Preamble
This Cookie Policy (the "Policy") is issued by BL PLATFORM S.L. (hereinafter, the "Provider", the "Company" or "We") in its capacity as Data Controller and describes, with the precision required by the regulatory framework set out in Article III, the cookies and similar technologies installed on the User's terminal device upon access to the websites accessible at blocalapp.com, www.blocalapp.com and any subdomain operated by the Provider (collectively, the "Platform").
The Policy is to be read jointly with the Privacy Policy, the Legal Notice and the GDPR Rights Notice, all of which together form the data-protection framework binding upon the User.
Article I
Defined Terms
A small data file deposited on the User's terminal device by a web server upon visit, capable of being retrieved upon subsequent visits for the purposes set out in this Policy.
A cookie set by the domain visible in the address bar of the User's browser, i.e. operated directly by the Provider.
A cookie set by a domain different from the one visible in the address bar of the User's browser.
A cookie automatically erased from the User's terminal device upon termination of the browser session.
A cookie persisting on the User's terminal device beyond the termination of the browser session, until its expiry date or its express deletion by the User.
Local storage, session storage, IndexedDB, web beacons, pixels, fingerprinting techniques and any further client-side state-keeping mechanism, regardless of the technical implementation.
Article II
Identity of the Data Controller
Controller: BL PLATFORM S.L.
NIF: B88709738
Registered Office: Carrer de Lepant, 270, 08013 Barcelona, Spain
Privacy & Data Protection Enquiries: support@blocalapp.com
Article III
Regulatory Framework
This Policy is drafted in compliance with: (i) Article 22(2) of Spanish Law 34/2002, on Information Society Services and Electronic Commerce ("LSSI-CE"), as amended by Royal Decree-Law 13/2012; (ii) Article 5(3) of Directive 2002/58/EC ("ePrivacy Directive"), as transposed into Spanish law; (iii) Regulation (EU) 2016/679 ("GDPR"); (iv) Spanish Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"); and (v) the technical guidance issued by the Agencia Española de Protección de Datos ("AEPD") on the use of cookies, in its current version.
Article IV
What are Cookies?
A cookie is a small file of data that a web server transmits to the User's terminal device upon visit of a website and which the device returns to the same server upon subsequent requests. Cookies enable the Platform to recognise the User's device, to preserve session state, to remember preferences, to ensure security and, where consent has been granted, to measure usage or to personalise content. Cookies do not by themselves execute programmes and cannot, under normal conditions, deliver viruses to the User's device.
Article V
Categories by Function
Cookies indispensable for the operation of the Platform: authentication, session persistence, CSRF protection, load balancing and basic security. Exempt from prior consent under Article 22(2) LSSI-CE.
Cookies storing User-selected preferences such as language, theme, region or accessibility settings. Considered functional and, in accordance with the AEPD's current guidance, may benefit from the technical exemption where strictly limited to remembering such preferences.
Cookies deployed for bot detection, abuse mitigation and fraud prevention by the edge network provider (Cloudflare). The Provider considers these to be strictly necessary for the security of the Platform within the meaning of Article 6(1)(f) GDPR.
Cookies measuring aggregated and pseudonymous usage of the Platform for the purpose of capacity planning and product improvement. Subject to prior opt-in consent.
Not deployed by the Provider on the public Platform.
Article VI
Categories by Origin
Cookies are classified, by origin, as first-party cookies (set by the domain blocalapp.com) and third-party cookies (set by a domain other than blocalapp.com, typically by a sub-processor enumerated in the Privacy Policy). The inventory in Article VIII indicates the origin of each cookie.
Article VII
Categories by Duration
Cookies are classified, by duration, as session cookies (erased upon termination of the browser session) and persistent cookies (preserved on the terminal device until their expiry date or their express deletion by the User). The inventory in Article VIII indicates the duration of each cookie.
Article VIII
Cookie Inventory
The following table sets out the cookies deployed on the Platform at the effective date of this Policy. The inventory is reviewed periodically and may evolve. Any material change shall be reflected herein and shall, where applicable, trigger a fresh consent request.
| Name | Provider | Category | Purpose | Duration |
|---|---|---|---|---|
| sb-access-token | blocalapp.com | Strictly Necessary | Authenticated session bearer token. | Session / 1 hour |
| sb-refresh-token | blocalapp.com | Strictly Necessary | Refresh of the authenticated session. | Persistent / up to 30 days |
| csrf-token | blocalapp.com | Strictly Necessary | Protection against Cross-Site Request Forgery. | Session |
| bl_consent | blocalapp.com | Strictly Necessary | Stores the User's cookie-consent decisions and their version. | 12 months |
| bl_theme | blocalapp.com | Preferences | Stores the User's selected theme (light / dark / system). | 12 months |
| bl_locale | blocalapp.com | Preferences | Stores the User's selected language. | 12 months |
| __cf_bm | cloudflare.com | Security | Bot management — distinguishes humans from automated agents. | 30 minutes |
| cf_clearance | cloudflare.com | Security | Confirms passage of a security challenge. | 30 minutes — 1 year |
| __stripe_mid | stripe.com | Strictly Necessary (checkout) | Fraud prevention on checkout flows. | 1 year |
| __stripe_sid | stripe.com | Strictly Necessary (checkout) | Fraud prevention on checkout flows. | 30 minutes |
Article IX
Similar Technologies
In addition to cookies in the strict sense, the Platform makes use of the following client-side state-keeping mechanisms:
Used for the persistence of UI preferences, theme selection and short-lived authentication artefacts. Data stored therein remains on the User's terminal device and is not, of itself, transmitted to the Provider's servers.
Used, where applicable, for the local caching of non-sensitive reference data in order to improve perceived performance.
Open-source bot-detection signals (BotD / FingerprintJS) are computed in-memory at the moment of the request and are not persisted on the User's device.
Article X
No Third-Party Marketing Trackers
The Provider expressly confirms that the public Platform does not deploy Google Analytics, Google Tag Manager, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Hotjar, FullStory, session-replay tools, advertising pixels or any equivalent third-party marketing or behavioural-advertising technology. Should any such technology be introduced in the future, its deployment shall be conditioned upon the User's prior, granular, freely-given and revocable opt-in consent, expressed through the consent banner described in Article XII.
Article XI
Legal Bases for the Use of Cookies
Strictly necessary technical cookies (authentication, session, CSRF, load balancing, security) are exempt from prior consent and are deployed on the basis of the technical exemption.
Security-oriented bot-detection cookies are deployed on the basis of the Provider's legitimate interest in preserving the integrity and availability of the Platform.
Analytics, preference (where not strictly technical) and any future marketing cookies are conditioned upon the User's prior opt-in consent.
Article XII
Granular Consent
Upon first visit to the Platform, the User is presented with a consent banner permitting the User to: (i) accept all non-essential cookies; (ii) reject all non-essential cookies; or (iii) configure granular preferences per cookie category. The "reject all" option is presented with the same prominence as the "accept all" option, in line with EDPB Guidelines 03/2022. No non-essential cookie is deposited prior to the express affirmation of consent.
The record of consent — including the time stamp, the version of the Policy in force at the moment of consent and the categories accepted — is preserved as evidence in accordance with the accountability principle of Article 5(2) GDPR.
Article XIII
Withdrawal & Modification of Consent
The User may at any time review, modify or withdraw consent without prejudice to the lawfulness of the Processing carried out prior to such withdrawal, by clicking the "Cookie Preferences" link in the footer of the Platform or the button below:
Article XIV
Browser-Level Controls
In addition to the in-product preferences centre, the User may configure the User's browser to block, restrict or selectively erase cookies. The blocking of strictly necessary cookies may, however, render certain functionalities of the Platform inaccessible. Instructions issued by the principal browser publishers are available at the following addresses:
Article XV
Do Not Track & Global Privacy Control
The Platform honours, on a best-efforts basis, the Global Privacy Control (GPC) signal. Where the GPC signal is transmitted by the User's browser, the Provider shall treat such signal as a valid expression of refusal of any non-essential cookie. The legacy DNT ("Do Not Track") header is, in light of the absence of an industry consensus on its semantic meaning, not relied upon as a definitive expression of preference; the User is encouraged to rely on the in-product preferences centre.
Article XVI
International Transfers
Certain cookies originate from sub-processors established outside the European Economic Area, in particular Cloudflare (security cookies) and, where applicable, Stripe (payment-related cookies on checkout flows). Any international transfer of personal data resulting from such cookies is governed by the Article 46 GDPR mechanisms described in the Privacy Policy (Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework).
Article XVII
Retention Periods
The retention period of each cookie is set out in the inventory at Article VIII. As a general rule, persistent cookies relating to consent and to the basic functioning of the Platform are retained for a maximum of twenty-four (24) months, after which a fresh consent shall be requested. The User may at any time erase any cookie through the controls described in Articles XIII and XIV.
Article XVIII
Amendments
The Provider reserves the right to amend the present Policy at any time, in particular in order to reflect changes to the cookies deployed on the Platform or to the applicable regulatory framework. Material amendments shall be reflected in the version indicator above and, where they entail the deployment of a new category of cookies subject to consent, shall trigger a fresh request for the User's express opt-in.
Article XIX
Contact
Controller: BL PLATFORM S.L.
NIF: B88709738
Registered Office: Carrer de Lepant, 270, 08013 Barcelona, Spain
Privacy & Data Protection Enquiries: support@blocalapp.com
Supervisory authority — Agencia Española de Protección de Datos: www.aepd.es
End of Document · BL PLATFORM S.L. · © 2026
