Privacy Policy

This Privacy Policy explains how Blockly ("Blockly," "we," "us," and "our") collects, uses, discloses, stores, and protects personal information when you access our website, products, and related services (collectively, the "Service"). By using the Service, you acknowledge this Policy and the terms described below.

Blockly is an invitation-only early access platform. Access may be granted, limited, suspended, or revoked at our discretion to preserve platform integrity, user safety, and product quality during beta operation.

If you have privacy or legal questions, contact legal@blockly.website. For invite status or account access matters, contact invites@blockly.website.

1. Scope and Roles

This Policy applies to information processed through the Blockly website and Service. Depending on context, Blockly may act as:

Controller: deciding why and how account and operational data is processed
Processor: processing submitted data under organization or institutional instructions

Where we act as a processor, the relevant customer or institution determines lawful use and handling instructions for their workspace data.

2. Data Minimization

We collect only data that is reasonably necessary to operate, secure, troubleshoot, and improve the Service. We do not sell personal information, and we do not intentionally collect unnecessary sensitive categories of data.

3. Categories of Information We Collect

Depending on your activity, we may collect and process:

Account data: name, email, invite status, organization affiliation, role
Authentication metadata: login timestamps, session identifiers, MFA/verification events, security logs
User content: material you submit, upload, or generate in the Service
Technical and device data: IP address, browser type, operating system, request diagnostics, and reliability metrics
Support and communications: correspondence with support, incident reports, and feedback

We may infer aggregate usage trends, but we do not use those trends to identify individual users when de-identified analysis is sufficient.

4. Lawful Bases for Processing

Where required by applicable law, we process personal data under one or more of these bases:

Performance of a contract and delivery of requested services
Legitimate interests, including fraud prevention, platform security, and service reliability
Compliance with legal obligations
Consent, where specific processing requires it

5. How We Use Information

Provisioning accounts and controlling invitation-only access
Authenticating users and managing sessions
Operating core product features and workspace functions
Detecting abuse, enforcing acceptable use, and investigating incidents
Monitoring performance, diagnosing faults, and improving user experience
Complying with legal obligations and responding to lawful requests
Communicating material updates, security notices, and service incidents

6. Service Providers and Subprocessors

We use carefully selected providers to host and operate the Service. Providers process data under contractual obligations and only for authorized business purposes.

Cloudflare: DNS, CDN, DDoS mitigation, edge security, and traffic delivery
Supabase: Managed PostgreSQL and data platform infrastructure
Clerk: Authentication, identity lifecycle, session management, and account security
Instatus: Service status communication and incident publishing
Short.io: Managed short-link routing and campaign links
Sentry: Error reporting, crash diagnostics, and debugging telemetry
PostHog: Product analytics and usage measurement

Third-party services operate under their own policies and terms, and may process data in jurisdictions outside your place of residence.

8. Data Retention

We retain personal information only for the period necessary to fulfill the purpose for which it was collected, including support, legal, accounting, dispute resolution, and security requirements.

Retention periods are determined using factors such as:

Nature and sensitivity of the information
Operational need and account status
Applicable legal obligations and limitation periods

9. International Transfers

Your data may be processed in countries other than your own. Where legally required, we implement appropriate safeguards for cross-border transfers, such as contractual protections and vendor security commitments.

10. Security Measures

We maintain reasonable administrative, technical, and organizational controls, including:

Encryption in transit using TLS
Access controls and least-privilege administration
Continuous monitoring, logging, and incident response practices
Secure vendor architecture and managed infrastructure controls

No method of storage or transmission is completely secure. We therefore cannot guarantee absolute security.

11. Your Privacy Rights

Subject to applicable law, you may request access, correction, deletion, portability, or restriction of certain processing. You may also object to certain uses of personal data.

To submit a rights request, contact legal@blockly.website. We may request verification information before fulfilling requests.

12. Children and Minors

The Service is not directed to children under 13 (or higher minimum ages where required by local law). If we learn personal information was submitted in violation of this section, we will take steps to delete or de-identify that information.

13. Policy Updates

We may revise this Policy from time to time to reflect product, operational, or legal changes. If changes are material, we may provide additional notice through the Service or by email where practical.

14. Contact

Privacy and Legal: legal@blockly.website
Invitations and Access: invites@blockly.website