Legal

Privacy Policy

Last updated: December 15, 2025 · Effective: December 15, 2025

This Privacy Policy describes how BLEN, Inc. ("BLEN," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with the Permiso compliance and permitting workflow service (the "Service"). This Policy applies to the Service and to information BLEN receives about visitors to permisoai.com and related marketing properties.

Permiso is a business-to-business service offered to U.S. business and government customers. We do not direct the Service to consumers or to children, and we do not knowingly collect personal information from individuals under the age of 16.

1. Deployment Model and Roles

Permiso is delivered as software that BLEN deploys, operates, and maintains within a cloud environment owned and controlled by the Customer (the "Customer Cloud"). Customer Content, including personal information that Customer or its authorized users submit through the Service, resides in the Customer Cloud and is not transmitted to or stored on BLEN-controlled infrastructure, except for limited operational telemetry, support data, account information, and billing information described below. The Customer Cloud is contracted by Customer with the underlying cloud infrastructure provider; that provider is not a sub-processor of BLEN.

Personal information processed through the Service generally falls into one of two categories.

Service-Related Personal Information. When personal information is included in Customer Content within the Customer Cloud, the Customer determines the purposes and means of processing and acts as the business or controller under U.S. state privacy laws. To the limited extent BLEN processes that personal information in the course of operating the Service (for example, when BLEN personnel access the Customer Cloud for support or maintenance under a Customer-approved process), BLEN acts as a service provider or processor under the Customer’s direction. The Customer’s own privacy notice governs Customer Content; this Policy describes how BLEN handles it on the Customer’s behalf.

BLEN-Controlled Personal Information. BLEN acts as the business or controller for personal information that BLEN collects directly to operate, secure, market, and improve the Service outside the Customer Cloud, including account registration data, billing contacts, support communications, operational telemetry that excludes Customer Content, and information collected through BLEN’s marketing properties.

2. Information We Collect

2.1 Information You Provide

We collect information you provide when you create an account, configure the Service, communicate with us, request a demo, attend an event, or interact with our marketing properties. This may include:

  • Account and contact information: name, work email address, work phone number, employer, job title, and login credentials;
  • Billing information: billing contact, billing address, tax identifiers, and the last four digits and expiration of payment cards (full payment-card numbers are collected and stored by our payment processor, not BLEN);
  • Customer Content: documents, applications, records, files, prompts, and metadata that you or your authorized users submit to the Service in the course of compliance and permitting workflows; and
  • Communications: the content of messages you send to BLEN, including support tickets, sales inquiries, and feedback.

2.2 Information Collected Automatically

When you use the Service or visit our marketing properties, we and our service providers collect information automatically, including:

  • Device and connection information: IP address, device identifiers, browser type and version, operating system, language, time zone, and referring URL;
  • Usage information: pages and features accessed, actions taken, timestamps, search queries within the Service, and configuration choices; and
  • Cookies and similar technologies: as described in Section 9.

2.3 Information from Third Parties

We may receive information from third parties, including:

  • Single sign-on and identity providers that authenticate users on Customer’s behalf;
  • Marketing and enrichment providers that help us identify and contact business prospects;
  • Resellers and channel partners through whom a Customer may purchase the Service; and
  • Public sources, including government registries and public business directories.

2.4 Sensitive Personal Information

Customer Content related to permitting and compliance may, depending on Customer’s configuration, include sensitive personal information such as government-issued identifiers, precise location data, financial account information, or information about an individual’s legal or regulatory status. BLEN processes that information solely as a service provider on behalf of the Customer and only for the purposes the Customer directs and as permitted by these Terms and applicable law. We do not use sensitive personal information to infer characteristics about an individual.

3. How We Use Information

BLEN uses information for the following purposes:

  • Provide the Service – to operate, deliver, maintain, and support the Service for Customer and its authorized users;
  • Authenticate and secure – to verify identity, prevent fraud and abuse, detect and respond to security incidents, and enforce our terms;
  • Billing and account management – to process payments, manage Subscriptions, send service-related communications, and handle support requests;
  • Service improvement – to monitor performance, troubleshoot, evaluate AI Feature quality (without using Customer Content to train foundation models), and develop new functionality;
  • Marketing – to send marketing communications about Permiso to business contacts, subject to opt-out rights described below;
  • Compliance and legal – to meet legal, regulatory, audit, and contractual obligations, respond to lawful requests, and protect the rights, property, and safety of BLEN, its customers, and others; and
  • Aggregated insights – to produce de-identified and aggregated information that does not identify any Customer or individual, which BLEN may use for any lawful purpose.

4. AI Features

The Service includes artificial intelligence features that summarize, classify, extract, or draft content based on Customer Content ("AI Features"). When AI Features are used, the inference call is made from within the Customer Cloud to one or more third-party model providers (or to a model endpoint configured by Customer in the Customer Cloud), under contracts that prohibit the providers from retaining the content beyond what is needed to return a response and that prohibit them from using the content to train their models. BLEN does not use Customer Content to train its own foundation or general-purpose machine learning models, and BLEN does not store the prompt or the Output on BLEN-controlled infrastructure except for limited operational telemetry that excludes Customer Content. BLEN may use de-identified, aggregated Service usage data to evaluate and improve the AI Features.

AI Features generate probabilistic Output that may be incomplete or inaccurate. Output should not be relied on as legal, regulatory, or professional advice and should be reviewed by a qualified human before being used in a regulatory or compliance decision.

5. How We Disclose Information

BLEN does not sell personal information for monetary consideration. We disclose personal information only as described below.

  • Service providers and sub-processors. We share information with vendors that help us operate BLEN’s corporate systems and deliver the Service software, including software development tooling, customer support, billing, error monitoring (excluding Customer Content), analytics on BLEN-controlled marketing properties, and AI model providers used for AI Features as described in Section 4. The cloud infrastructure that hosts the Customer Cloud is contracted directly by Customer and is not a BLEN sub-processor. These vendors are bound by written agreements that limit their use of the information to providing services to BLEN.
  • Affiliates. We may share information with BLEN Affiliates that help operate or support the Service, subject to this Policy.
  • Customers. When you use the Service as an authorized user of a Customer account, your use, account profile, and Customer Content are accessible to that Customer and to other authorized users to whom that Customer has granted access. The Customer’s own privacy notices and policies apply.
  • Legal and protective disclosures. We may disclose information when we believe in good faith that doing so is necessary to comply with law, respond to valid legal process, enforce our agreements, or protect the rights, property, or safety of BLEN, its customers, or others.
  • Business transfers. If BLEN is involved in a merger, acquisition, financing, reorganization, or sale of assets, we may disclose information to the parties involved, subject to the protections of this Policy.
  • With consent. We may disclose information to other parties when you direct us to or otherwise consent. Whether the disclosures above constitute "sharing" for cross-context behavioral advertising under the California Consumer Privacy Act ("CCPA") depends on how the relevant marketing properties are configured. We do not engage in cross-context behavioral advertising on the Service itself. On marketing properties, where we use cookies that may constitute sharing, you can exercise your opt-out rights as described in Section 11.

6. Sub-processors

Because the Service is deployed in the Customer Cloud, the cloud infrastructure provider that hosts the Customer Cloud is contracted by Customer and is not a sub-processor of BLEN. BLEN uses a separate list of sub-processors to support BLEN’s corporate operations and the delivery of the Service software, including software development, customer support, billing, error monitoring (excluding Customer Content), and AI model providers used for AI Features. The current list, including each sub-processor’s function and country of processing, is available on request and through the Documentation. BLEN remains responsible for sub-processor compliance with the obligations BLEN owes Customer under the Terms of Service.

7. Retention

BLEN retains personal information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

  • Customer Content resides in the Customer Cloud and is retained according to Customer’s configuration of the Customer Cloud. BLEN does not retain Customer Content on BLEN-controlled infrastructure, except for limited support attachments and incident records, which are deleted within ninety (90) days unless a longer period is required by law or an active investigation.
  • Account and billing records are retained for the life of the account and for a reasonable period thereafter to satisfy tax, accounting, and audit requirements.
  • Logs and security records held by BLEN are retained for the period needed for security monitoring and incident investigation, typically not more than 13 months unless a longer retention is needed for an active investigation. Logs and security records held within the Customer Cloud are retained according to Customer’s configuration.
  • Marketing data is retained until you opt out or until the data is no longer accurate or useful.

8. Security

Because the Service runs in the Customer Cloud, the security of Customer Content depends primarily on controls Customer maintains in the Customer Cloud, including any FedRAMP authorization, agency Authority to Operate, encryption keys, identity and access management, network segmentation, monitoring, and incident detection. The Service inherits and operates within those controls. BLEN implements administrative, physical, and technical safeguards over (a) the Service software, including secure software development, code-pipeline integrity, dependency management, and vulnerability response, and (b) BLEN’s corporate systems used to support the Service, including identity, endpoint, logging, and vendor risk management. No system is perfectly secure; we cannot guarantee that personal information will never be accessed, disclosed, altered, or destroyed in violation of these measures.

9. Cookies and Similar Technologies

We use cookies and similar technologies (such as pixels, web beacons, and local storage) to operate the Service, remember your preferences, authenticate sessions, measure usage, and support marketing on our public properties. Cookies fall into the following categories.

  • Strictly necessary – required to provide the Service and cannot be turned off.
  • Functional – remember choices you make, such as language and display preferences.
  • Analytics – help us understand how the Service and our marketing properties are used.
  • Marketing – help us measure marketing campaigns and reach business prospects. You can manage cookies through your browser controls and, where available, through our cookie preferences tool on our marketing properties. We honor recognized opt-out preference signals, including the Global Privacy Control, where required by law.

10. Federal Information, CUI, and Compliance Inheritance

Because the Service runs in the Customer Cloud, FCI and CUI processed through the Service inherit the authorization posture of the Customer Cloud, including any FedRAMP authorization, agency Authority to Operate, or DoD Impact Level applicable to that environment. When the Service is configured to support Federal Contract Information ("FCI") or Controlled Unclassified Information ("CUI") under the Terms of Service, BLEN applies the safeguarding requirements of FAR 52.204-21 and any additional obligations set out in a written addendum executed by the parties (including, where applicable, DFARS 252.204-7012 and NIST SP 800-171 flow-downs that govern BLEN’s operational role). Customer is responsible for confirming that the Customer Cloud carries the authorization required for the relevant data category and for not submitting CUI or other regulated data outside the scope of an executed addendum and an authorized environment.

11. Your Rights

Depending on where you live, you may have rights with respect to personal information that BLEN processes about you as a controller or business. These rights generally include:

  • Access – to request confirmation that we process your personal information and to receive a copy of it;
  • Correction – to request correction of inaccurate personal information;
  • Deletion – to request deletion of personal information, subject to exceptions provided by law;
  • Portability – to receive a copy of your personal information in a portable format;
  • Opt out of sale or sharing – to opt out of any sale or sharing of personal information for cross-context behavioral advertising;
  • Limit use of sensitive personal information – where applicable; and
  • Non-discrimination – we will not discriminate against you for exercising your rights. California residents have rights under the CCPA, as amended by the California Privacy Rights Act. Residents of Virginia, Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy laws have similar rights, subject to that state’s law.

To submit a request, email privacy@permisoai.com or use the request form linked from permisoai.com. We will verify your identity using the information we have about you and respond within the timeframes required by applicable law (generally 45 days, with one extension of up to 45 days where reasonably necessary). You may use an authorized agent to submit a request, and we may require written authorization and verification.

If your personal information is contained in Customer Content, please direct your request to the Customer that controls the relevant account. We will refer the request to the Customer and assist as required by law.

You may appeal a decision on your request by emailing privacy@permisoai.com with the subject line "Appeal." If we deny your appeal and you live in a state that permits a regulator complaint, you may contact your state attorney general or other applicable regulator.

12. CCPA Notices

In the prior twelve (12) months, BLEN has collected the following categories of personal information identified by the CCPA: identifiers; commercial information; internet or other electronic network activity; geolocation (general, not precise) inferred from IP address; professional or employment-related information; sensory data limited to information voluntarily submitted by users; and other information that fits within these categories. We collect this information from the sources, for the purposes, and disclose it to the categories of recipients described in this Policy. We do not knowingly sell personal information for monetary consideration. We may share limited identifiers with marketing partners on our public properties; you may opt out as described above.

California residents may also designate an authorized agent to make a request on their behalf and may request information about our disclosures of personal information for direct marketing purposes under California’s "Shine the Light" law by contacting privacy@permisoai.com.

13. Marketing Communications

You can opt out of marketing emails at any time using the unsubscribe link in any marketing message or by contacting privacy@permisoai.com. Opt-outs do not apply to transactional or service-related communications, which are necessary to provide the Service.

14. Children

The Service is not directed to children, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, contact privacy@permisoai.com so we can delete it.

15. Do Not Track

Some browsers transmit Do Not Track signals. Because there is no industry standard for responding to those signals, BLEN does not respond to them. Where required by law, BLEN honors recognized opt-out preference signals, including the Global Privacy Control, on our marketing properties.

16. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will provide additional notice through the Service, by email, or on permisoai.com. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated Policy.

17. Contact Us

If you have questions or requests about this Policy or BLEN’s privacy practices, contact us at:

BLEN, Inc. – Privacy

Washington, D.C.

Email: privacy@permisoai.com