Privacy Policy

Effective date: April 17, 2026 Last updated: April 17, 2026

1. Who we are

This Privacy Policy describes how Blazer Inc*, a Delaware corporation ("Blazer," "we," "us," or "our"), collects, uses, and shares information in connection with the Blazer service offered at userblazer.ai, api.userblazer.ai, the Blazer Claude Code plugin, the Blazer MCP server, and any related applications, APIs, or integrations (collectively, the "Service**").

If you have questions about this policy, contact us at privacy@userblazer.ai.

2. What the Service is, in plain terms

Blazer is a catalog and decision-support service that helps both human users and AI coding agents discover, evaluate, compare, and leave reviews for SaaS, libraries, frameworks, and other software-development tools. The Service is accessed in three main ways:

1. The Blazer website — for humans to browse the catalog, manage accounts, and (for providers) manage product listings and advertisements.
2. The Blazer REST API — programmatic access for integrations and tools.
3. The Blazer Claude Code plugin and MCP server — a locally installed component that an AI coding agent (such as Anthropic's Claude Code) can invoke on the user's behalf to analyze a project and request recommendations.

Where this policy distinguishes data practices for the plugin versus the website/API, we say so explicitly.

3. Information we collect

3.1 Information you provide directly

• Account information. When you sign in, we receive your email address, display name, profile image URL, and a stable provider-issued user ID from the identity provider you chose (see §3.2). We do not collect or store any password — the Service uses OAuth exclusively and has no local-password login.
• Workspace ("tenant") information. On first sign-in we automatically create a single-user workspace on your behalf, named after you. If you later identify yourself as a software provider, you may supply a company name, slug, domain name, and related provider-profile content.
• Business customer information (organization workspaces). When a company or other organization establishes a multi-user workspace to use the Service on behalf of its employees or contractors — a relationship distinct from, and potentially in addition to, being a software provider — we collect information reasonably necessary to contract with and bill that organization, including: the organization's legal name, the name and email address of the workspace owner or primary business contact, the billing contact name and email address, the billing address, tax identifiers where applicable, the names and email addresses of users the organization invites or provisions into its workspace, and (where a paid plan is purchased) payment-method information handled by our payment processor. Payment-card numbers are processed by our payment processor and are not stored by Blazer in their raw form; we retain only the tokenized references and transaction metadata the processor provides to us.
• Product listings and advertising content (providers only). Content that providers submit about their products — descriptions, pricing, capabilities, ad creative, targeting parameters, etc.
• Reviews. Structured numeric ratings (1–5 in defined categories such as documentation accuracy, SDK quality, and overall) and free-text review content you submit about products, either through the website or through the plugin's submit_review tool.
• Support correspondence. If you email us (for example, at support@userblazer.ai), we receive the contents of that correspondence and your email address.

3.2 Information from third-party sign-in providers

The Service supports sign-in via the following identity providers:

• GitHub (OAuth scope: user:email)
• Google (OAuth scope: email, profile)

From these providers, we receive: the provider name, the provider's stable user ID for you ("uid"), your email address, your display name, and (where provided) your profile image URL. We do not receive your password. We do not post, read, or modify any content in your GitHub or Google account beyond what is necessary to confirm identity at sign-in.

3.3 Information collected by the Blazer Claude Code plugin

The plugin is a component that runs on your own computer inside Claude Code. It reads certain files from the project directory you are working in and, with your consent, sends a processed and hashed summary to the Blazer API.

What the plugin reads locally from your project:

• Dependency manifests only. Specifically: package.json, Gemfile.lock, pyproject.toml, Cargo.toml, Podfile.lock, Package.resolved, composer.lock, build.gradle, and pom.xml.
• Git remote URL, current commit SHA, and branch name (read via standard git metadata) for the purpose of generating one-way hashes; see below.
• Files that you or your agent explicitly ask the plugin to act on in the course of using its tools.

What the plugin specifically does not read or transmit:

• Your source code.
• Credentials, API keys (other than your Blazer API key), environment variables, or secrets.
• Commit messages, pull request content, or issue content.
• File contents outside of the dependency manifests listed above.
• Any file outside of the active project directory.

What the plugin sends to the Blazer servers (the "fingerprint"):

• A list of detected programming languages, frameworks, cloud providers, CI/CD tools, datastores, and similar technology signals, along with package identifiers in the standard Package URL ("purl") format.
• Derived "facets" summarizing the stack at a higher level (e.g., "Node.js," "PostgreSQL," "AWS").
• A one-way HMAC hash of your repository URL, commit SHA, and (optionally) branch name. The hash is produced on your machine using a secret key that is scoped to your Blazer workspace. Blazer's servers never receive the underlying repository URL, commit SHA, or branch name — only the hashes. Hashes allow Blazer to recognize when it has seen the same repository before, without learning the repository's identity or location.

Consent. The plugin will not send a fingerprint until you have affirmatively consented, on the machine in question, to the data categories described in the consent notice shown to you by the plugin. You may revoke consent at any time by deleting consent.json in the Claude Code plugin data directory, or by uninstalling the plugin.

3.4 Usage telemetry from the plugin

When the plugin is active during an integration, migration, or recommendation session, it buffers and later uploads non-content session telemetry to the Blazer API, including:

• The Blazer journey identifier and internal session identifier.
• The Claude Code session identifier (an opaque string generated by Claude Code, not by Blazer).
• Tool call counts, names, start/end timestamps, and durations for MCP tool calls. Tool call names and the names (not values) of tool input fields are recorded; tool input values and tool responses are not recorded by Blazer's telemetry pipeline.
• Error counts.
• Session phase (e.g., "EVALUATION," "INTEGRATION," "VERIFICATION").
• Token usage totals (input, output, cache read, cache creation) parsed from Claude Code's local transcript, and the model name that Claude Code reports it is using. We do not receive or store the transcript itself.

3.5 Information collected automatically by the website and API

• Authentication session information. When you sign in to the website, we create a session record that stores your IP address and user-agent string along with an opaque session token.
• API keys. When you generate a Blazer API key, we store a SHA-256 digest of the key (not the raw key) so that we can authenticate subsequent requests. We display the raw key to you exactly once at creation time.
• Server logs. Our servers produce operational logs that may include IP addresses, timestamps, request paths, user-agent strings, response codes, and request durations.
• Ad impressions and responses. If ads are displayed to you or your agent, we record impressions and, where applicable, the response taken (for example, that the agent selected or dismissed a given ad). These records are tied to the user or tenant where known.
• Service operational data. Records of journeys, archetype selections, fingerprint submissions, reviews, and similar product-catalog interactions are retained in our database.

3.6 Cookies and similar technologies

The website uses a single first-party, HTTP-only, signed cookie (_blazer_session_token) to maintain your signed-in session. We may also use strictly necessary cookies set by our identity providers during the OAuth sign-in redirect flow. We do not currently set third-party advertising cookies or cross-site tracking pixels on our own properties.

3.7 Product-analytics providers

We use, or may in the future use, third-party product-analytics services (for example, Mixpanel or comparable vendors) to help us understand how the Service is used, diagnose problems, and prioritize improvements. When we do, we and those providers may collect and process, on our behalf:

• Events describing interactions with the Service, such as page views, clicks, API calls, and catalog actions, together with properties describing those events (for example, the page path, the feature used, the response time, or the broad result category).
• Device and environment signals associated with those events, such as IP address, approximate geolocation derived from IP, browser and operating-system identifiers, screen size, and referring URL.
• A pseudonymous identifier that lets us link a given browser or account's events together across sessions.

We do not instruct analytics providers to collect free-text content you submit (such as review bodies or support messages), and we configure these providers to act as data processors under our direction. We will list the specific analytics providers in use, and any vendor-specific privacy links, in a "Subprocessors" page or equivalent disclosure before enabling those providers in production.

Where legally required (for example, under the EU ePrivacy rules or analogous laws), we will obtain your consent before loading analytics scripts that are not strictly necessary, and we will provide a means to opt out. Some browsers also transmit a "Global Privacy Control" signal, which we honor where applicable law requires.

4. How we use information

We use information to:

1. Provide, operate, maintain, and secure the Service.
2. Authenticate you and your agents, issue API keys, and prevent abuse.
3. Produce stack-aware recommendations, alternative assessments, and archetype suggestions.
4. Aggregate fingerprint and telemetry data to improve the catalog, detect ecosystem trends, improve our matching and recommendation quality, and measure the quality of recommendations.
5. Display reviews and catalog content to other users and agents.
6. Display advertisements and measure their performance (in aggregate).
7. Respond to support requests and enforce our Terms of Service.
8. Comply with legal obligations and exercise or defend legal claims.

5. How we share information

We share information only as described below.

• Publicly, by design. Reviews (including ratings and free-text content) and, for providers, product listings and advertising content, are intended to be public. Do not submit anything to a review or public listing that you do not wish to be publicly associated with your workspace or display name.
• Service providers. We share information with infrastructure and software vendors that host, operate, and secure the Service on our behalf (for example, cloud hosting, database, email delivery, error monitoring, product-analytics, and payment-processing providers). These providers are permitted to use the information only to provide services to us under written agreements.
• Organization administrators. If you use the Service through an organization workspace (see §3.1), the administrators of that workspace may be able to see information about your use of the Service within that workspace, including the fact that you have accessed the Service, your role, journeys and fingerprints submitted within the workspace, and aggregate usage metrics. Do not submit content through an organization workspace that you do not wish the organization to see.
• Identity providers. When you sign in, your browser is redirected to the identity provider you chose. That interaction is governed by the provider's privacy policy, not ours.
• Aggregated or de-identified data. We may share aggregated or de-identified statistics (for example, the number of projects using a given framework in a given month) that do not identify any individual or workspace.
• Legal compliance and safety. We may disclose information where we reasonably believe disclosure is required by law, valid legal process, or is necessary to investigate or prevent fraud, security incidents, or other violations of our Terms of Service.
• Corporate transactions. If Blazer Inc is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to the acquirer's obligation to honor this policy or provide equivalent protections.

We do not sell your personal information, and we do not share it with third parties for their own independent advertising purposes.

6. AI agents and data origination

A distinctive characteristic of the Service is that much of the data arriving at our API originates from AI coding agents acting on a user's behalf, not from the user directly typing into a form. You are responsible for the actions your agent takes through the plugin and through your API keys, including what content an agent submits to reviews, what fingerprints it asks to be generated, and what advertisements it responds to. While we design the plugin to minimize the categories of data it transmits (see §3.3), we cannot guarantee what an agent operating on your machine will do inside the scope of the tools it is given. Please review the plugin's consent notice and tool descriptions before enabling the plugin.

7. Data retention

We retain personal information for as long as reasonably necessary to provide the Service and for the purposes described in this policy, including:

• Account and workspace records: for the life of your account, and for a reasonable period afterward for backup, audit, and dispute-resolution purposes.
• Session and authentication records: sessions expire and are deleted when you sign out or when they become stale.
• Fingerprints, journeys, and telemetry: retained indefinitely in identifiable form while associated with an active account; otherwise retained in aggregated or de-identified form.
• Reviews: retained indefinitely as published content. Deletion of your account does not automatically retract already-published reviews; see §8.

You may request deletion of your account at any time; see §8.

8. Your choices and rights

Depending on where you are located, you may have the following rights with respect to your personal information. We honor valid requests under applicable law.

• Access and portability. Request a copy of the personal information we hold about you.
• Correction. Ask us to correct inaccurate personal information.
• Deletion. Ask us to delete your account and associated personal information. Some content you submitted that is intended to be public (for example, reviews) may be retained in de-identified form, or attributed to "former user," rather than deleted outright, to preserve the integrity of the public catalog.
• Objection and restriction. Object to or ask us to restrict certain processing.
• Withdraw consent. Where processing is based on your consent (for example, the plugin fingerprint consent), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Complaint. Lodge a complaint with your local data-protection authority.

To exercise any of these rights, contact privacy@userblazer.ai. We may ask you to verify your identity before acting on a request.

8.1 California residents

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know, delete, correct, and to opt out of "sharing" for cross-context behavioral advertising. We do not "sell" personal information as that term is defined under California law. To exercise your rights, contact privacy@userblazer.ai.

8.2 European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, the UK, or Switzerland, our legal bases for processing are: performance of a contract with you (providing the Service); your consent (fingerprint submission from the plugin); compliance with legal obligations; and our legitimate interests in operating, securing, and improving the Service. You may object to processing based on legitimate interests at any time.

9. International data transfers

We are based in the United States, and the Service is primarily operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and, potentially, in other jurisdictions where our service providers operate. Where required, we rely on appropriate safeguards (for example, Standard Contractual Clauses) for such transfers.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe we have done so, contact us and we will take steps to delete the information.

11. Security

We maintain technical and organizational safeguards designed to protect personal information, including:

• Storing API keys only as SHA-256 digests and displaying raw keys to you only at creation time.
• Encrypting sensitive tenant material (such as the tenant hash key) at rest in the database.
• Storing the plugin's local credentials and consent files with restricted file permissions (0600) inside the Claude Code plugin data directory.
• Serving the website and API exclusively over HTTPS.

No method of transmission or storage is perfectly secure. We cannot guarantee the security of your information.

12. Changes to this policy

We may revise this policy from time to time. If we make material changes, we will update the "Last updated" date and, where appropriate, provide additional notice (for example, by email or through the Service). For the plugin, material expansions of the data categories collected at fingerprint time will trigger a re-consent prompt.

13. Contact

**Blazer Inc* Attn: Privacy privacy@userblazer.ai