What we collect
Depending on how you use the platform, we may process account identifiers, sign-in provider data, profile information, communication preferences, activation answers, recommended route summaries, learning progress, validation runs, waitlist entries, pilot applications, beta access invite records, MCP OAuth access tokens, and operational security logs.
Why we process it
We use this information to authenticate members, create and maintain workspaces, preserve course access, track progress, support validation and pilot workflows, generate activation recommendations, assess lead and platform health, operate waitlists and pilot intake, and improve reliability, support, and product quality.
Activation and lead intelligence
Activation answers, selected tools, artefact state, route recommendations, learning activity, waitlist status, pilot status, and related operational signals may be combined into internal lead-intelligence summaries for admin review and weekly operational reporting. These summaries are used to prioritize support, understand product demand, and identify friction in the platform. They are not sold to third parties.
Cookies and optional consent
Necessary cookies are used to run the service and maintain basic functionality. Optional consent controls currently cover analytics storage and research contact preferences. You can grant or withdraw those optional consents through the cookie banner and, when signed in, from the Privacy & data management section inside the app.
Third-party processors
Authentication currently relies on Firebase Authentication, including Google sign-in when selected by the user. Analytics measurement relies on Google Analytics 4 (GA4), which is loaded only when you grant analytics consent via the cookie banner; GA4 operates under Google's data-processing terms and consent mode v2. Email delivery and preference synchronization may rely on Resend. Platform and infrastructure providers may process operational data needed to host, secure, and monitor the service. AI and model providers may process prompts and outputs needed to run localized content, activation routing, evaluation, or reporting workflows.
Storage, retention, deletion, and backups
We keep personal data only for as long as it is needed for the service, security, legal obligations, or legitimate operational continuity. If you request account erasure, the live account and linked in-product records are removed, and a time-boxed backup snapshot may be retained for the number of days you selected in the Privacy & data management section before it is purged.
Your controls and rights
When signed in, you can use the Privacy & data management section to review optional consents, inspect a data inventory, generate a portable export of account-linked data, and request account deletion. You can also update communication preferences and stop using a sign-in method at any time, subject to any account-recovery constraints.
MCP tools and agent feedback
Static instruction files (AGENTS.md, .mdc rules, copilot-instructions.md) are local files only; they send nothing. Retrieval MCP tools (principles.list, examples.search, etc.) fetch doctrine and examples from our servers.
signals.feedback is open to all callers but must only be called when the user explicitly requests it; only the structured fields you pass are stored (ratings, opt-in text, and a contact email given with permission). signals.report requires an active Pro or Teams Bearer token and is linked to your authenticated user ID and plan tier; only the structured event fields are stored (event type, surface, perceived value, brief context note), never prompts or code. Raw prompts, proprietary code, file contents, and repository details are never stored by either signal tool, so do not include sensitive content in the brief_context field. contact_email is stored only when you explicitly set permission_to_follow_up to true.
When architect.validate or architect.certify processes code you provide, that code is sent to an external LLM provider (OpenAI, under a no-training-on-API-data contract) during processing, is processed transiently for the duration of that call, and is not retained by AI Design Blueprint as raw implementation context. We do NOT use your proprietary code, validation scores, or architectural diagrams to train, fine-tune, or improve foundational AI models. Only the structured result is stored: per-principle verdicts, severity scores, recommendations, certification outcome, the reproducibility envelope (model, seed, doctrine fingerprint, code fingerprint), and a public review URL plus badge URL. The 16-character SHA-256 code_fingerprint we persist is a binding primitive between architect.validate and architect.certify (so a certificate cannot be minted against different code than was reviewed) and is not reversible to the original code.
Set private_session=true on architect.validate to skip all server-side logging for that specific call: no run_id, no result_json, no badge, and consequently no architect.certify path for that run. On non-private calls, the validation run record (score, verdicts, recommendations, reproducibility envelope) is stored in your private workspace history, and you may delete it at any time from the dashboard. This design supports the Blueprint's commitment: agents run the workflow, humans govern it. Your code stays your own unless you explicitly choose to share it. MCP OAuth 2.1 authentication (used by clients such as Claude Code) creates a short-lived authorization code and a long-lived opaque access token record linked to your user ID; these records are used only to authenticate subsequent MCP calls and can be revoked by deleting your account. You can request deletion of all signal and token records tied to your account via the data deletion process described above.
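The following is an added illustration of the fingerprint binding described above, written for this page and not the product's own code. It assumes the 16-character code_fingerprint is the first 16 hex digits of SHA-256 (64 bits), that CRLF line endings are normalised before hashing, and it replaces the external LLM review with a placeholder that returns only structured verdicts. The names ValidationStore, RunRecord, review and delete_run are hypothetical. It shows why a certify call against edited code is refused, why a private_session run leaves nothing to certify, and that the stored record never contains the raw code.

```python
"""Toy validate/certify fingerprint binding (added example, not AI Design Blueprint code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: the persisted fingerprint is the first 16 hex digits of SHA-256 (64 bits).
FINGERPRINT_HEX_LEN = 16


def code_fingerprint(text: str) -> str:
    """Truncated SHA-256 over the submitted text; CRLF is normalised to LF first.

    Any other byte change yields a different fingerprint, and the 16 hex digits
    cannot be inverted to recover the text (assumption about the real scheme).
    """
    data = text.replace("\r\n", "\n").encode("utf-8")
    return hashlib.sha256(data).hexdigest()[:FINGERPRINT_HEX_LEN]


def review(code: str) -> dict:
    """Placeholder for the external LLM review: returns structured verdicts only."""
    non_blank = [ln for ln in code.splitlines() if ln.strip()]
    verdict = "pass" if non_blank else "fail"
    return {"principles": {"has_content": verdict}, "score": 100 if non_blank else 0}


@dataclass(frozen=True)
class RunRecord:
    """What survives a non-private run: envelope plus structured result, never raw code."""
    run_id: str
    model: str
    seed: int
    doctrine_fingerprint: str
    code_fingerprint: str
    result: dict


class ValidationStore:
    """Hypothetical in-memory workspace history for validation runs."""

    def __init__(self) -> None:
        self._runs: dict[str, RunRecord] = {}

    def validate(self, code: str, doctrine: str, *, private_session: bool = False,
                 model: str = "hypothetical-model", seed: int = 0):
        """Run the (placeholder) review. Private sessions persist nothing and return no run_id."""
        result = review(code)
        if private_session:
            return None, result
        run_id = secrets.token_hex(8)
        self._runs[run_id] = RunRecord(
            run_id=run_id, model=model, seed=seed,
            doctrine_fingerprint=code_fingerprint(doctrine),
            code_fingerprint=code_fingerprint(code),
            result=result,
        )
        return run_id, result

    def certify(self, run_id: str, code: str) -> dict:
        """Mint a certificate only if the code presented matches the code that was reviewed."""
        rec = self._runs.get(run_id)
        if rec is None:
            raise LookupError("no stored run: private session, unknown run_id, or deleted")
        # Constant-time compare; a mismatch means different code than was validated.
        if not hmac.compare_digest(rec.code_fingerprint, code_fingerprint(code)):
            raise ValueError("code_fingerprint mismatch: refusing to certify")
        certified = all(v == "pass" for v in rec.result["principles"].values())
        return {"run_id": run_id, "code_fingerprint": rec.code_fingerprint,
                "doctrine_fingerprint": rec.doctrine_fingerprint, "certified": certified}

    def delete_run(self, run_id: str) -> None:
        """User-initiated deletion of a run record (the dashboard action described above)."""
        self._runs.pop(run_id, None)


if __name__ == "__main__":
    store = ValidationStore()
    sample = "def add(a, b):\n    return a + b\n"   # constructed sample input
    rid, _ = store.validate(sample, "doctrine v1")
    print(store.certify(rid, sample))
    try:
        store.certify(rid, sample + "# edited after review\n")
    except ValueError as exc:
        print("refused:", exc)
```

Two caveats a practitioner would check against the real scheme: the store keeps only fingerprints, so nothing in it can be replayed as source, and under the hex assumption a 64-bit fingerprint makes forging a match for an existing run about 2^64 work, while a submitter who controls both inputs could in principle search for two versions of their own code that collide at roughly 2^32 work, which only matters if a public badge is worth that effort.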
Referring a counterpart
If you are a beta tester, you can invite a colleague (a "counterpart") you have named to join the beta. We use that person’s email address only to generate a personal invite link, which you send to them yourself; we do not email them. We rely on our legitimate interest in facilitating the referral you asked for. We keep an un-actioned counterpart’s email for 28 days (the beta window) and then delete it, along with the pending invite and any pre-provisioned sign-in identity. The counterpart can opt out in one click at any time and can ask us to erase their data.
Security and accountability
We use managed authentication, server-side session controls, admin access restrictions, internal service keys, and secret management to reduce exposure of personal data. We also retain limited operational logs to detect abuse, protect platform availability, and investigate incidents. No system is perfect, so safeguards evolve with the platform.