HackProduct

Privacy Policy

How data moves through HackProduct.

This policy explains what HackProduct collects, why it is used, which vendors process it, how long it is kept, and how account holders can ask for access or deletion.

Placeholder: needs legal review before public launch.

Last updated: May 6, 2026

Data We Collect

  • Account data: name, email address, authentication provider, avatar, password hash handled by Supabase, linked identity data, and account security events.
  • Profile data: plan, onboarding answers, role preferences, calibration results, skill progress, streak state, XP, saved settings, notification choices, and referral attribution.
  • Practice data: challenge starts, submissions, answers, diagrams, code, test results, discussion posts, replies, votes, reports, feedback, scorecards, and learning history.
  • Hatch coaching data: messages, prompts, generated feedback, usage counts, safety signals, and voice-rule replacement logs when model output is cleaned before display.
  • Billing data: Stripe customer, subscription, invoice, coupon, promotion code, tax, and billing portal identifiers. Full payment card numbers are processed by Stripe, not HackProduct.
  • Affiliate data: affiliate codes, Stripe Connect account identifiers, click counts, hashed IP and user-agent signals, commission rows, payout status, and transfer identifiers.
  • Device and network data: IP address, user-agent, cookies, session identifiers, rate-limit counters, analytics events if non-essential cookies are accepted, and error diagnostics.

How We Use Data

  • Run the product, authenticate accounts, route users through onboarding, preserve workspace state, and show progress across practice surfaces.
  • Generate Hatch coaching, grade submissions, recommend next practice, maintain usage limits, and prevent cost spikes or abuse.
  • Process payments, taxes, refunds, coupons, trials, billing notices, affiliate attribution, and Stripe Connect payouts.
  • Send transactional email such as verification links, password reset links, billing notices, streak reminders, weekly digests, discussion replies, and account alerts.
  • Improve product quality through aggregate usage analysis, bug reports, moderation review, security logs, and support requests.
  • Meet legal, tax, accounting, fraud prevention, and security obligations.

Third Parties

  • Supabase provides authentication, database, storage, and server-side access controls.
  • AI processing providers support Hatch coaching and grading features.
  • Automated moderation providers may be used to screen user-submitted discussion or abuse-report content.
  • Stripe processes checkout, subscriptions, tax, invoices, refunds, coupons, billing portal sessions, and payment method updates.
  • Stripe Connect supports affiliate onboarding and commission payouts where available.
  • Resend sends transactional email.
  • Vercel hosts the application and runs scheduled jobs.
  • Cloudflare Turnstile helps detect bot signup and account recovery attempts.
  • Upstash Redis stores rate-limit counters and related short-lived operational data.
  • Sentry may capture application errors when error monitoring is enabled.
  • PostHog may collect product analytics when analytics is enabled and a visitor accepts non-essential cookies.

Retention

  • Account, billing, and security records are kept while the account exists and longer when required for tax, fraud prevention, dispute, or legal reasons.
  • Practice history, scorecards, learner state, and discussion content are kept while the account exists unless deleted by the account holder or removed under moderation rules.
  • Hatch chat and generated feedback retention may vary by plan. Free-plan history may be pruned sooner than Pro-plan history once automated retention jobs are active.
  • Rate-limit data, Turnstile checks, session cookies, and operational logs are kept for shorter periods based on security and debugging needs.
  • Affiliate commission and payout records are kept for accounting and dispute review after payout.

Rights And Choices

  • Account holders can request access, correction, export, or deletion of personal data by contacting privacy@hackproduct.dev.
  • Notification preferences can be changed in settings or through signed unsubscribe links in email.
  • Cookie choices are saved in the current browser. Essential storage is required for login, security, billing, and core product operation.
  • Deleting an account removes profile data and cascaded practice data where technically possible. Some billing, security, affiliate, tax, dispute, and audit records may remain when retention is required.
  • Affiliate payouts through Stripe Connect may require additional identity, tax, and bank account information handled by Stripe.

Contact

Privacy requests can be sent to privacy@hackproduct.dev. Include the account email address and the request type.