Privacy Policy
Owner and Data Controller
Blacksmith Software Inc. 95 Third Street, 2nd Floor, San Francisco CA, 94103, United States
Owner contact email: [email protected]
Types of Data Collected
Blacksmith Software Inc. (“Blacksmith”) collects the following types of Personal Data when you sign in with your GitHub account and install the Blacksmith GitHub app into your organization: GitHub webhook metadata used for billing purposes and to provide analytics on your GitHub Actions performance and trends, as well as payment information, including credit card details securely processed through Stripe for monthly billing based on your usage. This data is collected automatically through your interactions with the service and is essential for Blacksmith to deliver and improve its offerings. Users are responsible for ensuring they have consent to provide any third-party Personal Data and understand that withholding mandatory data may affect the functionality of the Service.
Mode and place of processing the Data
Methods of processing
Blacksmith Software Inc. (“Blacksmith”) implements robust industry-standard security measures to protect your data from unauthorized access, disclosure, modification, or destruction. Data processing is performed following strict organizational procedures aligned with the purposes outlined in this Privacy Policy. In addition to Blacksmith’s internal teams responsible for administration, sales, marketing, legal, and system administration, your data may be accessed by trusted third-party service providers, including payment processors like Stripe, hosting providers, and communication tools appointed as Data Processors. These external parties are bound by confidentiality agreements and are only granted access as necessary to provide the Service. An updated list of these Data Processors is available upon request from Blacksmith by contacting [email protected].
Legal basis of processing
Blacksmith Software Inc. (“Blacksmith”) processes Personal Data of Users based on the following legal grounds: (1) Consent: Users have provided explicit consent for specific purposes, such as billing and analytics related to GitHub Actions performance; (2) Contractual Necessity: Processing is necessary to fulfill our service agreement with Users, including running GitHub Actions runners and managing billing through Stripe; (3) Legal Obligations: We process data to comply with applicable legal requirements and regulations; (4) Legitimate Interests: Processing is essential for our legitimate business interests, such as improving service performance and ensuring secure operations. Importantly, Blacksmith does not use Personal Data for any Artificial Intelligence (AI) or Machine Learning (ML) purposes. In jurisdictions where consent is not required for certain processing activities, Blacksmith relies on these alternative legal bases. Users may contact Blacksmith to clarify the specific legal basis applicable to their data processing, including whether providing Personal Data is a statutory or contractual requirement or necessary to enter into a contract.
Place
Blacksmith Software Inc. (“Blacksmith”) processes Personal Data on our servers located in the United States and the European Union. Depending on your location, your data may be transferred between these regions. If you have concerns about where your data is processed, you may request to have your workload moved to a specific region by contacting us at [email protected]. While we will consider such requests, relocation of data processing is not guaranteed until an agreement is reached. For more information about data processing locations, data transfers, and the legal basis for transferring data, please contact us directly.
Retention
Blacksmith Software Inc. (“Blacksmith”) retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected. Personal Data related to the performance of a contract between Blacksmith and the User is retained until the contract is fully performed. Data processed under Blacksmith’s legitimate interests is kept as long as needed to achieve those purposes. Additionally, Personal Data may be retained longer if required by law or with the User’s explicit consent, which can be withdrawn at any time. While you are a customer, your data will not be deleted. Upon termination of the agreement or upon your request, Blacksmith will delete all relevant user data within 30 days using industry-standard methods, ensuring compliance with backup and security protocols. To request data deletion, please contact us at [email protected]. Once the retention period has expired, your rights to access, erase, rectify, and port data cannot be enforced.
Detailed information on the processing of Personal Data
Personal Data is collected for the following purposes and using the following services:
Handling payments
Unless otherwise specified, this Application processes any payments by credit card, bank transfer or other means via external payment service providers. In general, and unless otherwise stated, Users are requested to provide their payment details and personal information directly to such payment service providers. This Application isn’t involved in the collection and processing of such information: instead, it will only receive a notification from the relevant payment service provider as to whether payment has been successfully completed.
Stripe (Stripe Inc.)
Stripe is a payment service provided by Stripe Inc. Personal Data processed: email address; payment info; purchase history; Tracker; Usage Data.
Place of processing: United States – Privacy Policy.
Registration and authentication
By registering or authenticating, Users allow this Application to identify them and give them access to dedicated services. Depending on what is described below, third parties may provide registration and authentication services. In this case, this Application will be able to access some Data, stored by these third-party services, for registration or identification purposes. Some of the services listed below may also collect Personal Data for targeting and profiling purposes; to find out more, please refer to the description of each service.
GitHub OAuth (GitHub Inc.)
GitHub OAuth is a registration and authentication service provided by GitHub Inc. and is connected to the GitHub network.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Traffic optimization and distribution
This type of service allows this Application to distribute their content using servers located across different countries and to optimize their performance. Which Personal Data are processed depends on the characteristics and the way these services are implemented. Their function is to filter communications between this Application and the User’s browser. Considering the widespread distribution of this system, it is difficult to determine the locations to which the contents that may contain Personal Information of the User are transferred.
Cloudflare (Cloudflare Inc.)
Cloudflare is a traffic optimization and distribution service provided by Cloudflare Inc. The way Cloudflare is integrated means that it filters all the traffic through this Application, i.e., communication between this Application and the User’s browser, while also allowing analytical data from this Application to be collected.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
User database management
This type of service allows the Owner to build user profiles by starting from an email address, a personal name, or other information that the User provides to this Application, as well as to track User activities through analytics features. This Personal Data may also be matched with publicly available information about the User (such as social networks’ profiles) and used to build private profiles that the Owner can display and use for improving this Application. Some of these services may also enable the sending of timed messages to the User, such as emails based on specific actions performed on this Application.
Supabase
Supabase is an open-source backend-as-a-service platform built on PostgreSQL. It provides a full Postgres database for every project, along with features like real-time functionality, authentication, and auto-generated APIs, making it easy to build and manage web and mobile applications.
Personal Data processed: email address, usage data, and various types of data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Information on opting out of interest-based advertising
In addition to any opt-out feature provided by any of the services listed in this document, Users may follow the instructions provided by YourOnlineChoices (EU), the Network Advertising Initiative (US) and the Digital Advertising Alliance (US), DAAC (Canada), DDAI (Japan) or other similar initiatives. Such initiatives allow Users to select their tracking preferences for most of the advertising tools. The Owner thus recommends that Users make use of these resources in addition to the information provided in this document.
The Digital Advertising Alliance offers an application called AppChoices that helps Users to control interest-based advertising on mobile apps.
Users may also opt out of certain advertising features through applicable device settings, such as the device advertising settings for mobile phones or ads settings in general.
Further information about the processing of Personal Data
The rights of Users
Blacksmith Software Inc. (“Blacksmith”) empowers Users with the following rights regarding their Personal Data:
- Withdraw Consent: Users can withdraw their consent to data processing at any time.
- Object to Processing: Users may object to data processing based on legitimate interests or other legal grounds beyond consent.
- Access Data: Users can request information on whether their data is being processed and obtain a copy of their Personal Data.
- Rectify Data: Users have the right to correct inaccurate or incomplete Personal Data.
- Restrict Processing: Users can limit the processing of their data, allowing Blacksmith to store it without further use.
- Erase Data: Users may request the deletion of their Personal Data under specific circumstances.
- Data Portability: Users can receive their data in a structured, commonly used, machine-readable format and transfer it to another controller.
- Lodge a Complaint: Users have the right to file a complaint with their competent data protection authority.
- Restrict Data Flow from GitHub: Users can restrict data flow by uninstalling or suspending the Blacksmith GitHub app. Please note that doing so may affect the functionality and performance of the Service.
To exercise any of these rights, Users can contact Blacksmith at [email protected]. Users should be aware that some jurisdictions may impose specific limitations on these rights.
Details about the right to object to processing
Blacksmith Software Inc. (“Blacksmith”) processes Personal Data based on legitimate interests, such as improving service performance and providing billing and analytics for GitHub Actions. Users have the right to object to this processing by providing a reason related to their specific situation. To exercise this right, please contact us at [email protected]. Blacksmith does not process Personal Data for direct marketing purposes. If you object to the processing based on legitimate interests, we will assess your request and determine whether to continue processing your data. For more information on how we process Personal Data, please refer to the relevant sections of this Privacy Policy.
Additional information about Data collection and processing
Legal action
The User’s Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of this Application or the related Services. The User declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.
System logs and maintenance
For operation and maintenance purposes, this Application and any third-party services may collect files that record interaction with this Application (System logs) or use other Personal Data (such as the IP Address) for this purpose.
How “Do Not Track” requests are handled
This Application does not support “Do Not Track” requests. To determine whether any of the third-party services it uses honor the “Do Not Track” requests, please read their privacy policies.
Changes to this privacy policy
Blacksmith Software Inc. (“Blacksmith”) reserves the right to modify this Privacy Policy at any time. We may update this policy by posting changes on this page without prior notice. However, for significant changes that materially affect how we process your Personal Data, we will notify you via the email address associated with your account. We encourage Users to regularly review this Privacy Policy to stay informed about our data practices.
Definitions and Legal References
Personal Data (or Data)
Any information that can directly or indirectly identify a natural person, including personal identification numbers, email addresses, and other identifiers.
Usage Data
Information automatically collected through Blacksmith’s service or third-party integrations, which may include IP addresses, domain names, Uniform Resource Identifiers (URIs), request times, methods used to submit requests, file sizes received, server response codes, country of origin, browser features, operating systems, time spent on each page, navigation paths within the service, and device or IT environment details.
User
An individual who uses Blacksmith’s service and, unless otherwise specified, is synonymous with the Data Subject.
Data Subject
The natural person to whom the Personal Data pertains.
Data Processor (or Data Supervisor)
Any natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of Blacksmith, as outlined in this Privacy Policy. This includes third-party service providers like Stripe, hosting providers, and IT firms.
Data Controller (or Owner)
Blacksmith Software Inc., the entity that determines the purposes and means of processing Personal Data, including implementing security measures related to the operation and use of the service.
This Application
The platform provided by Blacksmith through which Users sign in with their GitHub accounts, install the Blacksmith GitHub app into their organizations, and utilize GitHub Actions runners.
Service
The GitHub Actions runners offered by Blacksmith, enabling Users to run their GitHub Actions faster and cheaper.
European Union (or EU)
All current member states of the European Union and the European Economic Area, unless otherwise specified within this document.
Legal Information
This Privacy Policy is crafted in accordance with various legislations, including Articles 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation). This policy exclusively pertains to Blacksmith’s service unless stated otherwise within this document.