Privacy Policy

Last updated: 16 June 2026

1. Who We Are

EAS Technology Consulting Limited trading as Blankitt ("we", "us", "our") operates the following services:

  • blankitt.com — marketing website
  • draw.blankitt.com — IT infrastructure diagram editor
  • portal.blankitt.com — account, billing, and endpoint management
  • dmarc.blankitt.com — DMARC email-authentication monitoring
  • finance.blankitt.com — personal finance app with Open Banking integration

We are also rolling out additional business applications (Finance for business, HR, and GRC). This policy is updated as each becomes generally available, and explains how we collect, use, and protect your data across our services.

2. What Data We Collect

Analytics Data

When you consent, we use Google Analytics 4 (GA4) to collect anonymised usage data including page views, device type, browser, and approximate geographic region. We also use Cloudflare Web Analytics, which is entirely cookie-free and does not collect personal data.

We additionally send a small set of high-level account events — account creation, first bank connected, subscription start/cancel, account deletion, and data export — from our servers to GA4 so we can understand the customer journey end-to-end. Server-side events use your account ID as the GA4 client identifier and contain no transaction data, bank balances, or personal information beyond what's named here.

Account Data

When you create an account on any Blankitt app (Draw, Portal, DMARC, or Finance), we collect your email address, name, and password (stored as a salted hash). We never store passwords in plain text.

Financial Data

If you connect a bank account on finance.blankitt.com, we receive account identifiers (sort code, account number, IBAN where applicable, masked card numbers), bank and account metadata (bank name, account type, currency, nickname), real-time balances, and transaction history (typically the most recent 90 days, refreshed daily). Access tokens issued by your bank are encrypted at rest using AES-256-GCM. We never receive your bank login credentials, password, or PIN. See section 9 for the full Open Banking disclosure.

DMARC Monitoring Data

If you use Blankitt DMARC, we process DMARC reports about email sent using your domains. Aggregate (RUA) reports contain sending IP addresses, the domains and mail servers involved, SPF/DKIM authentication and alignment results, message volumes, and the policy applied. Forensic (failure) reports, where you enable them, can additionally contain message-level metadata such as the From/To headers and subject of individual failing messages. Because these reports describe mail sent (or spoofed) as your domains, they can include the IP addresses and domains of third parties. See section 10 for the full DMARC disclosure, including mailbox connections.

Payment Data

If you upgrade to a paid plan, we use Stripe to process payments. We do not store full card numbers — Stripe handles card data directly. We retain a Stripe customer ID, the last four digits of your card, the card brand, and your billing country in order to display your subscription, manage renewals, and meet UK tax record-keeping requirements.

Diagrams & Projects

Diagrams created in Blankitt Draw are stored locally in your browser by default. If you choose to save to the cloud, diagram data is stored on our servers (Cloudflare D1). Diagrams may contain device names, IP addresses, and network topology that you enter.

Free Tools & Enquiries

When you use a free tool such as our DMARC checker, or submit an enquiry or assessment form, we collect the information you provide — for example the domain you ask us to check and, if you choose to share it, your email address — so we can return your result and, with your consent, follow up about it. These forms are handled by our own marketing systems and protected with Cloudflare Turnstile, a privacy-preserving, cookie-free bot check.

Attribution Data

When you consent to analytics, we capture UTM campaign parameters and referrer information to understand how you found us.

3. Cookies & Similar Technologies

Name | Purpose | Category | Duration
_ga | Google Analytics visitor ID | Analytics | 2 years
_ga_* | GA4 session state | Analytics | 2 years
_gid | GA4 session ID | Analytics | 24 hours
blankitt-consent | Your cookie preferences | Essential | Persistent
draw-auth-token | Authentication (Draw) | Essential | Session
token | Authentication (Portal, DMARC, and other Blankitt apps) | Essential | Session
blankitt-draw-projects | Crash recovery | Essential | Persistent
draw-sidebar-width, draw-landing-theme, blankitt-theme | UI preferences | Functional | Persistent
utm_source, utm_medium, utm_campaign (sessionStorage) | Campaign attribution | Analytics | Session

Cloudflare Web Analytics does not use cookies or collect personal data. It is loaded on all pages regardless of your cookie preferences. Cloudflare Turnstile (used on free tools and contact forms) is a cookie-free bot check and is not used for tracking or advertising.

4. How We Use Your Data

  • Improve our products and user experience
  • Understand aggregate usage patterns
  • Provide and secure your account
  • Communicate about your account or service changes

We do not sell your personal data to third parties.

5. Legal Basis for Processing (GDPR)

  • Consent — Analytics cookies are only set after you actively consent; marketing follow-up to a free-tool enquiry is sent only with your consent
  • Contract — Account data, and the monitoring/processing you sign up for (e.g. DMARC), are processed to provide the service
  • Legitimate interest — Essential cookies and bot protection for security and functionality

6. Your Rights (GDPR)

If you are in the EU, EEA, or UK, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Request erasure of your data
  • Data portability (receive your data in a structured format)
  • Restrict processing
  • Object to processing
  • Withdraw consent at any time via the "Cookie Settings" link in the footer

Where Blankitt processes data on behalf of a business customer (for example, DMARC report data), that customer is the data controller; please direct such requests to them and we will assist as their processor.

7. Your Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the "sale" or "sharing" of personal information (we do not sell data)
  • Non-discrimination for exercising your rights

8. Global Privacy Control

We honour the Global Privacy Control (GPC) browser signal. If your browser sends a GPC signal, analytics cookies will be automatically disabled without requiring further action from you.

9. Open Banking Data

If you connect a bank account to Blankitt's personal finance product, we use the UK's Open Banking framework to fetch your account data. The Open Banking framework is regulated by the Financial Conduct Authority (FCA) and underpinned by the Payment Services Regulations 2017 (PSR 2017).

Who acts as your Account Information Service Provider (AISP)?

Yapily Ltd ("Yapily") is the FCA-authorised AISP. Yapily is registered with the FCA under firm reference number (to be confirmed once Yapily's agent agreement is signed). Blankitt operates as Yapily's appointed representative under PSR 36(1), which means Blankitt arranges the connection on your behalf and Yapily is the regulated party performing the account-information service.

You can verify Yapily's authorisation on the FCA Financial Services Register.

What data we receive from your bank

When you authorise the connection at your bank, your bank shares the following with Yapily, who then makes it available to Blankitt:

  • Account identifiers (account number, sort code, IBAN where applicable, masked card numbers).
  • Account metadata: bank name, account type, currency, nickname.
  • Real-time account balances.
  • Transaction history (typically the most recent 90 days, refreshed daily).

We do not receive your bank login credentials or PIN. Authentication happens directly between you and your bank during the consent flow.

Lawful basis: consent

We process this data on the basis of your explicit consent under UK GDPR Article 6(1)(a). You consent during your bank's authorisation flow before any data is shared. Open Banking consents last for 90 days under PSR rules; after that, data sync stops automatically until you reconnect.

Withdrawing consent

You can revoke a connection at any time from the Bank Feeds page in your Blankitt account. We will:

  1. Tell Yapily to revoke the consent at your bank (so your bank stops sharing data).
  2. Mark the connection as disconnected within Blankitt.
  3. On request, permanently delete the imported transactions and account metadata. (Permanent delete is a separate action — by default we retain history so you can browse it post-disconnect.)

You can also withdraw consent directly with your bank.

Where the data is stored

Imported account data is stored in encrypted form in the United Kingdom and Republic of Ireland regions of Cloudflare, Inc.'s D1 SQLite-compatible database. Sensitive fields (access tokens issued by your bank, sort codes, account numbers) are encrypted at the application level using AES-256-GCM, keyed separately from the rest of our infrastructure secrets.

Third-party data processors

The chain of processors for your bank data is:

Processor | Role | Jurisdiction
Your bank | Data controller (the source) | UK / your bank's home country
Yapily Ltd | AISP — fetches data from bank, hands to Blankitt | United Kingdom
Blankitt | Application — displays and categorises data for you | United Kingdom
Cloudflare, Inc. | Storage and edge compute infrastructure | UK + Republic of Ireland

Each processor in this chain has its own privacy policy. Yapily's is at yapily.com/legal/privacy. Cloudflare's is at cloudflare.com/privacypolicy.

How long we keep the data

For as long as you keep the connection active or the imported transactions in your account. If you disconnect a bank, the consent is revoked but transaction history is retained until you choose "Delete" (a separate, irreversible action) or close your Blankitt account.

Your rights

UK GDPR gives you the right to access, correct, and delete the data we hold on you. Email privacy@blankitt.com and we'll respond within 30 days. You can also complain to the Information Commissioner's Office (ICO) at ico.org.uk.

10. DMARC Email Authentication Data

Blankitt DMARC helps you monitor and improve the email authentication (DMARC, SPF, and DKIM) of domains you own. This section explains the data involved and how mailbox connections work.

Controller and processor

For business customers, you are the data controller of the DMARC report data relating to your domains, and Blankitt acts as your processor, processing it only to provide the monitoring service and on your instructions. A Data Processing Agreement is available to business customers on request (privacy@blankitt.com); our sub-processors are listed at blankitt.com/subprocessors.

How we receive reports

There are two ways DMARC reports reach Blankitt, and you choose which to use:

  • Blankitt report address. We give you a unique address of the form <id>@rua.blankitt.com to publish in your domain's DMARC DNS record. Mailbox providers (Google, Microsoft, Yahoo and others) then email aggregate reports to that address, where we ingest them. The address is specific to your account.
  • Connected mailbox. Alternatively, you can connect a Microsoft 365 or Google Workspace mailbox so we collect reports that already arrive there.

Mailbox connections (Microsoft 365 / Google Workspace)

If you connect a mailbox, you authorise Blankitt — through Microsoft's or Google's standard OAuth consent — to access that mailbox to read and extract DMARC report attachments. We:

  • request the narrowest access the provider offers for this purpose;
  • process only DMARC report messages and their attachments — we do not read, store, or use your other email for any purpose;
  • store the resulting access credentials encrypted at rest (AES-256-GCM); and
  • let you disconnect at any time from the DMARC app's settings, which stops collection and deletes the stored credentials.

DNS lookups and the free checker

To assess a domain, we perform DNS lookups of its public email-authentication records (DMARC, SPF, DKIM, BIMI, MTA-STS, TLSRPT). Our free DMARC checker does a live lookup of the domain you enter and returns an assessment; if you provide an email address to receive your result, we handle it as described in section 2. You may only check domains you own or are authorised to assess — see our Acceptable Use Policy.

Storage, sub-processors, and retention

DMARC data is stored in Cloudflare's D1 database, scoped to your account, in Cloudflare's UK/EU regions (see section 12). The sub-processors used for DMARC are Cloudflare (hosting, storage, report-email routing, and Turnstile bot protection), Microsoft and/or Google (only if you connect their mailbox), Resend (notification emails), and Stripe (billing) — the full list is at blankitt.com/subprocessors. Reports are retained for your plan's retention window (from 30 days up to 2 years) and older data is then deleted automatically; you can also request deletion at any time. Lawful basis: contract (to provide the monitoring you signed up for) and, for a mailbox connection, your authorisation.

11. Data Retention

  • GA4 data: retained for 14 months (Google default)
  • Account data: retained while your account is active. Deleted upon request.
  • Cloud projects: retained while your account is active. Deleted upon request.
  • Bank connections & transactions: retained while your connection is active. After disconnect, transaction history is retained until you delete it or close your account. Encrypted bank tokens are deleted immediately on disconnect.
  • DMARC reports & monitoring data: retained for your plan's retention window (30 days to 2 years); older reports are deleted automatically by a scheduled cleanup. Deleted on request, and on account closure.
  • Free-tool enquiry data (e.g. DMARC checker leads): retained in our marketing system while relevant to your enquiry, and deleted on request.
  • Payment records: retained for 7 years to meet UK tax and accounting record-keeping requirements (Companies Act 2006).
  • Transactional email logs: retained for 30 days by Resend (our email provider) for delivery diagnostics, then deleted.
  • Server-side analytics: IP addresses are hashed with SHA-256. Raw events retained for 90 days.

12. International Transfers

Your data may be processed by:

  • Google LLC (United States) — for analytics, and — only if you connect a Google Workspace mailbox to Blankitt DMARC — for accessing that mailbox to collect DMARC reports
  • Microsoft Corporation / Microsoft Ireland Operations Ltd — only if you connect a Microsoft 365 mailbox to Blankitt DMARC, for accessing that mailbox to collect DMARC reports
  • Cloudflare Inc. (United Kingdom + Republic of Ireland regions) — for hosting, storage, CDN, DMARC report-email routing, and Turnstile bot protection
  • Yapily Ltd (United Kingdom) — FCA-authorised AISP for Open Banking connections
  • Stripe Payments Europe Ltd (Republic of Ireland) and Stripe, Inc. (United States) — for processing subscription payments
  • Resend Inc. (United States) — for sending transactional emails (account verification, password resets, notifications, support replies)

Providers outside the UK and EEA maintain appropriate safeguards for international data transfers, including UK International Data Transfer Agreements (IDTA) or EU Standard Contractual Clauses (SCCs). The current sub-processor list is published at blankitt.com/subprocessors.

13. Children's Privacy

Our services are not directed at individuals under 16. We do not knowingly collect data from children.

14. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the website. The "last updated" date at the top reflects the most recent revision.

15. Contact Us

For privacy-related questions or to exercise your rights: