Privacy Policy
Last updated: June 29, 2026
This is a template legal document provided for setup. It must be reviewed and adapted by qualified legal counsel — and every [bracketed] field completed — before you publish or rely on it. It is not legal advice.
This Privacy Policy explains how [Legal entity name] (“Blank Theory,” “we,” “us,” or “our”) collects, uses, shares, and protects information. Blank Theory builds, hosts, and maintains websites for local trade businesses for a flat $199 per month.
1. Scope — who and what this covers
This policy applies to all of the following surfaces (together, the “Services”):
- Our marketing site at blanktheory.xyz — where you learn about us and request a free preview.
- Demo / preview sites we build at blanktheory.xyz subdomains (for example, demo.blanktheory.xyz) before a business signs up.
- Claimed client sites — the live website we host for a paying client, whether on our subdomain or on the client's own custom domain.
- The client portal — the authenticated area where clients manage their site, view analytics and leads, and handle billing.
It covers our handling of information about prospective and current clients, people who submit our forms, and visitors to the sites we host. It does not change the privacy practices of any third-party site you reach by following a link.
2. Information we collect
(a) Cookieless, first-party site analytics
On the sites we host, we measure performance with our own first-party analytics. For each visit we record a small, non-identifying event:
- the page viewed and the type of interaction (page view, tap-to-call, contact-form submit, directions click);
- the traffic source, inferred from the referring website host and any campaign tags in the URL — bucketed only into broad categories such as Direct, Google / Search, Social, AI assistants, or Campaign;
- a coarse device type (mobile, tablet, or desktop);
- a timestamp; and
- which business the site belongs to, so each client sees only their own numbers.
These analytics are deliberately privacy-preserving. We do not set tracking cookies, we do not read or write to your browser's localStorage for analytics, and we do not use device fingerprinting. We do not build cross-site profiles, and we do not sell or share this data for advertising. We do not store your full IP address against these events; an IP is used only momentarily in transit (see spam protection below).
(b) AI-crawler visibility
Separately from human visits, our servers read the User-Agent of incoming requests to identify automated crawlers. When an AI search crawler (for example, OpenAI's GPTBot, Anthropic's ClaudeBot, or PerplexityBot) fetches a hosted site, we log that as an “AI visibility” signal so clients can see when AI assistants index their site. These bot fetches are kept out of human visit and traffic-source counts, and other generic bots are discarded entirely.
(c) Lead-form data
When you submit our “Get started” form on the marketing site, or a lead-capture form on a demo preview, we collect the information you choose to provide:
- your name;
- your phone number;
- your email address (required on the marketing form; optional on demo forms);
- the service you need;
- an optional short description of what you're looking for; and
- your preferred call date and time.
We use this to respond to your request, build or discuss your site, and follow up. New requests also create an internal notification to our team and may enroll you in a short follow-up sequence about your request.
(d) Account & business-profile data (client portal)
Access to the client portal is authenticated through our identity provider, Clerk. When you have an account, we and Clerk process your sign-in credentials, email address, name, and a role assignment that links you to your business. Inside the portal, clients may enter and upload business-profile information used to build and run their site — including contact details, business hours, a tagline, a logo, and work photos. Files you upload are stored with our database/storage provider (Convex).
(e) Payment data
Subscriptions are processed by Stripe. Card details are entered with and handled by Stripe; we do not collect or store full card numbers on our systems. We receive limited billing metadata from Stripe (such as subscription status, the last four digits or card brand, and payment success or failure) to manage your account.
(f) Spam protection
Our public forms are protected by Cloudflare Turnstile. To verify a submission is human, a Turnstile token and your IP address are sent to Cloudflare for validation. This is used for security and abuse prevention, not for advertising or profiling.
(g) Communications you send us
If you email us, reply to our texts, or otherwise contact us, we keep the contents of those communications and our responses so we can support you and maintain our records.
3. Cookies & similar technologies
We use only strictly necessary / functional cookies and equivalent storage — the items required for the Services to work. These are limited to:
- authentication and session management for the client portal (Clerk);
- secure payment and fraud-prevention functions during checkout and billing (Stripe); and
- the spam-protection challenge on our forms (Cloudflare Turnstile).
We do not use advertising, marketing, or non-essential analytics cookies. Because we set no non-essential cookies or trackers, we do not display a cookie-consent banner. If we ever introduce non-essential cookies or similar tracking technologies, we will add an appropriate consent mechanism (such as a banner) and update this policy first.
4. How we use information & our lawful bases
We use the information above to:
- respond to your requests, build and present your free preview, and schedule and make your call;
- provide, host, maintain, and improve the Services and the sites we build;
- show each client first-party analytics about their own site, including AI-crawler visibility;
- process subscription payments and manage billing, renewals, and cancellations;
- send transactional and service messages, and (with consent) marketing communications;
- protect the Services against spam, fraud, and abuse; and
- comply with our legal obligations and enforce our terms.
Where data-protection law (such as the EU/UK GDPR) requires a lawful basis, we rely on: our legitimate interests in operating, securing, and measuring the Services (including privacy-preserving analytics and abuse prevention); your consent, obtained when you submit a form, for marketing calls, emails, and texts; the performance of a contract for clients we host and bill; and compliance with legal obligations. You may withdraw consent at any time (see Your rights).
5. Communications & consent
When you submit one of our forms, you consent to be contacted by Blank Theory by phone, email, and text message (SMS) about your request and our services, including a confirmation and reasonable follow-ups. Message and data rates may apply, and message frequency is kept reasonable. You can opt out of texts at any time by replying STOP, and opt out of marketing email using the unsubscribe link in any message. Our commercial emails comply with the U.S. CAN-SPAM Act — they identify us, include our postal address, and offer a working one-click unsubscribe. Consent to marketing messages is not a condition of purchase, and we still send necessary transactional messages (for example, billing notices) to active clients.
See our Terms of Service for the full messaging-consent terms, and our Get started page if you'd like to submit a request.
6. How we share information — service providers
We do not sell your personal information. We share information only with vendors (“subprocessors”) that help us run the Services, each only to the extent needed to perform their function, and with contractual confidentiality and security obligations:
- Vercel — website hosting and custom-domain configuration;
- Convex — application database and file storage;
- Clerk — account authentication and identity for the client portal;
- Stripe — subscription payment processing and billing;
- Cloudflare — transactional and marketing email delivery, Turnstile spam protection, and DNS;
- LoopMessage — SMS delivery for lead confirmations and follow-ups;
- Google — public business-listing data (Google Places / Business Profile) used to build previews; and
- Lob — printing and mailing of outreach postcards.
We may also disclose information to comply with law, enforce our agreements, protect rights and safety, or in connection with a merger, acquisition, or sale of assets (in which case we will continue to protect it under this policy or notify you of any material change).
7. Public business information & demo previews
Before a business signs up, we may build an unofficial demo preview using publicly available business-listing information (such as a Google Business Profile). These previews are clearly labeled as unofficial and not affiliated with the business, are set to not be indexed by search engines, and never use the business's own logo or copyrighted photos — only licensed or generic stock imagery. A business may request removal of its preview at any time and we will take it down. See the demo-preview terms in our Terms of Service.
8. Data retention
We keep personal information only as long as needed for the purposes above: lead and contact records for as long as we are in contact or as needed to follow up and for our records; client account, profile, and billing records for the life of the account and a reasonable period afterward; and analytics events for a limited rolling window sufficient to produce trends and reports. We retain or delete information as required by law, and will delete or de-identify it when it is no longer needed. You can ask us to delete your information sooner (see Your rights).
9. Security
We use reputable infrastructure providers and reasonable administrative, technical, and organizational measures — including encryption in transit, authenticated and role-scoped access to the portal, and payment handling delegated to Stripe — to protect information. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
10. Your rights & choices
Depending on where you live, you may have rights to access, correct, update, port, or delete your personal information, to object to or restrict certain processing, and to withdraw consent. You can:
- reply STOP to any text to stop SMS, or use the unsubscribe link in any marketing email;
- edit much of your business-profile information directly in the client portal; and
- contact us at [contact email] to exercise any of these rights.
We will respond as required by applicable law and will not discriminate against you for exercising your rights. If you are in the EU/UK, you also have the right to lodge a complaint with your local data-protection authority.
11. Children's privacy
The Services are intended for businesses and are not directed to children. We do not knowingly collect personal information from children under 13 (or the minimum age in your jurisdiction). If you believe a child has provided us information, contact us at [contact email] and we will delete it.
12. International users
We operate in the United States, and our service providers may process information in the United States and other countries. If you access the Services from outside the United States, you understand your information may be transferred to and processed in the United States, where data-protection laws may differ from those of your country. Where required, we use appropriate safeguards for international transfers.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, take additional steps as required by law. Your continued use of the Services after an update means you accept the revised policy.
14. Contact us
Questions about this policy or your information? Contact:
[Legal entity name]
[business address]
[contact email]
See also our Terms of Service.