Privacy Policy
Last updated: 2026-04-16 · Effective: 2026-04-16
Lok-N-Blok Systems LLC ("we", "us", "Lok-N-Blok") respects your privacy. This policy explains what information we collect when you use blokusa.com and our related services, how we use it, how we share it, and what choices you have.
Short version: we collect as little as we can while still doing our jobs, we never sell your data, and every investor/distributor interaction is covered by an explicitly executed NCNDA.
1. What we collect
Information you give us directly
- Account information — email address, name, entity/firm name, role/title when you request investor, distributor, or customer access.
- Authentication data — password (hashed with bcrypt at 12 rounds; we never see or store the plaintext), one-time reset tokens (hashed, 30-minute expiry, single-use).
- Form submissions — anything you type into the estimator, builder, mortgage calculator, contact, or approval-request forms.
- NCNDA acceptance — for investor data room access, we record that you executed the NCNDA along with the email tied to that session.
Information we collect automatically
- Server logs — IP address, user-agent string, requested path, referrer, timestamp of every request.
- On-site analytics — pageviews, heartbeats (every 15 seconds while tab is visible), scroll depth, outbound link clicks, form-field intent signals, and time-on-page. Captured by our own analytics engine; we do not use Google Analytics, Meta Pixel, or any third-party tracking pixel.
- Session cookies — a single signed session cookie (lnb.sid) that is HttpOnly, Secure in production, and SameSite=Lax.
Information we do NOT collect
- We do not collect payment-card information directly. Any payment processing (deposits, subscriptions) is performed through third-party processors; we receive only the completion status.
- We do not use Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insights, or any cross-site advertising tracker.
2. How we use your information
- To authenticate you and secure your account.
- To deliver the services you've requested (e.g., show you the investor data room once approved; deliver your project estimate).
- To maintain an auditable record of who viewed what and when, as required by the NCNDA and for our own security.
- To improve the site: aggregate analytics (top pages, bounce rate, time-on-page) help us decide what to build next.
- To send transactional email (password resets, approval notifications, estimate deliveries) from info@blokusa.com.
3. How we share your information
We never sell your personal information. We share only in these cases:
- With the Lok-N-Blok team — admins and authorized assistants may view the same information needed to provide you service (e.g., approve your access request).
- Infrastructure providers — we use Railway (hosting) and Google Workspace (email). These providers process data on our behalf under their own privacy policies.
- Legal obligations — if required by valid legal process, we comply to the narrowest extent necessary.
- NCNDA-protected parties — inside the investor data room, your identity is watermarked on every document view so breaches are attributable. Watermarks are not shared with anyone outside the Lok-N-Blok executive team and their advisors.
4. How long we keep information
- Active accounts — retained for the life of the account.
- Server access logs — 90 days, then rotated and archived in compressed form for another 12 months.
- Analytics events — retained for 18 months in raw form; aggregate metrics retained indefinitely.
- Kevin Harrington data room — access expires on the date configured server-side (HARRINGTON_EXPIRES); after that, the gate auto-rejects.
- Deleted accounts — permanently removed from users.json within 7 days; audit logs retain the email reference for security forensics.
5. Your rights
- Access — email info@blokusa.com for a copy of information we have on you.
- Correction — sign in and use the profile/change-password screen, or email us.
- Deletion — email info@blokusa.com; we'll confirm identity and delete within 7 business days.
- Portability — we'll provide a JSON export of your data on request.
- Opt out — you can sign out at any time. Non-essential cookies: we don't set any.
6. Security
- Passwords are bcrypt-hashed at 12 rounds; we cannot recover a forgotten password — only reset it.
- Transport is HTTPS-only; HSTS is enforced with a 1-year max-age and includeSubDomains.
- Sessions are signed + HttpOnly + SameSite=Lax; scoped to the authenticated role and rotated on privilege change.
- Every login attempt, password change, reset request, and access decision is audit-logged server-side.
- Security vulnerabilities can be reported via /.well-known/security.txt.
7. Children's privacy
blokusa.com is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If we learn we have, we will delete it.
8. Changes to this policy
We may update this policy; when we do, we'll post the new version here and update the "Last updated" date at the top. Material changes will be announced via email to active accounts.
9. Contact
Questions, requests, or concerns: info@blokusa.com.
Lok-N-Blok Systems LLC · Confidential communications governed by executed NCNDA where applicable.