Privacy Policy
Last updated: February 12, 2026
This Privacy Policy explains how Blend (“we,” “us,” or “our”) collects, uses, stores, and protects your information when you use our website at blend.do, our application at app.blend.do, and any related services (collectively, the “Service”).
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address — used for authentication, account recovery, and essential service communications.
- Password — securely hashed and stored; we never have access to your plaintext password.
- Display name — optionally provided by you for personalization.
If you sign up or log in using Google, we receive your email address and display name from Google. We do not receive or store your Google password.
1.2 User Content
The core purpose of Blend is to let you create and organize content. When you use the Service, you may create:
- Blends — your personal dashboards.
- Blocks — modular content units within blends, including Notes, Todos, Kanban Boards, Bookmarks, Text documents, Now (clock display), Wiki (Wikipedia content), Embed (from YouTube, Vimeo, Spotify, SoundCloud, Twitter/X), and Image blocks.
- Collections — organizational groups for your blends.
All user content is stored securely in our database and associated with your account.
1.3 Uploaded Files
You may upload media files to the Service, including:
- Images — for Image blocks (up to 10 MB per file; JPEG, PNG, WebP, GIF, HEIC formats).
- Kanban attachments — images, documents, spreadsheets, presentations, code files, archives, audio, and video (up to 50 MB per file).
- Profile avatars — profile images (up to 5 MB; JPEG, PNG, WebP formats).
Uploaded files are stored securely using our infrastructure provider (see Section 3). Images may be compressed on your device before upload to improve performance.
1.4 Automatically Collected Information
We automatically collect minimal technical information necessary to operate the Service:
- Authentication cookies — session cookies managed by our authentication provider to keep you logged in. These are essential and cannot be disabled.
- Local storage data — we store user preferences locally in your browser (theme preference, UI states). These are stored on your device only and never transmitted to our servers.
1.5 Information We Do NOT Collect
We want to be transparent about what we don’t do:
- We do not use analytics or tracking tools (no Google Analytics, no Facebook Pixel, no Vercel Analytics).
- We do not track your behavior, clicks, or usage patterns.
- We do not serve advertisements.
- We do not sell, rent, or trade your personal information.
- We do not use your content to train AI models.
- We do not collect your IP address for tracking purposes.
2. How We Use Your Information
We use your information solely to:
| Purpose | Data Used |
|---|---|
| Provide and maintain the Service | Account info, user content, uploaded files |
| Authenticate your identity | Email, password (hashed), Google OAuth tokens |
| Enable sharing features you initiate | Content you choose to make public |
| Send essential communications | Email (e.g., password reset, critical service notices) |
| Improve and fix the Service | Aggregate, anonymized error logs |
| Comply with legal obligations | Account info as required by law |
We do not use your information for marketing, advertising, profiling, or automated decision-making.
3. Third-Party Service Providers
We use a limited number of third-party providers to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Account data, user content, uploaded files |
| Google Sign-In option | Email and name (only if you choose Google login) | |
| Vercel | Application hosting and delivery | Standard web request data (IP in server logs, retained briefly) |
We do not share your personal data with any other third parties.
Third-Party Content in Embeds
When you use the Embed block, content is loaded directly from the third-party platform (YouTube, Vimeo, Spotify, SoundCloud, or Twitter/X) in your browser. These platforms may set their own cookies and collect data according to their own privacy policies. We only store the URL you provide.
Wikipedia Content
The Wiki block displays content from Wikipedia’s public API. No personal data is sent to Wikipedia.
4. Public Sharing
Blend allows you to optionally share your content publicly:
- You can enable public sharing on any blend or individual block.
- When enabled, a unique public link is generated that anyone with the link can use to view the content in read-only mode.
- Sharing is always off by default.
- Public content may be indexed by search engines.
- You can disable public sharing at any time, which immediately revokes access via the public link.
Important: When you make content public, any information within that blend or block becomes visible to anyone with the link. Do not share content publicly if it contains sensitive or personal information.
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit — all data transmitted via TLS (HTTPS).
- Encryption at rest — database and file storage encrypted at rest.
- Row Level Security (RLS) — database-level access controls ensure each user accesses only their own data.
- Password hashing — passwords are securely hashed using bcrypt.
- Secure tokens — session tokens managed with HTTP-only cookies.
- Access control — administrative access is restricted and audit-logged.
While we take security seriously, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using reasonable measures.
6. Data Retention
- Active accounts — we retain your data for as long as your account is active.
- Deleted content — when you delete a blend, block, or file, it is permanently removed. We do not retain soft-deleted copies.
- Account deletion — contact us at support@blend.do to request complete, permanent deletion of your account and all associated data.
- Server logs — hosting provider server logs are retained briefly and automatically purged.
7. Your Rights
For All Users
- Access — request a copy of your personal data.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your account and all data.
- Data portability — request an export in a machine-readable format.
For Users in the EEA and UK (GDPR)
You additionally have the right to:
- Restrict or object to processing of your personal data.
- Withdraw consent at any time.
- Lodge a complaint with your local data protection authority.
| Activity | Legal Basis |
|---|---|
| Providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Essential cookies for authentication | Legitimate interest (Art. 6(1)(f)) |
| Responding to support requests | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
For Users in Turkey (KVKK)
Under the Turkish Personal Data Protection Law (KVKK, Law No. 6698), you have the right to:
- Learn whether your personal data has been processed.
- Request information about the purpose and use of processing.
- Know the third parties to whom your data has been transferred.
- Request correction of incomplete or inaccurate data.
- Request deletion or destruction of your personal data.
- Object to any result arising from analysis by automated means.
- Request compensation for damages arising from unlawful processing.
To exercise any of these rights, contact us at support@blend.do. We will respond within 30 days.
8. International Data Transfers
Our infrastructure providers may process data in various locations globally. Where your data is transferred outside your country of residence, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, and contractual obligations requiring equivalent data protection.
9. Children’s Privacy
The Service is not intended for anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete that information promptly.
If you believe a child under 16 has provided us with personal data, please contact us at support@blend.do.
10. Cookies and Local Storage
Essential Cookies
We use only essential cookies required for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth cookies | Maintain your login session | Session / up to 7 days |
We do not use any advertising, analytics, or tracking cookies.
Local Storage
We store preferences locally on your device (theme, UI states, dialog preferences). This data never leaves your browser. You can clear it at any time through your browser settings.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date and may notify you via email or a prominent notice within the Service.
Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:
Email: support@blend.do
Website: blend.do
This Privacy Policy is effective as of February 12, 2026.