Privacy Policy

Blocnet (“we”, “us”, “our”) is committed to being transparent about the data we collect and how we use it. This Privacy Policy explains what information we gather when you use the Blocnet platform, why we collect it, and what choices you have.

If you have questions, email us at contact@blocnet.cc.

We collect the following categories of data:

• Account data. Email address and hashed password when you register. We store only a bcrypt hash of your password — we cannot recover your plaintext password.
• Site content and CIDs. The static files you deploy and the IPFS content identifiers (CIDs) associated with each deployment.
• Node usage metrics. For approved node operators: bytes served per month, total requests handled, and last heartbeat timestamp.
• Stripe payout data. Your Stripe Connect account identifier and payout history (amounts, dates, status). We do not store raw bank account or card numbers — Stripe handles all payment data.
• IP addresses. IP addresses are recorded in audit logs for security events (login, deployment, account deletion, node approval, etc.).
• Transactional email metadata. We record whether transactional emails (sent via Resend) were delivered, but we do not store email body content beyond what Resend retains.

We use the data we collect to:

• Operate and improve the Blocnet platform (authentication, deployments, gateway routing).
• Process monthly payouts to node operators via Stripe.
• Send transactional emails — email verification, password reset, payout confirmation, node approval/suspension notices — via Resend.
• Detect and investigate abuse, fraud, and security incidents.
• Comply with our legal obligations.

We do not use your data for advertising. We do not build behavioural profiles or sell data to third parties for marketing purposes.

We also do not send unsolicited marketing emails. All emails from Blocnet are transactional — directly related to actions you have taken on the platform.

Blocnet uses a single first-party cookie:

• token — an httpOnly, Secure session cookie containing your authentication JWT. It is set when you log in and cleared when you log out. It is used exclusively for authentication. It does not track you across sites, is not accessible to JavaScript, and is never shared with third parties.

We do not use analytics cookies, advertising cookies, or any third-party tracking scripts.

Blocnet relies on a small number of third-party services to operate. Each is described below, along with the data shared with them:

• Stripe. Payment processing and Stripe Connect for node operator payouts. We share your email and payout amounts with Stripe. Stripe may collect additional identity and financial information directly for KYC purposes. See stripe.com/privacy.
• Resend. Transactional email delivery. We share your email address and the content of transactional emails (verification links, reset links, payout notifications) with Resend. See resend.com/privacy.
• Pinata / IPFS. We pin your deployed files to IPFS via Pinata. Once pinned, your content is publicly accessible on the IPFS network by anyone with the CID — this is inherent to how IPFS works. Do not deploy private or sensitive content. See pinata.cloud/privacy.
• Railway. Our API and gateway are hosted on Railway. Your data is stored in a PostgreSQL database managed by Railway. See railway.app/legal/privacy.

We retain your account data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, subject to legal obligations to retain certain records.

Audit logs. Security audit logs (login events, deployment events, node actions) are retained for 6 months in active storage, then archived. Archived records are retained for a further 18 months for fraud investigation and legal compliance, then permanently deleted.

Site CIDs and deployment records associated with your account are deleted when your account is deleted. As noted in our Terms of Service, the underlying IPFS content cannot be removed from the decentralised network.

Depending on your jurisdiction, you may have the right to:

• Access. Request a copy of the personal data we hold about you.
• Correction. Request that we correct inaccurate or incomplete data.
• Deletion. Request deletion of your personal data. You can delete your account directly from the Dashboard at any time, which triggers data deletion. You may also contact us directly.
• Portability. Request your data in a machine-readable format.
• Objection. Object to processing of your personal data in certain circumstances.

To exercise any of these rights, email contact@blocnet.cc. We will respond within 30 days.

We take reasonable technical and organisational measures to protect your data, including bcrypt password hashing, httpOnly cookies, HTTPS everywhere, and least-privilege database access. No system is completely secure. If you discover a security vulnerability, please report it to contact@blocnet.cc.

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above. For material changes, we will notify registered users by email. Continued use of Blocnet after the effective date constitutes acceptance of the revised policy.

Questions or concerns? Email us at contact@blocnet.cc.