Legal

Privacy Policy

Last updated: May 2, 2026

1. Who we are

This policy describes how Your Company ("Blinkwell", "we", "us") handles personal information when you use the Blinkwell desktop app, our website, or any of our supporting services (together, the "Services").

If you have questions, write to [email protected] and a person will read it.

2. The Blinkwell desktop app

The desktop app is the part of Blinkwell that watches you. It uses your Mac's camera to estimate two things in real time:

  • Eye activity — blink rate and Eye Aspect Ratio (EAR), used to nudge you toward healthier blinking and toward taking screen breaks before your eyes ache.
  • Body posture — shoulder tilt, head-forward distance, and chin lift, used to nudge you when you're slouching or craning toward the screen.

All of this runs locally with Apple's Vision framework. Concretely, the desktop app:

  • Never uploads camera frames, video, audio, facial landmarks, body landmarks, EAR values, posture scores, or any derivative of the above.
  • Holds individual camera frames in memory only long enough to extract landmarks, then discards them. Frames are not written to disk.
  • Stores aggregated, non-identifying counters (e.g. blinks-per-hour, posture-score-per-hour) in a local SQLite-style cache on your Mac so you can see your own history. You can clear this from the app at any time.
  • Saves your preferences (break cadence, sensitivity, sound, etc.) in the standard macOS user defaults database.

The app ships with a built-in Network Auditor that registers a custom URL protocol handler at startup and rejects any outbound request originating from inside the Blinkwell process. If a future change ever tried to send your camera data anywhere, the auditor would block it before the packet left your machine. The auditor's decisions are logged so you can verify the behaviour yourself.

3. The website and your account

You can use most of Blinkwell.com without an account. When you do create one (to manage a license, subscribe to updates, or contact support), we collect:

  • Email address — required, used to identify your account, send verification and password-reset emails, and reach you about important account or service changes.
  • Name — optional, used so we can address you properly in email.
  • Password — never stored in plaintext. We store a salted bcrypt hash; even we cannot recover the original.
  • Acquisition signals — the referrer and any UTM parameters from the visit when you signed up, used to understand which channels work for us. This is stored as campaign metadata against your account, not sold or shared.

When you simply browse the marketing site, our servers see standard HTTP request data: IP address, user agent, the page you requested, and the referrer. We use this to operate the site, defend against abuse (rate limits, bot detection), and troubleshoot errors. Server logs are retained for up to 30 days and then deleted.

4. Email we send you

We send three categories of email:

  • Transactional — verification, password reset, security alerts, and receipts. You cannot opt out of these while you have an active account, because they are necessary to operate it.
  • Service — important changes to the app, this policy, or your account. We send these only when there is something genuinely worth telling you.
  • Newsletter / marketing — opt-in only. Every message has a one-click unsubscribe; we honour it immediately.

5. Cookies, analytics, and tracking

The desktop app uses no cookies and no third-party SDKs. The marketing site uses a small set of cookies; full details live in the Cookie Policy.

Optional analytics (Google Analytics, Microsoft Clarity) are off by default and only run when the operator of this deployment configures them. When enabled, they help us understand which pages people read and where things break; they never receive content you type into the app or any camera-derived data, because that data is on your Mac, not ours.

6. Service providers

We rely on a small set of third parties to deliver the Services. Each one only sees the minimum data it needs to do its job, and is contractually required to handle that data confidentially.

  • Hosting — for the marketing site and API.
  • Email delivery — for transactional and newsletter emails (sees your email address and the message we send to you).
  • Database — managed MongoDB-compatible storage for accounts and preferences.
  • reCAPTCHA — invoked on sign-up, sign-in, and password reset to deter automated abuse. Subject to Google's privacy policy and terms.
  • Payments (if applicable) — handled by a PCI-compliant processor. We never see your full card number.

We do not sell, rent, or trade personal information. We only share it where strictly necessary to operate the service or where the law requires it (e.g. a valid subpoena).

7. How long we keep things

  • Account data — for as long as your account is active. Closed accounts are deleted within 30 days of the close request, except where law requires us to retain specific fields longer (e.g. invoicing).
  • Server logs — up to 30 days.
  • Email logs — up to 90 days for delivery diagnostics, then deleted.
  • On-device app data — stays on your Mac until you clear it from the app or uninstall.

8. Your rights

Depending on where you live, you have some or all of the following rights over the data we hold about your account (the on-device data is yours alone — we never had a copy in the first place):

  • Access a copy of your data.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Withdraw consent for any opt-in processing.
  • Object to or restrict processing in some circumstances.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these, write to [email protected]. We will respond within 30 days.

9. Children

Blinkwell is not directed at children under 13 (or under 16 in the EU/UK), and we do not knowingly collect their personal information. If you believe a child has created an account, let us know and we will delete it.

10. International users and data transfers

Our servers may be located in the United States or the European Union depending on the deployment. Where we transfer personal data across borders, we rely on appropriate safeguards (standard contractual clauses or equivalents) to protect it.

11. Security

We take reasonable steps to protect your data: TLS in transit, encryption at rest for sensitive fields, hashed passwords, short-lived authentication tokens, scoped access for staff, and routine updates. No system is perfectly secure; if we ever believe a breach has affected you, we will tell you and the relevant authorities promptly.

12. Changes to this policy

When we update this policy, we'll change the "Last updated" date at the top, and for material changes we'll email account holders at least 14 days before the change takes effect. Continued use of the Services after a change means you accept the updated policy.

13. Contact

Email [email protected]. Postal mail goes to Your Company, address available on request.