Privacy policy

Last updated: April 9, 2026

What blockrate.app actually does

blockrate.app receives small JSON payloads from the blockrate library running on your customers' websites. Each payload reports whether specific third-party tools (Optimizely, PostHog, Google Analytics, etc.) were reachable from the visitor's browser. We aggregate that into per-provider blockrate statistics for your dashboard.

We are an analytics tool's analytics tool. We try very hard to collect the minimum data needed to do that one job and nothing else.

What we collect from your visitors

For every event the library reports, we store:

  • Timestamp — when the check ran
  • URL path — the page path the check ran on (no query strings, no hashes; truncated to 2048 chars)
  • Browser family + major version — e.g. "Chrome 131". The raw User-Agent header your visitor sent us is parsed at ingest, the family + major are stored, and the original string is discarded immediately. We do not log it anywhere.
  • Provider name + status — which third-party tool was checked and whether it was reachable
  • Latency — how long the check took, in milliseconds
  • Service label — your own label (e.g. "marketing-site") that you chose when you created the API key

That's the entire list. We do not store IP addresses, cookies, session IDs, geolocation, screen resolution, browser fingerprints, referrers, or anything else.

What we collect from you (the customer)

When you create a blockrate.app account, we store:

  • Your email address (used only for sign-in via magic link)
  • If you use Google or GitHub OAuth: your name and avatar URL (returned by the provider)
  • Session cookies (HTTP-only, SameSite=Lax)
  • Your API keys, hashed (SHA-256). We never store the plaintext of your keys after creation — they're shown to you exactly once.

How long we keep it

Event data is kept for the duration of your plan's retention window:

  • Free — 7 days
  • Pro — 30 days (when available)
  • Team — 90 days (when available)

Older events are deleted automatically by a nightly job. Account data (your email, API keys) is kept until you delete your account.

Your rights

  • Export — download your full event history as CSV from /app/settings
  • Delete — delete your account, API keys, and all associated events from /app/settings → Danger zone. The deletion is immediate and cascading.
  • Access — everything we know about you is visible in the dashboard. There is no secret second profile.

Subprocessors

  • Railway — hosting and managed Postgres
  • Resend — magic-link email delivery
  • Cloudflare — DNS, CDN, TLS termination

We do not use any analytics or product-tracking subprocessors — including, deliberately, our own. We dogfood the OSS library on this site to measure its own block rate, and the data is stored in the same database with the same retention policy.

Self-hosting

If you'd rather not send any data to us at all, the self-hosted server does everything blockrate.app does on your own infrastructure. Your data, your retention, your call.

Contact

Privacy questions go to [email protected]. We aim to respond within two business days.