BLOCQ App Privacy Policy
Please note: This English translation is provided for convenience only. Only the German version is legally binding. This privacy policy provides information about the processing of personal data when using the BLOCQ App, the BLOCQ Publishing Service, the Web Companion, the help documentation as well as the license, update and security functions of BLOCQ. It does not serve as a privacy policy for apps that you create and publish yourself using BLOCQ; for these apps, you are responsible as the operator. The presentation is deliberately structured according to roles: BLOCQ processes data partly as its own controller and partly as a processor acting on the instructions of the respective app operator. Which role applies depends on the specific processing operation.
1. Controller and Contact
The controller within the meaning of the General Data Protection Regulation (GDPR) for the own processing operations described in this policy is:
Florian Zandberg, Am Bahnhof 8A, 21739 Dollern, Germany
E-mail for data protection inquiries: datenschutz@blocq.io
Insofar as BLOCQ processes personal data exclusively on behalf of an app operator, the respective app operator is the controller. BLOCQ then acts as a processor within the meaning of Art. 28 GDPR; details are governed by the applicable data processing agreement (DPA).
You also have the right to lodge a complaint with a data protection supervisory authority. The authority regularly responsible for BLOCQ is: Der Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstraße 5, 30159 Hannover, e-mail: poststelle@lfd.niedersachsen.de.
2. What is BLOCQ?
BLOCQ is an app builder for iOS and Android apps. Users can configure their own app without programming knowledge, select modules, test content and optionally have the app published in the app stores via BLOCQ.
The BLOCQ App can generally be used without registering with BLOCQ.
The app configuration is initially stored locally on the device.
For certain functions, publishing, updates, license verification, support, the Web Companion, AI functions or external modules, data may be transmitted to BLOCQ or third-party providers.
The data of the end users of an app you have published generally resides in your own Firebase instance or with the third-party providers you have integrated; BLOCQ has no ongoing access to this, unless support, an update, publishing or another processing operation is commissioned in an individual case.
3. Delineation of Roles: Own Controller and Processor
BLOCQ processes personal data in two legally distinct roles. This distinction is decisive for transparency, data subject rights, legal bases and liability.
| Role | When does this role apply? | Consequence |
| BLOCQ as its own controller | Conclusion of contracts, license management, billing, verification of payment and purchase status, abuse and fraud prevention, IT security, logging, support, communication, Web Companion session management, help documentation and enforcement of its own rights. | For these processing operations, BLOCQ provides information itself pursuant to Art. 13 GDPR and determines the purposes, means, legal bases and retention period. |
| BLOCQ as a processor | AppBuilder mode, development database, Publishing Service, safekeeping and use of signing keys for publications and updates, optional concierge/custom service as well as AI/Magic Setup functions, insofar as personal data is processed in this context that you, as the app operator, provide or have retrieved. | You remain the controller for the data of your app and your end users. You must determine your own legal basis, data subject information, consents, deletion periods and module configuration yourself. BLOCQ processes only on documented instructions and in accordance with the DPA. |
| App operator as controller | Operation of the app you have published, end user accounts, posts, chats, profiles, bookings, payments, location data, push notifications, RSS feeds, maps, smart lock, coupon or other modules. | You need your own privacy policy tailored to your app as well as the required contracts, legal bases and consents vis-à-vis your end users. |
4. Local Use of the BLOCQ App
The basic configuration of your app, in particular appearance, module selection, navigation and drafts, is initially stored locally on your device in an embedded database. This data generally does not leave your device until you use a function that requires a transmission, such as publishing, the Web Companion, AI functions, license verification, support or certain external services.
Insofar as BLOCQ does not receive any data during purely local use, no processing by BLOCQ takes place in that respect. Insofar as technical status data is transmitted to BLOCQ for license, update or security purposes, the following sections apply.
5. App Publishing, Builder System and Signing Keys
When you have your app published or have an update created, the files required for this are transmitted to BLOCQ. In this context, BLOCQ generally acts as a processor, insofar as the data is processed for the creation, signing, submission or updating of your app on your instructions.
App configuration, in particular design, modules, navigation and the export of your local configuration;
Media files, in particular logos, images, icons and other provided media;
Firebase configuration files, in particular GoogleService-Info.plist and google-services.json;
Apple and Google publishing and signing files, in particular API keys, provisioning profiles, service accounts, .p8, .p12 and comparable files;
where applicable, administrator e-mail address, admin PIN or hash values, insofar as required for publishing or administration.
The transmission is encrypted. The files are temporarily stored on a server in Germany (Hetzner, Nuremberg). The actual build, signing and technical submission are carried out via a builder system on a Mac in Germany. The builder system retrieves the required files, uses them exclusively for build, signing, upload and update operations and processes signing files only insofar as this is technically necessary.
Uploaded build files are removed from the server after the build process is completed. Incomplete or orphaned jobs are automatically cleaned up after 14 days at the latest. Signing and build artifacts that are technically necessary for future updates are securely kept on the builder system for as long as you wish to commission BLOCQ with future updates or as long as their retention is not revoked or terminated. You can request the deletion of these keys; thereafter, further updates via BLOCQ are only possible if you provide the required keys again. The keys are treated as trade secrets and protected by appropriate technical and organizational measures.
In the course of publishing, the compiled app binary or the publishing information necessary for store submission is generally transmitted to Apple and Google. Apple, Google and the developer accounts are subject to their own contractual and data protection terms; BLOCQ has no controlling influence over the data processing of these platforms.
6. App Updates, Version Check, License and Block Check
When you request a framework update, or when a published app regularly checks whether updates, license status or block status exist, BLOCQ processes technical license and status data as its own controller, insofar as this processing serves the performance of the contract, license management, abuse prevention, IT security or the enforcement of its own rights.
API key, bundle ID, app version, platform, language/locale and active commercial modules;
License type, Founders status, purchase or transaction ID, time of purchase, subscription status, next billing date and maintenance plan;
Update history, in particular quarterly update consumption and individual update purchases;
Block log in the event of a block or restriction, in particular date, level, reason category and, where applicable, reference to an official or other legal order;
Security logs in the event of suspicious behavior, in particular technical access data, insofar as required for abuse detection.
The purposes are license validation, update entitlement, maintenance and support handling, refund protection, abuse and manipulation prevention, security analysis as well as the technical implementation of legitimate block or restriction decisions in accordance with the Terms and Conditions.
The legal bases are Art. 6(1)(b) GDPR for the performance of the contract, license validation, updates and maintenance, Art. 6(1)(c) GDPR for statutory retention obligations, in particular commercial and tax law documentation obligations, as well as Art. 6(1)(f) GDPR for abuse prevention, refund protection, IT security, block list management and enforcement of legitimate rights. The legitimate interest lies in a secure, license-compliant and abuse-resistant operation of the BLOCQ platform.
License records and purchase-relevant documents are generally retained for the legally required period, regularly up to ten years. Daily ping raw data is aggregated or anonymized after 30 days at the latest. Block logs are stored for the duration of the block and up to three years thereafter for legal defense, compliance documentation and abuse prevention. Security logs of suspicious calls are regularly stored on a rolling basis for 14 days, insofar as no security incident justifies a longer retention.
7. Web Companion at web.blocq.io
The Web Companion makes it possible to edit app content more conveniently in the browser. The connection is only established if you actively use the QR code symbol in the BLOCQ App and scan the code in the browser. No automatic activation takes place.
The browser serves as an input interface; the content itself continues to be written from the smartphone to your Firebase instance or your app infrastructure. In the Web Companion, BLOCQ does not store any content of the API requests, but only technically necessary session and security data.
Session data: random session token, device label, IP address, user agent, timestamp of creation and last activity;
Pairing token: random token valid for 90 seconds as well as, after a successful scan, the IP address and user agent of the browser;
Audit log: timestamp, action name, session token, device ID, success/error, duration in milliseconds and size of the request in bytes; no request content, no IP addresses and no user agent strings in the audit log;
Device entry: random device identifier, associated secret for authenticating the smartphone vis-à-vis the bridge, device label, app identifier and timestamp;
Browser cookie bridge_session: technically necessary httpOnly, secure and sameSite=strict cookie that contains only the session token;
Local browser setting blocq-theme: light/dark mode in the browser's localStorage; this information does not leave the browser and serves only the display setting;
technical server logs for operational security and error analysis.
The purposes are authentication of the browser, session management, protection against abuse, error analysis, secure transmission and provision of browser-based editing. The legal bases are Art. 6(1)(b) GDPR for the provision of the requested function and Art. 6(1)(f) GDPR for security, abuse detection and error analysis. The setting of the technically necessary cookie and the local storage of the display setting take place, where applicable, pursuant to Section 25(2) no. 2 TDDDG, because they are necessary for the function or display expressly requested by the user and do not serve tracking purposes.
Sessions are stored on a rolling basis for 7 days and are extended upon access. Terminated sessions are deleted 30 days after disconnection at the latest. Pairing tokens are deleted after 90 seconds. Audit logs are deleted after 30 days. The server location is Germany (Hetzner, Nuremberg); no intended third country transfer takes place within the scope of the bridge.
You can view web connections at any time in the app under the QR code symbol and terminate them individually or collectively. Directly in the browser, you can view the audit entries of your current session at web.blocq.io/datenschutz/meine-daten, export them as a JSON file or delete them; in doing so, the connection is terminated immediately.
8. AI-Assisted Suggestions and Magic Setup
BLOCQ can provide optional AI functions, in particular for suggestions on app names, store description texts, design, structure, categories and comparable supporting content. AI processing only takes place if you actively trigger the respective function. No automatic or permanent AI analysis of your app takes place.
With the normal suggestion function, you transmit a description of your project, such as target group, category, desired functions, language and style. With Magic Setup, you can additionally specify a website address or an industry or ordering portal. BLOCQ then retrieves publicly visible content of the source you have specified on the server side, such as texts, colors, logo, categories, prices, menus, services or comparable business information, and uses this as a basis for suggestions.
The inputs and retrieved content are first transmitted to a BLOCQ server in Germany and forwarded from there to the AI service provider OpenAI, L.L.C., USA. OpenAI generally receives only the transmitted text and content data; your IP address, device identifier or other technical device data is not specifically transmitted to OpenAI as user data, insofar as this is technically avoidable.
In this context, BLOCQ acts as a processor, insofar as the inputs or retrieved content contain personal data that you, as the controller, provide or have retrieved. You may only specify websites, domains, portals and content that are your own or that you are entitled to use. You may not enter or have retrieved any personal data of third parties, any special categories of personal data pursuant to Art. 9 GDPR, any trade secrets of third parties and any unlawful content, unless there is a sound legal basis and authorization for this. Such data is not required for the generation of app names, store texts and design suggestions.
OpenAI processes data in the USA. For third country transfers, the respective applicable safeguards pursuant to Art. 44 et seq. GDPR are used, in particular a valid certification under the EU-U.S. Data Privacy Framework, where applicable, and/or EU standard contractual clauses pursuant to Art. 46 GDPR. According to OpenAI's current information, inputs and outputs transmitted via the API are not used to train the models, unless an explicit opt-in release is given; a temporary storage for abuse and security purposes may take place depending on the service and the selected settings.
The generated suggestions are stored locally in your BLOCQ App so that you can adopt or discard them. Permanent server-side storage of the suggestions by BLOCQ does not take place, insofar as this is not required and separately justified for error analysis, abuse prevention or support in an individual case.
AI-generated suggestions are non-binding drafts. Before use, publication or submission to app stores, you must independently check them for accuracy, lawfulness, third-party rights, trademark and competition law, data protection, store guidelines and technical suitability.
Notice pursuant to Art. 50 of Regulation (EU) 2024/1689 (AI Act): The suggestions generated via these functions are content artificially generated by an AI system or AI-assisted drafts. BLOCQ marks this content as AI-generated or AI-assisted within the function. Whether and how you use this content is your decision alone. Insofar as you use AI-generated texts in a published app or in the app store, you must check whether additional transparency or labeling obligations apply to you.
BLOCQ does not use these AI functions for automated decisions within the meaning of Art. 22 GDPR concerning you. No assessment of your person, no scoring and no legally significant decision takes place.
9. Help Documentation at docs.blocq.io
Within the app, you can access the help documentation. This is loaded from docs.blocq.io in an embedded browser window. When accessing it, technically necessary connection data is processed, in particular the IP address, date and time of access, the page accessed, the browser or user agent used and server log data.
The purpose is the secure and stable operation of the documentation as well as error analysis. The documentation page does not use any analysis or tracking tools, does not integrate any external services or fonts and does not use any cookies for advertising or analysis purposes. Server log data is deleted after 14 days at the latest. The documentation is hosted at Hetzner in Germany; no intended third country transfer takes place. The legal basis is Art. 6(1)(f) GDPR.
10. In-App Purchases, App Stores and Payment Processing
BLOCQ licenses, maintenance subscriptions and individual updates can be purchased, depending on the distribution channel, via the Apple App Store, Google Play Store or directly from BLOCQ. For purchases via Apple or Google, payment processing is carried out in accordance with the terms of the respective app store. In this respect, Apple and Google generally act as independent controllers.
Transaction ID, product ID, time of purchase, platform, subscription status, expiry date and refund status;
Apple/Google account ID hash or comparable pseudonymous purchase and receipt data;
License type, bundle ID, API key and entitlement status.
BLOCQ processes this data for the performance of the contract, license validation, subscription and update management, payment and refund verification, abuse prevention and statutory documentation. The legal bases are Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. Purchase receipts and accounting-relevant data are stored in accordance with the statutory commercial and tax law retention periods, regularly up to ten years. Non-accounting-relevant license and status data is deleted or anonymized as soon as it is no longer required for licensing, support, legal defense or abuse prevention.
Insofar as personal data is transmitted to Apple or Google in the USA, this takes place in accordance with the respective applicable transfer mechanisms, in particular an adequacy decision for certified recipients, EU standard contractual clauses or other appropriate safeguards.
11. Development Database and Firebase
During app creation, BLOCQ may use its own development database in Google Firebase / Google Cloud. This development database is separate from your own Firebase project and serves demo, test and preview functions in AppBuilder mode. In this context, BLOCQ acts as a processor, insofar as content or end user data of your configured app is processed.
During the creation phase, you may only enter demo and test data. Real personal data of third parties should not be processed until after publication in your own Firebase instance. Special categories of personal data within the meaning of Art. 9 GDPR, such as health data, religious data, trade union data or biometric data, may not be processed in the development database without prior separate written agreement with BLOCQ.
The content and end user data stored in the development database is deleted automatically once you have confirmed the go-live of your app and 14 days have subsequently elapsed. You can request early deletion. The deletion covers the app's data holdings in Firestore and Storage, insofar as they are assigned to the development database.
Firestore, Cloud Functions and Cloud Storage are used in an EU region, in particular Belgium/europe-west1 or the EU. Insofar as Google or affiliated companies carry out third country access or third country processing in the context of support, security, billing, telemetry or service provision, the applicable safeguards pursuant to Art. 44 et seq. GDPR are used, in particular adequacy decisions, EU standard contractual clauses and additional protective measures, insofar as required.
During the build, in particular Firestore, Cloud Storage, Authentication, Cloud Functions and - in published apps - Cloud Messaging may be used. Which Firebase functions are used in your subsequently published app depends on your own module choice and Firebase configuration; you are responsible for this as the app operator.
12. Further Optional External Services
Depending on the function used, further external services may be addressed. These services are only addressed upon actual use of the respective function or the respective module. Insofar as services are used in your published app vis-à-vis end users, you, as the app operator, are responsible for informing the end users and for the legal bases.
The legal bases for BLOCQ's own processing operations are, depending on the function, Art. 6(1)(b) GDPR for the provision of the requested function and Art. 6(1)(f) GDPR for security, error analysis, abuse prevention and technical provision. Insofar as BLOCQ processes on behalf of a controller, your legal bases and the DPA apply.
| Service/Function | Possible data | Notes |
| OpenStreetMap / Nominatim and map tiles | Search terms, address entries, and for technical reasons the IP address and browser/device data. | Use only for map or location searches. Do not enter confidential or unnecessary personal data. |
| GIPHY / GIF selection | Search terms, and for technical reasons the IP address and device data upon retrieval. | Use only if you search for or insert GIFs. The provider and transfer mechanisms are governed by the respective current terms of service. |
| Lorem Picsum / sample images | When retrieving placeholder images, for technical reasons the IP address, user agent, time and retrieved image resource. | Use for preview and demo content. The statement that no personal data is transmitted does not apply to technically necessary access data such as the IP address. |
| Apple App Store Connect / Google Play Console / Google OAuth | Developer-account-related publishing and authentication data, signing and service account files, store status information. | Use within the scope of your developer accounts and in accordance with the terms of the respective platform. In this respect, Apple and Google generally act under their own contractual and data protection terms. |
13. Apps Created and Published by You
When you create and publish an app with BLOCQ, you are the controller for this app and its end user processing within the meaning of Art. 4 no. 7 GDPR. You decide on the purpose, content, modules, target groups, legal bases, retention period, data subject information, consents, legal notice, privacy policy, contracts with third-party providers and technical configuration.
Firebase modules generally use your own Firebase project or the infrastructure you have configured.
End user data of your published app, such as profiles, posts, messages, bookings, payments, location data or push tokens, generally resides in your own Firebase instance or with the third-party providers you have integrated.
After publication, BLOCQ has no ongoing access to this data, unless support, an update, error analysis, concierge, custom service or another processing operation is commissioned by you.
You are responsible for end user requests, deletion, information, consents, legal bases and data protection impact assessments of your app. BLOCQ supports you within the scope of the DPA, insofar as BLOCQ is involved as a processor.
If you activate modules for payments, in-app purchases, push notifications, maps, RSS feeds, location services, smart lock, coupons, abuse prevention or comparable functions, you must map the respective providers used, data categories, purposes, legal bases, retention periods and third country transfers in your own app privacy policy.
14. Minors
BLOCQ is aimed at persons aged 16 and over. BLOCQ does not knowingly collect data from children under the age of 16 as its own users of the BLOCQ App. Should we determine that we are processing personal data of a child without the required basis, we will delete this data, insofar as there is no legal obligation to retain it. If you create an app for children or young people with BLOCQ, you are responsible for the special requirements of your published app, in particular for age-appropriate information, consents of legal guardians, youth protection and privacy-friendly default settings.
15. No Advertising, No Tracking and No Automated Individual Decisions
BLOCQ does not use any advertising SDKs, any third-party analytics, any marketing tracking cookies and any profiling tools for advertising purposes in the BLOCQ App. BLOCQ does not pass on personal data to advertisers.
BLOCQ does not make any solely automated decisions within the meaning of Art. 22 GDPR that produce legal effects concerning you or similarly significantly affect you. License, refund, security and block checks may prepare or implement technical status decisions; legitimate objections can be asserted via the contact channels provided for in the Terms and Conditions and via datenschutz@blocq.io.
16. Recipients, Sub-Processors and Third Country Transfers
Depending on the function, recipients of personal data may be: hosting providers, platform operators, app stores, Google Cloud/Firebase, OpenAI, support and IT service providers, payment and app store providers, legal and tax advisors as well as authorities, insofar as legally required. Insofar as BLOCQ acts as a processor, sub-processors are engaged in accordance with the DPA.
BLOCQ prefers processing in Germany or the EU. Third country transfers, in particular to the USA, only take place insofar as this is required for the respective function and a permissible transfer mechanism pursuant to Art. 44 et seq. GDPR exists. Primarily, an adequacy decision pursuant to Art. 45 GDPR is used, for example for recipients validly certified under the EU-U.S. Data Privacy Framework. Insofar as such an adequacy decision is not applicable, BLOCQ uses appropriate safeguards pursuant to Art. 46 GDPR, in particular EU standard contractual clauses, and reviews any necessary additional technical, organizational or contractual measures.
You can request a copy or summary of the respective applicable safeguards, in particular the EU standard contractual clauses, at datenschutz@blocq.io, insofar as no trade secrets, third-party rights or legal restrictions preclude this.
17. Retention Period
BLOCQ stores personal data only for as long as this is required for the respective purposes or statutory retention obligations exist. The periods mentioned in the preceding sections are decisive in particular: 14 days for many server and security logs, 90 seconds for pairing tokens, 30 days for Web Companion audit logs and daily ping raw data, 14 days after confirmed go-live for development data, up to ten years for purchase and accounting-relevant documents as well as purpose-bound retention of signing and build artifacts for future updates.
Insofar as data is required for the assertion, exercise or defense of legal claims, for the investigation of abuse, for the fulfillment of legal obligations or for the handling of security incidents, a longer storage may take place. Data is deleted or anonymized as soon as the purpose ceases to apply and no retention obligation precludes this.
18. Your Rights
Insofar as BLOCQ is its own controller, you have the following rights in accordance with the statutory requirements:
Access pursuant to Art. 15 GDPR;
Rectification pursuant to Art. 16 GDPR;
Erasure pursuant to Art. 17 GDPR;
Restriction of processing pursuant to Art. 18 GDPR;
Data portability pursuant to Art. 20 GDPR;
Objection to processing based on Art. 6(1)(f) GDPR pursuant to Art. 21 GDPR;
Withdrawal of a given consent with effect for the future;
Complaint to a data protection supervisory authority.
To exercise your rights, please contact datenschutz@blocq.io. Insofar as BLOCQ acts as a processor for you or for the operator of a published app, the respective controller is generally your point of contact; BLOCQ supports the controller in accordance with the DPA.
19. Changes to This Privacy Policy
BLOCQ may adapt this privacy policy if the BLOCQ App, functions, providers, technical processes, legal requirements or the assessment of the processing change. Material changes will be communicated in an appropriate manner in the app or on the BLOCQ websites.
As of: July 2026
As of: July 2026