LEGAL

Privacy Policy

Last updated: 2026-05-19 · Effective: 2026-05-19

This Privacy Policy explains how Blackperp ("Blackperp", "we", "us") collects, uses, stores, and protects personal data when you visit blackperp.com or use our services. We comply with the EU General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (UAVG).

This document is published in English. If you require this information in another language, contact us at the address below.

1. Data Controller

The controller responsible for your personal data under the GDPR is:

Entity	Blackperp
Registered office	Mt. Lincolnweg 38-40, The One, 1033 SN Amsterdam, Netherlands
Email	[email protected]

We have not appointed a Data Protection Officer (DPO) as we are not legally required to do so. For all privacy questions, contact the email above.

2. Data We Collect

Account data (when you sign up)

Email address
Hashed password (we never store passwords in clear text)
Signup timestamp and verification status
Browser fingerprint and IP address (for fraud prevention, see §3.4)

Subscription & payment data

Payments are processed exclusively by Stripe, Inc. We do not store full card numbers or bank details on our servers. We retain: subscription tier, status, Stripe customer ID, billing cycle, and a record of credit purchases (date, package, amount in cents).

Service usage data

Login history (timestamp, IP address, user agent)
Chat history with the AI analyst (Blackperp chat sessions)
Credit consumption and feedback submissions
Anonymous page-view analytics via self-hosted Umami (no cookies, no cross-site tracking)

Technical / log data

Server logs (IP, request path, user-agent, timestamp) are retained for security and debugging purposes for up to 90 days. CDN-level logs are processed by Cloudflare per its own privacy notice.

3. Purposes & Legal Basis (GDPR Art. 6)

Purpose	Legal basis
Account creation & authentication	Contract (Art. 6(1)(b))
Delivering the dashboard, signals, AI chat	Contract (Art. 6(1)(b))
Payment processing & invoicing	Contract + Legal obligation (Art. 6(1)(b)/(c))
Fraud, abuse, and bot prevention	Legitimate interest (Art. 6(1)(f))
Service improvement, debugging, analytics	Legitimate interest (Art. 6(1)(f))
Transactional emails (verification, receipts)	Contract (Art. 6(1)(b))
Tax and bookkeeping records	Legal obligation (Art. 6(1)(c))

4. Sub-processors & Recipients

We share personal data only with the following sub-processors, each bound by a Data Processing Agreement (DPA) where applicable:

Processor	Purpose	Location
Stripe Payments Europe Ltd.	Payment processing	Ireland (EU)
DigitalOcean LLC	Server hosting	EU region
Cloudflare Inc.	CDN, DDoS protection, CAPTCHA (Turnstile)	Global (SCCs in place)
OpenRouter / Anthropic	LLM inference for AI analyst & news rewriting	USA (SCCs in place)
Resend / Resend	Transactional email delivery	EU/USA (SCCs)

We do not sell or rent personal data. We will only disclose data to law enforcement when compelled by a valid Dutch or EU legal order.

5. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) — primarily to LLM providers and Cloudflare in the United States — we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures (encryption in transit, access controls) to ensure an adequate level of protection under Chapter V GDPR.

6. Data Retention

Account data	Until account deletion + 30 days
Server & access logs	90 days
Chat history & feedback	Until account deletion (you can delete sessions individually)
Payment / invoice records	7 years (Dutch tax law)
Fraud signals (fingerprints, IP)	12 months

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

Access — request a copy of the data we hold about you (Art. 15)
Rectification — correct inaccurate data (Art. 16)
Erasure — "right to be forgotten" (Art. 17)
Restriction — limit how we process your data (Art. 18)
Portability — receive your data in a machine-readable format (Art. 20)
Objection — object to processing based on legitimate interest (Art. 21)
Withdraw consent — where processing is based on consent

To exercise any of these rights, email [email protected]. We will respond within one month (Art. 12(3)).

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

8. Cookies & Tracking

Blackperp uses minimal cookies, all functional and necessary:

Session cookie — authentication, required to stay logged in
Stripe cookies — payment fraud detection, set only during checkout
Cloudflare cookies — security and bot mitigation

We use self-hosted Umami for page-view analytics. Umami does not set cookies, does not track users across sites, and does not collect personally identifiable information. We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers.

9. Security Measures

We employ industry-standard security controls:

HTTPS/TLS for all traffic, HSTS preload enabled
Passwords stored using bcrypt hashing
Database access restricted to localhost; no public database exposure
Content Security Policy (CSP) blocking unauthorized scripts
Cloudflare Turnstile bot protection on signup
Rate limiting and IP-based fraud detection
Regular dependency updates and security audits

In the event of a personal data breach affecting your rights, we will notify the Dutch DPA within 72 hours and inform you without undue delay where required by Art. 34 GDPR.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated via email to active subscribers. The "Last updated" date at the top of this page reflects the latest revision.

→ Terms of Service → Risk Disclosure → Editorial Standards → Contact