Privacy Policy
Last updated: 2026-05-07
We try to collect as little as possible. Here's exactly what we store, why, and how to remove it.
1. What we collect
| Data | Why | Where it lives |
|---|---|---|
| Email, first name, last name | Account identity, sending password reset emails, personalizing certificates | Cloudflare D1 database |
| Password (hashed) | Authentication. Stored as PBKDF2-SHA256 with a per-user random salt โ we never store or see your plaintext password | Cloudflare D1 |
| Lesson progress, attempts, best code submitted | Showing your progress, resuming where you left off, awarding badges/certificates | Cloudflare D1 |
| Streak / activity dates | The ๐ฅ counter on your dashboard | Cloudflare D1 |
| Stripe customer ID and subscription ID | Linking your account to your Pro subscription | Cloudflare D1; Stripe holds the actual payment data |
| Stripe processes your card details | Payment processing | Stripe โ Pythonator never sees your card number |
| Server logs (request URLs, timing, IP for tens of seconds) | Debugging and abuse detection | Cloudflare; rotated within 24 hours |
2. What we do NOT collect
- Your code. Pyodide runs Python in your browser. Sandbox code never leaves your device.
- Card details. Stripe handles checkout end-to-end.
- Browsing history outside Pythonator. No cross-site tracking pixels or analytics scripts on subdomains.
- Profiling for advertising. We don't sell or share data with advertisers.
3. Cookies and local storage
We use localStorage on your device to keep your session token (a JWT) so you stay logged in between visits. We don't set tracking cookies. You can clear localStorage at any time via your browser's developer tools.
4. Third parties we use
- Cloudflare โ hosts the application, the Worker API, and the database (D1). Their privacy policy: cloudflare.com/privacypolicy.
- Stripe โ processes payments. Their privacy policy: stripe.com/privacy.
- Resend โ sends password-reset and account emails. Their privacy policy: resend.com/legal/privacy-policy.
- jsDelivr CDN โ serves Pyodide. They may log standard CDN metadata (URL, IP, timestamp).
5. Email
We email you only for transactional reasons (password resets, billing receipts, important account notices). We don't send marketing email. If we ever start, it'll be opt-in.
6. Children
The Kids track is designed for ages 7+. If you are under 13, please use the service with a parent or guardian's involvement, and have them create the account on your behalf. We do not knowingly collect data from children under 13.
7. Your rights
- Access โ log in and you can see all of your data on the dashboard. For machine-readable export, contact us.
- Correction โ change your email or password from the account settings page.
- Deletion โ delete your account from the account settings page. This wipes your row in our database within 30 days. Stripe billing history is retained per their data policy and applicable law.
- Portability โ request a copy of your data by contacting us.
8. Security
Passwords are hashed with PBKDF2-SHA256. Data in transit is encrypted (TLS). Database access is locked down to the Worker. We do our best, but no system is perfectly secure โ please use a unique password.
9. Changes
If we change this policy materially, we'll let you know by email or in-app notice before the change takes effect.
10. Contact
Privacy questions: contact us at the email associated with your account or through the support channel published on the site.
Pythonator ยท 2026