Privacy Policy
Last updated: April 23, 2026
BlockJot (“we”, “us”, “our”) operates the blockjot.com website and application. This Privacy Policy explains what data we collect, how we use it, and your rights under the EU General Data Protection Regulation (GDPR).
What we collect
- Account data: email address, display name, and profile picture — obtained from Google when you sign in via Google OAuth.
- Content data: notes, pages, and all content you create in BlockJot (text blocks, headings, lists, code blocks, quotes, images). Images are stored directly in our database (max 10 MB per image). Content is auto-saved continuously as you type.
- Payment data: subscription plan, billing status, and payment history — processed by Stripe. We never see or store your card number.
- Usage data: pages visited, features used, and interaction patterns — collected via PostHog analytics.
- Technical data: IP address, browser type, device type, and access timestamps — collected automatically via server logs.
How we use it
- To provide the service: authentication, content storage and retrieval, subscription management.
- To process payments: subscription billing via Stripe.
- To send transactional emails: welcome messages, billing notifications, and account alerts via Resend.
- To understand usage patterns: anonymous product analytics via PostHog, helping us improve BlockJot.
- To maintain security and reliability: monitoring errors, preventing abuse.
Legal basis for processing (GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the service | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Analytics | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails | Legitimate interest (Art. 6(1)(f)) |
| Security and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
Data processors (third parties who handle your data)
| Processor | Purpose | Data shared |
|---|---|---|
| Authentication (OAuth) | Email, name, profile picture | |
| Stripe | Payment processing | Email, subscription data |
| PostHog | Product analytics | Anonymized usage events |
| Resend | Transactional email | Email address |
| Hetzner | Infrastructure hosting (EU) | All data (encrypted at rest) |
Cookies and tracking
BlockJot uses:
- Session cookies: essential for authentication. Cannot be disabled.
- PostHog analytics: uses cookies to track anonymized usage. You can opt out by contacting us.
We do not use advertising cookies or sell data to third parties.
Data storage and security
- All data is stored on Hetzner servers located in the European Union.
- Data is stored in PostgreSQL databases with encrypted connections.
- Access to production systems is restricted to the sole operator.
- No AI or machine learning processing is performed on your content.
Your rights (GDPR)
As an EU resident, you have the right to:
- Access your personal data — request a copy of all data we hold about you.
- Rectification — correct inaccurate data.
- Erasure (“right to be forgotten”) — request deletion of your account and all associated data.
- Data portability — receive your data in a structured, machine-readable format.
- Restrict processing — limit how we use your data.
- Object to processing — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email privacy@blockjot.com.
We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the French data protection authority.
Data retention
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account |
| Content (notes, pages, images) | Until you delete your account |
| Trashed content | 30 days after trashing, then permanently deleted |
| Payment records | 10 years (French accounting law) |
| Analytics data | 12 months |
| Server logs | 90 days |
When you delete your account, all personal data and content is permanently erased within 30 days.
International transfers
Your data is processed and stored exclusively within the European Union. We do not transfer data outside the EU except through our third-party processors (Google, Stripe, PostHog), who maintain adequate safeguards per GDPR Chapter V.
Children
BlockJot is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. Continued use of BlockJot after such notice constitutes acceptance.
Contact
For privacy-related questions or requests:
Email: privacy@blockjot.com
Operator: OMU SAS
Location: France, EU