1. Purpose
This policy sets out how Blankstate processes personal data — both for its own corporate purposes and on behalf of its customers — and how it discharges its obligations as a data controller and processor under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), and equivalent applicable foreign data-protection regimes (LGPD, India DPDP, US state-level laws). It is the single, company-wide statement of Blankstate’s privacy posture.
2. Scope
This policy applies to:
- All personal data processed by Blankstate, regardless of medium or location.
- All Blankstate personnel (employees, contractors, third parties acting on behalf of Blankstate).
- All Blankstate systems, services, and sub-processors involved in personal-data processing.
- All controller and processor activities undertaken by Blankstate.
3. Guiding principles
- Zero personal-data retention by design. The Blankstate platform is architected so that raw interaction content is never persistently stored. Sensing produces deterministic, projection-based outputs (internally referred to as “energy”); the originating content is held only for the duration of a single request, and the projected measurements that are persisted carry no PII. The only personal data persisted by the platform is what is structurally necessary to operate it — sign-in identifiers and user-profile records for authenticated platform users. Cloud and on-premise deployments are both available under the same architectural commitments, with PII handling scoped to the customer’s chosen deployment. Data minimisation is therefore a primary technical control, not an aspiration.
- Lawful, fair, and transparent processing. Every processing activity has a documented lawful basis and is described to data subjects through the Privacy Notice and customer contracts.
- Purpose limitation. Personal data processed on behalf of a customer is used only for the contracted services and the customer’s documented instructions. Blankstate does not repurpose customer personal data for its own commercial benefit, marketing, model training, or unrelated purposes.
- Proportionate retention. Personal data is retained only as long as necessary for the purpose for which it was collected, in line with BKS-RR-001 (Records Retention).
- Security by design. Personal data is protected through the controls in BKS-ISP-001 (Information Security Policy), including least-privilege RBAC, AES-256-GCM encryption of sensitive fields, TLS 1.2+ in transit, and centralised audit logging.
- Accountability. Roles, responsibilities, and records of processing are documented; controls are evidenced through audit logs and periodic review.
4. Roles and responsibilities
| Role | Responsibilities |
|---|---|
| Data Protection Officer — Ime Akpan (CDAO) | Designated DPO. Owns the privacy programme; primary contact for data subjects, customers, and supervisory authorities; coordinates DPIAs, TRAs, and DSR responses; maintains the Record of Processing Activities (ROPA); approves sub-processor changes |
| Executive Sponsor — Mehdi Cheraitia (Co-Founder) | Final accountability; signs off on annual policy review and on material changes |
| Primary Owner (InfoSec) — Ruchi Agrawal (Head of GDS) | Joint custodian for security controls protecting personal data; coordinates with the DPO on incidents |
| Engineering | Implements data-protection controls in code; enforces zero-retention defaults; surfaces privacy issues via code review |
| All personnel | Comply with this policy; report suspected personal-data incidents immediately |
5. Lawful basis and roles
Blankstate operates in two capacities:
- Controller. For its own corporate processing — employee data, contractor data, prospect / customer business-contact data, website analytics, billing data. Lawful bases relied upon include contract (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), and legitimate interests (Art. 6(1)(f)).
- Processor. For personal data processed on behalf of customers under a Data Processing Agreement (DPA). Blankstate acts strictly on the customer’s documented instructions.
6. Categories of personal data
Categories typically processed:
- Business contact information (name, business email, job title, business telephone number).
- User account and authentication information for the Atlas platform (name, email, organisation, role, hashed credentials).
- Technical / usage data (IP address, device identifier, user ID, audit log records, security event records).
- Support and service-management communications.
- Employee / contractor administration data (held as controller).
Blankstate does not intentionally collect or require: special category personal data (Art. 9), criminal-offence data (Art. 10), payment card data, or consumer financial-account data — unless specifically agreed in writing for a particular engagement.
7. International transfers
Production personal data is hosted in Blankstate’s chosen UK region (Google Cloud Platform europe-west2, London, United Kingdom). Customer-deployed (on-premise) options are available under contract. Any international transfer (e.g. India-based support personnel accessing UK-hosted data) is governed by a UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses, or an equivalent recognised transfer mechanism, supplemented by a Transfer Risk Assessment (TRA) where required.
8. Sub-processors
Sub-processors that may process customer personal data are listed in BKS-SUB-001 (Sub-Processor List). Sub-processors are engaged only after assessment under BKS-TPR-001 and are bound by contractual obligations no less protective than Blankstate’s own. Material additions and changes are notified to customers with a minimum 30 calendar days’ notice, unless a shorter period is required for security reasons.
9. Data subject rights
Blankstate facilitates the exercise of data subject rights (access, rectification, erasure, restriction, portability, objection, automated-decision rights). As a processor, Blankstate forwards customer-controlled DSRs to the relevant customer and assists with technical fulfilment. As a controller, Blankstate responds directly within the statutory window (one calendar month, extendable to three in limited circumstances).
DSR coordination: the DPO via dpo@blankstate.ai.
10. Personal data breach handling
Personal data breaches are managed under BKS-ICP-001 (Incident Communication Protocol) and this policy. As a processor, Blankstate notifies the affected customer without undue delay (and in any event within 24 hours of confirmation of a customer-impacting personal data breach), with the content required by Art. 33(3) of the UK GDPR. As a controller, Blankstate notifies the UK Information Commissioner’s Office (ICO) within 72 hours where a breach is likely to result in a risk to natural persons’ rights and freedoms.
11. Privacy by design and by default
New features, integrations, and architectural changes that involve personal data are subject to a privacy review by the DPO before release. The default position is data minimisation, pseudonymisation where feasible, and avoiding persistence of raw personal data. Material changes trigger a Data Protection Impact Assessment (DPIA) where the criteria in Art. 35 UK GDPR are met.
12. Records of processing
The DPO maintains a Record of Processing Activities (ROPA) covering all controller and processor activities, including purposes, categories of data subjects and data, recipients, retention periods, transfer mechanisms, and security measures. The ROPA is reviewed at least annually.
13. Training and awareness
All personnel complete annual data-protection awareness training. Personnel handling personal data on behalf of customers receive additional role-specific training. Training completion is recorded and audited.
14. Compliance approach
This policy aligns with UK GDPR, EU GDPR, the Data Protection Act 2018, the UK Privacy and Electronic Communications Regulations (PECR), ISO/IEC 27701 control families, and customer DPA commitments. The control baseline is operative today; ISO 27701 certification preparation is on the company roadmap alongside ISO 27001.
15. Policy management
Reviewed at least annually. Documented exceptions require sign-off by the Executive Sponsor and a defined remediation date. Distributed publicly via the Trust Center.