Privacy Policy

How Blueprint.gg collects, uses, and protects your data. We believe in transparency and minimal data collection.

Last updated: March 9, 2026

    Introduction

    Blueprint.gg ("Blueprint," "we," "us," or "our") is operated by Blueprint. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (blueprint.gg) and our SaaS platform (the "Service").

    By accessing or using Blueprint, you agree to this Privacy Policy. If you do not agree, do not use the Service.

    Definitions

    • Personal Data — Information that identifies you (name, email, IP address)
    • Customer Data — Data you create or store within Blueprint (workspace settings, team configurations, saved reports)
    • Ad Platform Data — Campaign data synced from Google Ads, Microsoft Ads, and Meta Ads via OAuth 2.0 (campaign names, budgets, keywords, quality scores, spend, impressions, conversions, search terms, ad sets, placement data)
    • Authorized Users — Individuals you invite to your Blueprint workspace
    • Sub-processor — A third-party service provider we use to process data on our behalf

    Information We Collect

    a. Account Information

    Email address, first and last name, password (stored as bcrypt hash, never in plaintext), workspace name, role assignments (Owner, Manager, Analyst, Viewer).

    b. Ad Platform Data

    When you connect an ad account via OAuth 2.0, we sync:

    • Campaign names, statuses, and budgets
    • Keyword-level data including quality scores and their components (expected CTR, ad relevance, landing page experience)
    • Daily spend, impressions, clicks, conversions, and CTR
    • Search terms and negative keyword lists
    • Ad set and placement data (Meta Ads)

    We do NOT collect:

    • Ad platform passwords (OAuth only)
    • End-user or consumer personal information from your ad campaigns
    • Credit card or billing information from ad platforms

    c. Automatically Collected Information

    IP address, browser type and version, device information, pages visited and features used, timestamps of actions (audit log), session identifiers, referring URLs.

    We collect this through server logs and essential cookies. We do NOT use third-party advertising trackers or sell browsing data.

    How We Use Your Data

    • Service Delivery — To provide, maintain, and improve Blueprint, including syncing ad platform data, generating reports, and running AI-powered anomaly detection
    • Security & Fraud Prevention — To detect and prevent unauthorized access, monitor for suspicious activity, enforce rate limits, and maintain audit logs
    • Billing & Account Management — To process payments (via Stripe), manage subscriptions, and communicate about your account
    • Product Improvement — To analyze aggregate, anonymized usage patterns to improve the Service. We never use individually identifiable customer data for this purpose.
    • Communications — To send transactional emails (account verification, password resets, billing receipts) and, with your consent, product updates and tips. You can opt out of non-transactional emails at any time.
    • Legal Compliance — To comply with applicable laws, regulations, and legal processes

    Ad Platform Data — Special Provisions

    Data Processor Role — Blueprint acts as a data processor on your behalf. You remain the data controller for all Ad Platform Data. We process this data solely to provide the Service as directed by you.

    Limited Use — Ad Platform Data obtained through the Google Ads API is used only to provide and improve the Service for you. It is NOT used to: serve advertisements, build user profiles for advertising purposes, sell to third parties, combine with data from other customers, or any purpose other than providing the Service. This applies equally to data from Microsoft Ads and Meta Ads APIs.

    Google API Services Disclosure — Blueprint's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

    OAuth 2.0 Access — We access your ad platform accounts exclusively through OAuth 2.0 authorization. We never request, receive, or store your ad platform passwords. You can revoke Blueprint's access to any connected ad platform at any time through the platform's security settings or through Blueprint's account settings.

    No Consumer PII — Blueprint does not access, collect, or process personal information about the individuals who see or interact with your advertisements.

    Data Sharing & Sub-processors

    We do NOT sell your Personal Data or Ad Platform Data. We share data only in these limited circumstances:

    Sub-processors

    Sub-processor | Purpose | Data Processed
    Railway | Application hosting and data storage | All service data
    Stripe | Payment processing | Billing email, payment method details
    Google Fonts | Typography delivery | IP address (standard CDN request)
    Postmark | Transactional and marketing emails | Email address, name
    Better Stack | Error monitoring, logging, and debugging | Anonymized error data, session IDs

    Other Disclosures

    • Legal Requirements — When required by law, subpoena, court order, or governmental authority
    • Business Transfers — In connection with a merger, acquisition, or sale of assets. You will be notified before your data is transferred to a new entity.
    • With Your Consent — When you explicitly authorize a disclosure
    • Aggregated/Anonymized Data — We may share aggregate statistics (e.g., "Blueprint users manage X ad accounts on average") that cannot identify any individual user or company

    Cookies & Tracking

    We use a minimal set of cookies:

    • Essential Cookies — Session authentication, CSRF protection, and user preferences. These are required for the Service to function and cannot be disabled.
    • Analytics — We do not currently use any third-party analytics tools. We rely on server-side logging to understand feature usage in aggregate. No personally identifiable data is sent to third-party analytics providers.

    We do NOT use:

    • Third-party advertising cookies
    • Social media tracking pixels
    • Cross-site tracking technologies

    We do not maintain a separate cookie policy. All cookies used by Blueprint are essential for the Service to function (authentication, workspace selection, and theme preference). We do not use any optional or tracking cookies.

    Data Security

    We implement technical and organizational measures to protect your data:

    • Encryption in Transit — All data transmitted between your browser and Blueprint is encrypted via TLS (HTTPS)
    • Encryption at Rest — Ad platform OAuth tokens are encrypted using AES-256-GCM. Passwords are hashed using bcrypt with a cost factor (salt rounds) of 10.
    • Access Control — Role-based access control (RBAC) with four permission levels: Owner, Manager, Analyst, and Viewer. All data is workspace-scoped — users can only access workspaces they belong to.
    • Audit Logging — Every significant user action is logged with timestamp, IP address, and user agent for security monitoring
    • Rate Limiting — Authentication endpoints are rate-limited to prevent brute-force attacks. Failed login attempts trigger account lockout after 10 consecutive failures (1-hour cooldown).
    • Infrastructure — Hosted on Railway's cloud platform with data stored in US-based data centers

    While we implement industry-standard security practices following OWASP guidelines, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

    Data Retention & Deletion

    • Active Accounts — We retain your data for as long as your account is active and as needed to provide the Service
    • After Termination — When you cancel your account or it is terminated, you have a 30-day window to export your data. After 30 days, we begin permanent deletion of your Personal Data, Customer Data, and Ad Platform Data from our production systems.
    • Backup Retention — Encrypted backup copies may be retained for up to 90 days after deletion from production systems, after which they are purged
    • Aggregated Data — Anonymized, aggregated data that cannot identify you may be retained indefinitely for product improvement and benchmarking
    • Legal Holds — We may retain data beyond these periods when required by law or to resolve disputes
    • OAuth Tokens — When you disconnect an ad platform account, the associated OAuth tokens are immediately revoked and deleted

    International Data Transfers

    Blueprint's servers are located in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US.

    For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

    • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide adequate protection for data transfers
    • We are not currently certified under the EU-US Data Privacy Framework
    • You may request a copy of the applicable SCCs by contacting [email protected]

    Your Rights

    For EEA/UK Residents (GDPR)

    • Access — Request a copy of the personal data we hold about you
    • Rectification — Correct inaccurate or incomplete personal data
    • Erasure — Request deletion of your personal data ("right to be forgotten")
    • Portability — Receive your data in a structured, machine-readable format
    • Restriction — Limit how we process your data in certain circumstances
    • Objection — Object to processing based on legitimate interests
    • Withdraw Consent — Where processing is based on consent, withdraw it at any time
    • Lodge a Complaint — File a complaint with your local data protection authority

    For California Residents (CCPA/CPRA)

    • Right to Know — Request details about the personal information we collect, use, and disclose
    • Right to Delete — Request deletion of your personal information
    • Right to Opt-Out of Sale — We do not sell personal information. There is nothing to opt out of.
    • Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights
    • Right to Correct — Request correction of inaccurate personal information

    How to Exercise Your Rights

    Email [email protected] with your request. We will verify your identity and respond within 30 days. For complex requests, we may extend this by an additional 60 days with notice.

    AI & Machine Learning

    Blueprint's AI Insights feature uses machine learning to analyze your ad platform data for anomaly detection and optimization suggestions.

    • Your Data Only — AI analysis is performed exclusively on your own ad account data within your workspace. Your data is never used to train models that serve other customers.
    • No Cross-Customer Training — We do not train general-purpose AI models on individual customer data
    • Aggregated Benchmarks — We may use aggregate, anonymized data across all customers to establish industry benchmarks (e.g., average quality score distributions). This data cannot identify any individual customer or their campaigns.
    • Opt-Out — You may disable AI Insights for your workspace at any time through your account settings without affecting other features
    • Third-Party AI — Blueprint uses the Google Gemini API (Gemini 2.5 Flash) to generate performance summaries, insight explanations, and executive reports. Data sent to the Gemini API includes aggregated campaign performance metrics (spend, impressions, clicks, conversions), campaign and ad group names, change history, and detected anomalies. No personally identifiable information (names, emails, IP addresses) is sent to the AI provider. All AI features are optional and available only on the Pro plan.

    Children's Privacy

    Blueprint is a business-to-business service not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

    Changes to This Policy

    We may update this Privacy Policy from time to time. For material changes, we will notify you at least 30 days in advance via email to the address associated with your account and/or by posting a prominent notice within the Service.

    Non-material changes (e.g., formatting, clarifications that don't alter meaning) may take effect immediately. We encourage you to review this policy periodically.

    Your continued use of Blueprint after any changes take effect constitutes your acceptance of the revised policy.

    Contact Us

    If you have questions about this Privacy Policy or our data practices, contact us:

    • Privacy inquiries: [email protected]
    • General support: [email protected]
    • Mailing address: 415 Gartrell Street SE Unit 2, Atlanta, GA 30312
    • Data Protection Officer: [email protected]

    For EEA residents, our EU representative is: Gregg Hawkins, [email protected]
