stackpicks.dev
Back to directory

Privacy Policy

Last updated: 21 May 2026

This Privacy Policy explains what data StackPicks (“we”, “the directory”) collects when you use the site, why we collect it, who we share it with, and how you can control it. It is written in plain language. If anything is unclear, email nuvexalearning@gmail.com.

We comply with India's Digital Personal Data Protection Act 2023 (DPDP Act) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. What data we collect

1.1 Information you provide directly

  • Email address — when you subscribe to the newsletter or create an account
  • Account details — name, company, phone, GSTIN (for Indian business customers buying sponsorships)
  • Payment metadata — Razorpay transaction IDs, billing address. We do not store card numbers, UPI handles, or bank details — those are held by Razorpay

1.2 Information we collect automatically

  • Anonymised analytics — page views, referrers, user-agent strings via Plausible (no cookies, no fingerprinting, no IP storage)
  • Outbound click hashes — when you click a repo link, we record a SHA-256 hash of your IP combined with a daily-rotating salt. The raw IP is never stored. The hash cannot be reversed and resets every 24 hours, so we can't reconstruct your browsing history across days
  • Server logs — minimal HTTP request logs retained for 14 days for security and debugging

2. Why we collect it

  • To deliver the service (show the directory, accept payments, send the newsletter)
  • To improve curation quality (aggregate click data tells us which takes are useful)
  • To prevent abuse (rate-limiting, fraud detection)
  • To meet legal and tax obligations (invoicing, GST records)

3. What we don't do

  • We do not sell personal data to advertisers, brokers, or third parties
  • We do not use behavioural ad networks (no Google Ads pixel, no Facebook pixel)
  • We do not run cross-site tracking
  • We do not maintain shadow profiles of non-users

4. Cookies

We use the minimum cookies necessary to operate the site:

  • Session cookies — for logged-in users only, expire on logout
  • CSRF tokens — for payment and form submissions, expire on submit

We do not set advertising, marketing, or analytics cookies. Plausible operates cookie-free. No cookie banner is needed because we don't set any optional cookies. If you don't want even the essential cookies, your browser's privacy mode will block them — the site still works.

5. Third-party services we use

Each handles your data under its own privacy policy:

  • Razorpay — payment processing (PCI-DSS Level 1 certified)
  • Supabase — database hosting (Mumbai region, SOC 2 Type 2)
  • Vercel / Railway — application hosting
  • Resend — transactional + newsletter email delivery
  • Plausible — privacy-friendly analytics (no cookies, no PII)
  • GitHub — public repo data only, no user-identifying queries

6. Data retention

  • Account data — kept while the account is active, deleted 90 days after deletion request
  • Payment records — kept for 7 years to meet Indian tax law
  • Newsletter subscriptions — kept until you unsubscribe (one click in every email)
  • Outbound click hashes — aggregated and rotated daily, raw entries purged after 30 days
  • Server logs — 14 days

7. Your rights

Under the DPDP Act (India) and GDPR (EU) you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and all associated data
  • Export your data in a portable format (JSON)
  • Withdraw consent for any optional processing
  • Lodge a complaint with the Data Protection Board of India or your local supervisory authority

Exercise any of these by emailing nuvexalearning@gmail.com with the subject “Data request”. We respond within 30 days.

8. Data transfers outside India

Some service providers (Resend, Plausible, Vercel) operate servers outside India. Where this happens, we ensure equivalent safeguards via the provider's standard contractual clauses. Supabase data is stored in the Mumbai (ap-south-1) region.

9. Children

The service is not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe a child has provided personal data, email us and we'll delete it.

10. Changes to this policy

We update this policy when our practices change. Material changes will be announced via the newsletter and a banner on the site for at least 14 days. The “last updated” date at the top reflects the latest revision.

11. Contact

Grievance Officer / Data Protection Officer: reachable at nuvexalearning@gmail.com or +91 9667879848.