Privacy policy

Last updated: April 10, 2026

What blockrate.app actually does

blockrate.app receives small JSON payloads from the blockrate library running on your customers' websites. Each payload reports whether specific third-party tools (Optimizely, PostHog, Google Analytics, etc.) were reachable from the visitor's browser. We aggregate that into per-provider blockrate statistics for your dashboard.

We are an analytics tool's analytics tool. We try very hard to collect the minimum data needed to do that one job and nothing else.

What we collect from your visitors

For every event the library reports, we store:

  • Timestamp — when the check ran
  • URL path — the page path the check ran on (no query strings, no hashes; truncated to 2048 chars)
  • Browser family + major version — e.g. "Chrome 131". The raw User-Agent header your visitor sent us is parsed at ingest, the family + major are stored, and the original string is discarded immediately. We do not log it anywhere.
  • Provider name + status — which third-party tool was checked and whether it was reachable
  • Latency — how long the check took, in milliseconds
  • Service label — your own label (e.g. "marketing-site") that you chose when you created the API key

That's the entire list. We do not store IP addresses, cookies, session IDs, geolocation, screen resolution, browser fingerprints, referrers, or anything else.

What we collect from you (the customer)

When you create a blockrate.app account, we store:

  • Your email address (used only for sign-in via magic link)
  • If you use Google or GitHub OAuth: your name and avatar URL (returned by the provider)
  • Session cookies (HTTP-only, SameSite=Lax)
  • Your API keys, hashed (SHA-256). We never store the plaintext of your keys after creation — they're shown to you exactly once.

How long we keep it

Event data is kept for the duration of your plan's retention window:

  • Free — 7 days
  • Pro — 30 days
  • Team — 90 days

Older events are deleted automatically by a nightly job. Account data (your email, API keys) is kept until you delete your account.

Roles: controller and processor

When you install the blockrate library on your website, you are the data controller — you decide which providers to check, on which pages, and for what purpose. blockrate.app acts as your data processor under GDPR Article 28, processing visitor data solely on your behalf and according to your instructions. Our Data Processing Agreement governs this relationship and is automatically accepted when you use the service.

Consent-free by design

blockrate is designed to work without a cookie banner. It does not set cookies, does not write to localStorage or sessionStorage (by default), does not store IP addresses, and does not perform cross-site tracking. This places it in the same category as privacy-first analytics tools (like Plausible and Fathom) that qualify for the CNIL's audience measurement exemption from consent requirements.

Legal basis for processing

Visitor data — as data processor, we process visitor data on your documented instructions. As data controller, you will typically rely on legitimate interest (GDPR Article 6(1)(f)): understanding whether third-party tools your site depends on are being blocked is a legitimate operational concern, and the processing is minimal with negligible impact on data subjects.

Customer account data — processed under contract performance (Article 6(1)(b)): we need your email and API keys to provide the service you signed up for.

Visitor identification and Article 11

blockrate does not collect direct identifiers — no IP addresses, cookies, user IDs, or persistent identifiers of any kind. The data we store (page path, browser family + major version, provider status, latency, timestamp) cannot identify an individual visitor, even when combined.

Under GDPR Article 11, we are not required to process additional information solely to identify data subjects for the purpose of complying with access or erasure requests. If you believe your data is in our system and can provide information that enables identification, contact [email protected].

International data transfers

blockrate.app is hosted on Railway in the United States. Personal data transferred from the EU/EEA to the US is protected by the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), incorporated into our DPA.

Your rights

As a customer (account holder), you can:

  • Export — download your full event history as CSV from /app/settings
  • Delete — delete your account, API keys, and all associated events from /app/settings → Danger zone. The deletion is immediate and cascading.
  • Access — everything we know about you is visible in the dashboard. There is no secret second profile.

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed unlawfully.

Subprocessors

  • Railway — hosting and managed Postgres
  • Resend — magic-link email delivery
  • Cloudflare — DNS, CDN, TLS termination

We do not use any analytics or product-tracking subprocessors — including, deliberately, our own. We dogfood the OSS library on this site to measure its own block rate, and the data is stored in the same database with the same retention policy.

Self-hosting

If you'd rather not send any data to us at all, the self-hosted server does everything blockrate.app does on your own infrastructure. Your data, your retention, your call.

Contact

Privacy questions go to [email protected]. We aim to respond within two business days.