Privacy Policy
Privacy Policy
This page describes how HackCode handles demo requests, accounts, educational activity, security logging, and privacy rights across the public site and the product.
1. Controller and contact
Controller: Michaela Vavrova
Legal form: Sole trader / Slovak trade-license holder (zivnostnik, SZCO)
Place of business: Tehelna 1024/23, 920 01 Hlohovec, Slovakia
IČO: 57 433 917
Trade register no.: 250-62235
Privacy contact: hackcode.eu@gmail.com
2. What data HackCode handles
Public demo requests: email, optional name, organization, message, source, locale, delivery status, and related admin notes.
User accounts: identity fields, role, password hash, language preference, status, and timestamps.
Educational product data: enrollments, challenge submissions, course progress, section mistakes, badges, and profile content.
Authenticated feedback submissions: three product ratings, optional comment, device/browser context, locale, and account activity snapshot at submit time.
Operational data: invite tokens, preview access audit logs, tenant audit logs, API telemetry, and limited security metadata.
Billing data for Individual Pro: Stripe customer identifier, subscription state, trial and payment lifecycle events, invoices, and basic billing metadata.
Optional public-site analytics after consent: first-party visit events and conversion events for marketing pages.
3. Why we process the data and our lawful bases
Demo requests: legitimate interests to handle inbound pilot or business interest and communicate about the requested demo.
Accounts, invites, authentication, and transactional emails: steps prior to a contract and legitimate interests in operating the service securely.
Educational progress, challenge review, and platform operations: legitimate interests in delivering the product to invited users and partner organizations.
Authenticated product feedback: legitimate interests in improving product usability, reliability, and rollout decisions with account-linked context.
Billing, trial, promo grants, and subscription management through Stripe: performance of a contract and legitimate interests in operating paid Individual Pro access.
Security, audit trails, abuse prevention, and incident investigation: legitimate interests and, where applicable, legal obligation.
Optional public-site analytics cookies and visitor-level telemetry: consent.
4. Storage and hosting reality
The public site and product run on a self-managed Ubuntu VPS operated through VDSina.
The PostgreSQL database, backups, and application runtime are currently operated on the same VPS environment.
Application/runtime logs live on the VPS host, while API telemetry, preview access logs, and product telemetry are also stored in PostgreSQL tables.
Profile avatars and banners use Vercel Blob when blob storage is configured in the environment.
Individual Pro billing and subscription processing run through Stripe.
5. Processors and sharing
HackCode shares data only with infrastructure and delivery providers needed to run the product.
VDSina: Infrastructure hosting for the public site, application runtime, database, backups, and host-level logs. Data shared: Account data, demo requests, educational progress data, audit logs, and operational metadata stored on the VPS. Region / transfer note: Exact VPS region is not publicly asserted in the current legal surface.. The current deployment VPS is operated through VDSina. A specific hosting region is published only if explicitly confirmed in deployment configuration.
Google Gemini: AI generation for course hints, mentor sessions, and challenge autofill routes. Data shared: Prompt content, challenge/course context, and limited request metadata needed to produce the response. Region / transfer note: Google-controlled infrastructure. International transfers depend on Google processing locations and must be reviewed against the live Google terms used by the deployment.
Vercel Blob: Public object storage for profile avatars and banner uploads. Data shared: User-uploaded profile images and the public URLs generated for those assets. Region / transfer note: Vercel-managed object storage. Blob storage is active in the current environment for public asset uploads and delivery.
Mailtrap: Transactional email delivery (primary) for invite, demo, and privacy emails. Data shared: Recipient email address, sender address, message subject, and message body for invite/demo/privacy emails. Region / transfer note: Mailtrap-managed infrastructure. Configured in the current environment for transactional email delivery.
Google Gmail SMTP: Transactional email delivery (fallback) for invite, demo, and privacy emails. Data shared: Recipient email address, sender address, message subject, and message body for invite/demo/privacy emails. Region / transfer note: Google-managed email infrastructure. Configured as the active SMTP relay in the current environment; message processing follows Google mail infrastructure locations.
Stripe: Subscription billing for Individual Pro plans. Data shared: Email, customer identifier, subscription metadata, billing status, and payment lifecycle events. Region / transfer note: Stripe-managed infrastructure. Stripe may process data internationally according to the merchant account region and Stripe terms.
6. Retention summary
Public visit analytics events: 90 days.
Product telemetry events: 180 days.
API request telemetry: 14 days in raw event form, with aggregated operational statistics retained separately.
Tenant audit logs: 365 days, then retention review unless a security or legal-defense exception applies.
Preview access logs, demo requests, privacy requests, and cookie consent records are retained while operationally or legally necessary and then reviewed under the retention schedule.
Feedback submissions: retained while the product team still needs the signal for product operations, trust, and support review, then reviewed under the retention schedule.
User account and educational records: retained while the account or organization relationship remains active, then handled under the DSAR and retention runbooks.
7. Minors and student data posture
HackCode currently operates in a mixed model: some flows are partner or admin-led through schools or organizations, while direct interest from students can also exist.
HackCode does not currently rely on a polished direct-to-child consumer consent flow. Where minors are involved through school-led onboarding, the school or responsible adult context must provide the lawful-basis layer.
If a direct child-consent flow is introduced later, this policy and the product flow must be updated before launch.
8. Your rights
You may request access, rectification, erasure, restriction, objection, portability, or deletion of demo-contact data.
Use the legal contact hackcode.eu@gmail.com or the privacy request flow on /legal.
HackCode verifies identity before acting on sensitive requests.
