Privacy Policy

Effective: March 10, 2026

Last Updated: March 10, 2026

Contact: michael@realdev.dev

1. Introduction

RealDev ("we," "us," or "our") operates the RealDev platform at realdev.dev. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.

This Privacy Policy applies to all users of the Service, including visitors who do not create an account. By using the Service, you consent to the data practices described in this policy.

If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

Information You Provide Directly:

Account Information: Email address, display name, and password (stored as a bcrypt hash — we never store plaintext passwords). If you sign up via Google OAuth, we receive your name, email, and profile picture from Google.

Profile Information: Optional details you add to your profile, such as a bio or display preferences.

Payment Information: When subscribing to the Pro Plan, payment details (credit card number, billing address) are collected and processed directly by Stripe. RealDev does not store your full payment card details.

Code Submissions: Source code you write, upload, and submit through the Service for challenge evaluation.

Communications: Emails or messages you send to us, including support requests and feedback.

Information Collected Automatically:

Usage Data: Pages visited, features used, challenges attempted, submission frequency, and session duration.

IP Address: Collected for security purposes including rate limiting, abuse detection, and progressive IP blocking.

Browser and Device Information: Browser type, operating system, device type, and screen resolution.

Cookies and Tokens: Session cookies, JWT authentication tokens, and user preference settings stored in your browser.

Server Logs: HTTP request logs including timestamps, request paths, response codes, and response times. Logs are retained for 30 to 90 days.

Code Execution Metadata: Container resource usage, execution duration, and exit codes (not the content of your code output).

Information from Third Parties:

Google OAuth: If you authenticate via Google, we receive your Google profile information (name, email, profile picture) as authorized by your Google account settings.

Stripe: Payment confirmation status, subscription state, and customer ID. We do not receive your full card number from Stripe.

3. How We Use Your Information

We use the information we collect for the following purposes:

Providing the Service: To operate, maintain, and deliver the features of the platform, including running your code in Docker containers and displaying your results.

Authentication and Security: To verify your identity, manage sessions, enforce rate limits, detect abuse, and protect against unauthorized access through progressive IP blocking.

Processing Payments: To manage Pro Plan subscriptions, process charges through Stripe, and handle billing inquiries.

AI-Powered Features: To send your submitted code to the Anthropic Claude API for code review and script generation when you use AI features.

Communications: To send transactional emails (account verification, password reset, subscription confirmations) and mailing list messages if you have subscribed.

Analytics and Improvement: To understand how users interact with the Service, identify areas for improvement, and develop new features.

Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. How We Share Your Information

We do NOT sell your personal information to third parties. We share information only as described below:

Stripe: Payment method details, billing address, and transaction information for payment processing and subscription management.

Google: Only if you use Google OAuth — authentication tokens are exchanged to verify your identity. We do not send additional data to Google.

Anthropic (Claude API): When you request AI code reviews, your submitted code and challenge context are sent to Anthropic for processing. No personal account information is included in API requests.

Resend: Your email address and email content for transactional email delivery (verification, password reset, mailing list). Resend processes emails on our behalf.

Hosting Providers: Our infrastructure providers may process data as part of hosting the Service. Data is encrypted in transit and at rest.

Legal Requirements: We may disclose information if required by law, subpoena, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Cookies & Tracking

We use cookies and similar technologies for essential Service functionality:

Session Cookies: Maintain your authenticated session while you use the Service. These expire when you close your browser or after the session timeout.

Authentication Tokens: JWT access tokens (15-minute expiry) and refresh tokens (7-day expiry) stored as HTTP-only cookies for secure session management.

User Preferences: Theme settings, editor preferences, and UI configuration stored locally in your browser.

We do NOT use advertising cookies, third-party tracking cookies, or cross-site tracking technologies. We do not participate in ad networks or sell browsing data.

6. Data Retention

We retain your data according to the following schedule:

Account Data: Retained for as long as your account is active. If you delete your account, your personal information is removed within 30 days, except as required by law.

Code Submissions: Retained while your account is active. Deleted within 30 days of account deletion.

Payment Records: Retained for 7 years as required by tax and financial regulations.

Server Logs: Retained for 30 to 90 days, then automatically purged.

Security Logs: Authentication failures, rate limit violations, and IP blocking records are retained for up to 1 year for security analysis.

Mailing List Data: Retained until you unsubscribe. Unsubscribe records are retained to honor your opt-out preference.

7. Data Security

We implement industry-standard security measures to protect your personal information:

Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).

Password Security: Passwords are hashed using bcrypt with salt rounds before storage. We never store or log plaintext passwords.

Container Isolation: Code execution occurs in isolated Docker containers with resource limits, non-root users, and network restrictions to prevent unauthorized access.

Rate Limiting: API endpoints are protected by rate limiting to prevent abuse, with progressive IP blocking for repeated authentication failures.

Access Controls: Administrative functions require verified admin roles. Internal access to user data is restricted and logged.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Access: You may request a copy of the personal information we hold about you.

Correction: You may request that we correct inaccurate or incomplete information through your profile settings or by contacting us.

Deletion: You may request deletion of your account and associated personal data. Certain data may be retained as required by law.

Data Portability: You may request your data in a machine-readable format.

Opt-Out: You may unsubscribe from mailing list communications at any time using the unsubscribe link in any email or by visiting the unsubscribe page.

CCPA Rights (California Residents): California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.

GDPR Rights (EEA Residents): If you are in the European Economic Area, you have rights under the General Data Protection Regulation, including the rights to access, rectification, erasure, restriction of processing, and data portability. To exercise these rights, contact us at michael@realdev.dev.

9. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at michael@realdev.dev.

If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly, in compliance with the Children's Online Privacy Protection Act (COPPA).

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. We will notify you of material changes by posting the updated policy on the Service and updating the "Last Updated" date.

For significant changes, we will provide additional notice, such as sending an email to registered users or displaying a prominent notice on the Service. Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes.

11. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: michael@realdev.dev

For data protection inquiries, rights requests, or complaints, please include "Privacy Request" in the subject line to ensure timely processing.