1. Overview
BlockPhi ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and other applicable privacy laws.
2. Data Controller
BlockPhi is the data controller for personal data collected through this website and service. For enquiries, contact us at the email address listed on our website.
3. Data We Collect
We collect the following categories of personal data:
- Email address — provided when you sign up for terminal access. This is the only directly identifying personal data we collect.
- Newsletter consent preference — a boolean value indicating whether you opted in to receive our newsletter. This is recorded as an explicit, affirmative action (the checkbox is unchecked by default).
- Hashed IP address — your IP address is irreversibly hashed using SHA-256 before storage. We do not store your raw IP address. The hash is retained solely for abuse prevention and compliance record-keeping.
- Source attribution — which part of the site you signed up from (e.g. modal, footer). This is non-identifying and used for analytics.
- Authentication tokens — if you use premium features, session tokens are stored in secure, httpOnly cookies. These are temporary and expire automatically.
4. Legal Basis for Processing (GDPR Article 6)
- Consent (Art. 6(1)(a)) — for newsletter communications. You provide explicit consent by checking the newsletter opt-in checkbox. You may withdraw this consent at any time.
- Contract (Art. 6(1)(b)) — for processing your email to create and manage your terminal access account.
- Legitimate interest (Art. 6(1)(f)) — for abuse prevention (hashed IP storage) and service improvement (source attribution analytics).
5. How We Use Your Data
- To provide and maintain your access to the BlockPhi terminal.
- To send newsletter emails containing market insights and product updates, only if you have explicitly opted in.
- To detect and prevent abuse or fraudulent signups.
- To improve the Service based on aggregate, non-identifying usage patterns.
6. Newsletter and Substack
If you opt in to our newsletter, your email address may be shared with Substack for the purpose of delivering newsletter content. This is done via periodic manual CSV export from our database — there is no automated API connection. Substack's privacy policy governs their handling of your data. You may unsubscribe from the newsletter at any time by contacting us or using the unsubscribe link in any newsletter email.
7. Third-Party Processors
We use the following third-party services to operate the platform:
- Supabase — database hosting (stores your email, consent preference, and hashed IP).
- Vercel — website hosting and serverless functions.
- Whop — membership management and payment processing for premium features.
- Substack — newsletter delivery (only for users who opted in).
Each processor handles data in accordance with their own privacy policy and applicable data protection agreements.
8. Data Retention
Your email and consent data are retained for as long as your account is active. If you request deletion, we will remove your data within 30 days. Hashed IP data is retained for up to 12 months for abuse prevention, after which it is purged.
9. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request restriction of processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — withdraw newsletter consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at the email address listed on our website. We will respond within 30 days.
10. Cookies
We use only essential cookies required for the Service to function:
- Authentication cookies — httpOnly, secure session tokens for logged-in users. These are strictly necessary and do not require consent under GDPR.
- OAuth state cookies — short-lived tokens used during the login process for security (CSRF protection). These expire within minutes.
We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
11. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), hashed IP storage, httpOnly cookie flags, server-side secret management, and row-level security on our database. No system is completely secure, and we cannot guarantee absolute security.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes become effective when posted. We encourage you to review this page periodically. If we make material changes to how we handle personal data, we will notify affected users by email where possible.
13. Contact
For privacy-related enquiries, data access requests, or to exercise your GDPR rights, contact us at the email address listed on our website.