Last updated: May 5, 2026
steep (steep.shashankthattai.dev) is operated by Shashank Thattai (sole proprietor), located in the United States. This policy explains what personal data we collect, how we use it, who we share it with, and what rights you have over it. By using the site you agree to the practices described here.
1. Information we collect
From you directly
- Account info: name, email, hashed password.
- Order info: products purchased, license type, your GitHub username (only for github_invite products).
- Billing info: billing address + country are collected by Stripe at checkout. We never see or store card numbers.
- Communication: messages you send via the contact form or by replying to our emails.
Automatically
- Authentication cookies issued by Supabase (HTTP-only, SameSite=Lax) so you stay signed in.
- A/B testing cookie assigning a theme variant on first visit. Expires after 30 days.
- Analytics: page views, referrer, country (city-level at most) via Vercel Analytics. No personal identifiers.
- Server logs: IP address, request timestamp, route accessed. Retained for 30 days for abuse prevention, then deleted.
2. How we use your data
- To process and fulfill your orders.
- To send transactional emails (receipts, downloads, refunds).
- To send marketing emails — only if you opt in via the newsletter signup. Every email includes an unsubscribe link.
- To respond to support requests.
- To detect and prevent fraud / abuse.
- To comply with our legal obligations (taxes, accounting).
3. Who we share data with (sub-processors)
We use the minimum number of vendors needed to operate. Each is bound by its own privacy commitments and data processing agreements:
- Stripe — payment processing, tax calculation, fraud screening. PCI DSS Level 1.
- Supabase — application database + authentication. Hosted in the US.
- Vercel — site hosting, analytics, edge network.
- Resend — transactional email delivery.
- Cloudflare (optional) — bot protection / CAPTCHA on signup and contact forms.
- GitHub — collaborator invites for code-starter products only. We send your GitHub username + email; we never receive your GitHub credentials.
- Sentry (when enabled) — error monitoring. Stack traces and request metadata; no payload bodies.
We do not sell, rent, or trade your personal data.
4. International transfers
We are based in the United States; if you access the site from outside the US, your data is transferred to and processed there. Sub-processors above process data in their respective regions (primarily US).
5. Data retention
- Account info: kept while your account is active, deleted within 30 days of account deletion.
- Orders / payments: retained for 7 years for tax and accounting purposes (anonymized after account deletion).
- Email subscribers: kept until you unsubscribe.
- Server logs: 30 days.
6. Your rights
Regardless of where you live, you can:
- Access your data — view it via your account page.
- Correct errors via the same account page.
- Delete your account at /account → Delete my account. Order records are retained but anonymized.
- Export your data — email shashankthattai@gmail.com for a copy.
- Opt out of marketing emails via the unsubscribe link in any email.
EU/EEA visitors
You have additional rights under the GDPR, including the right to object to processing, restrict processing, and lodge a complaint with your local supervisory authority. Email shashankthattai@gmail.com to exercise any of these.
California visitors
Under the CCPA, you have the right to know what personal information we've collected, request deletion, and opt out of sale of personal information. We do not sell your personal information.
7. Security
All traffic is encrypted with TLS. Authentication uses HTTP-only cookies. Database access is gated by row-level security. Stripe handles all card data; we never see or store it. We rotate API credentials regularly. No system is perfectly secure; we recommend using a unique password on this site (different from your email provider) and enabling MFA on your account.
8. Children
The site is not directed at children under 16, and we don't knowingly collect data from them. If you believe we have, email us and we'll delete it.
9. Changes to this policy
We may update this policy as our practices change. The “Last updated” date above indicates the most recent revision. If changes are material we'll notify registered users by email.
10. Contact
For questions or concerns, or to exercise any of the rights above, email shashankthattai@gmail.com.