Privacy Policy

1. Company and Scope

• Operator: KERNL LIMITED, a private limited company incorporated in England and Wales.
• Product: BlackStack (SaaS web app and Chrome extension).
• Audience: Primarily B2B, though B2C users are permitted.
• Age Restriction: You must be 18 years or older to use the Service.

2. Personal Data We Collect

We only collect what is necessary to provide our service. This includes:

• Account Data: Email address, name (if provided), and authentication identifiers.
• Workspace Data: Organization details and membership information.
• Customer Content: User-created content, including code snippets.
• System Logs: Usage logs and security logs.
• Billing References: Payment processor customer/subscription identifiers and invoice metadata. Note: We do not store credit card details; all payments are securely handled by our third-party payment provider.

We do not sell personal data, nor do we use it for advertising purposes.

3. How We Use Personal Data

We process your information to:

• Provide, operate, and maintain the BlackStack service.
• Create and manage accounts and organizational access.
• Process subscriptions, invoices, and billing administration.
• Provide customer support and respond to user requests.
• Monitor, prevent, and investigate security incidents, abuse, and fraud.
• Improve overall performance, reliability, and user experience.

4. Lawful Bases for Processing (GDPR Article 6)

We process your data under the following lawful bases:

• Contract Necessity: To provide and operate the Service you requested.
• Legitimate Interests: For security, fraud prevention, service integrity, abuse prevention, and performance monitoring.
• Consent: Strictly for non-essential cookies or analytics, where required by applicable law.

5. Data Sharing and Subprocessors

We share personal data with trusted Subprocessors and service providers solely to operate the Service. We may also share data with authorities or legal advisors where required by law, to enforce our rights, or to protect our users and the Service.

Our categories of Subprocessors include providers of:

• Cloud hosting and infrastructure.
• Database and authentication management.
• Secure payment processing and billing.
• Email delivery and transactional communications.
• Third-party authentication (e.g., Single Sign-On, if enabled by the user).

6. International Transfers

Due to our use of global Subprocessors, your data may be processed in the United States and other jurisdictions where the level of data protection may differ from your home country. Where required, we rely on appropriate international transfer mechanisms, such as Standard Contractual Clauses (SCCs) or other lawful safeguards.

7. Cookies and Analytics

We use privacy-friendly analytics to help us understand how users interact with BlackStack so we can improve the Service. We do not use cookies or cross-site trackers. The analytics data we collect is aggregated and does not track your personal activity across other websites.

8. Security and Risk Assumption

We implement reasonable and appropriate security measures to protect your personal data. However, no system is entirely secure. You use the Service at your own risk and remain responsible for the data you choose to upload.

Prohibited Sensitive Data

You must not upload, submit, or process any:

• Special Category Data (Under GDPR Article 9): Including health/medical data, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, or trade union membership.
• Highly Confidential Data: Payment card numbers, passwords, security secrets, credentials, or confidential client data.
• Irreplaceable Data: BlackStack is a productivity tool, not a secure backup vault. You must not upload the sole copy of any data, code, or snippets that you cannot afford to lose.

Violating this prohibition may result in immediate content removal, account suspension, or termination.

9. Data Retention

• Logs: Usage and security logs are retained for 90 days.
• Account Data: Your Account Data and Customer Content are retained while your account is active.
• Post-Deletion: When you delete your account, you will maintain access to your data for 30 days (a grace period for recovery). After 30 days, your account will be disabled and queued for permanent deletion. All associated personal data and snippets will be fully and permanently deleted from our servers within 90 days of your initial deletion request, unless further retention is strictly required by law (e.g., for tax or invoicing records).