Blobify Privacy Policy

Effective date: 9 June 2026

This Privacy Policy explains how Blobify collects and uses personal data when you visit our website, create or use a Blobify account, communicate with us, or use Blobify's dashboard, APIs, Model Context Protocol ("MCP") tools, and related services (collectively, the "Service").

1. Controller

The controller for the processing described in this Policy is:

Slidesome ehf
Icelandic company registration number (kennitala): 410618-0790
Iceland
Email: [email protected]

In this Policy, "Blobify", "we", "us", and "our" refer to that entity.

2. Blobify's Role

Blobify has two different data protection roles:

  1. Controller. We are a controller for personal data used to operate the Blobify business and Service, including account, authentication, billing, security, support, and service-usage data.
  2. Processor. A Customer is the controller, and Blobify is its processor, when Blobify handles personal data contained in content or assets in the Customer's bucket solely to provide the Service under the Customer's instructions. That processing is governed by our Data Processing Agreement ("DPA").

If your personal data appears in a Blobify Customer's content, contact that Customer first. We will assist the Customer with requests as required by the DPA and applicable law.

3. The Bucket-First Model

Blobify is designed so that Customer content, schemas, assets, drafts, published files, indexes, routing configuration, and content history are stored in an Amazon S3, Cloudflare R2, or compatible bucket controlled by the Customer.

Blobify sends instructions to that bucket when authorized users create, edit, publish, archive, restore, upload, or delete material. Customer websites and applications normally read published content directly from the bucket rather than through Blobify.

The Customer chooses:

  • the storage provider and region;
  • whether a bucket or particular objects are public;
  • bucket policies, encryption, versioning, backup, and lifecycle settings;
  • what content and personal data to store;
  • who may access each organization and space; and
  • when to export, delete, or migrate Customer Content.

Deleting a Blobify organization removes its active Blobify-side organization record, memberships, API keys, invites, and webhooks and initiates deletion of stored bucket credentials. It does not delete Customer Content from the Customer's bucket. The Customer retains direct access and may keep, move, or delete those objects independently.

4. Personal Data We Collect

Depending on how you use the Service, we collect the following categories.

Account and identity data

  • user ID, name, email address, and email-verification status;
  • password hash for password-based accounts;
  • authentication provider and provider user identifier for federated login;
  • organization memberships, roles, and permitted spaces; and
  • identity-provider subject and group/role mapping data where organization SSO is used.

We do not store passwords in plain text.

Authentication and security data

  • hashed refresh tokens, API keys, password-reset tokens, email-verification tokens, OAuth authorization codes, and OAuth bearer tokens;
  • token creation, expiry, consent, rotation, revocation, and last-used timestamps;
  • user-agent information associated with login sessions;
  • registered OAuth client names and redirect URIs;
  • webhook URLs, signing secrets, subscribed events, and recent delivery status; and
  • security, error, and diagnostic log data, which may include IP addresses, request paths, identifiers, timestamps, and technical error details.

Organization and configuration data

  • organization name and identifiers;
  • locales, spaces, roles, usage limits, history settings, preview domains, public bucket URLs, drop-zone settings, and related configuration;
  • storage provider, endpoint, region, bucket name, and encrypted storage credentials or a secure reference to them;
  • connected application and API-key metadata; and
  • identity-provider configuration, including encrypted client secrets.

Billing and commercial data

Where relevant, we may collect:

  • plan, subscription status, and billing period;
  • billing contact name, email, company, VAT number, and billing address;
  • external payment-provider customer and subscription identifiers; and
  • transaction, invoice, and tax records.

We do not intend to store full payment-card details. A payment provider will process those details under its own privacy notice if card payments are introduced or used.

Communications and support data

  • messages you send to us;
  • support requests and troubleshooting information;
  • survey responses and feedback; and
  • records of service, security, legal, or account communications.

Customer Content

Customer Content may contain personal data selected by the Customer. Blobify does not determine the categories of individuals or personal data in Customer Content. We process it only to perform Customer instructions, provide support, secure the Service, and meet legal obligations.

5. Sources of Personal Data

We obtain personal data:

  • directly from you;
  • from your employer, organization administrator, or another member who invites you;
  • from an identity provider or connected application you authorize;
  • automatically from your browser, device, and use of the Service;
  • from storage providers when we perform requested bucket operations; and
  • from payment, email, security, and infrastructure providers used to operate the Service.

6. Purposes and Legal Bases

We process personal data for the following purposes and legal bases under the GDPR.

PurposeTypical dataLegal basis
Create accounts, authenticate users, provide organizations, and deliver the ServiceAccount, identity, membership, configuration, session, and Customer instruction dataPerformance of a contract or steps requested before entering a contract
Operate bucket connections, APIs, MCP, OAuth, SSO, webhooks, and integrationsConfiguration, credential, authorization, and technical dataPerformance of a contract
Secure the Service, prevent abuse, investigate incidents, enforce limits, and maintain logsSecurity, usage, device, network, authentication, and diagnostic dataLegitimate interests in security, fraud prevention, service integrity, and legal compliance
Send verification, password-reset, invitation, security, and operational messagesName, email, account, organization, and security dataPerformance of a contract and legitimate interests in operating and securing the Service
Provide support and respond to requestsContact, account, configuration, and troubleshooting dataPerformance of a contract and legitimate interests in customer support
Administer subscriptions, invoices, tax, and accountingBilling, contact, plan, and transaction dataPerformance of a contract and compliance with legal obligations
Improve reliability, usability, and performanceAggregated usage, feature, error, and diagnostic dataLegitimate interests in improving the Service
Establish, exercise, or defend legal claims and comply with lawful requestsRelevant account, communication, security, and transaction dataLegal obligation and legitimate interests in protecting legal rights
Send optional marketing communicationsName, email, organization, and communication preferencesConsent where required, otherwise legitimate interests subject to the right to object

Where we rely on legitimate interests, we consider the necessity and impact of the processing and the rights of affected individuals. You may object as described in Section 12.

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect processing already carried out lawfully.

7. Cookies and Similar Technologies

Blobify uses technologies that are necessary to authenticate users, maintain sessions, preserve security state during login and SSO flows, remember essential settings, and operate the Service.

We will request consent before using non-essential cookies or similar technologies where required by law. Our public website and Service do not use personal data for third-party behavioural advertising unless this Policy and the relevant consent controls are updated first.

8. Recipients and Subprocessors

We disclose personal data only as needed to the following categories:

  • Infrastructure and hosting providers, including Amazon Web Services for compute, database, encrypted parameter storage, key management, monitoring, and logs;
  • Email delivery providers, currently Cloudflare, for account verification, invitations, password resets, and operational email;
  • Customer-selected storage providers, including Amazon S3, Cloudflare R2, or another compatible provider;
  • Customer-authorized integrations, such as AI assistants, OAuth clients, identity providers, webhook endpoints, and deployment services;
  • Payment and accounting providers, if used for a paid subscription;
  • Professional advisers, such as lawyers, auditors, insurers, and accountants, under confidentiality duties;
  • Authorities or other recipients required by law, or where necessary to protect rights, safety, and service integrity; and
  • Transaction counterparties and advisers in a merger, financing, reorganization, or sale, subject to appropriate safeguards.

For Customer Content, the current subprocessor list and change-notification process will be maintained in the DPA or a linked subprocessor notice.

We do not sell personal data.

9. European and International Processing

Blobify is established in Iceland and operates its core API, account database, credential storage, and operational logging infrastructure in the European Economic Area, currently in the AWS eu-west-1 region in Ireland.

Customers select the location and provider of their own bucket. Customer Content may therefore be stored outside the EEA if the Customer chooses a non-EEA region or provider.

Some providers or their support personnel may process personal data outside the EEA. Where required, we use an adequacy decision, the European Commission's Standard Contractual Clauses, or another lawful transfer mechanism, together with supplementary measures where appropriate. You may contact us for more information about applicable safeguards.

10. Retention

We retain personal data only as long as necessary for the purposes described in this Policy, including legal, accounting, security, and dispute-resolution requirements.

Current service-level retention includes:

  • access tokens are short-lived and ordinarily expire after 15 minutes;
  • login refresh-token records expire after 7 days or are deleted on logout or revocation;
  • password-reset records expire after 1 hour;
  • email-verification records expire after 24 hours;
  • OAuth authorization-code records expire after 10 minutes and are single-use;
  • OAuth access grants ordinarily expire after 30 days, while refresh grants remain until rotated, revoked, disconnected, or otherwise deleted;
  • production application logs are ordinarily retained for 30 days;
  • invitations expire after their configured invitation period;
  • webhook delivery metadata is retained while the webhook is configured;
  • active account and organization data is retained while needed to provide the Service; and
  • billing, tax, fraud-prevention, legal, and transaction records may be kept for longer where required by law or necessary for legal claims.

Deletion from active systems may not immediately remove data from encrypted, access-restricted backups or provider recovery systems. Such copies are not restored for ordinary use and are deleted or overwritten according to the applicable backup cycle, unless preservation is legally required.

Customer Content retention is controlled by the Customer's bucket, versioning, archive, backup, and lifecycle settings. Blobify content-history limits apply inside that bucket and can be configured by the Customer. A Customer may also permanently delete individual content entries and their history using available Service functions.

11. Security

Blobify uses technical and organizational measures appropriate to the risks, including:

  • password hashing;
  • hashing of refresh tokens, password-reset tokens, verification tokens, authorization codes, and API credentials where plaintext recovery is not required;
  • encryption of storage and identity-provider credentials where plaintext recovery is required to perform Customer instructions;
  • AWS secure parameter storage and managed key encryption for production bucket credentials;
  • role-based and space-scoped access controls;
  • short-lived access tokens and credential revocation;
  • webhook signing;
  • production infrastructure in the EEA;
  • provider logging and recovery controls; and
  • separation of each Customer's configured storage.

No system can be guaranteed completely secure. Customers must protect their accounts, configure their buckets appropriately, restrict credentials to the permissions needed, and review public access settings.

If you believe an account or credential has been compromised, contact [email protected] promptly.

12. Your Rights

Subject to the GDPR and applicable exceptions, you may have the right to:

  • receive information about our processing;
  • access your personal data;
  • correct inaccurate or incomplete data;
  • request erasure;
  • restrict processing;
  • receive data you provided in a structured, commonly used, machine-readable format and transmit it to another controller;
  • object to processing based on legitimate interests;
  • object at any time to direct marketing;
  • withdraw consent at any time; and
  • not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, where applicable.

Blobify does not currently use solely automated decision-making that produces legal or similarly significant effects.

To exercise a right, email [email protected]. We may need to verify your identity and authority. We will respond without undue delay and normally within one month, subject to permitted extensions.

Some data may be exempt from a request, or may need to be retained, for example to comply with law, protect another person's rights, or establish, exercise, or defend legal claims.

13. Organization Administrators

If your account is provided through an organization, its administrators may:

  • access your membership information;
  • assign or remove roles and spaces;
  • create or revoke organization credentials and integrations;
  • view activity metadata made available by the Service; and
  • remove your access.

Your organization is responsible for its own processing of your personal data. Questions about its decisions should be directed to that organization.

14. Children

The Service is intended for business and professional users aged 18 or older. Blobify does not knowingly collect personal data directly from children for its own purposes. Customers must not use the Service to process children's personal data unless they have a lawful basis and implement all safeguards required by applicable law.

15. Complaints

Please contact us first so we can try to resolve your concern.

You also have the right to complain to the supervisory authority in Iceland:

Persónuvernd (Icelandic Data Protection Authority)
https://www.personuvernd.is/

You may instead contact the supervisory authority in the EEA country where you live, work, or believe an infringement occurred.

16. Changes to This Policy

We may update this Policy to reflect changes to the Service, law, or our processing. The updated version will state its effective date. We will provide reasonable notice of material changes through the Service, by email, or by another appropriate method.

17. Contact

For privacy questions, rights requests, or complaints:

Slidesome ehf
Kennitala: 410618-0790
Iceland
[email protected]