Privacy policy

Your email address, used for sign-in (magic link) and for transactional communication tied to your purchase.

Payment metadata returned by Chariow: product ID, purchase status, customer ID. We never see or store your card number — Chariow handles it end-to-end.

Operational logs: IP address, user agent, page accessed and timestamp. Used to debug, fight abuse and detect outages. Rotated automatically after 30 days.

Cookies and local storage strictly necessary for the session (Supabase auth cookies, theme preference). No tracking or advertising cookies.

If you generate a registry token under /account/registry-token, we store a SHA-256 hash of the token (not the token itself), the date it was created, the date it was last used and the date it was revoked. The hash isn't reversible — if you lose the token, we can't recover it.

To deliver the product you paid for: gate Pro blocks behind your account, install Pro source via the shadcn CLI, list and revoke registry tokens.

To comply with legal obligations: invoicing, tax reporting, anti-fraud.

To improve the product: aggregate anonymous analytics (page views, install volume) help us decide what to build next.

Supabase Inc. — hosts the database that stores user accounts and registry tokens. EU-hosted instance.

Chariow — payment processor. Stores the relationship between your email and your purchase.

Resend — outbound email (magic-link sign-in). Receives your email address at send time only.

Vercel Inc. — application hosting and analytics. Receives anonymous traffic metadata.

Dicebear — generates your account avatar from a hash of your email; no identifying data is sent.

ipapi.co — fallback for country detection when the Vercel geo header isn't available. Receives your IP, returns a country name.

Each processor is bound by their own data-processing agreement, available on their website.

Account data is kept for as long as your account is active. If you ask us to delete it, we remove it within 30 days, except for records we are legally required to retain (e.g. invoices — kept for the duration imposed by the local tax authority, typically up to 10 years).

Operational logs rotate every 30 days.

Revoked registry tokens stay in our database with a revoked_at timestamp so we can investigate abuse, but they are no longer accepted on requests.

Under the GDPR and similar laws (CCPA, etc.) you can request to access, rectify, port or delete the personal data we hold about you. You can also object to specific processing or restrict it.

To exercise any of these rights, write to leonelngoya@gmail.com. We respond within 30 days at the latest.

You can lodge a complaint with your local data-protection authority if you believe we are mishandling your data — this is your right and using it doesn't prevent us from talking it through with you first.

Some of our processors (Vercel, Resend, Chariow, Dicebear, ipapi.co) operate from the United States or other countries outside the EU. We rely on Standard Contractual Clauses approved by the European Commission for these transfers.

If you want the list of countries where your data may transit, write to us — we will share it.

blockus is not directed at users under 16. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we will remove the account.

We may update this page to reflect changes in our practices or in the law. Material changes will be announced at the top of the page and, when relevant, via email.

Continued use of blockus after a change means you accept the updated policy.

Questions, requests, complaints: leonelngoya@gmail.com.

Data controller: Leonel Ngoya.