Privacy Policy
Last updated: 8 June 2026
1. Who we are
BlokBlok (“we”, “us”), operated from the United Kingdom, is the data controller for personal data processed through this site. This policy explains what we collect, how and why we use it, and your rights. For any privacy question or request, contact hey@blokblok.io.
2. The data we collect
- Account: email, username, and password (stored only as a secure hash — we never see your password).
- Profile & settings (some optional): display name, country, and optionally an avatar, phone number, and postal address (used so Sellers can quote shipping).
- Marketplace: store details and logo, listings, orders, and the messages, feedback, forum posts, and catalogue contributions you create.
- Technical: IP address and request metadata, used for security, rate-limiting, and abuse prevention; and an essential cookie to keep you signed in.
We collect this from you directly as you use the Service. We don't buy personal data about you.
3. What's public
BlokBlok is a community platform, so some information is visible to others by design: your username, public profile, feedback record, store and listings (if you sell), forum posts, catalogue contributions (with attribution), and any avatar or store logo you set. Your email, phone, and address are never shown publicly. Direct messages are private (see section 6).
4. How and why we use your data (and our legal bases)
- To provide the Service — accounts, listings, orders, messaging, feedback. Legal basis: performance of a contract with you.
- To keep BlokBlok safe — security, rate-limiting, fraud and abuse prevention, and content moderation. Legal basis: our legitimate interests in running a safe platform.
- To communicate with you — service, order, message, verification, and password-reset emails. Legal basis: contract and legitimate interests.
- To comply with the law where applicable. Legal basis: legal obligation.
Where we rely on legitimate interests, we've weighed those against your rights. You can object — see section 9.
5. Automated moderation
We use automated tools to screen text and images you submit for policy violations. These tools flag content for review — they don't make final, solely automated decisions with legal or similarly significant effects about you; a person reviews flagged items where it matters. If you think something was wrongly actioned, contact us.
6. Direct messages
Member-to-member messages are private. We don't proactively read them. The only time a conversation becomes visible to an administrator is if a participant reports it for abuse — and only that reported thread, so we can act on the report.
7. Marketing
We only send transactional emails (about your account, orders, and messages). We don't send marketing emails, and we won't start without your consent, which you could withdraw at any time.
8. Who we share data with, and international transfers
We don't sell your data. We use trusted providers (“processors”) to run the Service:
- Vercel — website hosting (US).
- Neon — database, hosted in the EU.
- Cloudflare R2 — image storage (US).
- Resend — transactional email (US).
- OpenAI and Google — automated moderation of submitted text and images (US).
- Upstash — temporary store for rate-limit counters.
We also check new passwords against the Have I Been Pwned breach database using a method that never transmits your actual password. Some providers are based outside the UK/EEA (notably in the US); where personal data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum or EU Standard Contractual Clauses, or an adequacy decision.
9. Your rights
Under UK and EU data-protection law you can ask us to:
- provide access to a copy of your data;
- correct inaccurate data (much of which you can edit yourself in settings);
- delete your data, or restrict or object to certain processing;
- provide your data in a portable format;
- withdraw consent, where we rely on it (without affecting prior processing).
Email hey@blokblok.io to exercise these — we'll respond within the legal time limits. If you're in the UK and unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk; EU residents can complain to their local supervisory authority.
10. How long we keep it
- Account & profile: while your account is active; deleted or anonymised within ~30 days of closure.
- Security / rate-limit data: short-lived (counters expire in minutes; logs kept only as long as needed for security).
- Orders & feedback: retained as a public trust record, and where needed to meet legal or tax obligations (in the UK, typically up to 6 years).
- Catalogue contributions: remain in the shared catalogue as a lasting community resource.
11. How we protect your data
We take reasonable technical and organisational measures: passwords are stored only as salted hashes, traffic is encrypted in transit (HTTPS/TLS), access to data is restricted, staff accounts can use two-factor authentication, and new passwords are checked against known breaches. No system is perfectly secure, but we work to keep your data safe.
12. Cookies
We use a small number of essential cookies — to keep you signed in and to protect forms (e.g. against cross-site request forgery). These are strictly necessary for the site to work, so under the Privacy and Electronic Communications Regulations (PECR) they don't require consent. We don't use advertising or third-party tracking cookies. If that ever changes, we'll ask for your consent first.
13. Children
BlokBlok isn't intended for children under 13, and you must be 13+ to hold an account. Because building toys may interest younger users, we aim to follow the principles of the ICO's Age Appropriate Design Code — for example, we don't profile users or use tracking/advertising cookies, and we minimise the data we collect. If you believe a child under 13 has given us personal data, contact us and we'll remove it.
14. Changes & contact
We may update this policy; we'll change the date above and, for significant changes, give notice. See also our Terms of Service. Contact us any time at hey@blokblok.io.