Security
Last updated June 14, 2026
Bleui is an AI agent for your money, so security is not a feature we bolt on later. It shapes how the whole product works. This page explains the safeguards built into Bleui in plain language: you hold your own keys, your card numbers are never stored with us, and every purchase needs your explicit tap to go through.
Our approach to security
We design Bleui so that the most sensitive parts of your money stay under your control, not ours. The guiding idea is simple: the agent should be powerful enough to do the work of finding and preparing a purchase, but never able to move your money on its own. We combine that with non-custodial key ownership, tokenized payments, encryption, and tight access controls so that a single failure cannot quietly drain your wallet.
Bleui is still pre-launch and available through our waitlist and early access. The safeguards described here are core to the product, and we will keep this page current as we move toward general availability.
Non-custodial by design
Bleui is a non-custodial wallet. That means you hold your own keys, and you alone can authorize what happens with the funds in your wallet. Bleui is not a bank, is not a money transmitter, and does not hold or pool your funds. We cannot reach into your wallet, move balances, or spend on your behalf.
Holding your own keys is what makes Bleui safe, and it also carries responsibility. If you lose access to your keys or recovery method, no one (including us) can restore them for you, because we never had them in the first place. Treat your recovery information the way you would treat the only key to a safe: back it up, keep it private, and never share it with anyone, including people claiming to be Bleui support.
Your card details are never stored
When you add a card, the card number goes straight to our payment processor's vault and is tokenized there. Bleui never sees or stores your raw card number. What Bleui works with is a token, a stand-in reference that lets a charge be prepared without exposing the underlying card details to us.
This keeps the most sensitive payment data out of our systems entirely. Even in the unlikely event of a breach on our side, there are no raw card numbers for an attacker to find, because they live in the processor's vault, not ours.
Per-transaction approval as a security control
Every purchase requires your explicit, per-transaction approval. The agent can search, compare, and prepare an order, but the final step is always yours: nothing is bought until you approve it with one tap. This is not just a convenience. It is a deliberate security control.
Because approval is required for each individual purchase, a confused instruction, a misheard request, or a bad actor trying to push something through cannot result in spending without you seeing exactly what is about to happen and choosing to allow it. If you do not approve, no money moves.
How the AI agent is constrained
The agent only acts on the instructions you give and approve. It is built to prepare purchases, not to execute them on its own and not to invent spending you did not ask for.
- The agent cannot complete a purchase autonomously. The approval tap is a hard gate, not a setting you can switch off to enable automatic spending.
- It works from what you say or type, then shows you what it found and what it intends to do before anything is charged.
- Saved items, receipts, and answers live as objects in your Collections. Saving something is a record-keeping action, not permission to spend.
Encryption in transit and at rest
Data moving between your device and Bleui is protected with strong transport encryption (TLS), so it cannot be read or tampered with as it travels across the network. Data we store is encrypted at rest using industry-standard encryption.
Sensitive payment data is held in our payment processor's vault, as described above, so it is protected by their controls in addition to ours.
Infrastructure and access controls
Bleui runs on reputable cloud infrastructure with security controls such as network isolation, logging, and monitoring. Internally, we follow the principle of least privilege: access to production systems is limited to the people who need it, gated behind authentication, and recorded.
To do its job, Bleui may use third-party AI model providers and payment processors. We use them solely to fulfill your requests (for example, to understand your voice or text in English or Arabic, or to prepare a payment) and we choose providers with their own security commitments. For how we handle the underlying data, see our Privacy Policy.
Keeping your own account safe
Because you hold your keys, the steps you take matter. A few habits go a long way:
- Back up your keys and recovery method, and store the backup somewhere only you can reach.
- Never share your recovery phrase, keys, or approval prompts with anyone. Bleui will never ask you for them.
- Lock your device with a passcode or biometrics, and keep your operating system and the Bleui app up to date.
- Read each approval prompt before you tap. The amount, merchant, and item are shown so you can confirm they match what you asked for.
- If something feels off, do not approve it, and let us know.
Responsible disclosure
If you believe you have found a security vulnerability in Bleui, we want to hear from you. Please email hello@bleui.app with enough detail for us to reproduce the issue, and give us a reasonable window to investigate and fix it before any public disclosure.
We ask that researchers act in good faith: do not access, modify, or delete data that is not yours, do not degrade the service for others, and do not exploit a finding beyond what is needed to demonstrate it. We will not pursue good-faith research conducted under these guidelines.
Incident response
If a security incident occurs that affects you, our priority is to contain it, understand what happened, and tell you what you need to know. We will notify affected users without undue delay and, where the law requires it, the relevant authorities, with clear guidance on any steps you should take.
Because Bleui is non-custodial and never stores raw card numbers, the most sensitive parts of your money sit outside our systems by design, which limits the blast radius of any single incident.
Changes to this page
As Bleui grows and our practices evolve, we may update this page. When we make a meaningful change, we will revise the date at the top. We encourage you to check back from time to time so you stay informed about how we protect your money and data.
Contact
Questions about security, or want to report something? Email us at hello@bleui.app. You can also review our Privacy Policy and Terms for more on how Bleui works.
