Back to Legal

Privacy Policy

How Mobalab handles personal data in Bloque

Last Updated: May 1, 2026

1. Introduction

This Privacy Policy explains how Mobalab, KK collects, uses, stores, and shares personal data and related service data when you use Bloque.

We operate this policy with Japanese privacy requirements, the GDPR, and other applicable data protection laws in mind.

2. Controller Information

  • Company: Mobalab, KK
  • Address: 910 Senzawa, Mobara, Chiba 299-4103, Japan
  • Email: info@bloque.run
  • Legal contact page: /legal/contact

3. Data We Collect

Account Data

  • Email address
  • Display name, username, and profile details
  • Account preferences such as language settings

Authentication Data

  • Identifiers from OAuth providers
  • Tokens needed to maintain authentication
  • API keys, access tokens, refresh tokens, client secrets, and similar credentials that you ask us to store so you can connect external services

Service Usage Data

  • Projects, profiles, and MCP server configurations
  • Binary files uploaded by AI agents on your behalf to the per-profile shared workspace (raw bytes; we do not inspect file contents; isolated per profile).
  • Diagnostic event logs scoped to your account, including: authentication events (sign-in, sign-out, failed attempts, OAuth provider used); MCP server connection events (start, stop, crash) and stderr output; tool call events (server name, tool name, duration, success or failure — never tool arguments or results); API key lifecycle (create, delete — last 4 characters only, never the full key); and routing events (runner assignment, authentication failures). Tokens, passwords, request bodies, tool arguments, and tool results are never recorded.
  • MCP activity metadata such as server names or identifiers, tool names, prompt names, resource names, success or failure states, and execution timing
  • Messages and information you send through support channels
  • Information you submit through demo, sales, waitlist, or similar forms, such as your name, email address, company, and message content

Technical Data

  • IP address, browser, and device information
  • Session cookies and local storage data for preferences
  • Analytics data collected via Google Analytics when you consent to analytics cookies. Includes page views, session duration, and usage patterns.

Signup Waitlist

  • When a plan is at capacity and you join the waitlist — either automatically during Free account creation or when you click "Join the waitlist" on the subscription page — we record your email address, optional display name, and the requested plan.

4. Purposes and Legal Bases

  • Providing the service and managing your account: performance of a contract
  • Sending account, billing, support, security, and service-related communications: performance of a contract or legitimate interests
  • Onboarding, product education, re-engagement emails, and responding to demo, sales, waitlist, or similar inquiries: legitimate interests or, where required by law, your consent
  • Security monitoring, fraud prevention, and incident response: legitimate interests
  • Compliance, accounting, tax, and protection of rights: legal obligations or legitimate interests
  • Analytics (Google Analytics): we request your explicit consent via the cookie consent banner before collecting analytics data. You may withdraw consent at any time by clearing your browser's local storage.

5. Sharing and Processors

We may share personal data with vendors and service providers that help us operate Bloque, including hosting, authentication, email delivery, payments, analytics, and support infrastructure.

Where needed to connect or run an MCP server that you configure, we may also transmit or use relevant data and credentials with the external services, MCP servers, or identity providers that you direct us to use.

We may also disclose information where required by law, to protect rights or safety, to investigate abuse or security incidents, or in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business.

6. International Transfers

Your information may be processed in Japan and other countries. When we transfer personal data from the EEA, the UK, or similar jurisdictions, we use appropriate safeguards such as standard contractual clauses where required.

Some of our processors or infrastructure providers may be located outside Japan. Where applicable law requires it, we provide notice, obtain consent, or implement contractual and other appropriate safeguards for those transfers.

Where applicable, you may contact us to request additional information about those safeguards.

7. Security

  • We use access controls, authentication, logging, and operational monitoring.
  • Sensitive configuration data, API keys, OAuth tokens, client secrets, and similar stored secrets are encrypted at rest.
  • For STDIO MCP server workloads, we use isolated execution environments and related technical and operational safeguards designed to reduce cross-tenant exposure.
  • Agent-uploaded files in the shared workspace are stored as raw bytes on the runner host. Isolation is enforced by per-profile filesystem namespaces and bwrap sandboxing; files are inaccessible across profiles. Files are not encrypted at rest in the current version.
  • We maintain operational safeguards such as vulnerability response, backups, and security reviews.

8. Cookies and Similar Technologies

  • We use essential cookies and similar technologies to keep you signed in, remember your preferences, and protect the service.
  • We may use browser local storage or similar device storage to save settings such as theme and language preferences.
  • We use Google Analytics for optional usage analytics. We ask for your explicit consent via the cookie consent banner before enabling it. You can withdraw consent at any time by clearing your browser's local storage.

9. Retention

We retain personal data for as long as needed to provide the service, comply with law, resolve disputes, maintain records, and protect the security and integrity of Bloque. Diagnostic logs are retained for 30 days, after which they are automatically deleted.

Agent-uploaded files in the shared workspace are deleted when your MCP session pool idle-evicts (approximately 1 hour after the last connection closes), or immediately on account deletion. They are not retained for diagnostic purposes.

Signup waitlist data (email address and optional display name) is retained until a seat is assigned and your account is created or upgraded, or until you request removal by contacting privacy@bloque.run.

Some account, billing, tax, fraud-prevention, security, and legal-compliance records may be kept longer when needed for those purposes. After account deletion, we may keep limited information where required for legal, accounting, fraud-prevention, or security purposes, and we delete or anonymize data when it is no longer needed.

10. Your Rights

Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or port your personal data, and to withdraw consent where processing is based on consent.

To make a request, contact us at info@bloque.run or through /legal/contact. We may need to verify your identity before completing the request.

You may also use those channels for privacy complaints or requests relating to disclosures, corrections, suspension of use, or third-party sharing under applicable law, including Japanese privacy law where applicable.

11. Children

Bloque is not intended for children under 16. If we learn that we collected personal data from a child under 16 without appropriate authorization, we will take reasonable steps to delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make a material change, we will provide notice by updating this page, through the service, or by another reasonable method.

13. Contact

Privacy questions and requests can be sent to info@bloque.run or through /legal/contact.

If you are in the EEA, the UK, Switzerland, or another jurisdiction with a supervisory authority, you may also have the right to lodge a complaint with that authority.