$devstack
$ cat ~/legal/privacy.md

privacy policy

How we handle your personal data on devstack, and the rights you have under the GDPR.

last updated: 2026-05-11
Draft notice: This page is a starting draft. Replace every [PLACEHOLDER] with your real details and have a qualified lawyer review the final wording before launch.

Who is responsible (Data Controller)

The controller responsible for the processing of personal data on this website under the GDPR is:

  • [YOUR FULL NAME]
  • [YOUR POSTAL ADDRESS]
  • Email: [CONTACT EMAIL]

For all questions about data protection, you can reach us at the email above.

What data we collect

We process the following categories of personal data:

1. Account data (via Clerk)

When you create an account we use Clerk for authentication. Clerk receives and stores your email address and, depending on the sign-in method, OAuth identifiers (e.g. GitHub, Google) and profile information you authorize the provider to share. See Clerk's privacy notice at clerk.com/legal/privacy.

2. Profile data (entered by you)

Everything you fill in on your devstack profile: display name, slug, bio, favorite editor / LLM / harness / UI, and the social links you choose to publish (GitHub, X, YouTube, Twitch, Instagram). This data is public and indexable by search engines.

3. Technical data

Standard server and application logs that our hosting provider (Vercel) and backend (Convex) collect to deliver and protect the service: IP address, user agent, request timestamps, error traces. These logs are retained for a limited period as documented by the respective sub-processors.

4. Cookies

We only set cookies that are strictly necessary to operate the site, such as Clerk authentication cookies. We do not use advertising or cross-site tracking cookies. See our cookie notice for details.

Purposes and legal bases

  • Providing the service (account creation, login, publishing your profile) — performance of a contract (Art. 6(1)(b) GDPR).
  • Security, abuse prevention, debugging — legitimate interest in operating a safe service (Art. 6(1)(f) GDPR).
  • Compliance with legal obligations — Art. 6(1)(c) GDPR, where applicable.

Sub-processors and international transfers

We use the following sub-processors. They may process your data outside the EU/EEA (primarily in the United States). Transfers are protected by Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

How long we keep your data

  • Account and profile data: for as long as your account exists. When you delete your account, we delete the associated profile record immediately and remove residual copies from backups within 30 days.
  • Server logs: retained by our sub-processors for the periods set out in their documentation (typically 30–90 days).

Your rights under the GDPR

You have the right to:

  • access the personal data we hold about you (Art. 15);
  • have inaccurate data rectified (Art. 16);
  • have your data erased (Art. 17);
  • restrict processing in certain cases (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interests (Art. 21);
  • withdraw any consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
  • lodge a complaint with a supervisory authority — for users in Poland, this is the Prezes Urzędu Ochrony Danych Osobowych (UODO); users in other EU/EEA states can contact their national authority.

To exercise any of these rights, email [CONTACT EMAIL]. Account deletion can be requested in-app from your dashboard once that feature ships, or by email until then.

Minimum age

devstack is not intended for children. You must be at least 16 years old to create an account. We do not knowingly collect data from anyone younger.

Changes to this policy

We may update this policy from time to time. The "last updated" date above reflects the latest version. Material changes will be announced before they take effect.