Last updated: 22 June 2026
Draft pending final legal review — bracketed items to be completed before publication.
This Privacy Policy explains how [LEGAL ENTITY] ("BLAM8", "we", "us", "our"), which operates the BLAM8 platform ("Business Logistics Automated") at blam8.haail.dev, collects, uses, stores and shares personal data. It applies to the businesses that subscribe to BLAM8 ("Customers") and to the individuals whose data is processed through the service.
For your account and billing data we act as a controller. For the email, calendar and operational content we process on your behalf when you connect a mailbox, we act as a processor and you are the controller — you are responsible for having a lawful basis to process the data of the people who email you, and for telling them about it where required.
We use the data solely to provide and operate the service: reading incoming mail, drafting replies, sending only the replies a human approves (or, where you switch on full-auto, the messages your configuration authorises), running the scheduling/fleet features you enable, metering usage, and supporting and securing the platform. Under UK GDPR our lawful bases are performance of our contract with you and our legitimate interests in operating, securing and improving the service. We do not sell personal data, and we do not use your content to train third-party AI models.
BLAM8's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
We request the minimum Google scopes needed: read-only inbox access (gmail.readonly), send (gmail.send) for approved replies, and calendar events (calendar.events) for Scheduling.
For Microsoft 365 mailboxes we request only least-privilege Microsoft Graph permissions — read mail, send mail, calendar read/write, and your basic identity — used solely to provide the same features. We never receive your Microsoft password, and access can be revoked at any time.
Replies are drafted by a large language model (Anthropic's Claude). By default a human reviews and approves every reply before it is sent; full-auto sending is an explicit per-mailbox opt-in. The agent uses only the knowledge you provide as its source of facts and defers when it is unsure. Anthropic does not use API inputs or outputs to train its models.
Each Customer's data is isolated at the database level using row-level security. Sign-in and mailbox/calendar access use Microsoft or Google OAuth — never your password. Data is encrypted in transit (TLS), and OAuth tokens are encrypted at rest. Access to production systems is restricted and audited.
We share only what each provider needs to deliver its part of the service:
Some sub-processors (Anthropic, Voyage) are located in the United States. Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Addendum or EU Standard Contractual Clauses.
The content of handled emails (the incoming message and the drafted reply) is automatically redacted after 90 days; we keep only the audit record — sender, subject, status and timestamps. OAuth tokens are deleted when you disconnect a mailbox. Knowledge sources are kept until you delete them or close your account. Account and billing records are kept for as long as your account is active and for a reasonable period afterwards to meet legal and accounting obligations.
You can disconnect any mailbox at any time, which deletes its OAuth tokens and stops all processing for that mailbox. You can request closure of your account and deletion of your data, which removes your mailboxes' tokens, knowledge sources, configuration and operational records, and redacts retained email logs. Contact us at hello@blam8.com to make a deletion request; we will action verified requests without undue delay.
Under UK GDPR you have the right to access, rectify, erase, restrict or object to the processing of your personal data, and to data portability. To exercise these rights, contact hello@blam8.com. Where we act as a processor for a Customer's email data, requests from that Customer's contacts should be directed to the Customer (the controller); we will assist the Customer in responding. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk).
We use only strictly-necessary cookies to keep you signed in and to protect against cross-site request forgery. We do not use advertising or third-party tracking cookies.
BLAM8 is a business service not directed at children and is not intended for anyone under 18.
We will update this page and notify account contacts before adding a new sub-processor or materially changing how we process personal data.
Data controller: [LEGAL ENTITY], [REGISTERED ADDRESS] (company no. [COMPANY NO.], ICO reg. [ICO REG NO.]). For any privacy question or to exercise your rights, contact hello@blam8.com.
BLAM8 assistant
Ask about plans, modules or setup