed every 12 hours via cron.
- Immediate revoke — When you click "Disconnect" on a data source, the token is deleted from KV and the upstream subscription is cancelled within seconds. The IndexedDB partition for that source is also wiped.
- Scope — Read-only access to the specific folders you select. Blend never requests write access.
4. How We Use the Anonymous Data
- Compute aggregate metrics (daily active users, country/OS distribution, model popularity, cost trends) for product decisions.
- Detect abuse and rate-limit violators at the worker layer.
- Generate the daily operational summary delivered to the Blend operator. The summary contains only aggregate numbers — never any individual user's data.
5. Data Security
- API keys at rest — Encrypted with
AES-256-GCM using a non-extractable Web Crypto key bound to your browser. The key never leaves the browser via any API. - Transport — All requests use HTTPS with HSTS. Strict CSP blocks injected scripts.
- Storage — Local data lives in
localStorage and IndexedDB within your browser's same-origin sandbox. - Server side — Cloudflare KV / Workers Analytics Engine: encryption-at-rest, 90-day TTL, no PII fields.
No method of internet transmission is 100% secure. We continually review our threat model and patch vulnerabilities promptly.
6. Third-Party Services
- Cloudflare — Edge runtime, KV, Analytics Engine (encryption-at-rest, 90-day TTL).
- Vercel — Static hosting, anonymous pageview analytics (30-day retention; opt-out in Settings).
- ipapi.co — One-time country lookup. Cached 24h locally; blocks subsequent calls.
- Paddle / Toss Payments / Xendit — Card payment processing (PCI-DSS).
- AI providers (OpenAI / Anthropic / Google / DeepSeek / Groq) — Direct browser-to-provider calls using your own API key. Blend does not proxy or log.
- Google Drive API / Microsoft Graph API — Optional, for RAG. Read-only scopes.
7. Your Rights
- Right to be forgotten — Clear your browser's site data for
blend.ai4min.com. All chat history, API keys, embeddings, and your anonymous UUID are removed instantly. The 90-day server-side aggregates expire automatically. - Right to opt out of analytics — Toggle off in Settings → Analytics.
- Right to disconnect cloud sources — Click "Disconnect" on any RAG source; OAuth tokens and indexed data are deleted within seconds.
- Right to inquiry — Email blend@ai4min.com for any privacy question.
8. Cookies
Blend uses no advertising or cross-site tracking cookies. Browser local storage is used only to save your settings, chat history, and preferences — all on your device.
9. Operator
Blend is operated by MIN Company. Privacy inquiries:blend@ai4min.com.
10. Changes to This Policy
Material changes will be reflected in the "Last updated" date above and announced in-app. Continued use after a change constitutes acceptance of the revised policy.