Legal

Privacy policy

This policy explains what personal data AI Design Blueprint processes across public discovery pages, member activation, validation runs, waitlist and pilot intake, and admin operations, why that processing happens, and which controls are available to you.

Last updated: April 10, 2026

What we collect

Depending on how you use the platform, we may process account identifiers, sign-in provider data, profile information, communication preferences, activation answers, recommended route summaries, learning progress, validation runs, waitlist entries, pilot applications, and operational security logs.

Why we process it

We use this information to authenticate members, create and maintain workspaces, preserve course access, track progress, support validation and pilot workflows, generate activation recommendations, assess lead and platform health, operate waitlists and pilot intake, and improve reliability, support, and product quality.

Activation and lead intelligence

Activation answers, selected tools, artefact state, route recommendations, learning activity, waitlist status, pilot status, and related operational signals may be combined into internal lead-intelligence summaries for admin review and weekly operational reporting. These summaries are used to prioritize support, understand product demand, and identify friction in the platform. They are not sold to third parties.

Cookies and optional consent

Necessary cookies are used to run the service and maintain basic functionality. Optional consent controls currently cover analytics storage and research contact preferences. You can grant or withdraw those optional consents through the cookie banner and, when signed in, from the Privacy & data management section inside the app.

Third-party processors

Authentication currently relies on Firebase Authentication, including Google sign-in when selected by the user. Analytics measurement relies on Google Analytics 4 (GA4), which is loaded only when you grant analytics consent via the cookie banner; GA4 operates under Google's data-processing terms and consent mode v2. Email delivery and preference synchronization may rely on Resend. Platform and infrastructure providers may process operational data needed to host, secure, and monitor the service. AI and model providers may process prompts and outputs needed to run localized content, activation routing, evaluation, or reporting workflows.

Storage, retention, and deletion backups

We keep personal data only for as long as it is needed for the service, security, legal obligations, or legitimate operational continuity. If you request account erasure, the live account and linked in-product records are removed, and a time-boxed backup snapshot may be retained for the number of days you selected in the Privacy & data management section before it is purged.

Your controls and rights

When signed in, you can use the Privacy & data management section to review optional consents, inspect a data inventory, generate a portable export of account-linked data, and request account deletion. You can also update communication preferences and stop using a sign-in method at any time, subject to any account-recovery constraints.

MCP tools and agent feedback

Static instruction files (AGENTS.md, .mdc rules, copilot-instructions.md) are local files only — they send nothing. Retrieval MCP tools (list_principles, search_examples, etc.) fetch doctrine and examples from our servers. When you or your agent client call report_value_event or submit_feedback, only the structured fields you explicitly pass are stored — event type, rating, brief context note, and optional contact email. Raw prompts, proprietary code, file contents, and repository details are never stored — do not include sensitive content in the brief_context field. contact_email is only stored when you explicitly set permission_to_follow_up to true; this is confirmed in the tool response. When validate_agent_architecture processes code you provide, that code is sent to an external LLM provider (Anthropic) during processing, is processed transiently for the duration of that call, and is not retained by AI Design Blueprint as raw implementation context. Only the structured result (principle slugs, coverage scores, assessment status) is stored. Set private_session=true on validate_agent_architecture to skip all server-side logging for that specific call — this parameter is specific to that tool. You can request deletion of signal records tied to your account via the data deletion process described above.

Security and accountability

We use managed authentication, server-side session controls, admin access restrictions, internal service keys, and secret management to reduce exposure of personal data. We also retain limited operational logs to detect abuse, protect platform availability, and investigate incidents. No system is perfect, so safeguards evolve with the platform.