MakeBlock Privacy Policy

Makeblock values your privacy. This Privacy Policy (the “Policy”) explains how we collect, use, share, and protect your Personal Data when you use our (i) websites, (ii) devices (“Devices”), (iii) mobile or desktop software (“Applications”), or (iv) any other products, programs, or services we provide (together, the “Service”). New or additional features we launch are covered by this Policy unless we provide a separate notice.

Your Personal Data may be processed in the countries/regions where you use the Service and where we, our affiliates, or service providers operate, subject to Applicable Law. References to “we”, “us” or “our” mean the controller identified in Annex I (and its affiliates involved in operating the Service). “You” means any individual whose Personal Data we process.

1. INTRODUCTION AND SCOPE

This Policy describes: (a) what we collect, (b) how we use it, (c) how we share it, and (d) your rights and choices (including under GDPR and U.S. state privacy laws; see section 14). It does not cover anonymous, aggregated, or de-identified data unless it is linked back to you. Additional rights and disclosures may apply depending on your jurisdiction under other Applicable Laws.

2. WHO WE ARE & DATA RESPONSIBILITY

We act as the “Controller” of your Personal Data (the entity that decides how and why your data is used). The primary controller responsible depends on the website or service you are using, as listed in Annex I attached to this policy.

Key Partners & Operational Modes
To provide our service effectively, we may rely on established third parties. Specifically note the following data relationships:
- Platform Provider (Shopify): We utilize Shopify to manage our storefront and related operations. By shopping or interacting with us, your data is processed through Shopify’s systems in accordance with Shopify’s Privacy Policy and industry security standards.

3. HOW TO CONTACT US

Your feedback and resolving complaints efficiently are important to us. If you have questions about your data rights:
- Email: service@makeblock.com
- If you live in the United States: XTL US INC., Attn: Privacy Notice Inquiry, 2019 Leghorn Street, Mountain View, California 94043.
- If you live in the EEA or the UK: Makeblock Europe B.V., Attn: Privacy Notice Inquiry, Westplein 12, Rotterdam, The Netherlands.
- If you are located outside the EEA/UK or the United States, you may contact us at service@makeblock.com to exercise your data subject rights, including requests for access, correction, deletion, restriction/suspension of processing, and withdrawal of consent where applicable. We will respond in accordance with Applicable Law.

4. PERSONAL DATA WE COLLECT

We collect only what we need to provide and improve the Service. We do not collect Social Security Numbers, biometric identifiers (e.g., fingerprints/facial templates), or health information as part of our standard Services, and we do not collect precise geolocation unless you enable a feature that requires it. If we need sensitive data for a specific feature or to meet legal obligations, we will provide additional notice and, where required, obtain your consent, and use it only for that purpose.

Categories:
- Identity Data: name/preferred name; usernames/display names; user ID; avatar/profile image (if provided); and, where required by law or for certain transactions, government-issued identifiers.
- Contact Data: mailing address, email, phone, billing address.
- Credentials & Settings: login credentials/tokens; account preferences and settings. Passwords are stored in hashed form.
- Financial & Services Data: purchase, payment method type, transaction history, returns, warranty claims. Payments are processed by third-party payment providers (we generally do not store full card numbers).
- Device & Content Data: device identifiers (e.g., serial number), firmware/app versions, crash/error logs; content you create/upload or that is generated/uploaded from your Device when you use enabled features (e.g., feature-generated photos, files, or diagnostic artifacts).
- Usage Data: pages/features used, time spent, interaction logs, referrers, and (where enabled) usage metadata for features such as chat and local networking (including Wi-Fi).
- Technical Identifiers: IP address (approximate location), browser/device details, time zone, server/request logs.
- Profile Data: profile fields you choose to share (e.g., bio/interests).
- Marketing & Communications Data: marketing preferences and related interactions.
- Sensitive Personal Data: Certain data may be considered sensitive under some laws (e.g., account credentials and, where enabled, precise geolocation). We use or disclose such data only as permitted by Applicable Law and as described in this Policy.
- Aggregated/de-identified data: may be used for analytics; treated as Personal Data if re-linked to you.

5. CONSEQUENCES OF NOT PROVIDING DATA

Where we need to process specific data either by law or under the terms of a contract (for example, fulfilling a physical shipping order or activating device software), and you fail to provide required fields, we may be unable to accept the order or fully activate features dependent on specific input (for example, warranty activation or verification of ID/serial-number mismatches). If active Services exist and required data is not provided or maintained, we may need to suspend or cancel affected Services where delivery becomes commercially unviable or impossible. We distinguish required (“Mandatory”) information from strictly voluntary (“Recommended only”) information at the point of collection.

6. METHODOLOGY FOR COLLECTION

We collect Personal Data from multiple sources:
A. Direct Interactions (Information you give us): you enter data when creating/registering an account, subscribing to newsletters/alerts, requesting support or troubleshooting, providing feedback, signing agreements, or participating in competitions, surveys, or promotions.
B. Automated Technologies (Information collected via use): browsing and use of the Service generate technical data (for example through cookies, server logs, web beacons, pixels, embedded scripts, and standard mobile SDKs). We may also engage in behavioral tracking via these technologies. Depending on your browser and device, you may be able to limit certain tracking through browser settings and cookie controls. Please note that “Do Not Track” (DNT) signals are not uniformly interpreted, and our Sites may not respond to all DNT signals. You can control cookies via the methods described in Section 12 and you can opt out of certain targeted advertising/sharing as described in section 13. If you disable cookies, certain features of the Services may not function properly.
C. Data via Third Parties & Public Sources: where permitted by law, we may receive or enrich information from:
- Linked Sign-on partners and providers: our Services may allow you to log in through a third-party social network or authentication service, such as Shopify, Apple, Google, and Facebook. When you use these single sign-on services, we do not receive your login credentials. Instead, we receive authentication tokens and any Personal Data you choose to share through the relevant third-party service (for example, Identity Data, Contact Data, and Profile Data, depending on your settings with that third party).
- Analytics partners: such as Google Analytics and similar tools that provide aggregated reporting.

7. HOW WE USE YOUR PERSONAL DATA: PURPOSES & LEGAL BASES

We use Personal Data in accordance with applicable law. For transparency (including GDPR Article 13 / CCPA obligations), below are the main purposes for which we process Personal Data and the lawful basis we rely on:
A. To Enable Service Functionality & Delivery (Contract Performance): we process Identity Data, Contact Data, Financial Data, and Services Data to fulfill our contract with you, including processing orders, payments, shipments, enabling device usage, and providing core software features. We may process certain Personal Data as necessary to perform a contract with you (e.g., to process orders, deliver products, provide customer support, and handle returns/refunds), as permitted by Applicable Law.
B. To Manage Relationship, Notifications, and Support (Contract or Legitimate Interests): we process Contact Data and Profile Data to notify you about changes to terms or products (including software updates and bug alerts) and to provide troubleshooting and customer support (including warranty and account issues).
C. Operations: Security & Business Integrity (Legitimate Interests and sometimes Legal Obligation): we analyze Usage Data and Technical Identifiers to maintain systems, detect and prevent fraud and misuse, investigate violations of terms, and prevent automated traffic that may affect Service performance.
D. Analysis (Growth) Improvement (Legitimate Interests; with privacy controls): we use analytics (often aggregated) to improve features and user experience, including models guiding Service logic, subject to applicable privacy controls and legal requirements.
E. Marketing & Advertising Recommendations (Legitimate Interests or Consent): we may send newsletters, offers, or product recommendations. Where required, we rely on your consent for certain marketing-related tracking, and you can opt out at any time through the unsubscribe link in our promotional emails, via the “Cookie Settings” link, by enabling browser-based controls such as Do Not Track (DNT), or by contacting us. If you wish to completely deactivate or delete your account, please contact us in accordance with Section 3. For a fuller mapping of purposes, data categories, and legal bases, see Annex II.

8. WHO WE SHARE WITH

To provide the Service and achieve the purposes described above, we may share Personal Data with authorized parties that need it.
A. Structured Shared Network (Inter-company group transfers): for efficiency, data may flow among affiliated corporate organizations worldwide for joint administrative and operational purposes, subject to appropriate confidentiality and safeguards.
B. External Processors (Vendors): we use vendors under contractual obligations to protect Personal Data. Categories include:
- Hosting, infrastructure, and content delivery: hosting providers and IT tools supporting online store and Service functions (including the Shopify ecosystem and Microsoft Azure).
- Payment processing and billing support: checkout facilitators and payment processors that process payments in accordance with applicable security standards.
- Fraud detection and security monitoring: vendors that help detect, prevent, and investigate potentially fraudulent or malicious activity.
- Order fulfillment and logistics (if applicable): warehouse and courier partners to deliver products, using the minimum contact and address details necessary for delivery.
- Customer support tools: tools used to manage customer inquiries, communications, and troubleshooting.
- Analytics and measurement tools: tools we use to understand site performance and user interactions (subject to applicable law and your settings).
- Email/SMS communications and marketing service providers (where applicable): providers that help deliver service messages, transactional notifications, and (where permitted) marketing communications.
C. Legal / Safety Imperatives: where required by law or necessary to protect rights, safety, and property, data may be disclosed to regulators, governmental tax authorities, law enforcement (valid court orders/warrants), or parties involved in corporate transactions (such as mergers or asset sales). We may disclose Personal Data to enforce or apply our terms (including for billing and collection purposes). If necessary, we may also disclose or exchange information with other companies and organizations for fraud protection and credit risk reduction, and to protect the rights, property, or safety of us, our customers, or others.
Categories of Personal Data disclosed. The categories of Personal Data we may disclose include Identity Data, Contact Data, Financial Data, Services Data, Marketing and Communications Data, Profile Data, Usage Data, Technical Identifiers, Device Data, and Content Data, depending on the nature of the Service and the recipients described above.
International Transfers: we may transfer data across borders, including outside the EEA/UK. Where required, we use safeguards recognized by relevant jurisdictions (such as Standard Contractual Clauses (“SCCs”) or equivalent mechanisms) to help ensure continued protection. You may request further information about the safeguards we use for international transfers by contacting us as set out in Section 3.
Marketing / Ads Opt-outs: sharing with advertising networks (if applicable) typically depends on your cookie choices. See Section 12 for cookie controls and opt-out options.

9. DATA SECURITY

We use technical and organizational safeguards designed to protect Personal Data, including:
- Pseudonymisation and encryption: removing direct identifiers from certain internal analysis datasets where appropriate; using encryption and other safeguards to protect Personal Data in transit and at rest.
- Access controls: limiting access to personnel with a legitimate business need, under role-based controls.
- Incident response: procedures to assess and notify relevant authorities and affected individuals where required by law.
- Your responsibility: you are responsible for keeping your account credentials confidential and using strong passwords.
Public areas. If the Services include public or interactive areas (for example, forums or message boards), any information you submit there may be viewed by any user and should be treated as public.
Transmission over the internet. The transmission of information via the internet is not completely secure. While we use reasonable safeguards, we cannot guarantee the security of Personal Data transmitted to or through our Services; any transmission is at your own risk.

10. HOW LONG WE KEEP YOUR DATA

Makeblock retains Personal Data only for the period necessary to provide you with Makeblock products or services and for achieving legitimate and essential business purposes, such as making data-driven business decisions about new features and offerings, complying with legal obligations, or resolving disputes. We apply retention periods across the following key categories:
- Data retained until you request us to remove it: for example, we may retain surveys, research, and promotions data until you withdraw consent or opt out, to honor your preferences and comply with marketing regulations.
- Legal / Admin / Tax laws: sales transactional records (for example invoice history) may be retained for the minimum period required by applicable tax and accounting laws.
- Legal defense windows: we retain necessary records for the duration of applicable statutes of limitations so we can establish, exercise, or defend legal rights if disputes arise.
- Active utility period: certain technical and transient logs (for example crash logs) may be retained for shorter periods and deleted, anonymized, or otherwise securely destroyed when no longer needed, subject to legal requirements.
We will not keep your Personal Data longer than necessary for the purposes stated in this Policy. When it is no longer needed, we will delete it or irreversibly anonymize it unless a longer retention period is required by law.

11. YOUR RIGHTS & CONTROLS

Depending on your jurisdiction (for example EU/EEA, UK, or certain U.S. states), you may have rights regarding your Personal Data. We honor applicable rights unless an exception applies. You may have the right to request:
- Access (“Right to Know”)
- Correction / Rectification
- Deletion (“Erasure”) (subject to legal exceptions)
- Data Portability (where applicable)
- Restrict or Object to Processing (including direct marketing)
- Withdraw Consent (where we rely on consent)
- Automated decision-making. We do not use solely automated processing (including profiling) to make decisions that produce legal or similarly significant effects for individuals. If this changes, we will provide notice and any rights required by Applicable Law.
- Lodge a Complaint: if you are in the EEA/UK, you may lodge a complaint with your local data protection supervisory authority.
How to exercise your rights: contact us using the details in Section 3, or use self-service tools (such as delete-account functions) where available.
No fees usually required: requests are generally free, but we may charge a reasonable fee or refuse requests where permitted by law if they are manifestly unfounded or excessive.
Response time: we normally respond within one month after verifying your identity. Where legally permitted, we may extend for complex requests (up to 60 days total) and will notify you.
Appeals (certain U.S. states). If we decline to take action on your request, you may appeal our decision by emailing service@makeblock.com with the subject line “Privacy Request Appeal”. Please include your original request and our response. We will respond to appeals within the timeframe required by Applicable Law.
Authorized agents (California and certain jurisdictions). In some jurisdictions, you may designate an authorized agent to submit requests on your behalf. We may require the authorized agent to provide proof of authorization and may also require you to verify your identity directly with us.

12. COOKIES

We use cookies and similar technologies on our Sites and Applications to (i) operate core functions (such as account login, security, and checkout), (ii) measure performance and improve the Service, and (iii) where permitted by Applicable Law and your choices, support marketing and advertising.
Your choices. You can manage cookies and similar technologies through your browser and device settings (for example, blocking or deleting cookies). If we make a cookie banner or preference tool available on a particular Site or Application, you may also use it to manage non-essential cookies. If you disable certain cookies, parts of the Service may not function properly.
Third-party technologies. Some third parties may place cookies/pixels/SDKs on our Sites or in our Applications to provide content, analytics, or advertising. Their use of these technologies is governed by their own policies.

13. PRIVACY CHOICES / OPT-OUTS

(a) Email marketing. You may opt out of promotional emails at any time by using the unsubscribe link in our emails. You may continue to receive non-promotional messages (e.g., order, account, and service notices).
(b) Targeted advertising / cross-context behavioral advertising. Where applicable under State Privacy Laws, you may opt out of our processing of Personal Data for targeted advertising by contacting us at service@makeblock.com with the subject line “Opt out of Targeted Advertising”.
(c) “Sale” / “Share” of Personal Data (U.S. states). Where applicable, you may opt out of the “sale” or “sharing” of your Personal Data (as those terms are defined by State Privacy Laws, including California) by contacting us at service@makeblock.com with the subject line “Do Not Sell or Share My Personal Data”.
(d) Cookies and similar technologies. You can manage cookies through your browser/device controls. If a cookie banner or preference tool is available on a particular Site or Application, you can also use it to manage non-essential cookies. See Section 12.

14. ADDITIONAL REGIONAL / STATE NOTICES

A. United States State Privacy Notice.
These disclosures supplement the main body of this Policy for residents of certain U.S. states (this “U.S. State Privacy Notice”). For details on how we collect, use, disclose, and otherwise process Personal Data, please read the main body of this Policy. Capitalized terms not defined here have the meanings given elsewhere in this Policy or under applicable U.S. state privacy laws (“State Privacy Laws”). If there is any conflict between this U.S. State Privacy Notice and the rest of this Policy, this U.S. State Privacy Notice controls only for covered U.S. state residents and their Personal Data.
Covered U.S. States. This U.S. State Privacy Notice applies to residents of the following states (as applicable, now or in the future): California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.
Nevada Residents. Nevada provides a limited right to opt out of certain sales of personal information. Although we do not currently “sell” Personal Data in a manner that triggers Nevada’s opt-out requirements, Nevada residents may submit an opt-out request using the contact details in Section 3.
Personal Data Disclosures, “Sales,” and Targeted Advertising
We disclose the categories of Personal Data we collect to the categories of recipients described in Section 8. Under certain State Privacy Laws, some disclosures may be considered the “sale” of Personal Data or the processing/sharing of Personal Data for “targeted advertising” (also called cross-context behavioral advertising). You can opt out where required (see Sections 11–13 and “Your Additional U.S. Privacy Rights” below).
We do not sell the Personal Data of individuals we know to be under 16 years of age and we do not share such information for targeted advertising purposes.
Sensitive Personal Data
Certain data elements may be considered “Sensitive Personal Data” under some State Privacy Laws, such as account credentials and, where enabled, precise geolocation. Payment card details are generally collected and processed by third-party payment providers. We use or disclose Sensitive Personal Data only as reasonably necessary and proportionate to provide the products and services you request; verify and improve services; detect and prevent security incidents, fraud, and unlawful activity; ensure physical safety; perform services on behalf of the business; and for short-term, transient use. We do not use Sensitive Personal Data to infer characteristics about you, and we do not sell Sensitive Personal Data or share it for targeted advertising.
De-Identified Information
We may create or receive de-identified information that cannot reasonably be linked to an individual or household. Where we maintain de-identified information, we keep it in de-identified form and do not attempt to re-identify it except as permitted or required by law.
Automated Decision-Making and Profiling
We do not conduct automated processing of Personal Data for decisions that produce legal or similarly significant effects. If Applicable Law nevertheless provides an opt-out right for certain profiling/targeting activities, you may exercise it as described in Sections 11–13.
Your Additional U.S. Privacy Rights
Depending on your state of residency and subject to legal limitations and exceptions, you may have the right to know/access, portability, correction, deletion, opt-out of targeted advertising, opt-out of “sales,” and (in some states) control of Sensitive Personal Data.
Past 12 months (California and certain states). In the past 12 months, we may have disclosed the categories of Personal Data listed in Section 4 to the categories of recipients described in Section 8 for business purposes (e.g., order fulfillment, payment processing, customer support, security, analytics, and marketing communications). We do not knowingly “sell” Personal Data in exchange for money. However, some disclosures (such as to advertising/analytics partners via cookies or similar technologies) may be considered “sale” or “sharing” under certain State Privacy Laws. You may opt out as described in Section 13.
B. EEA/UK/Switzerland Privacy Supplement
If you are located in the EEA, the UK, or Switzerland, this Section supplements the Policy. If there is any conflict, this Section prevails for those jurisdictions. Where GDPR/UK GDPR applies, our legal bases include performance of a contract, legal obligation, legitimate interests, and consent (see Section 7). Where we rely on legitimate interests, you may object as described in Section 11. International transfers: where we transfer Personal Data outside the EEA/UK, we use lawful transfer mechanisms such as adequacy decisions and Standard Contractual Clauses (or equivalent mechanisms), as applicable. You may also have the right not to receive retaliatory or discriminatory treatment for exercising these rights, subject to Applicable Law.

15. CHILDREN’S AND MINORS’ PRIVACY

Not Intended for Children. Our Products and Services are primarily intended for use by parents, schools, and educators in educational settings. We do not directly or knowingly collect Personal Data from children.
Age Definitions. The definition of "children" and "minors" is determined by the applicable laws of your jurisdiction. Generally, we consider individuals under the age of 13 to be children, and individuals under the age of 16 to be minors. However, if local laws or regulations provide for different age thresholds, we will adhere to the definitions under such local laws.
Data Removal for Children. If you are a parent or guardian and believe that a child under the age of 13 (or the applicable age of consent in your jurisdiction) has provided us with Personal Data without appropriate consent, please contact us immediately at service@makeblock.com. We will take steps to verify the information and delete it in accordance with Applicable Law.
Protection for Minors. We are committed to protecting the privacy of minors. For individuals we know to be under the age of 16, we will not “sell” or “share” their Personal Data for the purpose of cross-context behavioral advertising.

16. UPDATES & CHANGES

Technologies and laws evolve. If we make material changes that reduce protections or materially affect your rights, we will provide prominent notice where required (for example by email or account notices) before changes take effect. Minor administrative or clarifying changes may be effective upon posting. We encourage you to review this Policy periodically by checking the “Last updated” date above.

ANNEX I SERVICE LIST

Notes: (1) The “Controller” listed below is the entity responsible for the relevant Service. (2) For certain Services, another affiliated entity may participate as a joint controller for specific processing activities (e.g., transaction operations, customer support, security), as described in this Privacy Policy. (3) Where a Service involves e-commerce transactions, the operational entity (such as the contracting/transaction entity displayed in your order or payment records) may process certain data as necessary to perform the contract and provide support.

| User Location | Controller |
| --- | --- |
| United States | Makeblock Europe B.V.; XTL US INC. as joint controller (for users’ payments/transactions) |
| EEA/UK/Switzerland | Makeblock Europe B.V. |
| Other Countries | Makeblock Europe B.V.; XTL US INC. as joint controller (for users’ payments/transactions) |


ANNEX II PURPOSES AND LEGAL BASIS

| Purpose | Information Collected | Legal Basis for Proceeding |
| --- | --- | --- |
| To provide you with access to our Site and Application, and enable you to use our Device and other service | Identity Data; Contact Data; Financial Data; Services Data; Device Data; Content Data; Technical Data; Special Categories of Personal Data | Performance of a contract; Legal or regulatory obligation; Legitimate interests: providing you with access to the requested Service and ensuring that you are provided with the best Service we can offer |
| To manage our relationship with you which will include notifying you about changes to our terms of use | Identity Data; Contact Data; Profile Data; Marketing and Communications Data | Performance of a contract; Legal or regulatory obligation; Legitimate interests: ensuring we can notify you about changes to our terms of use |
| To manage and protect our business and our Site, Device and Application, including improving data security, troubleshooting data and systems, system maintenance and testing, data hosting and reporting | Contact Data; Identity Data; Device Data; Content Data; Technical Data; Usage Data; Marketing and Communications Data | Legal or regulatory obligation; Legitimate interests: ensuring the efficient and secure running of our business and the Site, including through maintaining information technology services, network and data security |
| To use data analytics to improve our Service, for example to train our models that power the Service, marketing, customer relationships and experiences | Technical Data; Usage Data; Profile Data; Content Data; Marketing and Communications Data | Legitimate interests: reviewing how clients use and what they think of our Site and Application, improving our Site and Application, and identifying ways to grow our business; Consent |
| To investigate and address violations of our terms of use and policies as well as detect, prevent and combat harmful or unlawful behaviour | Identity Data; Contact Data; Financial Data; Services Data; Profile Data; Technical Data; Usage Data; Special Categories of Personal Data | Legal or regulatory obligation; Legitimate interests: preventing and addressing unlawful use of our electronic portals and platforms, violations of our terms and policies, or other harmful or illegal activity |
| To deliver optimized and relevant content, measure or understand the effectiveness of the Service we serve, and improve the overall approach and experience (e.g. by analysing your stated preferences and tracking patterns on how you interact and engage with our Site) | Contact Data; Identity Data; Profile Data; Technical Data; Usage Data; Marketing and Communications Data | Legitimate interest: providing relevant content and identifying ways to grow our business; Consent |
| To identify areas of interest, services or products which might interest you and to help us have a better experience on the Service and support we can offer (e.g. by tracking and analysing how you interact with our Site) | Identity Data; Contact Data; Profile Data; Marketing and Communications Data; Technical Data; Usage Data | Legitimate interest: identifying ways to grow our business by targeting our business development initiatives and marketing activities more effectively; Consent |
| To ask you for feedback about our Service as well as marketing or other events, and to manage, review and act on the feedback we are getting | Identity Data; Contact Data; Profile Data | Legitimate interests: understanding what users think of our Service as well as marketing or other events, improving them and identifying ways to grow our business and improve users' experience |
| To interact with governmental or regulatory bodies or other authorities in relation to you, subject to applicable laws | Identity Data; Contact Data; Financial Data; Services Data | Performance of a contract; Legal or regulatory obligation; Public interest |