Privacy Policy

Last updated: February 26, 2026

The Short Version

We collect the minimum data needed to deliver your purchase and improve our products. We don't sell your data. We don't run ads. We don't track you across the internet.

What We Collect

When you purchase a product:

• Email address, name (from ThriveCart checkout)
• Which product you bought and when
• We store this in our database to deliver your purchase and send updates

When you submit an intake form (Audit/DFY):

• Deployment details you provide (agents, skills, platform, OpenClaw version, etc.)
• This is used exclusively to perform your security review
• We do not share your deployment details with anyone

When you use the free scanner:

• IP address (for rate limiting only — 5 scans/hour)
• Scan results are stored to improve our threat intelligence database
• No personally identifiable information is collected by the scanner

When you visit our website:

• We use Vercel Analytics (privacy-friendly, no cookies, no personal data)
• No third-party tracking pixels, no retargeting, no ad networks

How We Use Your Data

• Deliver your purchased products
• Send transactional emails (purchase confirmations, intake confirmations, delivery)
• Notify you of Blueprint updates (you can opt out by replying to any update email)
• Improve our threat intelligence and product quality

What We Don't Do

• We don't sell or share your personal data with third parties
• We don't use your deployment details for anything other than your engagement
• We don't run advertising or share data with ad networks
• We don't use tracking cookies

Third-Party Services

We use these services to operate BulwarkAI:

Service	Purpose	Their Privacy Policy
ThriveCart	Payment processing	thrivecart.com/privacy
Resend	Transactional email delivery	resend.com/legal/privacy-policy
Vercel	Website hosting	vercel.com/legal/privacy-policy
Supabase	Database	supabase.com/privacy
Upstash	Rate limiting	upstash.com/privacy

Data Retention

• Customer records: retained indefinitely for update notifications and re-download access
• Intake form submissions: retained for the duration of your engagement + 1 year
• Scan history: retained indefinitely (anonymized, no PII)
• You can request deletion of your data at any time by emailing hello@bulwarkai.io

Security

We practice what we preach. Customer data is stored in Supabase with row-level security. API keys and credentials are stored in environment variables, never in code. All connections use HTTPS.

Changes

If we update this policy, we'll note the date at the top. For material changes, we'll email affected customers.

Contact

Privacy questions: hello@bulwarkai.io

BulwarkAI is operated by Peter Kwidzinski.