From f93b96111c3cd37f453dbcbdc64885247a402e45 Mon Sep 17 00:00:00 2001 From: Echo Date: Mon, 17 Nov 2025 10:05:57 -0500 Subject: [PATCH 1/2] add privacy policy --- app/views/static_pages/privacy.html.erb | 316 ++++++++++++++++++++++++ config/routes.rb | 1 + 2 files changed, 317 insertions(+) create mode 100644 app/views/static_pages/privacy.html.erb diff --git a/app/views/static_pages/privacy.html.erb b/app/views/static_pages/privacy.html.erb new file mode 100644 index 000000000..1852c2016 --- /dev/null +++ b/app/views/static_pages/privacy.html.erb @@ -0,0 +1,316 @@ +<% content_for :head do %> + + +<% end %> + +
+
+

Hackatime Privacy Policy

+

Last updated: November 15, 2025 • Effective: December 15, 2025

+ +
+

Introduction

+

+ Hello! This privacy policy explains how Hackatime collects, uses, stores, and protects your personal information. It is essential that you read and understand this policy, as it pertains to your data. However, if you are short on time, here are the key points. +

+
    +
  • + Your data is never sold to third parties. + Hack Club is funded by generous donations from amazing people and not by advertisers who want your data. While we share data with trusted service providers (subprocessors) to operate Hackatime and deliver Hack Club programs, we never sell your personal information. Your data remains safe and secure with us, and you can request its deletion by contacting us. +
  • +
  • + We strive to minimize the amount of information required. + We are not a bank; we do not need everything. We only need some basic info (more on that later!) to keep your account in order; everything else is optional. +
  • +
  • + We give you control. + We give you the ability to control your data on Hackatime. We are one of the first Hack Club programs to put you in the driver's seat when it comes to your data, and we want to keep you in the driver’s seat. +
  • +
  • + We care. + We are humans at the end of the day who have worked in security and know the consequences of poor data handling. We strive to be better and take responsibility for our actions. This document will hold us to our word. +
  • +
+ +

Who we are

+

+ Hackatime is owned and operated by Hack Club, a 501(c)(3) nonprofit organization from Vermont, United States. We are a global network of high school makers & student-led coding clubs where young people build the agency, the network, and the technical talent to think big & do big things in the world. Founded in 2014 by 16-year-old Zach Latta, Hack Clubs are now present in nearly 1,000 high schools, serving tens of thousands of students each year. Hack Club has been featured on the TODAY Show, in The Wall Street Journal, and in numerous other publications nationwide. If you are writing a story or have other press inquiries, please contact Hack Club Co-founder Christina Asquith: christina@hackclub.com. +

+

+ Our business address is 8605 Santa Monica Blvd, Suite 86294, West Hollywood, CA 90069. Our EIN is 81-2908499, and you can use this number to look us up in the IRS database. We are also transparent in most of our financial transactions, including how funds are allocated to programs such as Hackatime. +

+ +

Information we collect from you

+

We collect certain information when you use Hackatime. This includes information you provide to us, data we collect automatically, and information we receive from other sources.

+
    +
  • + When you sign up for Hackatime, your email and username will be stored to serve your account. Depending on whether you sign in with Slack, we may also receive your Slack account information (including Slack User ID, username, avatar URL, timezone, and OAuth tokens, which are encrypted at rest). You can also link your GitHub account to Hackatime, which will enable us to retrieve basic information about your account, including your GitHub User ID, username, avatar URL, timezone, and OAuth tokens (which are encrypted at rest). For all external connections, you can consult with the provider to determine precisely what data is collected. +
  • +
  • + Time logging is at the core of how Hackatime works. You upload data to Hackatime using various methods and extensions, and we use that data to serve you your statistics. The data stored depends on your editor/extension, but typically includes: timestamps, file paths, project names, programming languages, editor names, operating system information, machine names, branch names, user agent strings, IP addresses, and code metrics (lines added and/or deleted, cursor positions). IP addresses are appended to heartbeat data by default for fraud prevention purposes. +
  • +
  • + Physical mail rewards: If you participate in streak-based programs, you may provide your physical address to receive letters and rewards. This information is stored separately and is optional. +
  • +
  • + We also collect data for analytics purposes. This includes IP addresses from website visits, request logging, and page view tracking. This helps us determine how many people are using Hackatime and where they are from. Geocoding has been disabled in the analytics system. +
  • +
+ +

How we use your information

+

Under certain data protection laws, such as the GDPR, companies are required to have a “legal basis”, aka a valid reason, to process personal information. We use the data we collect, including account information and data you upload, as well as metrics, for the following reasons and in accordance with these legal bases (where applicable).

+ +

To fulfill our contract with you

+
    +
  • + To provide you with services. + We use your information to provide you with Hackatime services. For example, when you upload your heartbeats, we use your account information to associate that data with your account, which can be accessed by you or other third parties later. +
  • +
  • + To provide data for our programs. + Hackatime was made to help Hack Club track time spent on programs and events. The data shared is available in a public API. You can disable this public API at any time. +
  • +
+ +

For our legitimate business interests

+
    +
  • + To prevent abuse. + We have had people attempt to leverage external scripts or programs to inflate the time logged and gain an unfair advantage artificially, so we must protect our programs from abuse. To this end, we collect and analyze heartbeat patterns, IP addresses, machine identifiers, and user agents. Users may be assigned trust levels based on a manual review. +
  • +
  • + To improve our services. + We may use your information to help us improve Hackatime and understand how you use it, what features you may want, and how to make it easier to use. +
  • +
+ +

To comply with our legal obligations

+

We retain and use your information in connection with potential legal claims as necessary, for compliance, regulatory, and auditing purposes. For example, we retain your information as required by law or if we are compelled to do so by a court order or regulatory body. Also, when you exercise any of your applicable legal rights to access, amend, or delete your personal information, we may request additional information from you for the purpose of confirming your identity.

+ +

Sharing your information

+

Your information stays on your platform, but we may share it with other parties in the following ways:

+ +
    +
  • + To serve our public API. + We provide a public API interface for developers to interact with our service. This can be used to build apps around our API. You can disable your account data from appearing in this API on the settings page under “Privacy Settings.” +
  • +
  • + To aid Hack Club programs. + Hack Club uses Hackatime to measure the time you spend on programming projects and may use Hackatime data when you submit to their programs. You can opt out of this by choosing not to participate in Hack Club programs. +
  • +
  • + To prevent abuse. + Hack Club is not immune to fraud, and we may share your data with dedicated fraud teams to ensure the integrity of your information. This step is only taken when you submit your time to Hack Club programs. +
  • +
+ +

Data retention

+

We retain personal data as long as it is necessary for our purposes or as required by law. Different types of data have different retention periods:

+
    +
  • + Heartbeat data: Retained indefinitely while your account is active. You can download heartbeats. +
  • +
  • + Test heartbeats: Automatically deleted after 7 days. +
  • +
  • + Leaderboard data: Deleted after 2 days. +
  • +
  • + Email verification requests: Expired requests are automatically removed. +
  • +
  • + Successful background jobs: Cleaned up after 1 day. +
  • +
+

+ Currently, there are no automated account deletion features. If you wish to delete your account and all associated data, please contact us at hackatime@hackclub.com. We will work with you to complete this process. However, users who have been convicted of fraud may face restrictions on immediate account deletion and/or downloading their data to prevent ban evasion. +

+ +

Safeguarding your personal data

+

Your data is highly personal, and we take steps to ensure it stays in safe hands. All information sent within our services is encrypted. We use Transport Layer Security (TLS) to encrypt text and images in transit. We also enforce proper access controls to limit which of our employees and contractors have access to your personal data. Those under binding non-disclosure agreements (NDAs) are contractually bound to protect and responsibly access your data.

+ +

Exercising your rights

+

Your data is your data, and we give you the power to access it. Local laws may require different requirements, but users should have some fundamental rights over their data. Here’s how you can control how your data is used, how to delete your data, or request access to your data.

+ +

Opt out of our public API.

+

+ We provide a public API interface for developers to interact with our services. This can be used to build apps around our API. When enabled, the public API allows access to your coding statistics, including total coding time, programming languages used, projects worked on, time ranges/spans of activity, and aggregated activity data. The API does not expose individual heartbeat data or personally identifiable information beyond your chosen username. You can disable your account data from appearing in this API on the settings page under “Privacy Settings.” +

+ +

Download your data.

+

+ We give you tools to download all your data or select specific time frames for your data. You can locate this option in the settings section of your account under “Download Your Data.” The export includes all heartbeat information in JSON format. Please be aware that if you have been suspected of abuse, this option could be restricted to protect the integrity of our platform. +

+ +

Delete your account.

+

+ You can delete your account by contacting us at hackatime@hackclub.com. Deleting your account permanently deletes identifying information. We enforce a 30-day waiting period before your data is deleted. In this window, you are allowed to cancel your request to delete your data at any time before the 30-day grace period. However, be warned that in this 30-day window, you will be unable to perform any other actions with your account, which includes, but is not limited to, uploading more data to your account, downloading data from your account, or using it to submit to Hack Club programs. +

+

+ After the 30-day window, your account will be deleted, and you can recreate it at any time under a new email address. Your old email address will still be kept on file to ensure any restrictions on your account persist to prevent ban evasion. +

+

+ People who have been suspected of fraud will be unable to request account deletion for one year following the ban on their account. (If your account was banned on April 1st of 2025, you will only be able to request a deletion after April 1st, 2026) +

+

+ If you become ineligible to participate in Hack Club programs (e.g., due to aging out at 19 or other eligibility changes), you may request account deletion; however, historical data associations may be preserved for integrity purposes (e.g., leaderboard history). Personally identifiable information will be removed. +

+ +

Subprocessors

+

+ Hackatime uses subprocessors, which are other companies and services involved in the transmission and/or handling of your data. We carefully vet subprocessors to ensure that they maintain the security and privacy of your data. Below is a list of subprocessors with which we currently engage. +

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Subprocessor namePurposeData processedLocation
Hetzner Online GmbHData processing and storage, hosting providerData sent to Hackatime’s servers, including but not limited to heartbeats, trust levels, and addressesGermany
coolLabs Technologies BtProvides tools to manage Hackatime servers and the Hackatime application via its Coolify Cloud serviceCredentials to the application database and auxiliary services; credentials to the Hackatime server.Hungary
Astrodon Corporation dba Loops.soTo send emails to Hackatime usersName, email address, contents of communications sentUnited States
Slack Technologies, LLCTo communicate bans and for Slack-based authenticationEmail address. If you are banned, then Slack will see the messages we send you.United States
Cloudflare, Inc.Provides DDoS prevention and CDN servicesWeb traffic sent to the Hackatime application and APIUnited States
GitHub, Inc.Git commit linking to Hackatime sessions and projectsEmail address, GitHub usernameUnited States
Sentry, Inc.Error and performance monitoringTraces of requests, errors, and logs created by the Hackatime serviceUnited States
Formagrid, Inc. dba AirtableAddress storage for Hackatime letters.
(formerly): time transfer from the Neighborhood program.
Email address, full name, home addressUnited States
Google, Inc.IP address geolocation for country identification.IP addressUnited States
Amazon Web Services, Inc.To send emails to Hackatime usersName, email address, contents of communications sentUnited States
Tilde, Inc. dba SkylightApplication performance monitoringPerformance metrics, request traces, timing dataUnited States
Honeybadger, Inc.Error tracking and uptime monitoringError logs, stack traces, request contextUnited States
Hack Club (mail.hackclub.com)Physical mail delivery service for rewards and lettersName, mailing address, email address.United States
+
+ +

Changes to this policy

+

+ We will update this policy as new features or developments in the legal landscape change. We always indicate the date the last changes were published. We will provide a minimum of 15 days' notice before any changes take effect, as noted in our 'Last updated' and 'Effective' dates at the top of this document. +

+
    +
  • + For significant changes, this is defined as adding, updating, or deleting entire parts of the policy, or changes that would affect more than 5% of the population. We will notify you by email or via a pop-up notification within Hackatime. +
  • +
  • + For minor changes, such as small grammatical corrections or clarifying wording, we will update the links on the site to reflect the latest updates. +
  • +
+

+ For all changes, we will clearly document what changed in a changelog. We recommend checking back regularly for any changes or using a tool like the Wayback Machine to compare different versions of the content. Your continued use of Hackatime after the effective date of any subsequent version of this Privacy Policy constitutes your acceptance of this Privacy Policy. +

+ +

Contact

+

+ That was a lot! If you have any questions or concerns, please email us at hackatime@hackclub.com. +

+

+ If you would like to file a formal data request for just Hackatime, please use the same email address as before. If you would like to make a GDPR request for all of your data across Hack Club, please email team@hackclub.com. +

+

+ We also accept mail! You can send us physical letters at 15 Falls Rd, Shelburne, VT 05482, USA. Please address your mail to “Hackatime Privacy” so we can make sure it goes to the right person. +

+
+
+
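Review bot: The policy text in privacy.html.erb contradicts itself in a few places that should be reconciled before the effective date. The "Information we collect from you" list says "Geocoding has been disabled in the analytics system", yet the subprocessor table lists Google, Inc. for "IP address geolocation for country identification" with IP address as the data processed; state which system still geolocates IPs and for what purpose, or drop the row. The "Data retention" paragraph restricts deletion for users "convicted of fraud", while "Delete your account" applies the one-year hold to people "suspected of fraud"; pick one standard and use it in both sections, since the two differ a lot in who is affected. Under "Sharing your information", "Your information stays on your platform" reads like a typo for "our platform".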
diff --git a/config/routes.rb b/config/routes.rb index d2f9d46ee..f4ab83857 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -68,6 +68,7 @@ def matches?(request) end end + get "/privacy", to: "static_pages#privacy" get "/minimal_login", to: "static_pages#minimal_login", as: :minimal_login get "/what-is-hackatime", to: "static_pages#what_is_hackatime" From b50803a2f2bf9e48269f01d1dd5802109b94e49f Mon Sep 17 00:00:00 2001 From: Echo Date: Mon, 17 Nov 2025 10:18:42 -0500 Subject: [PATCH 2/2] link the privacy policy --- app/views/layouts/application.html.erb | 3 +++ app/views/static_pages/index.html.erb | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb index bfaeb3cbe..e8f8a25de 100644 --- a/app/views/layouts/application.html.erb +++ b/app/views/layouts/application.html.erb @@ -195,6 +195,9 @@
<%= yield %>
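Review bot: In the config/routes.rb hunk, the new `get "/privacy", to: "static_pages#privacy"` points at an action this series never shows. The diffstat for patch 1/2 lists only the view and the routes file. Please confirm that `static_pages#privacy` resolves (an explicit action or implicit template rendering) and that it is reachable without signing in, since a privacy policy linked from the layout has to be readable by logged-out visitors. A request spec asserting a 200 for an unauthenticated GET of /privacy would cover both.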