Privacy Policy
Effective Date: December 17, 2025 · Last Updated: June 12, 2026
1. Introduction
Low Orbit, LLC, doing business as Blacklight ("Blacklight," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.
Blacklight is headquartered in Brooklyn, NY (USA). We comply with applicable data protection laws including the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), the UK General Data Protection Regulation (UK GDPR) for users in the United Kingdom, the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), and applicable US state privacy laws including the California Consumer Privacy Act (CCPA, as amended by the CPRA).
For the purposes of the GDPR and UK GDPR, the data controller is Low Orbit, LLC d/b/a Blacklight, Brooklyn, NY, USA, reachable at privacy@blklight.net. A German-language version of this policy is available at /datenschutz; in case of any conflict between the two versions, this English version governs.
2. Information We Collect
Account Information
When you create an account, we collect:
- Phone number (required for verification)
- Email address
- Name
- Artist type and professional information
Phone Authentication & Our No-Spam Commitment
Blacklight uses phone-based authentication exclusively. When you sign up or log in, we send a one-time passcode (OTP) via SMS. This is the only time we will ever text you.
We will never:
- Send marketing or promotional SMS messages
- Sell or share your phone number with third parties for marketing
- Text you without your explicit action (login or signup)
- Use your phone number for any purpose other than account security
Your phone number is used solely for account verification and security. We respect your privacy and your inbox.
Profile Content
Content you choose to upload to your EPK, including:
- Photos and videos
- Music and audio files
- Biographical information
- Professional history and credentials
- Social media links
Usage Data
We automatically collect:
- Page views and interactions with your EPK
- B2B (industry view) unlock events
- Device information and browser type
- Referring URLs
3. IP Address Handling
We collect IP addresses for security and analytics purposes. How we use IP data depends on your cookie consent:
- If you accept analytics cookies: We use IP addresses for city-level geolocation to provide you with geographic analytics about your EPK visitors.
- If you decline analytics cookies: We only use IP addresses for country-level geolocation. Your analytics will show country-level data only.
IP addresses are retained for 24 hours for rate limiting and security purposes, after which they are deleted or anonymized.
4. Analytics and Tracking
We collect analytics to help you understand how visitors interact with your EPK:
- Page views: How many people view your public EPK
- B2B unlock events: When someone accesses your industry view (timestamp and approximate location)
- Referral sources: How visitors find your EPK
If you enable Google Analytics integration on your EPK (optional), Google's privacy policy applies to that data collection.
5. Cookies
Essential Cookies
These cookies are necessary for the Service to function and cannot be disabled:
- B2B session cookie: Remembers when a visitor has unlocked your industry view (30-day duration)
- Authentication cookies: Keeps you logged into your account
Analytics Cookies
These cookies help us understand how visitors use the Service. They are only set if you accept them:
- Blacklight analytics cookies
- Google Analytics (if enabled by artist)
Your cookie preference is remembered for 12 months. You can change your preference at any time through the cookie banner.
6. Consent Records
When you provide consent (for example, agreeing to our Terms or accepting cookies), we store a record of that consent including:
- The text you agreed to
- Timestamp of your consent
- Your IP address at the time of consent
Consent records are retained for the duration of your relationship with Blacklight plus 3 years, as required by GDPR.
7. Third-Party Services
We use the following third-party services to operate Blacklight:
- Stripe: Payment processing. We do not store your credit card information; Stripe handles all payment data.
- Supabase: Database and authentication infrastructure.
- Twilio: SMS delivery for one-time passcode (OTP) authentication. Twilio processes your phone number solely to deliver login codes and does not use it for marketing.
- Vercel: Website hosting and content delivery.
- Cloudflare: Media storage and content delivery (Cloudflare R2), and spam protection for forms (Cloudflare Turnstile, a privacy-preserving alternative to traditional CAPTCHAs).
- Firebase Cloud Messaging: Push notifications for mobile apps.
- Mailersend: Transactional email delivery (account verification, notifications).
Each of these services has their own privacy policy governing how they handle your data.
8. Legal Basis for Processing (GDPR)
Under GDPR and UK GDPR, we process your personal data based on the following legal grounds:
- Contract performance: Processing necessary to provide the Service you requested (creating your EPK, managing your account, processing payments).
- Consent: Where you have given explicit consent (analytics cookies, newsletter subscriptions, optional data sharing).
- Legitimate interests: Processing necessary for our legitimate business interests (security, fraud prevention, service improvement), balanced against your rights and freedoms.
- Legal obligations: Processing required to comply with applicable laws (tax records, responding to lawful requests from authorities).
You may withdraw consent at any time for processing based on consent. This will not affect the lawfulness of processing before withdrawal.
9. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Process transactions and send related information
- Send you technical notices and support messages
- Respond to your comments, questions, and requests
- Provide analytics about your EPK performance
- Detect, prevent, and address fraud and security issues
- Comply with legal obligations
10. Data Sharing
We do not sell your personal information. We may share your information in the following circumstances:
- Service providers: With third-party vendors who assist us in operating the Service
- Legal requirements: When required by law or to protect our rights
- Business transfers: In connection with a merger, acquisition, or sale of assets
- With your consent: When you explicitly agree to sharing
11. Your Rights (GDPR and UK GDPR)
If you are in the European Economic Area (EEA) or the United Kingdom, you have the following rights under GDPR and UK GDPR:
- Right to access: Request a copy of your personal data
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your data
- Right to restriction of processing: Request that we limit how we process your data
- Right to data portability: Request your data in a portable format
- Right to object: Object to certain processing of your data
- Right to withdraw consent: Withdraw consent at any time
Right to lodge a complaint:You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement (GDPR Art. 77). In the UK, the supervisory authority is the Information Commissioner's Office (ICO).
To exercise any of these rights, contact us at privacy@blklight.net. We may need to verify your identity before fulfilling your request, and we will respond within one month.
Data Export
You can export all your data at any time through your account settings. Your export will include:
- Profile data (JSON format)
- All uploaded media files
- Analytics data (CSV format)
- Inquiry history (CSV format)
- Invoice records (CSV format)
Account Deletion
You can delete your account at any time. Account deletion will permanently remove all your data, including your profile, uploaded content, and analytics. This action cannot be undone.
We process deletion and data export requests within 30 days.
12. US State Privacy Rights
If you are a resident of California or another US state with a comprehensive privacy law, you have the following rights with respect to your personal information:
- Right to know and access: Request disclosure of the personal information we have collected about you
- Right to correct: Request correction of inaccurate personal information
- Right to delete: Request deletion of your personal information
- Right to opt out of sale or sharing: We do not sell your personal information or share it for cross-context behavioral advertising, so there is nothing to opt out of
- Right to non-discrimination: We will not discriminate against you for exercising any of these rights
You may exercise these rights by emailing privacy@blklight.net. You may also designate an authorized agent to make a request on your behalf.
13. Automated Decision-Making
We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
14. Data Retention
We retain your data for as long as your account is active. Specific retention periods:
- Inquiry history and analytics data: Retained according to the retention window of your plan, as shown on our pricing page and in your account settings.
- Audit logs: 2 years minimum (for security purposes)
- Consent records: Duration of relationship plus 3 years
When you delete your account, all associated data is permanently deleted.
15. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit and at rest
- Row-level security at the database level
- Regular security audits
- Access controls and authentication
While we strive to protect your data, no method of transmission over the Internet is 100% secure.
16. International Transfers
Your data may be processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for international data transfers in compliance with GDPR, including the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, adequacy decisions.
17. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or through the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
19. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at: