Legal

Privacy Policy

BloxPlan is based in Quebec, Canada and is subject to Canadian federal privacy law (PIPEDA) and Quebec's privacy legislation (Law 25 / Bill 64). This policy explains what personal information we collect, why we collect it, and how you can exercise your rights. It is written in plain language — not legal jargon.

Last updated: May 15, 2026 | Quebec, Canada | Not legal advice

Section 1

What personal information we collect

We collect personal information only when it is reasonably necessary to provide our services. Here is what we may collect:

Account information

  • Email address — required to create an account and send you important notices about your account.
  • Username or display name — used to identify your account within BloxPlan.
  • Password (hashed) — stored only in hashed form; we do not have access to your plaintext password.

User-generated content

  • Saved projects and game plans — the planning content you create and save inside BloxPlan.
  • AI generation prompts and outputs — text you enter into AI-assisted features and the responses generated.

Usage and technical data

  • IP address and general location — collected automatically when you visit our site.
  • Browser type and device information — used for security and compatibility.
  • Pages visited, clicks, and feature usage — used to understand how the product is being used.
  • Session data and timestamps — used for debugging, security, and analytics.

Payment information (future)

  • Billing email and payment method details — collected by Stripe on our behalf when you subscribe to a paid plan. We do not store full card numbers. See Section 7.

Support communications

  • Messages you send us — emails or support requests you submit, including any information you include in those messages.

Section 2

Why we collect it — our purposes

We collect personal information only for specific, legitimate purposes. We do not collect data "just in case" or sell it to third parties.

  • To provide the service — creating and maintaining your account, storing your saved projects, and delivering AI-generated content.
  • To communicate with you — sending account-related notices (email confirmations, password resets, important policy updates).
  • To improve BloxPlan — analysing how features are used so we can fix problems and build better tools.
  • To process payments — billing for paid plans via Stripe (when payments are enabled).
  • To provide support — responding to questions, bug reports, or issues you contact us about.
  • To comply with the law — meeting our obligations under PIPEDA, Quebec Law 25, and any other applicable laws.
  • To protect security — detecting and preventing fraud, abuse, or unauthorised access.

We will not use your personal information for unrelated purposes without asking for your consent first.

Section 3

How we collect personal information

  • Directly from you — when you create an account, fill out a form, use a feature, or contact us.
  • Automatically — through cookies, analytics tools, and server logs when you use our site or app.
  • Through third-party tools — Supabase (authentication), Stripe (payments), and analytics providers may collect technical data as part of delivering our service. See Section 8.

Under Quebec Law 25, we will not place non-essential cookies or tracking technologies on your device without your explicit consent. A cookie preference tool will be implemented before BloxPlan's public launch.

Section 4

AI-powered features and generated content

BloxPlan uses third-party AI providers (currently Anthropic's Claude API) to power features like game plan generation, description writing, and monetization suggestions. Here is what you should know:

  • Your prompts are sent to Anthropic — when you use an AI feature, the text you provide (your prompt) and the response generated are transmitted to Anthropic's servers for processing.
  • Your data is not used to train AI models — under our commercial agreement with Anthropic, your inputs and outputs are not used to train or improve Anthropic's models. API logs are retained by Anthropic for a limited period (currently up to 7 days) for safety and operational purposes.
  • Do not include sensitive personal information in prompts — AI features are designed for game planning content. Avoid entering sensitive personal data (health info, financial details, passwords, etc.) into AI generation fields.
  • Generated content is not professional advice — AI outputs are starting points and creative suggestions, not legal, financial, or professional advice.

If we change AI providers in the future, we will update this policy and inform you as appropriate. For more on how Anthropic handles data, see Anthropic's Privacy Policy.

Section 5

How saved projects are stored

When you save a project in BloxPlan — including game plans, monetization ideas, thumbnail briefs, and descriptions — that content is stored in our database managed by Supabase.

  • Your content belongs to you — we do not use your saved projects for any purpose other than providing the service to you.
  • Encryption at rest — your project data is encrypted at rest using AES-256 encryption via Supabase's infrastructure.
  • Encryption in transit — all data transmitted between your device and our servers uses TLS (HTTPS).
  • Access controls — only you can access your projects. BloxPlan staff may access project data only when strictly necessary for support or security purposes, and only on a need-to-know basis.
  • Deletion — when you delete a project, it is removed from the database. Residual copies in backups are overwritten within standard backup rotation cycles.

Section 6

Analytics and usage tracking

We use analytics to understand how BloxPlan is being used, which features are most valuable, and where we should focus improvements. This is in our legitimate interest as a product team.

  • What we track — pages visited, features clicked, session length, errors encountered, and general usage patterns.
  • What we do not track — we do not track the content of your game plans or the specific text in your AI prompts for analytics purposes.
  • Anonymisation — where possible, analytics data is aggregated and anonymised so it cannot be linked back to individual users.
  • Third-party analytics tools — if we use a third-party analytics provider (such as PostHog or Vercel Analytics), it will be listed in Section 8.

You may opt out of non-essential analytics tracking at any time. When you first visit BloxPlan, a cookie consent banner lets you choose Essentials Only to disable analytics. To reset your choice, clear your browser data for bloxplan.app and the banner will reappear. You can also contact us at privacy@bloxplan.app.

Section 7

Payment processing through Stripe

BloxPlan does not currently charge for access. When paid plans are introduced, payment processing will be handled by Stripe, a PCI-DSS Level 1 certified payment processor.

  • What Stripe collects — payment card details, billing address, email, and transaction data. Stripe uses tokenisation — your full card number is never stored on BloxPlan's servers.
  • What BloxPlan sees — we receive a token reference, the last four digits of your card, your billing email, and transaction status. We do not handle or store raw card data.
  • Stripe's independent privacy practices — Stripe is an independent data controller for the data it processes. Their practices are governed by Stripe's Privacy Policy.
  • Cross-border processing — Stripe is a US-based company. Payment data may be processed outside Canada. Stripe maintains a Data Processing Agreement and participates in the EU-U.S. Data Privacy Framework.

We will update this section when paid plans become available and will seek appropriate consent before processing payment information.

Section 8

Third-party services we use

BloxPlan relies on the following third-party service providers to operate. Each provider has its own privacy policy and, where applicable, we have entered into or will enter into a Data Processing Agreement (DPA) with them.

Supabase
Database & Authentication

Stores your account information, authentication credentials, and saved project data. Data is encrypted at rest (AES-256) and in transit (TLS). Supabase is hosted on AWS infrastructure. Supabase Privacy Policy →

Vercel
Hosting & Deployment

Hosts and delivers BloxPlan's website and application. Vercel processes technical data (IP address, request logs) as part of serving web requests. Vercel completes SOC 2 Type 2 audits and is certified under the EU-U.S. Data Privacy Framework. Vercel Privacy Policy →

Anthropic
AI Generation (Claude API)

Powers BloxPlan's AI-assisted game planning features. Prompts and outputs are processed by Anthropic. Under our commercial agreement, your data is not used to train Anthropic's models. API logs are retained by Anthropic for up to 7 days. Anthropic Privacy Policy →

Stripe
Payment Processing (future)

Will process subscription payments when paid plans are introduced. Stripe operates independently as a payment processor and data controller. Stripe Privacy Policy →

We will update this list if we add, remove, or change service providers that process your personal information.

Section 9

Data sharing

We do not sell your personal information. We do not share your personal information with third parties for advertising or marketing purposes.

We share data only in the following limited circumstances:

  • With service providers — as listed in Section 8, where necessary to operate the platform (hosting, database, AI features, payments).
  • For legal compliance — if required by law, court order, or government authority, we may be required to disclose information. We will notify you if legally permitted to do so.
  • To protect safety — if we reasonably believe disclosure is necessary to prevent harm or investigate fraud, abuse, or security threats.
  • Business transfer — if BloxPlan is acquired, merged, or transferred, your information may be transferred to the new owner, subject to the same privacy protections. We will provide advance notice where possible.

Section 10

Data retention

We retain personal information only as long as necessary for the purpose it was collected, or as required by law. Here are our general retention practices:

| Data type | Retention period |
|---|---|
| Active account data (email, profile) | Retained while your account is active, plus up to 30 days after deletion request |
| Saved projects and game plans | Retained while your account is active; deleted within 30 days of account deletion |
| AI prompt/output logs (our side) | Not retained — Anthropic retains API logs for up to 7 days |
| Usage analytics | Up to 12 months, then aggregated or anonymised |
| Support communications | Up to 2 years (for dispute resolution) |
| Payment records (when applicable) | 7 years (required by Canadian tax law) |
| Security incident records (Law 25) | 5 years from date of incident |

When data is no longer needed, we destroy, erase, or anonymise it in a manner that prevents reconstruction.

Section 11

Security measures

We take reasonable steps to protect your personal information from unauthorised access, disclosure, alteration, and destruction.

  • Encryption in transit — all data is transmitted over HTTPS/TLS.
  • Encryption at rest — database contents are encrypted at rest via Supabase (AES-256).
  • Password hashing — passwords are never stored in plaintext; they are hashed using industry-standard algorithms.
  • Access controls — access to personal data is limited to personnel who need it to provide support or operate the service.
  • Third-party security — we rely on service providers (Supabase, Vercel, Stripe) who maintain their own security standards and compliance certifications.

No method of transmission over the internet is 100% secure. While we do our best to protect your data, we cannot guarantee absolute security.

Security breaches: In the event of a data breach that creates a real risk of significant harm to individuals, we will notify the Office of the Privacy Commissioner of Canada (PIPEDA) and the Commission d'accès à l'information du Québec (CAI) as required by law. Under Quebec Law 25, we aim to notify the CAI within 72 hours of discovering a breach. We will also notify affected individuals as required.

Section 12

Your privacy rights

Under PIPEDA and Quebec Law 25, you have the following rights with respect to your personal information:

Right to Access

Request a copy of the personal information we hold about you. We will respond within 30 days.

Right to Correct

Ask us to correct any inaccurate or incomplete personal information we hold about you.

Right to Delete

Request deletion of your personal information and account. Deletion may be subject to legal retention requirements.

Right to Data Portability

Request your personal data in a portable, structured format so you can transfer it elsewhere (Quebec Law 25).

Right to Withdraw Consent

Withdraw your consent to non-essential data processing at any time. This will not affect past processing.

Right to Complain

Lodge a complaint with the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec (CAI).

To exercise any of these rights, contact us at privacy@bloxplan.app. We will respond within 30 days. We may need to verify your identity before processing your request.

Office of the Privacy Commissioner of Canada: priv.gc.ca
Commission d'accès à l'information du Québec (CAI): cai.gouv.qc.ca

Section 13

Children and younger users

BloxPlan is a tool for Roblox creators and is not specifically directed at children. However, we recognise that many Roblox creators are young, and we take children's privacy seriously.

  • Under 13 (PIPEDA) — we require verifiable parental or guardian consent before collecting personal information from children under 13. If we discover that a child under 13 has created an account without parental consent, we will delete the account and associated data promptly.
  • Under 14 (Quebec Law 25) — under Quebec law, we require explicit parental or guardian consent before collecting personal information from children under 14.
  • Ages 14–17 — users aged 14 to 17 may use BloxPlan, but we encourage parental awareness and involvement. We treat minors' data with heightened care.

Parents or guardians who believe their child has created an account without consent can contact us at privacy@bloxplan.app to request deletion of the account and all associated data.

Section 14

International data transfers

BloxPlan is based in Quebec, Canada. However, the third-party services we use (Supabase, Vercel, Anthropic, Stripe) are headquartered in the United States and process data on servers that may be located outside Canada.

By using BloxPlan, you acknowledge that your personal information may be transferred to and processed in the United States or other countries. We mitigate the risks of cross-border transfers by:

  • Using service providers with strong privacy commitments, certifications (SOC 2, DPF), and available Data Processing Agreements.
  • Selecting providers that limit data use to what is necessary to provide the service.
  • Reviewing provider privacy and security practices before integrating them.

If you have questions about cross-border data transfers, contact us at privacy@bloxplan.app.

Section 15

Roblox non-affiliation

BloxPlan is an independent tool created for Roblox creators. BloxPlan is not affiliated with, endorsed by, sponsored by, or otherwise connected to Roblox Corporation. "Roblox" is a trademark of Roblox Corporation. Any references to Roblox, Roblox games, or the Roblox platform are for descriptive purposes only.

BloxPlan does not have access to your Roblox account, Roblox game data, or any information held by Roblox Corporation. We do not share your BloxPlan information with Roblox Corporation.

Section 16

Updates to this policy

We may update this Privacy Policy from time to time as BloxPlan's features, services, and legal obligations evolve. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify registered users by email for significant changes (such as new data collection practices, new third-party processors, or changes to your rights).
  • Post a notice on the BloxPlan website or dashboard where appropriate.

We encourage you to review this policy periodically. Continued use of BloxPlan after a change is posted constitutes acceptance of the updated policy, to the extent permitted by law.

Section 17

Contact us / Privacy Officer

If you have questions, concerns, or requests related to your privacy or this policy, please contact us. Under PIPEDA, we are required to designate a Privacy Officer who is accountable for our compliance.

Privacy Officer — BloxPlan

📧 privacy@bloxplan.app

📍 Quebec, Canada

We aim to respond to all privacy requests within 30 days. If your request is complex or you have submitted multiple requests, we may extend this period by up to an additional 30 days and will inform you of the extension.

If you are not satisfied with our response, you have the right to contact: