1. Who we are
Blacknel S.A.P.I. de C.V. ("Blacknel", "we", "us") is a company registered in Mexico City with offices at Av. Insurgentes Sur 1234, Floor 6, Del Valle, 03100. We operate the SaaS platform available at blacknel.com and app.blacknel.com as data controller for our services.
GDPR · We are data controller. As Blacknel is established outside the EU, we are not required to appoint an Art. 27 representative, but we maintain a dedicated channel at privacy@blacknel.com for EU data subjects.
LFPDPPP · Our Data Protection Officer is reachable at privacy@blacknel.com. Maximum response time for ARCO rights: 20 business days.
CCPA · We are a "business" under CCPA. We do not sell personal data and we honor "Right to Know", "Right to Delete", and "Right to Opt-Out of Sale" requests.
2. Data we collect
2.1 Account and authentication data
- Full name for team identification
- Work email for auth and transactional communication
- Password hash (only if you use password auth; default is passwordless magic link)
- Company and role for onboarding personalization
2.2 Usage and telemetry data
- Action logs with timestamp and IP (retention: 90 days)
- User-agent and basic device fingerprint (for session-hijacking detection)
- GeoIP at country/region level — never precise GPS
- Usage metrics via Plausible Analytics (cookieless, anonymized aggregate)
2.3 Uploaded content
- Scheduled posts (text, images, videos)
- Inbox messages (DMs, comments, reviews, replies)
- Assets in media library
- Brand voice docs you upload for AI training
2.4 Connected platform data (OAuth)
When you connect Facebook, Instagram, WhatsApp, Google Business, etc., we access via official OAuth only: messages/DMs to your business account, published posts, reviews, and aggregate ad metrics. We do NOT access private messages or personal contacts outside the business scope.
2.5 Billing data
Processed by Stripe (PCI-DSS Level 1). Blacknel NEVER has access to full card numbers — only last-4 digits, billing address, country, and applicable tax type.
2.6 What we do NOT collect
- NO biometric data (fingerprints, facial recognition)
- NO health data (GDPR Art. 9 — special categories)
- NO minors data (service forbidden to <16 GDPR / <13 COPPA)
- NO precise GPS — only city-level GeoIP
3. How we use your data
We process data under the legal bases of contract performance (GDPR Art. 6.1.b) and consent (GDPR Art. 6.1.a) for opt-in marketing. Specifically: operate the platform, process payments, send transactional communications, improve the service via aggregate analytics, and send the newsletter if you opted in.
We do not use your data to train third-party AI models. Blacknel's AI trains only on your own brand voice docs inside your workspace — we never share data with Anthropic or OpenAI beyond the inference prompt that flows through their APIs with zero data retention enabled.
4. Retention
- Account data: up to 90 days after cancellation
- Detailed usage logs: 90 days
- Uploaded content: deleted 30 days after cancellation
- Audit log: Standard 90d · Growth 1 year · Enterprise up to 7 years configurable
- Billing data: 5 years (Mexican tax obligation)
5. Sub-processors
We operate with the following sub-processors. Each one has a signed DPA and SCCs where applicable:
| Sub-procesador | Purpose | Location | DPA / SCC |
|---|---|---|---|
| Vercel | Hosting + Edge CDN | US (multi-region) | SCC signed |
| Supabase | Database + Auth + Storage | US (us-east-1) | SCC signed |
| Anthropic | AI inference (Claude) | US | SCC signed |
| OpenAI | AI inference (GPT) | US | SCC signed |
| Stripe | Payment processing | US + EU | SCC + PCI-DSS |
| Resend | Transactional email | US | SCC signed |
| Plausible | Analytics | EU (Germany) | GDPR by design |
| Sentry | Error monitoring | US | SCC signed |
| Cloudflare | CDN + DDoS protection | Global | SCC signed |
We notify you via email at least 30 days before adding or changing a sub-processor with material impact.
6. Your rights
Under LFPDPPP, GDPR, and CCPA you have the right to: access your data, rectify it, delete it, restrict processing, port it, and object to processing. To exercise any right, write to privacy@blacknel.com with proof of identity.
If you believe we process your data in violation of law, you may file a complaint with your local data protection authority: INAI (Mexico), CNIL/AEPD/etc. (EU), California AG (CCPA).
7. DPO contact
For privacy matters: privacy@blacknel.com. Maximum response time: 30 calendar days under GDPR; 20 business days under LFPDPPP; 45 days under CCPA.
8. Data Deletion Request
For full details on how to request deletion of your data, visit our dedicated page: https://blacknel.com/en/data-deletion. The summary below is kept for reference.
Your deletion rights
Under LFPDPPP (Mexico), GDPR (EU), and CCPA (California), you have the right to request complete deletion of your personal data stored by Blacknel.
How to request deletion
Three ways:
1. From your Blacknel account (fastest)
If you have an active account:
- Sign in at https://app.blacknel.com
- Go to Settings → Privacy → Delete my data
- Confirm with your password or magic link
- Your data is deleted within 30 days
2. By email
Send an email to privacy@blacknel.com with:
- Subject: "Data deletion request"
- Your registered email
- Your full name
- Reason (optional)
We respond within 5 business days and complete deletion within 30 days.
3. From third-party apps (Facebook, Instagram, WhatsApp)
If you connected your Facebook, Instagram, or WhatsApp account to Blacknel and want to delete the data we received from those platforms:
- Go to Facebook → Settings → Apps and Websites → Blacknel
- Click "Remove"
- Facebook automatically sends us a data deletion request
- We process within 30 days
- You can check status at:
https://app.blacknel.com/api/meta/data-deletion/{your-confirmation-code}
You receive the confirmation code from Facebook when clicking "Remove".
What gets deleted
When you request deletion, we permanently remove:
- Your user account and credentials
- All posts, messages, and content you created
- Activity history and logs
- Uploaded brand voice docs
- OAuth tokens for connected platforms
- Derived data (aggregated analytics, sentiment analysis, etc.)
What we cannot delete
Due to Mexican tax law (SAT) obligations, we must retain:
- Invoices and tax receipts: 5 years
- Security logs for forensic investigation: up to 1 year
These remain in encrypted archive with no operational access until the legal period expires.
Response time
- LFPDPPP (Mexico): 20 business days to confirm + 15 days to complete
- GDPR (EU): 30 days maximum
- CCPA (California): 45 days maximum
If you don't receive a response in these timeframes, you can complain to:
- INAI (Mexico): https://home.inai.org.mx
- Local DPA (EU): per your country
- California AG: https://oag.ca.gov
Contact
privacy@blacknel.com
DPO of Blacknel SAPI de CV