Privacy Policy
Version 1.0.0 — Effective 2026-05-17
This Privacy Policy explains how Vladimir Dukelic and Silicon Youth LLC ("we", "us", "our") collect, use, share, and protect your personal information when you use the Pseudo project's public website at pseudo-lang.com, its documentation site at docs.pseudo-lang.com, and any associated services we operate from those domains (collectively, the "Services").
The Pseudo open-source project itself — the language, compiler, standard library, and source code — does not collect personal information; it runs locally on your machine. This Policy covers only the hosted Services.
We have written this Policy to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA / CPRA), and other applicable privacy laws. Where regional rights differ, the more protective standard applies.
1. The short version
- We collect only what we need to operate the Services. No third-party tracking cookies. No advertising networks. No selling of personal data — ever.
- The data we hold about you: an account record (if you signed up), a session cookie (so the site remembers you), a waitlist entry (if you joined), and submissions you sent us (feature requests, bug reports, comments). That is essentially all.
- We use a small number of trusted infrastructure providers (Supabase for the database, Cloudflare for the CDN and bot protection, Vercel for hosting, Resend for transactional email, and Stripe — when paid tiers ship). They process data on our behalf under written contracts.
- You can access, export, correct, or delete your data at any time from your account settings, or by emailing us.
- Because we use only first-party functional cookies and no third-party tracking, we do not require a cookie consent banner under current EU guidance.
The rest of this Policy is the detailed version.
2. Information we collect
2.1 Information you give us
Account information. If you create an account, we collect the email address, display name, and password you provide. Passwords are never stored in plain text — they are hashed using a modern password-hashing algorithm (argon2id) per RFC 9106.
OAuth identifiers. If you sign up or sign in using a third-party provider (Google, GitHub, etc., when those become available), that provider sends us a stable identifier and the email address associated with your account at that provider. We do not receive your password from the provider.
Waitlist signups. If you join the v1.0 waitlist, we collect the email address you provide and a validation token from Cloudflare Turnstile (an anti-bot check). The token is short-lived and is discarded once validation completes.
Feature requests, bug reports, and other submissions. Anything you submit via a form on the Services — feature requests, bug reports, support tickets, comments — is associated with your account (if signed in) or with the email you provide. Treat submitted content as if it might become public; do not include sensitive personal data we do not need.
Terms-of-Service acceptance. When you accept the Terms of Service (at signup, or on re-acceptance after a version bump), we record (a) the version of the Terms you accepted, (b) the IP address from which you accepted, (c) the user-agent string of the browser you used, and (d) the timestamp. This record is required for evidentiary purposes (proving that consent was obtained) and is retained for the duration permitted under applicable law even after account deletion.
Push notification subscriptions. If you opt into push notifications, your browser provides a push-subscription endpoint and a pair of cryptographic keys. We store those so we can deliver notifications you have asked to receive. You can revoke the subscription from your browser settings or from your account settings at any time.
2.2 Information we collect automatically
Session cookies. Once you sign in, we set a first-party, httpOnly, secure cookie named pseudo.session (or a similar name) with SameSite=Lax and an expiry of approximately 30 days. The cookie holds an opaque session identifier — not your email, name, or any other personal data. Its sole purpose is to keep you signed in across page loads.
CSP nonce. On each request, we generate a short, single-use cryptographic nonce that the page uses to authorize its own scripts under our Content-Security-Policy header. The nonce is not a cookie, is not persisted, and does not identify you.
Server-side log data. Our hosting provider (Vercel) and our edge / CDN provider (Cloudflare) record standard request metadata: IP address, user-agent string, request path, response status, request timestamp, and (for security-relevant events) Cloudflare bot-management signals. These logs are retained for a limited period (typically 30-90 days) and are used for security monitoring, abuse prevention, and operational debugging — not for advertising or analytics profiling.
Audit log. For administrative actions on your account (sign-in, sign-out, role changes if applicable, password reset, account deletion), we keep an entry in an internal audit log. The audit log is used for security and forensic purposes only.
2.3 What we do NOT collect
We do not collect or use:
- precise location data
- biometric data
- third-party advertising identifiers
- cross-site behavioral tracking via third-party cookies
- analytics that combine your activity across unrelated websites
- inferences for the purpose of building advertising profiles
- data about children under 16 (the Services are not directed at children under 16; if you believe we have inadvertently collected such data, contact us and we will delete it)
3. How we use information
We use the information described above for the following purposes:
- Operating the Services. Keeping you signed in, displaying your dashboard, processing your submissions, sending transactional email (sign-in confirmations, password resets, waitlist confirmations).
- Security and abuse prevention. Detecting suspicious sign-in attempts, rate-limiting form submissions, blocking automated abuse, maintaining the audit log.
- Communication. Replying to your support requests, notifying you about important changes to the Services (downtime, security incidents, Terms updates).
- Improving the project. Reading your feature requests and bug reports to improve Pseudo. Submitted content may inform future RFCs, design decisions, or roadmap priorities — Vladimir reads them.
- Legal compliance. Responding to lawful requests from authorities, exercising or defending our legal rights, complying with applicable law.
We do not use your information to build advertising profiles, sell to data brokers, or train third-party AI models without your explicit, separate consent.
4. Lawful bases under GDPR
For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following lawful bases (GDPR Article 6):
- Performance of a contract (Art. 6(1)(b)) — for account creation, sign-in, processing your submissions, and delivering the Services you have requested.
- Legitimate interests (Art. 6(1)(f)) — for security monitoring, abuse prevention, audit logging, and basic server-side request logs. Our legitimate interests are running a secure, reliable Service; we have assessed these against your privacy rights and concluded the processing is proportionate.
- Consent (Art. 6(1)(a)) — for push notification subscriptions and any future feature that asks for separate opt-in (e.g., optional product-update emails). You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — for retention of Terms-of-Service acceptance records and responses to lawful authority requests.
Where we rely on legitimate interests, you may object — see Section 7.
5. Sharing — who else processes your data
We use a small number of third-party "processors" who handle data on our behalf under written contracts (Data Processing Agreements). They process data only for the purposes we specify; they do not use your data for their own purposes.
| Processor | Purpose | Data shared | Region |
|---|---|---|---|
| Supabase | Application database + authentication backend | All account data, submissions, audit log | EU (Frankfurt) |
| Cloudflare | CDN, edge functions, bot protection (Turnstile), DNS, tunnels | IP, request metadata, Turnstile token, traffic patterns | Global edge |
| Vercel | Web hosting, edge runtime, server logs, optional analytics (privacy-preserving, no cookies) | IP, request metadata, server logs | Global edge |
| Resend | Transactional email delivery (sign-in links, password resets, receipts) | Recipient email address, email content | EU (primary), US (failover) |
| Stripe | Payment processing (only if and when paid tiers ship — not active in v1.0 day 1) | Name, email, billing address, card data (handled by Stripe directly — we never see the card number) | Global |
| Tavily | Internal — used by our development VMs for research workflows; not invoked on user requests | None — internal infrastructure only | US |
We do not share data with advertisers, data brokers, or analytics-for-advertising platforms.
We may disclose information when required by law (court order, subpoena, lawful authority request), when necessary to protect our rights or the safety of others, or in connection with a business transaction (merger, acquisition, asset sale) — in which case the acquiring party will be bound by terms at least as protective as this Policy.
6. International transfers
We are based in the European Union (Silicon Youth LLC) and in the Republic of Serbia (where Vladimir resides). Our database is hosted in the EU (Frankfurt region of Supabase). Some of our processors operate globally (Cloudflare, Vercel, Stripe), which means your data may be processed in countries outside your country of residence, including the United States.
For transfers from the EU/EEA/UK/Switzerland to other jurisdictions, we rely on:
- EU Standard Contractual Clauses (the 2021 modules) where the recipient is in a third country without an adequacy decision
- UK International Data Transfer Addendum for UK-originated transfers
- Swiss-equivalent SCCs for Switzerland-originated transfers
- Adequacy decisions where they apply (e.g., transfers within the EU/EEA)
We have selected processors who maintain robust security and compliance programs (SOC 2, ISO 27001, GDPR-aligned DPAs). Where additional supplementary measures are warranted, we apply them.
7. Your rights
Depending on where you live, you have some or all of the following rights:
7.1 Rights under GDPR (EU/EEA/UK/Switzerland)
- Access — you can request a copy of the personal data we hold about you
- Rectification — you can ask us to correct inaccurate data
- Erasure (the "right to be forgotten") — you can ask us to delete your data, subject to limited exceptions (e.g., the Terms-of-Service acceptance record described in Section 2.1, retained for evidentiary purposes)
- Portability — you can request your data in a structured, commonly-used, machine-readable format
- Restriction of processing — you can ask us to limit how we process your data
- Objection — you can object to processing based on legitimate interests
- Withdrawal of consent — where we rely on consent, you can withdraw it at any time (this does not affect the lawfulness of processing before withdrawal)
- Lodge a complaint with your local Data Protection Authority — though we hope you will contact us first so we can address your concern
7.2 Rights under CCPA / CPRA (California)
- Right to know — what categories of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it
- Right to access — a copy of the specific pieces of personal information we have collected
- Right to delete — request deletion, subject to limited exceptions
- Right to correct — request correction of inaccurate personal information
- Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising; nevertheless, you have the right to a formal opt-out, which is implicit in our not engaging in those practices
- Right to limit use of sensitive personal information — we do not collect sensitive personal information for purposes other than the operation of the Services
- Right to non-discrimination — we will not deny service, charge differently, or provide a lesser experience because you exercised your privacy rights
7.3 How to exercise your rights
Email us at vladimir@pseudo-lang.com with the subject line "Privacy request" and describe what you would like us to do. For account-specific requests, send the email from the address associated with your account, or include sufficient information for us to verify your identity. We will respond within the period required by applicable law (typically 30 days under GDPR, 45 days under CCPA, extendable when justified).
Where applicable law gives you a right to use an authorized agent, you may do so; we may verify the agent's authority and your identity before proceeding.
8. Data retention
We retain personal information for as long as is necessary to provide the Services and to meet our legal obligations:
- Account data: while your account is active. After account deletion: erased within 30 days, except where we have a legal obligation to retain longer (see Terms-of-Service acceptance below).
- Sessions: 30 days of inactivity, then expired. Expired sessions are pruned on a rolling basis.
- Waitlist entries: until v1.0 launch + 90 days, or until you ask us to delete, whichever comes first.
- Feature requests and bug reports: indefinitely, since these may inform future work. You can ask us to dissociate your identity from a submission and retain the content anonymously.
- Terms-of-Service acceptance records: for the duration permitted under applicable law (typically 6 years under EU consumer law; longer in some jurisdictions). This retention is necessary for evidentiary purposes and survives account deletion.
- Audit logs: 2 years for security-relevant events; shorter for routine events.
- Server / CDN logs: 30-90 days, then aggregated or deleted, per processor policy.
- Email transactional records (sign-in confirmations, password resets, receipts): per Resend's policy, typically 60-90 days.
9. Security
We apply industry-standard security measures, including:
- Argon2id password hashing with OWASP-exceeding parameters per RFC 9106
- httpOnly, secure, SameSite cookies for session management
- Content-Security-Policy with per-request nonces to mitigate XSS
- HTTPS / TLS 1.3 everywhere
- Defense-in-depth rate limiting at the edge (Cloudflare) and at the application layer
- Cloudflare Turnstile anti-bot checks on public forms
- Encrypted-at-rest database (Supabase managed Postgres)
- Least-privilege access to production data (Vladimir + a small set of audited operators)
- Audit logging for administrative actions
- Regular dependency-update audits
No system is perfectly secure. If a breach occurs that is likely to result in a high risk to your rights, we will notify you and the relevant supervisory authorities within the timeframes required by GDPR and other applicable law (typically 72 hours).
10. Cookies and similar technologies
We use only first-party, functional cookies — there are NO third-party tracking cookies, advertising cookies, or cross-site analytics cookies on the Services.
Cookies we set:
| Name | Purpose | Type | Lifetime |
|---|---|---|---|
| pseudo.session | Keeps you signed in across page loads | First-party, httpOnly, Secure, SameSite=Lax | ~30 days |
| (CSP nonce) | Single-use cryptographic nonce delivered as a response header; not a cookie | n/a | per request |
Because we use only essential, first-party functional cookies, current EU guidance does not require a cookie consent banner for this site. If we ever add a non-essential cookie or a third-party tracking technology, we will publish an updated Policy and present a clear consent mechanism before any such cookie is set.
You can clear or block cookies in your browser settings; doing so will sign you out and may affect functionality.
11. Do Not Track and Global Privacy Control
We honor the Global Privacy Control (GPC) signal as a valid opt-out request under CCPA / CPRA. We do not engage in the kind of cross-context behavioral tracking that DNT was designed to opt out of, but we still treat a GPC signal as a clear expression of preference.
12. Children
The Services are not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided personal information to us, please contact us and we will delete it promptly.
13. Changes to this Policy
We may update this Policy from time to time. We will update the version number and effective date at the top of this page. For material changes, we will (a) post a notice on the Services and (b) where required by law, obtain renewed consent. A change log of all published versions is available at /legal. Prior versions remain available for reference.
14. Contact and data controller
The data controller (for GDPR purposes) and the "business" (for CCPA / CPRA purposes) is:
Vladimir Dukelic / Silicon Youth LLC
- Email: vladimir@pseudo-lang.com
- Postal: Silicon Youth LLC — contact via email for the current registered address
For privacy-specific questions, lawful-request submissions, or to exercise any of your rights described in Section 7, please email the address above with the subject line "Privacy request".
If you are in the EU/EEA/UK/Switzerland and you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. We would, however, appreciate the chance to address your concern first.
Privacy Policy v1.0.0 — Effective 2026-05-17. Published at https://pseudo-lang.com/privacy.