Privacy Policy · Cruxible

This Privacy Policy explains what data Cruxible (cruxible.dev) collects, how we use it, the legal bases we rely on, who we share it with, and the rights you have. We designed Cruxible to be privacy-friendly: identity is local-first and we do not sell your data.

1. Summary

Your handle, theme, feed preferences, and daily counters live in your browser’s local storage — not on our servers by default.
GitHub login is optional; it adds your GitHub username and avatar.
Coding tests and many computations run client-side in your browser.
We do not use third-party advertising cookies and we do not sell personal data.
You have rights to access, delete, and port your data — see “Your rights”.

2. Data we collect

Stored locally in your browser

Handle — the display name you choose, kept in local storage.
Preferences — theme (dark/light paper), feed preferences, and similar UI settings.
Progress & counters — daily challenge counters and local activity state.

Collected when you take certain actions

GitHub OAuth data (optional) — if you sign in with GitHub, we receive your GitHub login (username) and avatar URL to identify you.
Gameplay, rating & activity — challenge and lesson outcomes, Elo rating and tier, and related activity used to power the arena, leaderboard, and your profile. When a durable database is configured, this may be stored server-side associated with your handle.
Design judge submissions — when you use the Design track, your design submission and prompt answers are sent to our AI judge provider to produce a score.
Supporter payments (optional) — if you make a contribution, our payment processor handles your payment details; we receive confirmation and limited transaction metadata, not your full card details.

Collected automatically

Basic technical logs — our hosting provider may process standard server logs (such as IP address, user-agent, timestamps, and requested URLs) to operate, secure, and debug the Service.

3. How we use data

To provide the Service — run challenges, lessons, ratings, leaderboards, and profiles.
To remember your identity and preferences across sessions.
To score Design submissions via our AI judge.
To secure the Service, detect abuse and cheating, and debug problems.
To process optional supporter contributions.
To comply with legal obligations and enforce our terms.

We do not use your data for third-party advertising, and we do not sell or rent personal data.

4. Legal bases (GDPR / UK GDPR)

If you are in the EEA or UK, we process personal data on these bases under Article 6(1) GDPR:

Contract (Art. 6(1)(b)) — to provide the Service you request, including accounts, ratings, and the design judge.
Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, maintain leaderboards, and improve features, balanced against your rights.
Consent (Art. 6(1)(a)) — where required, for example optional integrations; you may withdraw consent at any time.
Legal obligation (Art. 6(1)(c)) — to comply with applicable law.

5. Cookies & local storage

Cruxible primarily uses browser local storage (for your handle, theme, feed preferences, and daily counters) rather than tracking cookies. If you sign in with GitHub, an essential session cookie maintains your authenticated session. We do not use third-party advertising or cross-site tracking cookies. For details, see our Cookie & Local Storage Policy.

6. Third parties & sub-processors

We share data only as needed to run the Service, with providers that may include:

Vercel — hosting and content delivery (processes technical logs).
GitHub — optional OAuth login (username and avatar).
Anthropic — the AI judge that scores Design submissions.
A payment processor — for optional supporter contributions.

These providers act as our processors or independent controllers under their own policies. We do not sell personal data to anyone.

7. Data retention

Data stored in your browser’s local storage remains until you clear it. Where we store gameplay, rating, or account data server-side, we keep it for as long as your handle is active and as needed to provide the Service, resolve disputes, and meet legal obligations, after which we delete or anonymize it. Technical logs are retained for a limited period for security and debugging.

8. International data transfers

Our providers may process data in countries other than yours, including the United States. Where personal data is transferred out of the EEA or UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an equivalent mechanism, as offered by the relevant provider.

9. Security

We use reasonable technical and organizational measures to protect data, including transport encryption (HTTPS) and running untrusted code in sandboxes. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. Keep your devices and any login credentials secure.

10. Your rights

EEA / UK (GDPR)

Subject to conditions and exemptions, you have the right to:

access the personal data we hold about you;
request correction of inaccurate data;
request erasure (“right to be forgotten”);
restrict or object to certain processing, including processing based on legitimate interests;
data portability (receive your data in a portable format);
withdraw consent where processing is based on consent;
lodge a complaint with your local data protection authority.

California (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use it, to request deletion, to correct inaccurate information, and to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not knowingly process the sensitive personal information of consumers for purposes requiring opt-out. We honor browser-based opt-out signals such as Global Privacy Control (GPC) and recognize “Do Not Track” signals to the extent the Service responds to them. We will not discriminate against you for exercising your rights.

Other regions

Residents of Canada (PIPEDA), Brazil (LGPD), and similar jurisdictions have comparable rights to access, correct, delete, and obtain information about the processing of their data. To exercise any right, email legal@cruxible.dev. Because identity is local-first, you can also exercise many rights yourself by clearing your browser storage or revoking the GitHub OAuth grant in your GitHub settings. We may need to verify your request before acting on it.

11. Children’s privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13 (or under the higher minimum age that applies in your region). This is consistent with the U.S. Children’s Online Privacy Protection Act (COPPA) and equivalent laws. If you believe a child has provided us personal information, contact us and we will delete it.

12. Data controller & contact

The data controller for the Service is the Cruxible maintainer. For privacy questions or to exercise your rights, contact legal@cruxible.dev.

13. Changes to this Policy

We may update this Privacy Policy from time to time. We will revise the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.