BlockAI · Mobile App

BlockAI Privacy Policy

Last updated: 11 June 2026

The 30-second summary

  • We never see your X (Twitter) password. The app shows X's login page inside an in-app browser; you sign in exactly like you would in Safari or Chrome.
  • After login, we capture the X session cookies your phone already holds and send them, exactly once, to BlockAI's servers so the Telegram bot can act on your behalf.
  • We collect no advertising identifiers, no location, no contacts, no photos, no microphone access. The app has exactly one purpose and exactly the permissions to do it.
  • We sell nothing and share nothing with third-party advertisers or data brokers.

What the app reads from x.com

The in-app browser loads https://x.com. After you sign in, it reads:

  • auth_token: the X session cookie that proves you're logged in. Marked HttpOnly by X, so only privileged code (the app, not JavaScript inside a webpage) can read it.
  • ct0: the X CSRF cookie that pairs with auth_token on every authenticated X request.
  • twid: contains your numeric X user id. Used only as a hint when matching your account to the connection record.
  • Your X handle (@username) from the in-page profile link. Used so the Telegram bot can confirm which account it's linked to.

We do not read your DMs, your feed, other users' data, or your X password. There is no other data extraction from x.com.

What the app sends to our servers

Exactly one HTTPS request, once per connect attempt, to https://www.blockmm.ai/api/connect-app:

  • The setup token the Telegram bot issued you (8-character single-use code, 24-hour TTL).
  • The cookies described above (auth_token, ct0) and the X handle.
  • No device ID, no advertising ID, no location, no analytics ping.

The server validates the token, writes the connection to MongoDB Atlas (encrypted at rest), and notifies your Telegram account that the link succeeded. The cookies are then used by the BlockAI worker exclusively to drive the GeniusX / CloneX / boost flows you've subscribed to in the bot.

What's stored locally on your phone

Practically nothing. The in-app browser maintains its own cookie store while it's open; once you complete the connect flow there's nothing for the app to persist. Uninstalling the app removes all of it instantly.

Data retention

  • Connection records (cookies and handle) are retained for as long as the connection is active in the BlockAI bot. Cookies expire on X's server side after ~30 days; we delete them at that point or sooner if you disconnect via the bot.
  • The Telegram bot's record of your subscription state and billing history is retained for 7 years to comply with UK HMRC requirements.
  • You can request deletion of all data at any time by emailing privacy@blockmm.ai.

Permissions the app asks for

  • Internet — to load x.com inside the in-app browser and POST captured cookies to blockmm.ai.
  • That's it. No camera, microphone, contacts, location, photos, calendars, biometrics, motion sensors, Bluetooth, or push notifications.

Third parties

  • X / Twitter — the in-app browser loads x.com to let you sign in. X sees this exactly as it would a normal Safari / Chrome login.
  • Apple / Google — host the app store binary you installed. We have no direct exchange of personal data with either, beyond what every published app exchanges.
  • MongoDB Atlas — encrypted database where connection records live, hosted in our Vercel-attached region.
  • No advertising SDKs, no analytics SDKs, no crash-reporting SDKs in this v1.

Your rights (UK GDPR / EU GDPR)

You have the right to access, correct, delete, port, or restrict the processing of your personal data. Email privacy@blockmm.ai with your request. We respond within 30 days. If you're unhappy, you can complain to the UK ICO at ico.org.uk.

Changes to this policy

Material changes (new data collected, new third parties, longer retention) will be announced in-app and via the Telegram bot at least 14 days before they take effect.

Contact

Privacy / data requests: privacy@blockmm.ai. General support: hello@blockmm.ai.