Privacy Policy
Last updated: 2026-04-17 · Effective: 2026-04-17
Legacy Builders Acquisitions Group LLC ("we", "us", "Lok-N-Blok") respects your privacy. This policy explains what information we collect when you use blokusa.com and our related services, how we use it, how we share it, and what choices you have.
Short version: We collect as little as we can while still doing our jobs. We do not sell or share your personal information. Every investor/distributor interaction is covered by an explicitly executed NCNDA. Passwords are bcrypt-hashed at 12 rounds. No Google Analytics, no Meta Pixel, no third-party ad trackers.
1. What we collect
Information you give us directly
- Account information — email address, name, entity/firm name, role/title when you request investor, distributor, or customer access.
- Authentication data — password (hashed with bcrypt at 12 rounds; we never see or store the plaintext), one-time reset tokens (hashed, 30-minute expiry, single-use).
- Form submissions — anything you type into the estimator, builder, mortgage calculator, contact, or approval-request forms.
- NCNDA acceptance — for investor data room access, we record that you executed the NCNDA along with the email tied to that session.
Information we collect automatically
- Server logs — IP address, user-agent string, requested path, referrer, timestamp of every request.
- On-site analytics — pageviews, heartbeats (every 15 seconds while the tab is visible), scroll depth, outbound link clicks, form-field intent signals, and time-on-page. Captured by our own analytics engine; we do not use Google Analytics, Meta Pixel, or any third-party tracking pixel.
- Session cookies — a single signed session cookie (lnb.sid) that is HttpOnly, Secure in production, and SameSite=Lax. See our Cookie Policy.
Information we do NOT collect
- We do not collect payment-card information directly. Any payment processing (deposits, subscriptions) is performed through third-party processors; we receive only the completion status.
- We do not use Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insights, or any cross-site advertising tracker.
2. Lawful basis for processing (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on the following lawful bases:
| Processing activity | Lawful basis | GDPR Art. 6(1) |
|---|---|---|
| Creating + authenticating your account | Performance of a contract | (b) |
| Responding to estimator + contact submissions | Pre-contract steps | (b) |
| Transactional email (password reset, approvals) | Performance of a contract | (b) |
| Server logs, security monitoring, rate limits | Legitimate interests (security) | (f) |
| On-site aggregated analytics | Legitimate interests (service improvement) | (f) |
| NCNDA audit log enforcement | Legal obligation + legitimate interests | (c), (f) |
| Subpoena + regulator response | Legal obligation | (c) |
| Marketing email (only if you opt in) | Consent | (a) |
Full rights under GDPR / UK GDPR (access, erasure, portability, etc.) are described at /legal/gdpr.html.
3. How we use your information
- To authenticate you and secure your account.
- To deliver the services you've requested (e.g., show you the investor data room once approved; deliver your project estimate).
- To maintain an auditable record of who viewed what and when, as required by the NCNDA and for our own security.
- To improve the site: aggregate analytics (top pages, bounce rate, time-on-page) help us decide what to build next.
- To send transactional email (password resets, approval notifications, estimate deliveries) from info@blokusa.com.
4. How we share your information
We never sell your personal information. We share only in these cases:
- With the Lok-N-Blok team — admins and authorized assistants may view the same information needed to provide you service (e.g., approve your access request).
- Infrastructure providers — we use Railway (hosting) and Google Workspace (email). These providers process data on our behalf under their own privacy policies and the written DPAs described at /legal/subprocessors.html.
- Legal obligations — if required by valid legal process, we comply to the narrowest extent necessary.
- NCNDA-protected parties — inside the investor data room, your identity is watermarked on every document view so breaches are attributable. Watermarks are not shared with anyone outside the Lok-N-Blok executive team and their advisors.
5. Data retention schedule
| Data | Retention | Reason |
|---|---|---|
| Active account data | Life of the account | Service provision |
| Deleted account data | Permanently removed within 7 days | User request |
| Server access logs | 90 days live + 12 months compressed archive | Security forensics |
| Authentication audit log | 2 years | Security + compliance |
| Analytics events (raw) | 18 months | Trend analysis |
| Analytics aggregates | Indefinite | Historical trend reporting |
| NCNDA acceptance + data-room access log | 7 years | Legal-claim preservation |
| Email audit log (delivery) | 2 years | Deliverability troubleshooting |
| Cookie/consent log | Life of account + 3 years | Compliance proof |
| Kevin Harrington data room access | Expires on HARRINGTON_EXPIRES date | Time-limited investor engagement |
6. Your rights
- Access — email info@blokusa.com for a copy of information we have on you.
- Correction — sign in and use the profile/change-password screen, or email us.
- Deletion — email info@blokusa.com; we'll confirm identity and delete within 7 business days.
- Portability — we'll provide a JSON export of your data on request.
- Opt out — you can sign out at any time. Non-essential cookies: we don't set any.
Region-specific rights:
- California residents — see CCPA / CPRA Rights.
- EEA / UK / Swiss residents — see GDPR Rights.
- Global Privacy Control (GPC) — we honor the Sec-GPC: 1 header as a "do not sell or share" signal.
7. Security
- Passwords are bcrypt-hashed at 12 rounds; we cannot recover a forgotten password — only reset it.
- Transport is HTTPS-only; HSTS is enforced with a 1-year max-age and includeSubDomains.
- Sessions are signed + HttpOnly + SameSite=Lax; scoped to the authenticated role and rotated on privilege change.
- Every login attempt, password change, reset request, and access decision is audit-logged server-side.
- We run a HIBP k-anonymity breach check on every password change and reject passwords found in any known breach.
- Account-level lockout: 10 consecutive failed logins within 30 minutes triggers a 30-minute lock.
- Full security posture documented at /security.html. Vulnerabilities reportable via /.well-known/security.txt.
8. International transfers
Your data is processed in the United States (Railway hosting + Google Workspace email). For transfers from the EEA, UK, or Switzerland we rely on EU Standard Contractual Clauses, the UK IDTA, the Swiss FADP addendum, and where applicable the EU-US Data Privacy Framework. See GDPR § 5.
9. Children's privacy
blokusa.com is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If we learn we have, we will delete it. For California residents under 16, see our CCPA minors notice.
10. Data breach notification
If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and notify the competent supervisory authority within 72 hours of becoming aware, in accordance with applicable law (GDPR Art. 33 + 34, state breach-notification statutes).
11. Changes to this policy
We may update this policy; when we do, we'll post the new version here and update the "Last updated" date at the top. Material changes will be announced via email to active accounts at least 14 days in advance.
12. Contact
Questions, requests, or concerns: info@blokusa.com · (786) 723-7757 · Legacy Builders Acquisitions Group LLC.
Read alongside our Terms of Service, Cookie Policy, CCPA Rights, GDPR Rights, Subprocessors, and the Legal Center index.