Privacy Policy
Last updated: November 24, 2025
The Northern Web (Company Registration No. 12393938) ("we", "us", "our") operates StackPass. This Privacy Policy explains how we collect, use, and protect your personal information in compliance with UK GDPR and Data Protection Act 2018.
1. Information We Collect
1.1 GitHub Account Data
When you sign up via GitHub OAuth:
- Name, email address, username
- Profile picture and public bio
- Public repositories and contribution statistics
- Organizations and public activity
1.2 Profile Information
- Custom bio and location (optional)
- Social media links (optional)
- Featured projects and tech stack
- Availability status and messages
1.3 Payment Information
- Stripe Customer ID and Subscription ID
- Subscription status and expiry date
- We never see or store your card details (handled by Stripe)
1.4 Hackathon Data
- Registration status, team information
- Project submissions (code, demo links, descriptions)
- Votes and scores (if you participate in judging)
1.5 Usage and Analytics
- Pages visited, features used
- Device type, browser, IP address
- Session duration and interactions
- Performance metrics (via Vercel Analytics)
1.6 Communications
- Contact form submissions
- Support ticket messages
- Email correspondence
2. How We Use Your Information
2.1 Service Delivery
- Authenticate you and manage your account
- Display your developer profile
- Sync GitHub data automatically
- Process premium subscriptions
- Manage hackathon registrations and prizes
2.2 Communication
Transactional (cannot opt out):
- Account confirmations, password resets
- Subscription receipts and renewals
- Hackathon registration confirmations
- Prize winner notifications
Promotional (opt-out available):
- Hackathon announcements (for premium members)
- Product updates and new features
- Platform improvements
2.3 Platform Improvement
- Analyze usage patterns to improve UX
- Monitor performance and fix bugs
- Develop features based on user needs
2.4 Legal and Security
- Prevent fraud and abuse
- Enforce Terms of Service
- Comply with legal obligations
- Respond to legal requests
3. Legal Basis for Processing (GDPR Article 6)
| Purpose | Legal Basis |
|---|---|
| Account management | Contract performance |
| Premium subscriptions | Contract performance |
| Hackathon administration | Contract performance |
| Platform improvement | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Marketing emails | Consent (opt-in) |
| Legal compliance | Legal obligation |
4. Data Sharing
4.1 Service Providers
Stripe (Payment Processing):
- Location: US/EU
- Purpose: Process subscriptions
- Data: Email, Customer ID, payment amounts
- Privacy Policy: https://stripe.com/privacy
GitHub (Authentication):
- Location: US
- Purpose: OAuth login, profile sync
- Data: Public GitHub information
- Privacy Policy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement
Resend (Email Delivery):
- Location: US
- Purpose: Send transactional and marketing emails
- Data: Email address, message content
- Privacy Policy: https://resend.com/legal/privacy-policy
Vercel (Hosting & Analytics):
- Location: US/EU
- Purpose: Host platform, collect anonymized analytics
- Data: Pageviews, performance metrics
- Privacy Policy: https://vercel.com/legal/privacy-policy
Supabase (Database):
- Location: EU (London region)
- Purpose: Store application data
- Data: All user data
- Privacy Policy: https://supabase.com/privacy
4.2 Public Data
- Your developer profile (unless set to private)
- Hackathon submissions and results
- Public GitHub repositories and stats
4.3 No Data Selling
We do not sell, rent, or trade your personal data to third parties.
5. International Data Transfers
- Primary data storage: EU (Supabase London)
- Third-party services may process in US (Stripe, GitHub, Vercel, Resend)
- Safeguards: Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework
- GitHub, Stripe, Vercel certified under EU-US adequacy mechanisms
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | While account is active |
| Deleted account data | 30 days (except as noted below) |
| Payment records | 7 years (legal requirement) |
| Hackathon submissions | Indefinitely (competition records) |
| Email communications | 2 years |
| Analytics data | 2 years (anonymized) |
7. Your Privacy Rights (GDPR)
7.1 Right of Access
Request a copy of all data we hold about you.
7.2 Right to Rectification
Correct inaccurate or outdated information.
7.3 Right to Erasure
Request deletion of your data (subject to legal retention requirements).
7.4 Right to Data Portability
Export your data in JSON format.
7.5 Right to Restrict Processing
Limit how we use your data in certain circumstances.
7.6 Right to Object
Object to data processing based on legitimate interest.
7.7 Right to Withdraw Consent
Unsubscribe from marketing emails or revoke optional permissions.
How to Exercise Rights:
- Email: hello@thenorthern-web.co.uk
- Subject: "Privacy Rights Request"
- Include: Your StackPass email and specific request
- Response time: Within 30 days
8. Security Measures
- Encryption: TLS/SSL for all data in transit, AES-256 at rest
- Authentication: OAuth 2.0 via GitHub (no passwords stored)
- Database: Row-Level Security (RLS) policies on all tables
- Access Control: Minimal employee access, audit logging
- Payment: PCI-DSS compliant via Stripe
9. Cookies
9.1 Essential Cookies
- next-auth.session-token: Authentication (required)
- next-auth.csrf-token: Security (required)
9.2 Analytics
- Vercel Analytics: Anonymized pageview tracking
Manage Cookies: Browser settings or Cookie Policy
10. Children's Privacy
- Age Requirement: 13+ for account creation
- Hackathons: 18+ or parental consent required
- No Intentional Collection: We don't target or knowingly collect data from children under 13
- Parent Requests: Contact us to delete a child's data
11. Do Not Track (DNT)
We honor Do Not Track signals. Enable DNT in your browser to opt out of analytics tracking.
12. Data Breach Notification
In the event of a data breach:
- Timeline: Notification within 72 hours (GDPR requirement)
- Method: Email to affected users
- Content: What happened, what data affected, what we're doing
- Authority Notification: ICO notified as required
13. Your Choices
13.1 Profile Visibility
- Set profile to private in account settings
- Control which projects are featured
- Manage social links and bio
13.2 Marketing Preferences
- Opt out via email footer unsubscribe link
- Manage preferences in account settings
- Transactional emails cannot be disabled
13.3 Data Export
- Export your data anytime via account settings
- Includes: Profile, submissions, connections
- Format: JSON
13.4 Account Deletion
- Delete account in settings
- Data removed within 30 days
- Some data retained for legal compliance
14. Third-Party Links
StackPass contains links to external websites (GitHub, project demos). We are not responsible for their privacy practices. Review their policies separately.
15. Updates to This Policy
- Notification: Material changes emailed to all users
- Effective Date: Changes effective 30 days after notice
- Continued Use: Constitutes acceptance of updated policy
- Archive: Previous versions available upon request
16. Contact Us
Privacy Inquiries:
- Email: hello@thenorthern-web.co.uk
- Subject: "Privacy Policy Question"
Data Protection Officer:
- Email: hello@thenorthern-web.co.uk
- Subject: "DPO - Data Rights Request"
Company Details:
- The Northern Web
- Company No. 12393938
- United Kingdom
Supervisory Authority:
- Information Commissioner's Office (ICO)
- Website: https://ico.org.uk
- For UK/EU users to file complaints
Effective Date: November 24, 2025
This policy complies with UK GDPR, Data Protection Act 2018, and CCPA requirements.