Data, subprocessors, retention

The short version; the legal pack has the full DPA and subprocessor list.

Blueprint processes your Brief, runs it through several third-party systems to generate the artifact bundle, and stores the result on Google Cloud. This page is the operator-friendly summary.

Where your data lives

All production data is stored in Google Cloud Platform, region us-east1 (Moncks Corner, SC, USA):

Postgres — runs, projects, users, billing records
Object storage (MinIO on GCP) — Briefs, support documents, artifact bundles
Neo4j — the run's internal graph
Qdrant — embeddings for retrieval

NOTE

If you access Blueprint from outside the United States, your data is
transferred to and processed in the US. For EU/UK customers we rely
on Standard Contractual Clauses (SCCs) per the [DPA](/dpa).

Subprocessors

Subprocessors are third-party services we send data to as part of delivering Blueprint. The full list with addresses, certifications, and data scope is at /subprocessors.

In one-line summaries:

Subprocessor	Role	What we send
Google Cloud Platform	Hosting	All Customer Content
Clerk	Authentication	Account email, sign-in events
Stripe	Billing	Payment metadata (no card numbers)
SendGrid (Twilio)	Transactional email	Email + body of welcome / completion / billing emails
Cloudflare	DNS, edge proxy	Request metadata (IP, user agent)
DeepSeek	Standard-tier LLM	Brief content (transient)
Google (Gemini API)	Embeddings + fallback LLM	Brief content (transient)
OpenAI	Premium / fallback LLM	Brief content (transient)
Sentry	Error tracking	Stack traces with PII scrubbed
BetterStack	Uptime monitoring	Health-check pings only

WARNING

DeepSeek is hosted in China. If you have ITAR/EAR / export-control
concerns about US-origin engineering data flowing to China, do not
upload such content. The [Acceptable Use Policy](/aup) prohibits
ITAR / EAR / CUI content at any sensitivity tier.

We do not use your Briefs or Artifacts to train, fine-tune, or evaluate our or any third-party models. Where supported, we configure providers to retain inputs only transiently. Some providers may retain transient inputs in their service logs for up to 30 days for abuse prevention; we cannot warrant deletion beyond what they document.

Retention

What	Retention
Briefs + artifact bundles	Life of your account + 30 days after closure
Billing records	7 years (US tax retention)
Service logs	90 days, then purged
Error reports	30 days
Backups (Postgres / object store)	Daily, retained 30 days; backup tapes may persist for an additional 90 days under rotation

What's scrubbed from error reports

Anything starting with brief_*, any s3_key, and the standard password/token/authorization/cookie fields are removed before errors are transmitted to Sentry. This prevents leakage of Customer Content into our error-tracking system.

Your rights

Depending on your jurisdiction, you have the right to access, correct, delete, port, restrict, or object to processing of your personal data. The full Privacy Policy at /privacy details the exercise procedure. Email [email protected] to start a request.

Security incidents

If you discover a security issue, email [email protected]. We acknowledge within 24 hours and coordinate disclosure timing.