Privacy
Blincr records browsing trails — that only works if you can trust where they live. Our governing rule:
What blincr doesn’t have to know, centrally it won’t know.
Your browser is the primary store of your trails. Blincr’s servers hold only what a feature genuinely needs — and this page is generated from the same catalog our code enforces, so it cannot drift from reality.
You can also create and run page watchers (“blincrs”) with no account at all — they run entirely in your browser. blincr.com only steps in to check a trail for malicious sites before you share it with someone else, or to run a watcher around the clock. See the Autonomy Ladder for the full picture.
Where a trail can live
Every trail is in exactly one tier. You move it between tiers explicitly — nothing is uploaded or published on your behalf.
t0Private (default)
Server cannot readYour browser only (extension storage)
Trails you capture stay in your browser. Nothing about their content exists on blincr's servers — blincr cannot see, index, or recover them.
t1Backed up
Server cannot readEncrypted blob on blincr storage + your browser
You can back a trail up for restore/device-sync. It is encrypted in your browser before upload; blincr stores ciphertext it cannot read. If you lose your key, blincr cannot recover the content — there is no key escrow.
t2Shared privately
Server cannot readEncrypted blob on blincr storage + recipients' browsers
Private shares travel as ciphertext; the decryption key rides in the share link's #fragment, which browsers never send to servers. Recipients decrypt in their own browser. Blincr can revoke distribution (kill the link) but can never read the trail.
t3Published
Server can readPlaintext on blincr storage
Publishing is an explicit act that makes the trail world-readable. Only published trails power the social features: feed, search, previews, embeds, analytics. Server-side features are the price of publishing — never a backdoor into the private tiers.
What our servers hold, and why
The complete list — one entry per kind of data, with why it exists and how long it is kept. If it is not on this list, blincr does not hold it.
| Data | Why | Kept | Applies to |
|---|---|---|---|
Account & sign-in Email, display name, AccountRevenue (ARC) account id, session tokens | Signing you in and linking your subscription/billing (handled by ARC) | Life of the account; sessions expire and are deleted within 30 days | All tiers |
Backed-up & privately shared trails Encrypted blobs, share tokens, blob sizes and timestamps | Storing and distributing what you chose to back up or share — as ciphertext blincr cannot read | Until you delete them; unshared orphan blobs are garbage-collected 12 months after last access | T1 · T2 |
Published trails Full trail content in plaintext (pages, events, notes, extracted content) | Publishing means asking blincr to show the trail to the world — feed, search, previews, embeds | Until you unpublish or delete | T3 |
Blincrs (page watchers) Watched page URL, what to extract (the recipe), last observed value, check history | The watcher fetches the page on your behalf on a schedule — it must know what to watch | Until you delete the blincr; raw check history kept 30 days | All tiers |
Live co-browse sessions Browse events relayed in-memory through the session room while the session runs | Real-time sync between participants requires relaying events; they are not written to server storage unless the owner saves the trail | Wiped when the session room closes | All tiers |
Social graph & engagement Follows, reactions, comments, collections referencing published trails | The social product: who follows whom, and discussion on published content | Life of the account; removed with the referenced trail or account | T3 |
Creator analytics Privacy-safe view records on published trails (no visitor identity) | Creator dashboards: views, completion, referrers, coarse geography | Raw records aggregated after 90 days | T3 |
Audit log Account-level activity entries (sign-ins, session starts) | Letting you see and verify activity on your own account | Until you delete entries or the account | All tiers |
Honesty about metadata
Even for encrypted tiers, blincr's servers necessarily observe operational metadata: that your account uploaded a blob of a certain size at a certain time, and when a share link is fetched (including the fetcher's IP, as with any web request). Blincr minimizes what it can know; it does not claim magic.
No key escrow
Encryption keys for backed-up and privately shared trails live only with you. Blincr cannot read those trails and therefore cannot recover them if you lose your key — export a recovery phrase and keep it safe. We consider this a feature, not a limitation.
Your controls
- Trails are private by default; publishing is always an explicit, previewed act.
- Unpublish or delete any trail at any time — social references to it are removed.
- Export everything from the extension at any time (your data is portable).
- Delete your account to remove every server-side record listed above.
Questions or data requests: info@blincr.com. This page reflects the deployed code’s data catalog and updates with it.