Privacy Policy

Controller: Michaela Vavrova

Legal form: Sole trader / Slovak trade-license holder (zivnostnik, SZCO)

Place of business: Tehelna 1024/23, 920 01 Hlohovec, Slovakia

IČO: 57 433 917

Trade register no.: 250-62235

Privacy contact: [email protected]

• Public demo requests: email, optional name, organization, message, source, locale, delivery status, and related admin notes.

• User accounts: identity fields, role, password hash, language preference, status, and timestamps.

• Educational product data: enrollments, challenge submissions, course progress, section mistakes, badges, and profile content.

• Authenticated feedback submissions: three product ratings, optional comment, device/browser context, locale, and account activity snapshot at submit time.

• Operational data: invite tokens, preview access audit logs, tenant audit logs, API telemetry, and limited security metadata.

• Optional public-site analytics after consent: first-party visit events and conversion events for marketing pages.

• Demo requests: legitimate interests to handle inbound pilot/business interest and communicate about the requested demo.

• Accounts, invites, authentication, and transactional emails: steps prior to a contract and legitimate interests in operating the service securely.

• Educational progress, challenge review, and platform operations: legitimate interests in delivering the product to invited users and partner organizations.

• Authenticated product feedback: legitimate interests in improving product usability, reliability, and rollout decisions with account-linked context.

• Security, audit trails, abuse prevention, and incident investigation: legitimate interests and, where applicable, legal obligation.

• Optional public-site analytics cookies and visitor-level telemetry: consent.

• The public site and product run on a self-managed Ubuntu VPS operated through VDSina.

• The PostgreSQL database, backups, and application runtime are currently operated on the same VPS environment.

• Application/runtime logs live on the VPS host, while API telemetry, preview access logs, and product telemetry are also stored in PostgreSQL tables.

• Profile avatars and banners use Vercel Blob when blob storage is configured in the environment.

HackCode shares data only with infrastructure and delivery providers needed to run the product.

• VDSina: Infrastructure hosting for the public site, application runtime, database, backups, and host-level logs. Data shared: Account data, demo requests, educational progress data, audit logs, and operational metadata stored on the VPS. Region/transfer note: Exact VPS region is not publicly asserted in the current legal surface.. The current deployment VPS is operated through VDSina. A specific hosting region is published only if explicitly confirmed in deployment configuration.

• Google Gemini: AI generation for course hints and challenge autofill routes. Data shared: Prompt content, challenge/course context, and limited request metadata needed to produce the response. Region/transfer note: Google-controlled infrastructure. International transfers depend on Google processing locations and must be reviewed against the live Google terms used by the deployment.

• Vercel Blob: Public object storage for profile avatars and banner uploads. Data shared: User-uploaded profile images and the public URLs generated for those assets. Region/transfer note: Vercel-managed object storage. Blob storage is active in the current environment for public asset uploads and delivery.

• Mailtrap: Transactional email delivery (primary) for invite, demo, and privacy emails. Data shared: Recipient email address, sender address, message subject, and message body for invite/demo/privacy emails. Region/transfer note: Mailtrap-managed infrastructure. Configured in the current environment for transactional email delivery.

• Google Gmail SMTP: Transactional email delivery (fallback) for invite, demo, and privacy emails. Data shared: Recipient email address, sender address, message subject, and message body for invite/demo/privacy emails. Region/transfer note: Google-managed email infrastructure. Configured as the active SMTP relay in the current environment; message processing follows Google mail infrastructure locations.

• Public visit analytics events: 90 days.

• Product telemetry events: 180 days.

• API request telemetry: 14 days in raw event form, with aggregated operational statistics retained separately.

• Tenant audit logs: 365 days, then retention review unless a security or legal-defense exception applies.

• Preview access logs, demo requests, privacy requests, and cookie consent records are retained while operationally or legally necessary and then reviewed under the retention schedule.

• Feedback submissions: retained while the product team still needs the signal for product operations, trust, and support review, then reviewed under the retention schedule.

• User account and educational records: retained while the account or organization relationship remains active, then handled under the DSAR and retention runbooks.

• HackCode currently operates in a mixed model: some flows are partner/admin-led through schools or organizations, while direct interest from students can also exist.

• HackCode does not currently rely on a polished direct-to-child consumer consent flow. Where minors are involved through school-led onboarding, the school or responsible adult context must provide the lawful-basis layer.

• If a direct child-consent flow is introduced later, this policy and the product flow must be updated before launch.

• You may request access, rectification, erasure, restriction, objection, portability, or deletion of demo-contact data.

• Use the legal contact [email protected] or the privacy request flow on /legal.

• HackCode verifies identity before acting on sensitive requests.

English is the primary operating text today. Slovak summary content for the same legal surface is provided on the public legal pages and should be kept aligned with this policy.