App Privacy Policy

This privacy policy informs you about the processing of personal data when using the BLOCQ app.

1. Data Controller

The data controller for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

Florian Zandberg

Am Bahnhof 8A, 21739 Dollern, Germany

Email: datenschutz@blocq.io

2. What is BLOCQ?

BLOCQ is an AppBuilder - an application for creating your own native iOS and Android apps without coding skills.

  • Free download from the App Store
  • No registration or user account with BLOCQ required
  • App configurations are initially stored locally

3. Data Storage

Your app configuration is initially stored locally on your device in an ISAR database.

When you activate modules that require Firebase (e.g., Feed, Chat, Profiles), you must connect YOUR OWN Firebase instance. The corresponding data is then stored in your own Firebase project at your request - not with BLOCQ.

During regular use, no data is transmitted to BLOCQ servers.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

4. App Publishing

When you want to publish your app, the following data is transmitted to our server:

  • App configuration (ISAR export)
  • Media files (logos, images, icons)
  • Firebase service files (GoogleService-Info.plist, google-services.json)
  • Store certificates and signing files (API keys, provisioning profiles, service accounts)

Server location: Germany (WebGo).

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

Processing

Your data is processed on a Mac in Germany. Your app is compiled and then submitted to the stores.

Only the compiled app binary is transmitted to Apple/Google. Raw data and configurations are not transmitted separately.

Retention Period

  • Server logs: 14 days
  • Server files: Until deletion upon request
  • Signing files: Stored for future updates (deletion upon request)

Signing Files Storage (Data Processing)

You provide us with your certificates and signing files (API keys, provisioning profiles, service accounts). These are used for publishing in your name and stored for future updates. Deletion is available upon request at any time.

BLOCQ acts as a data processor pursuant to Art. 28 GDPR.

5. App Updates

When you request a framework update for your app:

  • Authentication is done with API key and Admin PIN
  • No new file upload required
  • Stored data from the initial release is reused

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

6. Version Check

Your published app can automatically check if BLOCQ updates are available. Your API key is transmitted for this purpose.

Purpose: Information about available security and feature updates.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security updates).

6b. Web Companion (web.blocq.io)

BLOCQ offers an optional web companion at web.blocq.io that lets you edit your app's content from a browser. The connection is only established when you actively tap the QR-code icon in the app and scan the code in the browser — there is no automatic activation.

Purpose

More convenient editing of your own app's content via a computer keyboard. The browser is used purely as an input surface; all data is still written from the phone to your Firebase instance.

What is stored on the bridge server?

  • Sessions table: a random session token, a device label (e.g. "Chrome on MacBook"), the IP address, the user-agent string, and timestamps for creation and last activity.
  • Pairing tokens (valid 90 seconds): a random token plus, after a successful scan, the IP and user-agent of the browser.
  • Audit log (pseudonymised): for each action a timestamp, the action name (e.g. "wiki.create"), the session token, the device ID, success/error, duration in milliseconds, and the size of the request in bytes.

What is explicitly NOT stored

  • Contents of API requests — only the size in bytes is recorded.
  • IP addresses or user-agent strings inside the audit log.
  • Real names, email addresses, or other personally identifiable content of the data you edit.
  • Browser fingerprints, tracking cookies, or any third-party analytics.

Retention

  • Sessions: 7 days, rolling (extended on each access). Disconnected sessions are deleted at the latest 30 days after disconnect.
  • Pairing tokens: 90 seconds, then deleted automatically.
  • Audit log: 30 days, then deleted automatically.

Storage location

Server in Germany (Hetzner, Frankfurt). No transfer to third countries via the bridge.

Processing purpose

Session data is used solely to authenticate the browser. The audit log is used for error analysis and to detect abusive usage (e.g. a compromised browser tab repeatedly triggering write operations).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a stable, secure service). Processing is limited to what is technically necessary.

Your rights

You can review your active web connections at any time in the app under the QR-code icon and end them individually or all at once. Ending a session invalidates it immediately and removes it completely after 30 days.

Manage your data yourself

Directly in the browser, you can visit web.blocq.io/datenschutz/meine-daten at any time to review which audit entries are stored for your current session, download them as a JSON file (right of access, Art. 15 GDPR), or erase them irreversibly (right to erasure, Art. 17 GDPR). The connection is ended immediately when you erase them.


6c. blocq Server (License Management and Block Check)

As soon as you purchase a Business License, publish your app, or obtain an update, the app communicates with the blocq server. This server manages license, update and block information exclusively — it does not contain any app content or end-user data of your published app.

Storage location

All data is stored on a server in Germany (WebGo, Frankfurt am Main data center). No data is transferred to third countries.

What data is stored?

  • License registration: API key, Bundle-ID (e.g. com.example.app), license type (Private/Business), founders status, Apple/Google transaction ID, purchase timestamp.
  • Maintenance subscription: subscription status (active/cancelled/expired), next billing date, subscription tier (Solo €49 / Pro €99).
  • Update history: quarterly update consumption per license (e.g. "Q2/2026 used"), list of single-update purchases including transaction ID and date.
  • Daily Ping (once a day, if the app is online): API key, Bundle-ID, app version, platform (iOS/Android), locale (de/en), list of active commercial modules. No end-user IDs, no content, no IPs from your app.
  • Block log: if an app is blocked by us (e.g. for unlawful content pursuant to §5a ToS), we store the date, stage (silent/banner/hard), reason category and, where applicable, reference to an official order.

Purpose of processing

  • License validation: verification that the installed app holds a valid Business License and is entitled to the commercial modules used.
  • Update entitlement: verification of whether the current quarter has already consumed a free update or whether a paid single update applies.
  • Refund protection: on an Apple/Google refund the license is automatically withdrawn to prevent abuse.
  • Block enforcement: on a legitimate block pursuant to §5a ToS we ensure that the app receives the block status and reacts accordingly.

What is explicitly NOT stored

  • End-user data of your app (profiles, posts, messages, etc.) — these remain in your own Firebase instance.
  • IP addresses from regular license or block-check requests (only for security logs in case of suspicious behavior, temporarily for 14 days).
  • Real names, addresses or contact data of your app's end users.

Retention

  • License records and purchase receipts: 10 years pursuant to §257 HGB (statutory retention obligation for accounting receipts).
  • Daily Ping data: aggregated after 30 days (individual pings are anonymised and converted into monthly statistics), raw data deleted thereafter.
  • Block log: for the duration of the block plus 3 years thereafter (for documentation toward authorities and internal compliance).
  • Security logs (suspicious calls): 14 days, rolling.

Legal basis

  • Art. 6(1)(b) GDPR (performance of contract) — for license validation, update entitlement and maintenance subscription.
  • Art. 6(1)(c) GDPR (legal obligation) — for the 10-year retention of purchase receipts pursuant to §257 HGB.
  • Art. 6(1)(f) GDPR (legitimate interest) — for refund protection, block enforcement and security logs.

Your rights

You can request information about the data stored under your API key at any time, request rectification, or request deletion of your license data. The latter is possible after expiry of the 10-year HGB retention period for purchase receipts; non-accounting data (daily pings, block logs after the end of the 3-year period) can be deleted on request before then. Send requests to datenschutz@blocq.io.

7. In-App Purchases and License Management

For our own in-app purchases (Business License, Maintenance, Single Update) BLOCQ does not use a third party such as RevenueCat. Processing is carried out exclusively via the Apple App Store and Google Play Store. Receipt validation takes place directly between our server in Germany and Apple or Google.

  • Payment processing: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA / Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Processed: transaction ID, product ID (e.g. blocq_business_founders_v2), Apple/Google account ID hash, purchase timestamp, expiry date (for subscriptions), platform (iOS/Android), refund status where applicable.
  • Data transfer to USA: Apple and Google are subject to the EU-US Data Privacy Framework or use Standard Contractual Clauses (Art. 46 GDPR).
  • Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest in preventing refund abuse).

Privacy policies: revenuecat.com/privacy

8. Firebase (Google Cloud)

In AppBuilder mode, BLOCQ uses its own Firebase project for demo data and test functions. This is separate from your own Firebase project.

  • Firestore database: Region eur3 (Belgium/Netherlands) - EU storage
  • Cloud Functions: us-central1 (Iowa, USA)
  • Cloud Storage: us-central1 (Iowa, USA)
  • Data transfer to USA: EU Standard Contractual Clauses (SCCs)
  • Legal basis: Art. 6(1)(b) GDPR (performance of contract)

Privacy policy: firebase.google.com/support/privacy

9. No User Accounts

BLOCQ does not create user accounts. No registration or login is required. The app uses simulated authentication only for development purposes. We do not collect personal data for account management.

10. Apps You Create

Publishing Model

  • You need your own Apple Developer and Google Play Developer accounts
  • You provide us with your certificates and signing files for app publishing
  • We publish the app in your name under your account
  • BLOCQ is a data processor (service provider) within the meaning of GDPR

Your Responsibility

  • If you activate Firebase modules, they use your own Firebase project
  • When using Firebase, ALL user data resides on your own Firebase instance - not with BLOCQ
  • You are the data controller within the meaning of GDPR for your own app
  • You are obligated to create your own privacy policy for your app
  • BLOCQ has no access to data in your app after publishing

11. Minimum Age

BLOCQ is intended for users aged 16 and older. We do not knowingly collect data from children under 16. If we learn that we are processing data from a child, it will be deleted immediately.

12. No Advertising/Tracking

  • No advertising SDKs integrated
  • No analytics or tracking tools
  • No marketing emails or push notifications
  • No sharing of data with advertisers

13. Your Rights

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to lodge a complaint with the supervisory authority

Contact: datenschutz@blocq.io

14. Changes

We reserve the right to adapt this privacy policy. Changes will be communicated in the app.

Last Updated: May 2026