1. Introduction
StartupTribunal ("we," "our," or "us") is operated by Genesis Protocol. We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
This policy complies with the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
1.1 Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Contract Performance: Processing necessary to provide our services (account management, hackathon participation, payment processing, idea analysis)
- Consent: Marketing communications, optional analytics cookies, newsletter subscriptions
- Legitimate Interest: Fraud prevention, security monitoring, service improvement through anonymized analytics
- Legal Obligation: Tax records, compliance with law enforcement requests, financial regulations
You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, and authentication data (via Google OAuth)
- Payment Information: Billing details processed through Stripe (we do not store credit card numbers)
- User Content: URLs and content you submit for analysis
- Communications: Messages you send us via LinkedIn or other contact methods
2.2 Automatically Collected Information
- Usage Data: Pages viewed, features used, analysis history
- Device Information: Hashed IP address (pseudonymized for GDPR compliance), browser type, operating system
- Analytics Data: Session duration, interaction patterns, conversion events
- Cookies: Authentication tokens (essential), analytics cookies (optional with consent)
IP Address Pseudonymization: We hash all IP addresses using SHA-256 before storage. Original IP addresses are never stored, making it technically impossible to identify individuals from our analytics data.
3. How We Use Your Information
We use collected information to:
- Provide and maintain the Service
- Process analyses and generate MVP code
- Manage your account and subscription
- Process payments and prevent fraud
- Send service updates and billing notifications
- Analyze usage patterns to improve the Service
- Provide customer support
- Comply with legal obligations
- Enforce our Terms of Service
4. Data Storage and Security
4.1 Where We Store Data
We use a hybrid database architecture for optimal performance and reliability:
- Google Cloud Firestore: Real-time user data, subscription status, usage limits
- Google Cloud SQL (PostgreSQL): Analytics, audit logs, historical data
- US-based servers: All data stored in United States data centers
4.2 Security Measures
- Industry-standard encryption (TLS/SSL) for data in transit
- Encrypted data at rest in Google Cloud
- Secure authentication via Google OAuth
- Payment processing through PCI-compliant Stripe
- Regular security audits and monitoring
- Access controls and authentication logging
While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.
5. Data Sharing and Disclosure
We do not sell your personal information. We may share data with:
5.1 Service Providers & International Transfers
We work with trusted service providers who process data on our behalf. All processors are bound by Data Processing Agreements (DPAs) and comply with GDPR requirements:
- Google Cloud Platform (US): Infrastructure and database services - Standard Contractual Clauses (SCCs)
- Stripe (Global): Payment processing - Standard Contractual Clauses (SCCs), PCI-DSS certified
- Flutterwave (Nigeria/Africa): Payment processing for African markets - Adequate safeguards under GDPR Article 49
- VibeJudge (US/AWS): AI-powered code analysis for hackathons - Data Processing Agreement
- Anthropic (US): AI processing (Claude API) - Data Processing Agreement
- Vercel (US): Hosting and deployment - Standard Contractual Clauses (SCCs)
Cross-Border Transfers: By using our service, you acknowledge that your data may be transferred to and processed in the United States and other jurisdictions where our service providers operate. We ensure all transfers comply with GDPR Chapter V requirements through Standard Contractual Clauses approved by the European Commission.
5.2 Legal Requirements
We may disclose your information if required by law, court order, or to:
- Comply with legal process
- Protect our rights and property
- Prevent fraud or security issues
- Protect user safety
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. You will be notified of any such change.
6. Data Retention (GDPR Article 5(1)(e))
We retain personal data only as long as necessary for the purposes it was collected:
- Account Data: Retained while your account is active + 90 days after deletion request
- Analytics Events: Automatically deleted after 2 years (GDPR storage limitation)
- Search History: Automatically deleted after 2 years
- Billing Records: Retained for 7 years (legal requirement for tax compliance)
- Audit Logs: Retained for 2 years for security and fraud prevention
- Deleted Accounts: Personal data anonymized or deleted within 90 days (billing records retained per legal requirements)
Automated Deletion: Our system automatically deletes analytics data past retention periods. You can request early deletion at any time by contacting us.
7. Your Rights and Choices (GDPR Chapter III)
Under GDPR, you have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of your personal data
  Self-service: Visit your account settings or use our data export tool
- Correction (Art. 16): Update inaccurate information
  Self-service: Edit your profile in account settings
- Deletion (Art. 17): Request deletion of your data ("right to be forgotten")
  Self-service: Use the delete account option in settings (billing records retained 7 years per legal requirements)
- Portability (Art. 20): Receive your data in machine-readable JSON format
  Self-service: Use our data export tool
- Restrict Processing (Art. 18): Limit how we use your data
- Object (Art. 21): Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent for marketing and optional analytics at any time
- Lodge Complaint: File a complaint with your local supervisory authority
Response Time: We respond to all data subject requests within 30 days (1 month as required by GDPR Article 12).
For requests not available via self-service, contact us via LinkedIn or email privacy@startuptribunal.com (if configured).
8. Cookies and Tracking
We use cookies and similar technologies for:
- Essential Cookies: Authentication, security, session management (required)
- Analytics Cookies: Understanding usage patterns and improving the Service
- Preference Cookies: Remembering your settings and preferences
You can control cookies through your browser settings. Disabling essential cookies may impact Service functionality.
9. Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies.
10. Children's Privacy
StartupTribunal is not intended for users under 18. We do not knowingly collect data from children. If we learn we have collected data from a child, we will delete it promptly.
11. International Users
If you access StartupTribunal from outside the United States, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer.
GDPR Compliance: If you are in the European Economic Area, you have additional rights under GDPR, including data portability and the right to lodge complaints with supervisory authorities.
CCPA Compliance: California residents have rights under the California Consumer Privacy Act, including the right to know what data is collected and the right to deletion.
12. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify you within 72 hours via email and provide information about the breach, affected data, and steps we are taking.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be notified via email or Service notification at least 30 days before taking effect. Continued use after changes constitutes acceptance.
14. Contact Us
For questions about this Privacy Policy or to exercise your rights, contact us at:
- Privacy Contact: Maku Mazakpe via LinkedIn
- Business Name: Genesis Protocol
- Service: StartupTribunal