Back

Privacy Policy

Effective Date: December 17, 2025 | Last Updated: December 17, 2025

Summary

  • Cloud version: We store your data securely. You can export or delete anytime.
  • BYOK: Your API keys go directly to providers. We never store them.
  • BYOD: Your data stays in your Convex database. We only store operational data.
  • Self-hosted: You control everything. Nothing leaves your infrastructure.

What Data We Collect

Account Information

  • Email address (for authentication)
  • Name (optional, for personalization)
  • OAuth connections (Google, GitHub if you use them)

Usage Data

  • Conversations and messages (encrypted at rest)
  • Notes, tasks, and projects you create
  • Memory extractions (facts from conversations)
  • Token usage and costs (for billing and transparency)

What We Don't Collect

  • Your API keys (BYOK mode - sent directly to providers)
  • Browsing history or tracking cookies
  • Data from your personal Convex database (BYOD mode)

How We Use Your Data

  • Provide the service: Store and sync your conversations
  • Memory features: Extract and recall facts you've shared
  • Cost tracking: Show you exactly what you're spending
  • Improve the product: Aggregate, anonymous usage metrics

Third-Party Services

We use these services to operate blah.chat:

  • Convex: Database and backend (privacy policy)
  • Clerk: Authentication (privacy policy)
  • Vercel: Hosting and AI Gateway (privacy policy)
  • AI Providers: OpenAI, Anthropic, Google, etc. (each has their own privacy policy)

Your Rights

  • Export: Download all your data anytime
  • Delete: Remove your account and all associated data
  • Access: See exactly what data we have about you
  • Portability: Get your data in machine-readable format

Data Retention

  • Active accounts: Data kept as long as your account is active
  • Deleted accounts: Data permanently deleted within 30 days
  • Memories: Expire after 90 days by default (configurable)

Security

  • All data encrypted in transit (TLS 1.3)
  • All data encrypted at rest (AES-256)
  • SOC 2 compliant infrastructure (Convex, Clerk, Vercel)
  • No plaintext storage of sensitive data

GDPR Compliance

If you're in the EU, you have additional rights under GDPR. We comply with all requirements including data portability, right to erasure, and data processing agreements with our subprocessors.

Contact

Questions about privacy? Email us at blah.chat@bhekani.com

For self-hosted instances, see the full self-hosted privacy policy on GitHub.