Privacy Policy

Last updated: May 25, 2026

This page tells you exactly what data Strivle collects about you, why we collect it, who we share it with, and how to exercise the rights GDPR gives you. We try to be specific — if anything reads like vague boilerplate, email us and we'll fix it.

Who we are

Strivle is operated by Sebastian Mattsson, an individual based in Sweden. We are the "controller" of your personal data under Regulation (EU) 2016/679 ("GDPR") — meaning we decide what data is collected and what it's used for.

For any privacy question, including to exercise the rights listed below, email privacy@strivle.com. We aim to respond within 14 days; the regulatory ceiling is one month with one possible two-month extension for complex requests (GDPR Art 12(3)).

What we collect, and why

We try to collect the minimum necessary for the product to work. Concretely, here is everything we currently store about you:

Account data

  • Email address — required for sign-in, password reset, security notifications, and rare service-level emails. We do not use it for marketing without your explicit opt-in.
  • Password (hashed with bcrypt by Supabase Auth, never stored in plaintext, never visible to us).
  • OAuth identifier if you sign in with GitHub or Google — the provider tells us your account ID, email, and (for GitHub) public username. We do not request any additional permissions on those accounts.
  • Approximate age signal — by signing up you confirm you are at least 13 (see "Children" below).

Profile data (public)

  • Your username, display name, bio, avatar, banner, category, and project name — everything you fill in under Settings. These are visible to anyone, including logged-out visitors and search engines (we ship a sitemap that indexes profile URLs).

Content you create

  • Posts, replies, reposts, hashtags, and any uploaded images or videos. Public by default and indexable by search engines.
  • Direct messages and room messages, including any attached images and emoji reactions. Visible to the other participants (DMs) or to people currently in the room (room chat) and to us — we can read them if necessary for abuse investigation, but we don't do so routinely.
  • Likes, bookmarks, follows, mentions, and notifications generated by your activity.
  • Room participation history — when you joined, when you left, mute/read state.

Behavioral data

  • Post views and impressions — when you scroll past a post in the feed we record one impression per (post, viewer) pair. Used to compute view counts and rank distribution; never sold or shared.
  • Last-seen timestamp — bumped at most once every five minutes while you are logged in. Used only to compute DAU/MAU on a founder-private dashboard. Never shown to other users.
  • Anonymous traffic analytics via Vercel Analytics and Vercel Speed Insights — page-level visit counts, geography down to country level, referrer, browser, and rough performance metrics. Aggregated and not tied to your account.

Stripe / verified revenue (only if you connect)

  • If you connect Stripe to verify revenue, we store an encrypted restricted Stripe API key and your Stripe-reported business name and monthly recurring revenue figure. The business name and MRR are shown publicly next to your handle on the leaderboard and profile — connecting Stripe is opt-in precisely because of this public disclosure.
  • We never see, store, or transmit your customers' payment details. Stripe's own privacy policy governs how Stripe processes the underlying data (linked below).

Technical data

  • Server logs from Vercel and Supabase containing IP address, timestamp, requested URL, and user agent. Used for debugging, abuse defense, and security. Retained briefly (see "How long we keep your data").
  • Cookies — listed in detail in our Cookie Policy.

Why we're allowed to process it (GDPR legal basis)

Under Article 6 GDPR, each piece of processing needs a legal basis. Ours, by category:

  • Performance of contract (Art 6(1)(b)) — for anything you need us to do to give you the product: storing your account, displaying your posts to other users, delivering DMs, computing the leaderboard.
  • Legitimate interest (Art 6(1)(f)) — for abuse defense, security logging, fraud prevention, the anonymous traffic analytics, and the internal DAU/MAU dashboard. We've weighed our interest in running a functional, safe product against the limited intrusion of counting requests, and concluded it's proportionate. You can object — see "Your rights" below.
  • Consent (Art 6(1)(a)) — for any future opt-in marketing emails (we don't send these today). You can withdraw consent at any time.
  • Legal obligation (Art 6(1)(c)) — for responses to valid Swedish or EU legal process.

Who we share it with (subprocessors)

We use the following third parties to run Strivle. Each is contractually bound to handle your data only on our instructions:

Service | Purpose | Location | Policy
Supabase | Database, auth, file storage, realtime | EU / US | link
Vercel | Application hosting, analytics, performance | US (global edge) | link
Stripe | Verified revenue connection (opt-in) | US / EU | link
GitHub (OAuth) | Sign-in (if you choose) | US | link
Google (OAuth) | Sign-in (if you choose) | US | link

We do not sell your personal data. We do not use it to train any AI model, ours or anyone else's.

International transfers

Some of our subprocessors are based in the United States. Personal data may therefore be transferred outside the EU/EEA. Where this happens, the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs) and / or, in the case of US recipients, the EU-US Data Privacy Framework where applicable. You can request a copy of the relevant safeguards by emailing privacy@strivle.com.

How long we keep your data

  • While your account is active: indefinitely, as needed to keep your profile and content accessible.
  • After you delete your account: profile, posts, DMs, and reactions are removed from active databases within 30 days. They may persist in encrypted, time-limited backups for up to 60 additional days, after which backups roll over.
  • Direct messages you sent to others: copies held by those recipients are not removed when you delete your account, because they belong to the other participant too. The same applies to room messages other people read or reacted to.
  • Server logs: 30 days for routine logs, longer if needed for an active security investigation.
  • Stripe verification metadata: removed within 7 days of disconnecting Stripe.

Security

We take reasonable, industry-standard precautions to protect your data — but no online service can promise zero risk, and anyone who tells you otherwise is lying.

  • All traffic to and from Strivle uses HTTPS (TLS 1.2+).
  • Passwords are bcrypt-hashed by Supabase Auth and never stored or transmitted in plaintext.
  • Database data at rest is encrypted via Supabase / AWS-managed encryption.
  • Stripe API keys are stored encrypted at the application level — even a full database leak does not expose them in plaintext.
  • Row-level security is enforced on every table that holds user data, so a viewer can only read rows they're explicitly entitled to.

If you discover a security issue, please email privacy@strivle.com — we'll acknowledge within 72 hours.

Your rights

Under GDPR, you have the following rights at any time:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct anything that's wrong. (For most fields you can do this yourself under Settings.)
  • Erasure ("right to be forgotten") — delete your account and the data we hold about you. Subject to the retention notes above.
  • Portability — get your data in a machine-readable format you can take elsewhere.
  • Object to processing based on legitimate interest (e.g. the internal DAU dashboard).
  • Restriction of processing in certain circumstances.
  • Withdraw consent at any time, for processing we do based on consent (currently none required).

To exercise any of these, email privacy@strivle.com. We'll respond within 14 days and never charge for it.

You also have the right to lodge a complaint with the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY), or with the supervisory authority in your country of residence.

Children

Strivle is not directed at children under 13. We do not knowingly collect data from anyone under 13, and accounts believed to belong to under-13s will be removed. If you are a parent or guardian and believe your child has signed up, email privacy@strivle.com and we will delete the account.

Cookies

See our separate Cookie Policy for the full list of cookies we use, why, and how long they last.

Changes to this policy

If we make material changes to how we handle your data, we'll update this page and bump the "last updated" date at the top. For changes that legally require it — like adding a new subprocessor that gets your data — we'll notify you by email or an in-app banner before the change takes effect.

Contact

Privacy questions, GDPR requests, security disclosures — all go to privacy@strivle.com.
