Privacy Policy

We collect information in three ways: what you give us directly, what's generated as you use the platform, and what we receive from trusted third-party services.

Account information: When you sign up, Clerk (our authentication provider) handles your email address, name, and OAuth tokens (if you sign in with Google or GitHub). We receive a user ID and basic profile information from Clerk.

Learning activity: We store your roadmaps, topics, lesson progress, quiz scores, and completed topics to power personalized learning and progress tracking.

Uploaded content: If you upload a PDF syllabus, we temporarily store it to generate your personalized roadmap. Uploaded files are not shared or used for model training.

Usage data: We collect anonymized usage patterns (features used, pages visited, session duration) to improve the platform. This data cannot identify you personally.

Payment information: If you subscribe, payment details (card number, billing address) are handled entirely by our payment processor. We never see or store raw payment credentials.

We use your data only for legitimate purposes directly related to providing and improving the CrackLab experience.

• ◆Generate personalized AI roadmaps and lessons tailored to your skill level and goals.
• ◆Track your learning progress, completed topics, and quiz performance.
• ◆Send transactional emails (account confirmation, password reset, billing receipts).
• ◆Process subscription payments and manage billing history.
• ◆Detect and prevent abuse, fraud, and policy violations.
• ◆Analyze anonymized usage patterns to improve platform features.
• ◆Respond to your support requests and feedback.

CrackLab uses Anthropic Claude (via the Anthropic API) to generate lesson content, roadmaps, quiz questions, and mentor chat responses. All AI requests are made server-side — your prompts and topic data are never sent directly from your browser to Anthropic.

When you request a lesson or roadmap, we send the topic, your skill level, and any uploaded syllabus content to Anthropic's API. We do not include personally identifiable information (your name, email, user ID) in these requests.

Responses from Anthropic are cached in Upstash Redis to reduce costs and improve performance. Cached content is the lesson text only — no personal data is cached.

We work with carefully selected third-party services to operate the platform. Each handles data per their own privacy policies.

• ◆Clerk (auth.clerk.com) — Authentication, user sessions, OAuth. Handles passwords and OAuth tokens.
• ◆Supabase (supabase.com) — PostgreSQL database hosting. Stores your roadmaps, progress, and lesson data. SOC 2 Type II certified.
• ◆Anthropic (anthropic.com) — AI model provider for lesson and roadmap generation.
• ◆Upstash (upstash.com) — Redis caching for AI-generated content. Anonymized content only.
• ◆Sentry (sentry.io) — Error monitoring. Captures stack traces and anonymized request data to help us fix bugs.
• ◆Stripe or equivalent — Payment processing for subscriptions. We never receive your raw card details.
• ◆Vercel or equivalent hosting — Platform deployment and CDN. May log anonymized request metadata.

CrackLab uses a minimal set of cookies required to operate the platform. We do not use advertising cookies or sell cookie data.

• ◆Authentication cookies — Set by Clerk to maintain your logged-in session. Essential, cannot be disabled.
• ◆Session cookies — Short-lived cookies that expire when you close your browser.
• ◆Preference cookies — Store UI preferences like theme and layout settings.
• ◆Analytics (if enabled) — Anonymized usage data to understand how features are used. No personal identifiers.

For full details on cookie types and management, see our Cookie Policy.

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., financial records for tax purposes, which we retain for 7 years).

Anonymized, aggregated usage statistics (with no link to your identity) may be retained indefinitely for platform improvement purposes.

Uploaded PDF files are deleted within 7 days of being processed, or immediately upon account deletion — whichever is earlier.

Regardless of your location, you have the following rights regarding your data:

• ◆Access — Request a copy of the personal data we hold about you.
• ◆Correction — Ask us to correct inaccurate or incomplete data.
• ◆Deletion — Request deletion of your account and associated personal data.
• ◆Portability — Request your learning data in a machine-readable format.
• ◆Objection — Object to processing of your data for specific purposes.
• ◆Restriction — Ask us to restrict processing while a dispute is resolved.

To exercise any of these rights, email privacy@cracklab.dev. We will respond within 5 business days.

We use industry-standard security measures to protect your data. All data in transit is encrypted using TLS 1.2+. Data at rest is encrypted by our hosting and database providers (Supabase, Upstash).

Access to production systems is restricted to authorized personnel only. We do not store passwords — authentication is handled entirely by Clerk.

Despite our best efforts, no system is 100% secure. In the unlikely event of a data breach that affects your personal data, we will notify you within 72 hours of becoming aware of it.

CrackLab is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us at privacy@cracklab.dev and we will delete the account immediately.

CrackLab operates from India and uses services hosted in the United States and European Union (Supabase, Anthropic, Clerk, Upstash). By using the platform, you consent to your data being transferred to and processed in these countries.

For users in the EU/UK, transfers are made under appropriate safeguards (Standard Contractual Clauses or equivalent mechanisms) as required by GDPR.

For users in India, we operate in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act). You have the right to access, correct, and erase your personal data. You may nominate a representative to exercise these rights.

As a Data Fiduciary under the DPDP Act, we process your personal data only for the specific, clear purposes described in this policy and with your implied or explicit consent (given at account creation). We do not process data for any incompatible purpose without additional consent.

To exercise your rights under the DPDP Act, contact: privacy@cracklab.dev

If you are located in the European Union or United Kingdom, the General Data Protection Regulation (GDPR) grants you additional rights. Our legal basis for processing your data is:

• ◆Contract performance — processing necessary to provide the service you signed up for.
• ◆Legitimate interests — anonymized analytics to improve the platform.
• ◆Legal obligation — financial records for tax compliance.
• ◆Consent — for optional communications such as newsletters.

You have the right to lodge a complaint with your national data protection authority if you believe we have violated your rights.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Privacy questions or data requests:

• ◆Privacy & data requests: privacy@cracklab.dev
• ◆General support: support@cracklab.dev
• ◆Response time: 5 business days for privacy requests