Privacy Policy
Last Updated: October 17, 2025
1. Introduction
ProofStack ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using ProofStack, you consent to the data practices described in this policy.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, username, password (hashed), profile information
- Authentication Data: GitHub OAuth tokens (if you connect your GitHub account)
- Uploaded Content: Files you upload (code, audio, video, documents), metadata, descriptions
- Communication: Messages you send through contact forms or support requests
 
2.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent on the Service
- Device Information: Browser type, operating system, IP address, device identifiers
- Log Data: Access times, error logs, API requests
- Cookies and Tracking: Session cookies, authentication tokens, analytics cookies
 
2.3 Third-Party Data
- GitHub Data: Repository information, commit history, public profile data (with your permission)
- Analytics Data: Aggregated usage statistics from PostHog and Vercel Analytics
 
3. How We Use Your Information
3.1 Service Provision
- Creating and managing your account
- Storing and displaying your uploaded content
- Processing and analyzing your files using AI systems
- Generating skill extractions and portfolio insights
- Creating cryptographic proofs and signatures
- Enabling GitHub integration and verification
 
3.2 AI Analysis and Processing
Important: By uploading files to ProofStack, you explicitly consent to AI analysis of your content. This includes:
- Text Analysis: Code, documents, and text files are processed by large language models (LLMs) to extract skills, identify technologies, and generate summaries
- Audio/Video Transcription: Media files are transcribed using speech-to-text AI services (OpenAI Whisper)
- Third-Party AI Services: Your content may be sent to third-party AI providers (OpenAI, Anthropic, Hugging Face, local Ollama instances) for processing
- Data Retention by AI Providers: Third-party AI services may temporarily cache your content for processing. We use zero-retention APIs where available
 
Note: We do not train AI models on your private content. AI analysis is solely for providing the Service to you.
3.3 Communication and Support
- Responding to your inquiries and support requests
- Sending service-related notifications and updates
- Notifying you of changes to our Terms or Privacy Policy
 
3.4 Analytics and Improvement
- Understanding how users interact with the Service
- Identifying and fixing bugs and technical issues
- Improving Service performance and user experience
- Developing new features and functionality
 
3.5 Security and Legal Compliance
- Detecting and preventing fraud, abuse, and security incidents
- Enforcing our Terms of Service
- Complying with legal obligations and responding to lawful requests
 
4. Data Sharing and Disclosure
4.1 Public Information
Your portfolio and uploaded content are public by default. Anyone with the link to your portfolio can view your samples, skills, and analyses. Do not upload sensitive or confidential information.
4.2 Service Providers
We share data with third-party service providers who help us operate the Service:
- Supabase: Database and authentication (data stored in US cloud infrastructure)
- Cloudinary: File storage and media processing
- OpenAI: AI analysis and transcription services
- Anthropic/Hugging Face: Alternative AI analysis providers
- Vercel: Hosting and deployment infrastructure
- PostHog: Product analytics and user behavior tracking
- Sentry: Error monitoring and performance tracking
- GitHub: OAuth authentication and repository integration
 
4.3 Legal Requirements
We may disclose your information if required by law, court order, subpoena, or to protect our rights and safety or the rights and safety of others.
4.4 Business Transfers
If ProofStack is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
4.5 With Your Consent
We may share your information with third parties when you give us explicit consent to do so.
5. Data Retention
5.1 Active Accounts: We retain your data for as long as your account is active or as needed to provide the Service.
5.2 Account Deletion: When you delete your account:
- Your account is immediately deactivated and inaccessible
- Uploaded files are removed from Cloudinary storage within 30 days
- Personal data is permanently deleted from our databases within 90 days
- Backups containing your data are purged within 180 days
- Anonymized analytics data (without personal identifiers) may be retained indefinitely
 
5.3 Legal Retention: We may retain certain information for longer periods if required by law or to resolve disputes.
6. Data Security
We implement reasonable security measures to protect your information, including:
- Encryption of data in transit (HTTPS/TLS)
- Encryption of data at rest (database and file storage)
- Secure authentication with hashed passwords and OAuth tokens
- Regular security monitoring and vulnerability scanning
- Access controls and authentication for our systems
- Error monitoring and logging via Sentry
 
Note: No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Your Privacy Rights
You have the following rights regarding your data:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate information in your account settings
- Deletion: Request permanent deletion of your account and data via dashboard settings
- Portability: Export your data in a machine-readable format
- Objection: Object to certain processing of your data
- Opt-Out: Disable analytics cookies and tracking (may limit functionality)
- Withdraw Consent: Revoke consent for data processing by deleting your account
 
To exercise these rights, visit your dashboard settings or contact us at privacy@proofstack.com.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience:
8.1 Essential Cookies
- Authentication tokens (required for login)
- Session management cookies
- Security cookies (CSRF protection)
 
8.2 Analytics Cookies
- PostHog analytics (product usage, feature adoption)
- Vercel Analytics (page views, performance metrics)
 
You can control cookies through your browser settings, but disabling cookies may limit Service functionality.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own. By using the Service, you consent to such transfers. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.
10. Children's Privacy
ProofStack is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will promptly delete such information.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your CCPA rights
 
To exercise your CCPA rights, contact privacy@proofstack.com.
12. GDPR Rights (European Users)
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
 
Our legal basis for processing includes: consent (for AI analysis), contract performance (for providing the Service), and legitimate interests (for security and improvement).
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or prominent notice on the Service. Your continued use after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Privacy Officer: privacy@proofstack.com
General Support: support@proofstack.com
Data Deletion Requests: Via dashboard settings or privacy@proofstack.com
By using ProofStack, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.