Data & Compliance
Effective: April 7, 2026
This page explains how AutoBlox handles your personal data, how we comply with privacy regulations worldwide, and how you can exercise your legal rights. It supplements our Privacy Policy.
GDPR — European Residents
The General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies to personal data of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland. AutoBlox is committed to full compliance.
Lawful basis
| Processing activity | Legal basis |
|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails | Contract performance (Art. 6(1)(b)) |
| Optional product analytics | Consent (Art. 6(1)(a)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Recording policy acceptance | Legal obligation / Legitimate interest |
Data subject rights
Under GDPR you have the following rights. To exercise them, email autoblox.problems@gmail.com with “GDPR Request” in the subject line. We will respond within 30 days.
- Access (Art. 15) — receive a copy of the data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”).
- Restriction (Art. 18) — ask us to restrict processing in certain circumstances.
- Portability (Art. 20) — receive your data in a machine-readable format (JSON).
- Objection (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)) — withdraw any previously given consent at any time.
- Complaints — lodge a complaint with your local supervisory authority (e.g. ICO in the UK, DPC in Ireland).
International transfers
Where we transfer data outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on adequacy decisions where applicable.
Data Protection Officer
AutoBlox does not currently meet the threshold requiring a formal DPO appointment. Privacy inquiries are handled directly by our team at autoblox.problems@gmail.com.
CCPA — California Residents
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents specific rights over their personal information.
Personal information we collect
| Category | Examples | Purpose |
|---|---|---|
| Identifiers | Email address, user ID, IP address | Account, security |
| Account credentials | Hashed password, API key | Authentication |
| Internet activity | Pages visited, feature usage | Analytics, improvement |
| Geolocation (coarse) | Country inferred from IP | Compliance, abuse prevention |
| AI-generated content | Prompts, generated Lua scripts, project data | Providing the service |
| Commercial information | Stripe customer ID, subscription tier | Billing |
We do not sell your personal information
AutoBlox does not sell, rent, or share personal information with third parties for their commercial purposes. The CCPA “opt-out of sale” right is therefore automatically satisfied.
Your CCPA rights
- Right to know — request disclosure of the personal information we collect, use, and share.
- Right to delete — request deletion of your personal information, subject to certain exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale/sharing — we don't sell; this is automatically satisfied.
- Right to limit use of sensitive personal information — we do not use or disclose sensitive personal information beyond what is necessary to provide the service.
- Right to non-discrimination — we will not discriminate against you for exercising these rights.
How to submit a CCPA request
Email autoblox.problems@gmail.com with “CCPA Request” in the subject line. Include your full name and the email address on your account. We will verify your identity and respond within 45 days (with a possible 45-day extension if we notify you).
You may designate an authorized agent to make a request on your behalf by providing written authorization.
AI & Your Data
How AI processes your input
When you send a message or prompt to AutoBlox, it is transmitted to OpenAI's API for inference. OpenAI processes these prompts under their own Privacy Policy. AutoBlox has a data processing agreement with OpenAI. As of the date of this policy, OpenAI does not use API inputs to train its models by default.
No training on your data
AutoBlox will not use your prompts, generated code, or project content to train, fine-tune, or evaluate AI models without your explicit written consent. If we ever introduce an opt-in training program, it will be clearly labeled and separate from these terms.
Automated decision-making
AutoBlox does not make legally significant automated decisions about you (e.g., credit, employment). AI-generated code suggestions are provided as developer tools and do not constitute binding decisions.
Retention of AI-generated content
Prompts and generated outputs are stored in your account so you can retrieve them later. You can delete individual projects from your dashboard. Deleting your account will remove all associated AI content within 30 days.
Security Practices
- All data is transmitted over TLS 1.2 or higher.
- Data at rest is encrypted in Cloudflare D1 and related infrastructure.
- Passwords are hashed with bcrypt (cost factor 12).
- Authentication is handled by Auth0 with optional MFA.
- Access to production data is restricted to authorized team members on a need-to-know basis.
- We conduct periodic security reviews and act on reported vulnerabilities promptly.
To report a security vulnerability, email autoblox.problems@gmail.com with “Security Report” in the subject line. We will acknowledge your report within 48 hours.
Submitting a Data Request
We honor the following request types. All requests should be sent to autoblox.problems@gmail.com.
| Request type | Response time | What you get |
|---|---|---|
| Data export (portability) | 30 days | JSON file of your account data, projects, and chat history |
| Data deletion | 30 days | Confirmation of erasure (billing records excepted per law) |
| Data correction | 14 days | Confirmation of update |
| Access / disclosure | 30 days | Summary of what data we hold and how we use it |
| Opt-out of analytics | Immediate | Analytics stopped for your account |
We may need to verify your identity before fulfilling a request. Typically this means confirming the request from the email address on your account.
Sub-processors
We use the following third-party sub-processors that may process personal data on our behalf:
| Sub-processor | Role | Location |
|---|---|---|
| Auth0 (Okta) | Authentication & identity | USA / Global |
| Cloudflare | Database (D1), CDN, edge compute, security | USA / Global |
| Stripe | Payment processing | USA |
| Resend | Transactional email | USA |
| PostHog | Product analytics | USA / EU |
| OpenAI | AI inference | USA |
| Vercel | Web hosting & deployment | USA / Global |
All sub-processors are bound by data processing agreements consistent with GDPR Article 28 requirements.
Contact & Further Information
For any data-related questions or to exercise your rights, contact autoblox.problems@gmail.com.