Privacy Policy
This page describes how HackCode handles accounts, educational activity, security logging, and privacy rights across the public site and the product.
Controller: Michaela Vavrova
Legal form: Sole trader / Slovak trade-license holder (zivnostnik, SZCO)
Place of business: Tehelna 1024/23, 920 01 Hlohovec, Slovakia
IČO: 57 433 917
Trade register no.: 250-62235
Privacy contact: [email protected]
User accounts: identity fields, role, password hash, language preference, status, and timestamps.
Educational product data: enrollments, challenge submissions, course progress, section mistakes, badges, and profile content.
Lab project posts: project titles, descriptions, links, tech stacks, uploaded images, visibility settings, and space membership metadata.
Public profile and signal data: only the profile, portfolio, and visibility fields that a user explicitly leaves in public mode.
Authenticated feedback submissions: three product ratings, optional comment, device/browser context, locale, and account activity snapshot at submit time.
Operational data: invite tokens, tenant audit logs, API telemetry, and limited security metadata.
Billing data for Learner Pro: Stripe customer identifier, subscription state, trial and payment lifecycle events, invoices, and basic billing metadata.
Optional public-site analytics after consent: first-party visit events and conversion events for marketing pages.
Accounts, invites, authentication, and transactional emails: steps prior to a contract and legitimate interests in operating the service securely.
Educational progress, challenge review, and platform operations: legitimate interests in delivering the product to learners, mentors, and any organizations that operate private spaces on HackCode.
Authenticated product feedback: legitimate interests in improving product usability, reliability, and rollout decisions with account-linked context.
Billing, trial, promo grants, and subscription management through Stripe: performance of a contract and legitimate interests in operating paid Learner Pro access.
Security, audit trails, abuse prevention, and incident investigation: legitimate interests and, where applicable, legal obligation.
Optional public-site analytics cookies and visitor-level telemetry: consent.
The public site and product run on a self-managed Ubuntu VPS operated through VDSina in Amsterdam, Netherlands.
The PostgreSQL database, backups, and application runtime are currently operated on the same VPS environment.
Application/runtime logs live on the VPS host, while API telemetry and product telemetry are also stored in PostgreSQL tables.
Profile avatars and banners use Vercel Blob when blob storage is configured in the environment.
Learner Pro billing and subscription processing run through Stripe under the current Slovakia-linked merchant setup.
Google AI processing is configured for Europe-region workloads in the current deployment.
HackCode shares data only with infrastructure and delivery providers needed to run the product.
VDSina: Infrastructure hosting for the public site, application runtime, database, backups, and host-level logs. Data shared: Account data, demo requests, educational progress data, audit logs, and operational metadata stored on the VPS. Region / transfer note: Amsterdam, Netherlands. The current deployment VPS is operated through VDSina. A specific hosting region is published only if explicitly confirmed in deployment configuration.
Google Gemini: AI generation for course hints, mentor sessions, and challenge autofill routes. Data shared: Prompt content, challenge/course context, and limited request metadata needed to produce the response. Region / transfer note: Europe-region processing. The current deployment is configured to use Europe-region processing for Google AI workloads. Any later processor-region change must be reflected in the legal surface before rollout.
Vercel Blob: Public object storage for profile avatars and banner uploads. Data shared: User-uploaded profile images and the public URLs generated for those assets. Region / transfer note: Vercel-managed object storage. Blob storage is active in the current environment for public asset uploads and delivery.
Mailtrap: Transactional email delivery (primary) for invite, demo, and privacy emails. Data shared: Recipient email address, sender address, message subject, and message body for invite/demo/privacy emails. Region / transfer note: Mailtrap-managed infrastructure. Configured in the current environment for transactional email delivery.
Google Gmail SMTP: Transactional email delivery (fallback) for invite, demo, and privacy emails. Data shared: Recipient email address, sender address, message subject, and message body for invite/demo/privacy emails. Region / transfer note: Google-managed email infrastructure. Configured as the active SMTP relay in the current environment; message processing follows Google mail infrastructure locations.
Public visit analytics events: 90 days.
Product telemetry events: 180 days.
API request telemetry: 14 days in raw event form, with aggregated operational statistics retained separately.
Tenant audit logs: 365 days, then retention review unless a security or legal-defense exception applies.
Privacy requests and cookie consent records are retained while operationally or legally necessary and then reviewed under the retention schedule.
Feedback submissions: retained while the product team still needs the signal for product operations, trust, and support review, then reviewed under the retention schedule.
User account and educational records: kept while the account or any linked organization relationship is active. After that, the data is either deleted on request (via the privacy request flow), removed on our regular retention schedule, or kept longer only if the law requires it.
Only the profile and portfolio fields that a user explicitly leaves in public mode should appear in the public learner profile.
If a user switches the profile back to private mode, that profile should no longer be publicly discoverable as a public learner signal.
Public leaderboards and other public signal surfaces should respect the current visibility state of the profile.
If watcher-organization or company-specific visibility layers are added later, they must be explained both in-product and in this policy.
HackCode self-serve signup is intended for users aged 13+.
If a user is under 18 and joins through the direct self-serve flow, that user must have permission from a parent or legal guardian.
The platform is moderated for a 13+ audience, but HackCode does not currently operate a fully polished direct-to-child parent-consent workflow.
Where minors are involved through mentor-led or organization-led onboarding, that organization or another responsible adult context must provide the lawful-basis layer and supervision context.
If a stronger direct child-consent flow is introduced later, this policy and the product flow must be updated before launch.
You may request access, rectification, erasure, restriction, objection, or portability of data.
Use the legal contact [email protected] or the privacy request flow on /legal.
HackCode verifies identity before acting on sensitive requests.