Privacy Policy

Version: 0.2 | 20 April 2026

1. Data Controller

The controller within the meaning of the GDPR is: Lyubomira Petkova, Von-der-Tann-Straße 17, 67433 Neustadt an der Weinstraße.

General e-mail: info@blocaro.com
Privacy e-mail: privacy@blocaro.com
Legal/DSA e-mail: legal@blocaro.com

2. Data Processing When Visiting the Website

In the publicly accessible area, we do not use any analytics tools, marketing cookies, or comparable technologies. A cookie consent banner is currently not required.

When accessing the website, technically necessary connection data is processed (IP address, date/time, page accessed, browser type, operating system). Legal basis: Art. 6(1)(f) GDPR. Log files are deleted after at most 14 days.

3. Data Processing When Using the Platform

a) Registration and user account: To create a user account, we process your e-mail address and password (stored in cryptographically encrypted form). Legal basis: Art. 6(1)(b) GDPR.

b) Document upload and granular sharing: When uploading documents, we process the contained content and metadata. When inviting third parties, we process their e-mail address. Data protection information is transmitted in the invitation e-mail or at the latest upon first access. Legal basis: Art. 6(1)(b) GDPR.

c) Authentication: In the logged-in area, access tokens and refresh tokens are stored in the browser's localStorage. Legal basis: Art. 6(1)(b) GDPR, § 25(2) No. 2 TDDDG.

d) B2B use: To the extent that business customers process personal data of third parties in documents, Blocaro acts as a data processor (Art. 28 GDPR). A DPA is provided.

4. Transfer of Data to Service Providers

  • Hosting: Hetzner Online GmbH, server location Falkenstein, Germany
  • E-mail dispatch: Resend Inc., EU region
  • Payment processing: Stripe Payments Europe Ltd.
  • Error monitoring: Functional Software Inc. (Sentry), USA

Third-country transfers only take place on the basis of the legal requirements, in particular the EU Commission's standard contractual clauses.

5. Storage Period and Data Deletion

Data is stored for as long as your account is active. After termination of contract: days 0-14 full access, days 15-29 read-only access with export capability (ZIP archive), from day 30 automatic deletion. Immediate deletion possible upon explicit request. Server log files are deleted after 14 days.

6. Your Rights as a Data Subject

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR)

Please direct requests to: privacy@blocaro.com

7. Profiling

Exclusively automated decision-making including profiling within the meaning of Art. 22 GDPR does not take place.