Privacy Policy

Effective Date: April 19, 2026

This Privacy Policy describes how NordXM Oy, trading as Bluemode (“we,” “us,” or “our”), collects, uses, stores, and protects your information when you use the Bluemode platform at bluemode.dev (“Service”). By using the Service, you acknowledge the practices described in this policy. This Privacy Policy should be read in conjunction with our Terms of Service.

1. Data Controller

For the purposes of data protection law, the data controller responsible for your personal data is:

NordXM Oy (trading as Bluemode)
Helsinki, Finland
Email: support@bluemode.dev

Given the nature and scale of our data processing, we are not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. For all privacy-related inquiries, please contact us at the email address above. We will respond within 30 days.

2. Information We Collect

2.1 Account Information

When you register, we collect your email address — required for authentication. We send you one-time passcodes (OTP) to sign in and transactional emails about your account. You may optionally provide your name via your profile settings. We do not collect passwords.

2.2 Code and Content You Submit

When you use our tools, you may submit code, error messages, or application ideas. Specifically:

  • Explain: The code you submit and the AI-generated analysis are stored in your account so you can review past results.
  • Decode: The code snippet, error message, and AI-generated diagnosis are stored in your account.
  • Monitor: Repository file contents are processed during scans but are not stored in full. We retain only scan results, issue summaries, and relevant code snippets necessary to display findings.
  • Blueprint: Application descriptions and generated architecture plans are stored in your account.
  • Guide: Step-by-step build instructions generated from your Blueprint are stored in your account.

2.3 GitHub Data

If you install the Bluemode GitHub App for the Monitor tool, we access:

  • Repository metadata (name, branches, file tree structure).
  • File contents of selected repositories (processed during scans, not stored in full).
  • Push event data (commit SHA, sender login) delivered via webhooks.
  • GitHub installation account information (account login, account type).

We store GitHub installation metadata and webhook delivery logs for operational and debugging purposes.

2.4 Payment Information

Payments are processed entirely by Stripe. We never receive, transmit, or store your credit card number, CVV, or full billing details. We store only your Stripe customer ID and transaction records (session ID, payment ID, amount, credit quantity) for accounting and support purposes.

2.5 Usage and Technical Data

We automatically collect:

  • Credit usage records: Prompt and completion token counts, credit costs per request, and timestamps.
  • Scan history: Scan timestamps, scan modes, and aggregate issue counts.
  • Server logs: IP addresses, request paths, HTTP methods, user-agent strings, and response times. These logs are used solely for security monitoring, debugging, and abuse prevention.

2.6 Cookies

We use the following cookies:

  • pc_token — An HTTP-only, secure, SameSite session cookie containing an encrypted JSON Web Token (JWT) that authenticates your session. Expires after 30 days.
  • pc_csrf — A readable cookie used for Cross-Site Request Forgery (CSRF) protection, cryptographically bound to your session token. Expires after 30 days.

Both cookies are strictly necessary for the operation of the Service and are exempt from cookie consent requirements under ePrivacy regulations. We do not use advertising cookies, third-party tracking cookies, or analytics cookies.

3. What We Do NOT Collect

  • We do not use analytics or tracking on published scan results or shared explanations.
  • We do not serve ads or share data with advertisers.
  • We do not sell, rent, or trade your personal information to third parties.
  • We do not use your code to train AI models.
  • We do not make automated decisions about you that produce legal or similarly significant effects.

4. How We Use Your Information

  • To authenticate you and maintain your session.
  • To process your code through AI models and deliver analysis results.
  • To process credit purchases and maintain billing records.
  • To send transactional emails (OTP codes, purchase confirmations, low credit alerts, referral notifications, welcome messages).
  • To monitor for and prevent abuse, fraud, and unauthorized access.
  • To improve and develop the Service based on aggregate usage patterns.
  • To enforce our Terms of Service.
  • To comply with legal obligations (e.g., tax record keeping).

We do not use your code for AI model training. Your submitted code and AI-generated outputs are not used to train, fine-tune, or improve any machine learning models.

5. Lawful Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6):

  • Contract performance (Art. 6(1)(b)): Your email and account data are necessary to provide the Service (creating accounts, authenticating sessions, processing code, managing credits). By signing in and using Bluemode, you enter into a contract governed by our Terms of Service.
  • Legitimate interest (Art. 6(1)(f)): Server logging, rate limiting, abuse prevention, fraud detection, aggregate usage analytics, and transactional emails about your account (low credit alerts, scan notifications). Our legitimate interest is maintaining a secure, reliable, and functional platform. These interests do not override your fundamental data protection rights.
  • Legal obligation (Art. 6(1)(c)): Retaining purchase and transaction records as required by tax, accounting, and financial regulations.
  • Consent (Art. 6(1)(a)): Where we process data based on your consent (e.g., optional marketing communications, if introduced in the future), you may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

We do not rely on consent for any processing that is essential to providing the Service.

6. Third-Party Services

We share data with the following processors solely to operate the Service:

  • Microsoft Azure AI — AI-powered code analysis and generation. Your code is processed under Microsoft’s enterprise data protection terms and is not used by Microsoft to train models.
  • Stripe — Payment processing. Receives your email for receipts and handles all payment credentials directly.
  • Amazon Web Services (SES) — Transactional email delivery. Receives your email address.
  • GitHub — Repository access and webhook integration for the Monitor tool. Does not receive personal data beyond what GitHub already holds about your account.

We do not share your data with third parties beyond those listed above. All processors operate under Data Processing Agreements (DPAs) that require them to protect your data to standards consistent with this policy and applicable data protection laws.

We may also disclose your information if required by law, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

7. International Data Transfers

Our third-party processors (Azure, Stripe, AWS) may process data in regions outside your country of residence, including the United States. Where personal data is transferred from the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with sub-processors.
  • Where applicable, reliance on the recipient’s certification under the EU-US Data Privacy Framework (DPF).

You may request more information about the safeguards in place by contacting us at support@bluemode.dev.

8. Data Retention

  • Account data: Retained while your account is active. If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law.
  • Analysis results (Explain, Decode, Blueprint, Guide): Retained in your account until you delete them or until your account is deleted.
  • Monitor scan results: Retained while your project is active. Deleted when the project is deleted or when your account is deleted.
  • AI result cache: Temporarily cached in memory for up to 24 hours to reduce duplicate processing costs.
  • Job queue data: Completed jobs are retained for up to 24 hours; failed jobs are retained for up to 7 days for debugging purposes.
  • Purchase records: Retained for up to 7 years for accounting and tax compliance, then deleted.
  • Webhook logs: Retained for up to 90 days for operational monitoring and debugging, then deleted.
  • Server logs: Retained for a maximum of 30 days for security and debugging purposes, then permanently deleted.
  • Login OTP codes: Single-use, expire within 5 minutes, and are not retained after use.

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encrypted session tokens (JWT) with HTTP-only, secure, SameSite cookie attributes.
  • CSRF protection with cryptographic binding between tokens.
  • Rate limiting on authentication and API endpoints to prevent brute force and abuse.
  • Stripe webhook signature verification to ensure payment event integrity.
  • GitHub webhook signature verification to ensure event authenticity.
  • Enforced HTTPS for all communications in production.

While we take reasonable measures to secure your data, no system is completely secure, and we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (GDPR Article 34), providing details of the breach, its likely consequences, and the measures we are taking to address it.

11. Your Rights

Depending on your location, you may have the following rights under GDPR, CCPA, or similar laws:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Update or correct inaccurate or incomplete personal data.
  • Erasure: Request deletion of your personal data and account. We will comply except where retention is required by law.
  • Restriction: Request that we limit how we process your data in certain circumstances.
  • Data Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time.
  • Lodge a Complaint: You have the right to lodge a complaint with a data protection supervisory authority in your country of residence. For EEA residents, a list of authorities is available at edpb.europa.eu. For UK residents, you may contact the Information Commissioner’s Office (ICO).

To exercise any of these rights, contact us at support@bluemode.dev. We will respond within 30 days. We may request verification of your identity before fulfilling your request. If we need additional time, we will inform you of the reason and the extension period.

12. Automated Decision-Making

The Service uses AI models to analyze code and generate outputs (explanations, scan findings, decoded errors, architecture plans, build guides). These outputs are informational tools provided to assist your decision-making — they do not constitute automated decisions that produce legal effects or similarly significant effects concerning you within the meaning of GDPR Article 22. No access restrictions, account actions, or credit decisions are made solely based on automated processing without human involvement.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), provides you with additional rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions.
  • Right to Correct: You may request correction of inaccurate personal information we hold about you.
  • Right to Non-Discrimination: We will not treat you differently for exercising your privacy rights.
  • No Sale or Sharing: We do not sell or “share” (as defined by CPRA) your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
  • Sensitive Personal Information: We do not collect sensitive personal information as defined by CPRA beyond what is necessary to provide the Service (i.e., your account email for authentication).
  • Authorized Agents: You may designate an authorized agent to make requests on your behalf. We may require verification that the agent is authorized to act for you.

To submit a verifiable consumer request, email support@bluemode.dev. We will verify your identity and respond within 45 days as required by law.

14. Children’s Privacy

The Service is not directed to children. We require all users to be at least 16 years of age. We do not knowingly collect personal information from children under 16 (the threshold under GDPR) or under 13 (the threshold under the US Children’s Online Privacy Protection Act, COPPA). If we learn that we have collected data from someone under these ages, we will delete it promptly. If you believe a child has provided us with their data, please contact us immediately at support@bluemode.dev.

15. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to read the privacy policies of any third-party services you interact with.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will indicate the date of the last update at the top of this page. For material changes, we will provide at least 30 days’ notice by email or by prominently posting a notice on the Service before the changes take effect. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.

17. Contact & Complaints

Questions about your privacy? Contact us at: support@bluemode.dev

NordXM Oy (trading as Bluemode)
Helsinki, Finland

We are committed to resolving any complaints about our collection or use of your personal data. We will respond to all inquiries within 30 days. If you are in the EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.