Data processing
Last updated June 2026
This is a plain-language overview of how we handle data you process through Bluefield. A signed Data Processing Agreement (DPA) incorporating these terms is available on request for customers who need one.
Roles
For account data (your email and OAuth identifier, billing, and usage records), Bluefield is the controller. For the content we fetch on your instruction — the pages behind the URLs you submit — you are the controller and Bluefield acts as your processor, fetching and returning that content under your direction.
What we process
- Account identifiers: your email address and OAuth provider id.
- Request data: the URLs you submit, request parameters, response metadata, credit consumption, and error codes needed to operate the service.
- Fetched content: the page content returned for your scrape, crawl, map, extract, or watch requests, plus stored captures for watch mode.
- Billing data: subscription state; card details are handled by Stripe, not by us.
Where data is hosted
The managed API runs in the United States (Fly.io, us-east). We do not offer EU data residency on the default hosted tier. A list of the third-party services we use is on our sub-processors page; enterprise customers can request advance notice of material changes.
Retention and deletion
We keep account and usage data for as long as your account is active and as needed to operate the service and meet legal obligations. You can delete your account and personal data yourself from your dashboard (it takes effect immediately and revokes your keys), or request access or correction by emailing privacy@bluefields-data.com. We erase personal data on deletion; some non-identifying billing and audit records are retained where legally required.
International transfers and your responsibilities
Where personal data of EU or UK individuals is processed, transfers rely on appropriate safeguards such as the Standard Contractual Clauses, available as part of a signed DPA. Because you choose which URLs we fetch, you remain responsible for having a lawful basis and purpose for that processing.
Security
We apply technical and organizational measures appropriate to the risk — summarized on our security page — and require our sub-processors to maintain comparable safeguards.
Request a signed DPA
Email privacy@bluefields-data.com or contact our enterprise team.
This overview is provided for transparency and is not legal advice. The signed DPA, where executed, governs.