Privacy Policy

Last updated

We’re a small platform that runs your code, tracks your progress, and helps you learn. That requires a little data — but only what we actually need. Here’s the full picture.

1. What we collect

When you create an account we collect your email address, username, and a bcrypt hash of your password. We never store passwords in plain text.

When you submit code to a lesson we record the source you submitted, the language, the result of the run, and timing/memory metrics. This is what powers your progress tracking, attempt history, and the AI feedback feature when enabled.

We use cookies to keep you signed in (a JWT in localStorage) and a small set of preferences such as your selected language for project courses. We do not use third-party advertising trackers.

Server logs include your IP address, user agent, and the routes you visit. These are kept for up to 30 days for debugging and abuse prevention.

2. How we use it

Email is used for transactional messages: account verification, password reset, and (if you opt in) occasional product announcements. We do not sell or rent your email.

Submitted code is used to evaluate your lesson against the course's test cases, to display your progress to you, and — if you explicitly enable the AI coaching feature — to send the relevant lesson context to our LLM provider for feedback.

Aggregated, non-identifying telemetry (which lessons people start, where they get stuck, completion rates) is used to improve the curriculum.

3. Third parties

Email delivery: Resend (transactional only).

Code execution: Judge0, isolated per submission.

AI coaching (optional, off by default): OpenRouter, routing to the configured Claude model. Your code and the lesson prompt are sent; nothing else.

Payments (when enabled): Stripe. We never see your card number — Stripe handles it.

Object storage for user-uploaded images (avatars, course covers): self-hosted MinIO on our infrastructure.

4. Your rights

You can export all data we hold on you, or delete your account entirely, from the Settings page in your dashboard. Deletion is immediate and irreversible.

If you're an EU/UK resident, you have the right to access, correct, or erase your personal data, and to object to our processing. Contact us at the address below to exercise these rights.

5. Security

We use TLS for all traffic. Passwords are bcrypt-hashed. Session tokens are signed with a server-side secret and rotated on logout.

If we ever discover a breach affecting your data, we will notify you within 72 hours, as required by applicable law.

6. Contact

Questions about this policy? Email [email protected].
