Legal
Privacy Policy
Effective: 2 May 2026
1. Who we are
Obsidian Dynamics Limited (“we”, “us”, “our”) is the data controller for personal data processed in connection with BLACKGLASS. We are registered in England & Wales under Company Number 16663833.
Contact: [email protected] | obsidiandynamics.co.uk
2. What data we collect
We process the following categories of personal data:
| Category | Data | Purpose |
|---|---|---|
| Account data | Name, email address, password hash | Account creation and authentication |
| Billing data | Billing email, Stripe customer ID, subscription status | Processing payments and managing your subscription |
| Usage data | IP address, browser/device type, pages visited, session duration | Security, fraud prevention, service improvement |
| Host configuration metadata | Configuration state of Linux hosts you enrol (ports, users, packages, kernel params, etc.) | Core service — computing drift and generating reports |
| Audit log data | Timestamped record of operator actions within BLACKGLASS | Security and compliance audit trail |
| Support communications | Emails and messages you send us | Responding to support requests |
What we do not collect:
- File contents from your hosts
- Environment variables or application secrets from your hosts
- SSH private keys (credentials are held in memory only for the duration of a scan)
3. Legal basis for processing (UK GDPR)
| Data type | Legal basis |
|---|---|
| Account and billing data | Contract performance (Art. 6(1)(b)) — necessary to provide the Service |
| Usage and security data | Legitimate interests (Art. 6(1)(f)) — fraud prevention and service security |
| Host configuration metadata | Contract performance (Art. 6(1)(b)) — the core function of the Service |
| Marketing communications | Consent (Art. 6(1)(a)) — you may opt in or out at any time |
4. How we use your data
- Provide, maintain, and improve the Service
- Process subscription payments and manage billing
- Send service-critical communications (receipts, security alerts, downtime notices)
- Detect and prevent fraud and abuse
- Comply with legal obligations
- With your consent: product updates and new feature announcements
5. Third-party processors
We share data with the following sub-processors under appropriate data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and billing portal | United States (SCCs in place) |
| DigitalOcean, LLC | Cloud infrastructure hosting (App Platform, Spaces) | United States / EU (SCCs in place) |
| Sentry (Functional Software, Inc.) | Error monitoring and performance tracing | United States (SCCs in place) |
We do not sell your personal data to third parties.
6. Data retention
| Data type | Retention period |
|---|---|
| Account data | Duration of account plus 30 days after closure |
| Billing records | 7 years (HMRC requirement) |
| Host configuration metadata | Per plan: 30 days (Local), 180 days (Team), custom (Fleet) |
| Audit logs | Per plan retention window; append-only during retention |
| Usage/security logs | 90 days |
7. Your rights under UK GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (“right to be forgotten”) where no legal retention obligation applies
- Restriction — ask us to restrict processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — at any time for consent-based processing (e.g. marketing)
To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
8. Cookies and tracking
BLACKGLASS uses only technically necessary cookies (session authentication). We do not use advertising or cross-site tracking cookies. Error monitoring via Sentry may collect anonymised session replay data (on error only) to diagnose faults; this can be disabled on request.
9. Security
All data in transit is protected by TLS 1.3. Data at rest is encrypted with AES-256. Access to production systems is restricted to authorised personnel. We conduct regular dependency vulnerability reviews. For details, see the Security Overview section in the BLACKGLASS console dashboard.
10. International transfers
Some of our sub-processors are based outside the UK. Where personal data is transferred to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the ICO to ensure an equivalent level of protection.
11. Changes to this policy
We may update this Privacy Policy. Material changes will be notified by email or in-app notice. The effective date at the top of this page will always reflect the current version.
12. Contact and complaints
Data protection enquiries: [email protected]
Obsidian Dynamics Limited, registered in England & Wales, Co. No. 16663833
Supervisory authority: Information Commissioner’s Office (ICO), ico.org.uk