Account data (controller).
When an advisor or firm administrator creates an account, we collect: full name, work email, hashed password, optional two-factor secret (encrypted at rest), firm name, and the IP address of authentication events. We collect this to deliver the service and protect the account.
Billing data (controller).
For paid subscriptions, we collect: billing contact name, billing email, company name, subscription tier, and payment status. Card details are handled by Stripe and never seen or stored by blankit.
Client data (processor).
Subscribing firms upload data about their plan-sponsor clients (employer names and contact details), coverage booklets, claims-experience documents, carrier quotes, and renewal analyses. We process this strictly on the firm's documented instructions, under our Data Processing Agreement. The firm — not blankit — is the controller of this data.
Plan-member data (processor).
When a firm enables the plan-member chatbot, plan members may submit messages and (in optional Critical Illness enrolment flows) contact details. The firm is the controller. The chatbot can be used without identifying yourself, and we ask for no personal information to start a conversation. Where a plan member does choose to identify themselves — asking for an advisor to follow up, or starting a Critical Illness enrolment — we record their explicit consent at that point, and it can be withdrawn at any time.
Operational and security telemetry.
We log application events (audit log entries, error traces, access patterns) for security and incident response. These may include IP address, user ID, and the action performed.