Introduction

We ("we," "our," or "us") operate StreakUp. StreakUp lets you commit to challenges and publish progress logs that form a consistent public record of your activity. This Privacy Policy explains how we collect, use, disclose, and protect information when you visit our website or use our services (the "Services").

Information we collect

Account and profile information

Examples include email address, display username, onboarding fields such as skills, biography, avatar images, URLs you add to your profile, timezone and preference settings, identifiers emitted by OAuth providers you enable, authentication tokens or session metadata orchestrated via Supabase Auth (including MFA factors when turned on), and other account attributes you supply while using the Services.

Challenge, log, and upload content

We store textual logs, uploads, tagging, timelines, proofs, statuses, edits, moderation notes (once available), thumbnails, attachments, relational keys tying records together, summaries such as streak counts, timestamps, and pointers to objects kept in Supabase Storage.

Publicly accessible content

Some timelines and profiles are reachable on public URLs without authentication. Assume anything exposed there can be copied, indexed by search engines, or shared externally.

Communications

Conversations initiated with our team—for example emails about support incidents—contain the identifiers, routing metadata, and textual content needed to respond or maintain service history.

How we use information

• Provide onboarding, personalization, timelines, uploads, dashboards, moderation tools (when available), and notifications.
• Authenticate sessions, mitigate abuse or fraud, enforce rate limits, and investigate reliability incidents.
• Operate and secure the infrastructure using telemetry from hosting stacks, diagnostics from Sentry, and optional uptime checks.
• Understand product usage via analytics when configured, including aggregated experimentation or funnel telemetry.
• Meet legal obligations, respond to lawful requests, and defend our legal interests.
• Support mergers, financings, or asset transfers subject to confidentiality commitments consistent with this Policy.

Legal bases (EEA / UK analogs)

Applicable regimes such as GDPR or UK GDPR distinguish legal bases such as contractual necessity, legitimate interests (balanced against your rights), compliance with legal duties, or consent depending on processing. Where GDPR-style laws apply we generally rely on contractual necessity to deliver signed-in services, legitimate interests to secure and improve the Services, legal obligation where statutes require retention or disclosure, or consent when consent is appropriate for optional tracking.

You may lodge requests to access, rectify, erase, restrict, port, object to certain processing—or withdraw consent where relied upon—and raise complaints before supervisory authorities. Some requests may conflict with lawful retention duties.

Disclosure and subprocessors

We share personal information only with subprocessors that help us operate the Services, advisers under confidentiality, successors as described below—or authorities when lawful process obligates disclosure. Within that ordinary course we do not sell personal information to data brokers. Some U.S. state statutes treat exchanges with analytics or advertising vendors as "sales" or "sharing" irrespective of monetization wording; confirm classifications with counsel, configure subprocessors thoughtfully, and offer opt-outs when required locally.

Representative subprocessors

• Supabase provides Postgres persistence, Authentication, Storage, realtime channels—and related tooling your deployment enables.
• Sentry receives error telemetry and diagnostics scoped by scrubbing filters and retention you configure inside Sentry.
• Hosting and delivery. Next.js workloads execute on infrastructure subprocessors controlled by whoever deploys the Servicesor each emitting network and compute logs incidental to HTTPS delivery and serverless invokes.

If we reorganize merger, acquisition, financing—or sell assets touching personal datasets, transferees must honor commitments materially consistent with this Policy unless applicable law mandates different notice or renewed consent steps.

Retention and deletion

We retain operational data while accounts stay active. Backups operated by Postgres, Supabase Storage, or hosting vendors may temporarily retain snapshots after deletes. Investigation holds, subpoenas, or lawful retention timelines can postpone erasure independently. SaaS backends you configure (analytics, observability logging) purge events per their TTL settings. Deleted database rows or storage objects might persist briefly inside replicas or caches until replication completes.

Security

We rely on safeguards that include HTTPS, infrastructure from reputable vendors, disciplined secrets handling, patching, and constrained access even though no online service can guarantee absolute security. Protect MFA-backed email tied to SSO, revoke unused OAuth grants, safeguard devices, and rotate API tokens. We escalate incident reports submitted with authenticated detail suited for engineers to investigate.

Your privacy rights

Depending on where you live, privacy laws may give you rights such as access, correction, deletion, portability, objection to certain processing, appeal assistance, Shine-the-Light style notices—or analogous opt-outs. We verify identities before acting on requests to guard against spoofing.

Privacy requests: support@streakup.club.

External links & OAuth

Profile links such as repos or storefronts, and OAuth consent screens hosted solely by identity providers, are governed by their own policies. Read each provider's notices before approving scopes or exchanging tokens.

Children

The Services are not directed at children under 13. Parents or guardians who believe we mistakenly collected a child's data should contact us using the privacy channels listed above so we can delete the relevant account, subject only to lawful retention obligations.

Policy updates

We revise this Privacy Policy from time to time. Material updates change the Last updated date above—or minor clarifications likewise refresh that label for transparency. Please review periodically alongside any companion Terms updates you accept elsewhere.