Privacy Policy

1. Introduction

Fuentes Digital Ventures LLC ("BlendIn," "we," "us," or "our"), a Wyoming Limited Liability Company, operates the websites blendin.ai and app.blendin.ai (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and handling your data with transparency and care. Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and a securely hashed version of your password. We never store passwords in plain text. If you sign up using a third-party provider (such as Google), we receive your name and email from that provider.

2.2 Profile Information

You may optionally provide additional profile information such as your company name, industry, job title, and role. This information helps us personalize your content generation experience.

2.3 Brand Kit Data

When you configure your Brand Kit, we collect your brand colors, font preferences, logo images, tone of voice settings, and visual style preferences. This data is used exclusively to generate content that matches your brand identity.

2.4 Content Data

We store content generated through the Service, including text posts, captions, images, carousels, and associated metadata such as hashtags, quality scores, and scheduling information. This data is stored in your account and is accessible only to you.

2.5 LinkedIn OAuth Tokens

When you connect your LinkedIn account, we receive and store OAuth access tokens and refresh tokens. These tokens are encrypted at rest using AES-256-GCM encryption and are used solely to publish content to LinkedIn on your behalf and to retrieve basic profile information necessary for the publishing function.

2.6 Usage Data

We automatically collect information about how you interact with the Service, including features used, generation counts, content types created, publishing activity, and general usage patterns. This data helps us improve the Service and monitor usage against plan limits.

2.7 Payment Information

Payment processing is handled entirely by Stripe, our third-party payment processor. We do not directly collect, store, or process credit card numbers or banking information. We receive from Stripe limited information such as the last four digits of your card, card brand, expiration date, and billing address for receipt and account management purposes.

2.8 Log Data

Our servers automatically collect certain information when you access the Service, including your IP address, browser type and version, operating system, referring URLs, pages visited, time and date of visits, and device information. This data is used for security monitoring, performance optimization, and troubleshooting.

3. LinkedIn Data Practices

3.1 Data We Collect from LinkedIn

When you connect your LinkedIn account, we access the following information:

• Your name, profile photo, and email address (via OpenID Connect, scopes: openid, profile, email)
• Your LinkedIn member identifier (person URN) necessary for publishing on your behalf
• Names of organizations/company pages you administer (only if you connect a company profile)
• Performance metrics of posts published through BlendIn (impressions, reactions, comments, shares) when you use the analytics feature
• For Business plan users with LinkedIn Ads: advertising campaign data (impressions, clicks, CTR, spend)

3.2 How We Use LinkedIn Data

• To publish content to your personal profile or company page on your behalf, ONLY when you explicitly authorize it
• To display your name and profile photo within the BlendIn application
• To retrieve performance metrics of your published posts
• We NEVER use your LinkedIn data to create databases of members, enrich third-party profiles, sell data, or share with data brokers

3.3 User Consent

Before accessing any LinkedIn data, we obtain your legally valid consent that includes: (a) how your data will be used and disclosed; (b) when data will be collected (each time you publish, schedule, or request analytics); (c) the type of data to be collected (basic profile, publishing tokens, metrics); (d) how you can withdraw your consent (by disconnecting your LinkedIn account in Settings); and (e) how you can request deletion of your data.

You can revoke access at any time from your LinkedIn account at linkedin.com/mypreferences/d/data-sharing-for-permitted-services.

3.4 Token Storage and Security

• LinkedIn access and refresh tokens are encrypted with AES-256-GCM before storage
• Tokens are NEVER exposed in client-side code, URLs, or logs
• Tokens are stored exclusively in our database with Row-Level Security
• We implement token refresh flows to maintain authorized access

3.5 Data Deletion on Disconnect

When you disconnect your LinkedIn account or close your BlendIn account:

• All OAuth tokens (access token and refresh token) are deleted IMMEDIATELY
• All LinkedIn profile data (name, photo, URN) is deleted within 24 hours
• Content you generated (posts, images, carousels) is retained in your account as it is your content, not LinkedIn data
• If a user requests data deletion, we delete all content collected through LinkedIn APIs, including the Member Token and OAuth Access Token
• If LinkedIn revokes our application's access, we delete all associated LinkedIn data

3.6 LinkedIn Data Usage Restrictions

In compliance with the LinkedIn API Terms of Use, we:

• Do NOT export, transfer, or distribute LinkedIn member data to third parties
• Do NOT create databases of member data collected from multiple accounts
• Do NOT combine LinkedIn member data with other personal information from external sources
• Do NOT commercialize or sell LinkedIn member data
• Do NOT provide data to data brokers or similar services
• Only access the minimum OAuth scopes necessary for functionality

3.7 LinkedIn Ads Data (Business Plan Only)

For users who connect LinkedIn Ads:

• We access advertising campaign data (metrics, configuration, audiences)
• We do NOT associate Ad Services data with data that directly identifies an individual without explicit consent
• We do NOT sell Ad Services data or combine it with data from other advertisers
• We do NOT transfer ads data to advertising networks, ad exchanges, or data brokers
• We do NOT target ads based on sensitive data categories

4. How We Use Information

We use the information we collect for the following purposes:

• Provide and maintain the Service: Including account management, content generation, scheduling, and publishing.
• Generate personalized content: Using your Brand Kit data, profile information, and preferences to create content that matches your identity.
• Process payments: Working with Stripe to manage subscriptions, billing, and payment transactions.
• Publish content to LinkedIn: Using your authorized OAuth tokens to post content to your LinkedIn profile or company pages on your behalf.
• Improve the Service: Using anonymized, aggregated data to improve our AI models, features, and overall service quality. We never use your personal information or identifiable content for model training.
• Communicate with you: Sending service-related emails including account confirmations, billing receipts, usage notifications, security alerts, and product updates. You can opt out of non-essential communications at any time.
• Ensure security: Monitoring for fraudulent activity, unauthorized access, and potential security threats.

5. Information Sharing

We share your information only as described below and only to the extent necessary to provide the Service:

• OpenAI: Text prompts are sent to OpenAI's API for content generation. These prompts contain topic information and stylistic instructions but do not include your personal information (name, email, etc.).
• Google (Gemini): Image generation prompts are sent to Google's Gemini API. These prompts describe visual requirements and brand elements but do not include personal information.
• LinkedIn: When you explicitly authorize publishing, we share your generated content (text, images, PDF documents) with LinkedIn through their official REST API (version 202603) to publish on your behalf. We access your profile information (name, photo, member URN) solely to enable the publishing function. We use LinkedIn's official OAuth 2.0 protocol — we do NOT use cookie-based authentication, browser automation, or any unofficial access method. All API usage complies with LinkedIn's API Terms of Use and Developer Agreement.
• Stripe: Your payment information is processed by Stripe in accordance with their privacy policy and PCI DSS compliance requirements.
• Supabase: Our database infrastructure is hosted on Supabase, which stores your account data, content, and application data with row-level security enforcement.
• Vercel: Our application is hosted on Vercel's infrastructure, which processes your requests and may log basic access information.

We do NOT sell, rent, or trade your personal information to third parties for marketing or advertising purposes. We do not share your data with data brokers or advertisers.

6. Data Security

We implement robust security measures to protect your data:

• Encryption at rest: LinkedIn OAuth tokens and other sensitive credentials are encrypted using AES-256-GCM encryption before storage.
• Encryption in transit: All data transmitted between your browser and our servers is protected by TLS/SSL encryption.
• Row-Level Security (RLS): Our database enforces row-level security policies, ensuring users can only access their own data.
• Key separation: Service role keys are separated from public keys, with different access levels for different operations.
• Secure authentication: Passwords are hashed using bcrypt with appropriate salt rounds. Sessions use secure, HTTP-only cookies.
• Regular security reviews: We conduct periodic security assessments and maintain updated dependencies.

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry-standard security practices.

7. Data Retention

• Account data: Retained while your account is active and for 30 days after account deletion, to allow for potential account recovery. After 30 days, all account data is permanently deleted.
• Generated content: Retained until you delete it or until your account is terminated. You can delete individual pieces of content at any time.
• LinkedIn tokens: Encrypted at rest and immediately deleted when you disconnect your LinkedIn account.
• Payment data: Managed by Stripe according to their data retention policy and PCI DSS requirements. We retain transaction records for accounting purposes as required by law.
• Log data: Retained for up to 90 days for security and debugging purposes, then automatically purged.
• Anonymized analytics: Aggregated, anonymized data may be retained indefinitely as it cannot be used to identify individuals.

8. Your Rights

You have the following rights regarding your personal data:

• Access: You can access your personal data at any time through your account settings and dashboard.
• Export: You can request a complete export of your data, including all generated content, brand kit settings, and account information, in a machine-readable format.
• Deletion: You can delete your account and all associated data. Upon request, we will delete all your personal data within 30 days, except as required by law.
• Disconnect LinkedIn: You can disconnect your LinkedIn account at any time, which immediately deletes all stored OAuth tokens.
• Opt out of analytics: You can opt out of non-essential usage analytics through your account settings.
• Correction: You can update or correct your personal information through your account settings at any time.
• Restriction: You can request that we restrict processing of your data in certain circumstances.

To exercise any of these rights, please contact us at admin@fuentesdigitalventures.com. We will respond to all legitimate requests within 30 days.

9. Cookies

We use a minimal set of cookies necessary for the Service to function:

• Session cookies: Essential for authentication and maintaining your logged-in state. These cookies are secure, HTTP-only, and expire when you close your browser or after a defined session period.
• Preference cookies: Used to remember your preferences such as theme settings and language. These are first-party cookies only.

We do not use third-party tracking cookies, advertising cookies, or any form of cross-site tracking. We do not participate in any ad networks or share cookie data with third parties.

10. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to promptly delete such information. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at admin@fuentesdigitalventures.com.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. Our infrastructure providers, Supabase and Vercel, may store and process data in various regions including the United States and the European Union.

When we transfer personal data across borders, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the recipient's participation in recognized data protection frameworks. By using the Service, you consent to the transfer of your information to these locations.

12. GDPR Compliance (European Union Users)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract performance: Processing necessary to provide the Service as described in our Terms of Service.
• Legitimate interests: Processing for security, fraud prevention, service improvement, and analytics, where such interests are not overridden by your rights.
• Consent: Where you have provided explicit consent, such as connecting your LinkedIn account or opting in to communications.
• Legal obligation: Processing necessary to comply with applicable laws and regulations.

Your GDPR Rights

In addition to the rights listed in Section 8, EU/EEA users have the right to:

• Lodge a complaint with your local data protection authority
• Object to processing based on legitimate interests
• Request data portability in a structured, machine-readable format
• Withdraw consent at any time (where processing is based on consent)

Data Protection Contact

For GDPR-related inquiries, please contact our Data Protection Officer at admin@fuentesdigitalventures.com.

13. CCPA Compliance (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

Categories of Information Collected

• Identifiers (name, email address, IP address)
• Commercial information (subscription plan, billing history)
• Internet or electronic network activity (usage data, log data)
• Professional information (job title, company, industry)
• Inferences drawn from the above categories (content preferences, usage patterns)

Your CCPA Rights

• Right to Know: You can request details about the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out: We do not sell personal information. Therefore, we do not offer an opt-out of sale.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, please contact us at admin@fuentesdigitalventures.com. We will verify your identity before processing any request and respond within 45 days.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by email and/or by posting a prominent notice on the Service at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

We aim to respond to all privacy-related inquiries within 30 days. For urgent security matters, please include "URGENT" in your email subject line.