BMETAL.ai
[ Legal & Trust ]

Privacy Policy

Last updated · 24 June 2026

This Privacy Policy explains how BMETAL, Inc. collects, uses, discloses, and safeguards personal data when you visit our websites, communicate with us, or use our services, and the rights and choices available to you. It includes disclosures required by the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

1. Scope and roles

This Policy applies to personal data we process as a controller — that is, where we determine the purposes and means of processing. This includes data about website visitors, prospective and current customers and their personnel, partners, applicants, and other business contacts.

When we process personal data on behalf of a customer as part of providing our compute and inference services, we act as a processor (or service provider). That processing is governed by our customer agreements and our Data Processing Addendum rather than by this Policy. The customer is the controller of that data and responsible for its own privacy notices.

2. Who we are

The controller of your personal data is BMETAL, Inc., a Delaware corporation with offices in San Francisco, California, and New York, New York, United States. You can reach our privacy team at privacy@bmetal.ai.

Where required, we will identify an EU and/or UK representative and our Data Protection Officer (or equivalent contact) and publish their contact details. Until then, all privacy enquiries should be directed to privacy@bmetal.ai.

3. Personal data we collect

Information you provide

  • Identity and contact data: name, business email, company, role, and phone number when you contact us, request access, or enter into an agreement.
  • Account and onboarding data: credentials, and verification information collected under our AML / KYC Policy (for example, business registration details and authorized-signatory information).
  • Communications: the content of messages, support requests, and meeting notes.
  • Billing data: billing contact, addresses, and payment-related details processed by our payment providers.

Information we collect automatically

  • Device and usage data: IP address, browser and device characteristics, pages viewed, referring URLs, and timestamps.
  • Cookies and similar technologies: as described in our Cookie Policy.
  • Service operational data: logs, metrics, and telemetry generated when authorized users access the platform (for security, billing, and reliability).

Information from third parties

We may receive data from business partners, referral sources, sanctions- and identity-verification providers, and publicly available sources, used to evaluate and manage our relationship with you and to meet legal obligations.

We do not seek to collect special categories of personal data through our website, and we ask that you not submit such data to us except where strictly necessary and lawful.

4. How and why we use personal data

PurposeLegal basis (GDPR)
Provide, operate, and secure our websites and servicesPerformance of a contract; legitimate interests
Respond to enquiries and manage the customer relationshipPerformance of a contract; legitimate interests
Identity verification, AML/KYC, sanctions screeningLegal obligation; legitimate interests
Billing, accounting, and fraud preventionPerformance of a contract; legal obligation
Product analytics and service improvementLegitimate interests; consent where required
Marketing communications about our servicesConsent; legitimate interests (existing customers)
Comply with law and enforce our agreementsLegal obligation; legitimate interests

Where we rely on legitimate interests, we balance those interests against your rights and freedoms. You may obtain more information about that balancing by contacting privacy@bmetal.ai. Where we rely on consent, you may withdraw it at any time without affecting prior processing.

5. How we share personal data

We do not sell personal data. We share personal data only as described below:

  • Service providers and processors who support our operations (hosting, analytics, communications, billing, identity verification), bound by contractual confidentiality and data-protection obligations.
  • Professional advisors such as auditors, lawyers, and accountants.
  • Authorities and other parties where necessary to comply with law, respond to lawful requests, or protect rights, safety, and property.
  • Counterparties in a corporate transaction such as a merger, financing, acquisition, or asset sale, subject to appropriate confidentiality protections.

6. International data transfers

We are headquartered in the United States and may process personal data in the United States and other countries. Where we transfer personal data from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary measures where needed. You may request a copy of the relevant safeguards by contacting privacy@bmetal.ai.

7. Data retention

We retain personal data for as long as necessary to fulfill the purposes described in this Policy, including to provide the services, comply with our legal, tax, and accounting obligations (for example, AML records are typically retained for at least five years after the end of the relationship), resolve disputes, and enforce our agreements. When personal data is no longer needed, we delete or anonymize it.

8. How we protect personal data

We maintain administrative, technical, and physical safeguards designed to protect personal data, including access controls, encryption in transit, network segmentation, logging and monitoring, and personnel confidentiality obligations. No method of transmission or storage is completely secure; we work to continually improve our controls and to respond promptly to incidents in accordance with applicable law. To report a security concern, see our Responsible Disclosure policy or email security@bmetal.ai.

9. Your rights (GDPR / UK GDPR)

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you and obtain a copy.
  • Rectify inaccurate or incomplete personal data.
  • Erase personal data in certain circumstances (the “right to be forgotten”).
  • Restrict or object to certain processing, including direct marketing.
  • Data portability — receive your data in a structured, commonly used, machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local supervisory authority.

To exercise these rights, contact privacy@bmetal.ai. We will respond within the time required by law (generally one month under the GDPR). We may need to verify your identity before acting on a request.

10. California privacy rights (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, use, and disclose; to request deletion or correction; and to be free from discrimination for exercising your rights. In the preceding twelve months we have collected the categories of personal information described in Section 3 (identifiers, commercial information, internet activity, professional information, and similar) for the business purposes described in Section 4.

  • We do not “sell” personal information and do not “share” it for cross-context behavioral advertising as those terms are defined under the CPRA.
  • We do not knowingly collect or sell the personal information of consumers under 16 years of age.
  • We use and disclose sensitive personal information only for the purposes permitted by the CPRA, and not to infer characteristics about a consumer.

To exercise your California rights, email privacy@bmetal.ai. You may use an authorized agent to submit a request on your behalf, subject to verification. We will not discriminate against you for exercising your rights.

11. Cookies and tracking

We use cookies and similar technologies as described in our Cookie Policy. You can manage non-essential cookies through our consent banner and your browser settings. Where required, we obtain consent before setting non-essential cookies.

12. Children’s privacy

Our websites and services are intended for businesses and are not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@bmetal.ai and we will take appropriate steps to delete it.

13. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, where required, provide additional notice. Your continued use of our websites or services after the effective date constitutes acceptance of the updated Policy.

14. How to contact us

For questions or to exercise your rights, contact our privacy team at privacy@bmetal.ai, or write to BMETAL, Inc., Attn: Privacy, San Francisco, California, United States.

Questions about this document? Contact legal@bmetal.ai.

BMETAL, Inc. · A Delaware corporation · San Francisco, California, USA.