Security

Concrete measures, not marketing fluff. Here's exactly how we protect your data.

📱

Local-First Architecture

Your blocklist, blocking statistics, settings, and focus session history are stored exclusively on your device. None of this data is ever transmitted to our servers or anywhere else.

🚫

Zero Analytics

BlockOut contains no analytics SDKs, no tracking pixels, no telemetry, and no crash reporting services. We have no idea how you use the app — and that's by design.

🔐

Device ID Hashing

When you activate a license key, your device identifier is hashed with SHA-256 before storage. We store only the hash — the raw device ID never touches our database. Even with full database access, your device identity cannot be recovered.

🎲

Cryptographic Key Generation

License keys are generated using the Web Crypto API's getRandomValues — a cryptographically secure random number generator. Keys are not sequential, predictable, or derivable from any input.

Webhook Signature Verification

Payment webhooks from Stripe are verified using HMAC-SHA256 signature validation with constant-time comparison. Replay attacks are prevented by rejecting signatures older than 5 minutes. No spoofed webhook can trigger license creation.

🔒

Encrypted at Rest

Our license database is hosted on Cloudflare D1, which encrypts all data at rest. Backups are encrypted. Access requires Cloudflare account credentials with two-factor authentication.

🌐

Encrypted in Transit

All connections between the BlockOut app and our servers use HTTPS with TLS. There is no fallback to unencrypted HTTP. Certificate transparency is enforced.

📋

Minimal Data Collection

The only data we store on our servers is what's strictly necessary for license validation: your email address (for key delivery) and a hashed device identifier (for device limits). That's it. No usage data, no browsing history, no personal profiles.

🛡

No Third-Party Data Sharing

We do not share data with analytics vendors, ad networks, data brokers, or any other third party. Payment processing is handled by Stripe, who never receives your blocklist, usage data, or device information.

Have a security concern or found a vulnerability?

Contact Us