Privacy Policy

1. Who We Are

LeakCode (the “Service”, “we”, “us”) operates the website at leakcode.dev. We are the data controller for personal information collected through the Service. For privacy questions or to exercise any rights described in this policy, contact [email protected].

2. Information We Collect

Account information. When you create an account we collect your email address and a one-way hashed version of your password. We never store your password in plain text. If you sign in with Google or GitHub OAuth we receive your email address and a provider user ID. We do not receive your social-network friend lists, profile pictures, or contact lists.

Subscription information. If you subscribe to a paid plan, our payment processors (Stripe or PayPal) collect and store your billing information. We receive only a customer ID, your subscription status, and the country and postal code you provided at checkout. We never see, transmit, or store your full card number, CVC, or bank account number.

Usage data. Our analytics provider (Plausible) records anonymous page-view events. This data does not include cookies, fingerprints, IP addresses, or anything that can identify you personally. It tells us only how many people visited a page, which referring site they came from, and which country (at the country level, not city or precise location).

Server logs. Our hosting provider (Fly.io) keeps short-lived operational logs of HTTP requests for security and reliability. These logs may include your IP address and user agent. They are retained for less than 7 days and are not used for advertising, profiling, or sale.

Optional contact. If you email us or use the support form, we retain your message and email address so we can respond.

3. What We Do Not Collect

• Your real name, phone number, home address, or date of birth (we do not ask for them).
• Your card number, CVC, or bank details (those go directly to Stripe or PayPal, never to us).
• Your precise GPS location.
• Your device contacts, photos, microphone, or camera.
• Your browsing history on other websites.
• Sensitive personal data such as health, biometric, racial, religious, or political information.

4. How We Use Your Information

We process the limited information described above only for the following purposes:

• Account access – signing you in, keeping your session active, and identifying your bookmarks.
• Billing – processing subscriptions through Stripe or PayPal and unlocking premium features.
• Communication – sending account-critical email such as verification, password reset, billing confirmations, and replies to your support messages.
• Service operation – running and securing the platform, preventing fraud and abuse.
• Aggregate improvement – understanding which pages are popular at the population level (via cookieless Plausible) so we can improve the product.

5. What We Do Not Do

• We do not sell, rent, or trade your personal information to anyone, ever.
• We do not share your data with advertisers or ad networks.
• We do not run third-party tracking pixels, retargeting tags, or behavioral advertising.
• We do not use your data, your account, your bookmarks, or your search history to train AI models.
• We do not build profiles about you or score you for any purpose.
• We do not engage in cross-site tracking or fingerprinting.
• We do not engage in “dark patterns” designed to manipulate consent or hide cancellation.

6. Cookies

We use a single first-party session cookie (lc_session) to keep you signed in, plus very short-lived (10 minute) cookies during Google or GitHub OAuth sign-in to prevent CSRF attacks. We do not use advertising cookies, social tracking pixels, or any third-party tracking technology. Plausible Analytics is cookieless by design.

7. Data Retention

• Account data: retained while your account is active. If you delete your account, your personal data is erased from our database within 30 days, with the exception of records we are legally required to keep (e.g. tax records relating to a paid subscription).
• Server logs: less than 7 days.
• Aggregate analytics: anonymous and may be retained indefinitely. They cannot be used to identify you.
• Support emails: retained for up to 24 months, then deleted.

8. Third-Party Services

We rely on the following sub-processors to operate the Service. Each is contractually required to handle your data only on our instructions, and each has its own privacy policy.

• Stripe, Inc. – payment processing.
• PayPal Holdings, Inc. – payment processing.
• Google LLC – optional OAuth sign-in.
• GitHub, Inc. – optional OAuth sign-in.
• Plausible Insights OU – cookieless, EU-hosted analytics.
• Cloudflare, Inc. – DNS and edge security.
• Fly.io (Fly Apps, Inc.) – application hosting.
• Resend, Inc. – transactional email delivery.

9. Your Rights (GDPR, UK GDPR)

If you are located in the UK or European Economic Area, you have the following rights regarding your personal data:

• The right to access the personal data we hold about you.
• The right to rectification of inaccurate data.
• The right to erasure (the “right to be forgotten”).
• The right to restrict or object to processing.
• The right to data portability – receive your data in a machine-readable format.
• The right to withdraw consent at any time.
• The right to lodge a complaint with your local supervisory authority (in the UK, the ICO at ico.org.uk).

To exercise any of these rights, email [email protected]. We respond within 30 days. Our legal basis for processing is the performance of our contract with you (your account and subscription) and our legitimate interest in operating the Service securely.

10. Your Rights (California, CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what categories of personal information we collect and how we use them.
• Request a copy of the personal information we hold about you.
• Request deletion of your personal information.
• Correct inaccurate personal information.
• Opt out of the “sale” or “sharing” of personal information.
• Not be discriminated against for exercising these rights.

We do not sell or share personal information as those terms are defined under the CCPA and CPRA. We have not sold or shared personal information in the past 12 months. To exercise any other right, email [email protected].

11. International Data Transfers

The Service is operated from servers in the United States (Fly.io, Iad region). If you access the Service from outside the United States, your information will be transferred to and processed in the United States. Where required by law, transfers from the EU/UK rely on Standard Contractual Clauses or equivalent safeguards.

12. Children’s Privacy

The Service is intended for users aged 16 and older. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, contact us and we will delete it promptly.

13. Security

We protect your data with HTTPS in transit, hashed passwords (bcrypt), HttpOnly and Secure session cookies, OAuth state tokens to prevent CSRF, server-side rate limits on authentication endpoints, and Cloudflare protection at the edge. No system is perfectly secure, but we work to reduce risk and respond promptly to any incident. If a breach affecting your data occurs we will notify you and the relevant supervisory authority within the legally required timeframe.

14. Marketing Email

The only emails we send are account-critical: verification, password reset, billing receipts, replies to your support messages, and material policy changes. We do not send marketing or promotional email without your explicit prior consent. Every email we send includes our postal contact and a way to reach us, in compliance with the US CAN-SPAM Act.

15. Changes to This Policy

If we change how we handle your information in any material way, we will update the “Last updated” date at the top of this page and notify registered users by email. Non-material changes (clarifications, formatting, additional sub-processors of the same type) may be made without individual notice.

16. Contact

Privacy questions, data subject requests, and complaints: [email protected].