Privacy Policy

HackSanta is a parent-operated family entertainment service. Parents and guardians create accounts, add children to private family lists, and decide whether children may view the Santa portal using parent-controlled access details.

We do not want children under 13 to create accounts or submit personal information directly to us. If you believe a child has provided personal information without a parent or guardian, contact us and we will review and delete it as appropriate.

Account information: parent or guardian email address, authentication details handled by Supabase, username, profile image if uploaded, membership status, and Stripe customer or subscription identifiers.

Child information provided by parents: child name or nickname, optional birth year, list status, uploaded child photo or selected avatar, toy name, toy image, list entries, Santa portal play code, and Santa letter or certificate details.

Friend invite information: a parent may enter a friend's email address and an optional message so HackSanta can send an invitation.

Operational information: security logs, parent-side analytics events, checkout events, email delivery status, and abuse-prevention/rate-limit data. Parent-side analytics may include page URL, referrer, device type, browser, operating system, source/campaign details, anonymous/session identifiers, and logged-in user ID when applicable.

HackSanta is designed so parents control the family account and child data. Children should use the portal only with parent permission and should not create their own accounts.

We use child information only to provide the family experience: Santa lists, the portal, toy details, letters, certificates, and related account features.

Parents may create a Santa portal play code for children to guess as part of the entertainment experience. This play code is not the parent's account password and is not intended to secure the parent account or private account data.

We do not sell children's personal information, use it for targeted advertising, or knowingly allow third-party advertising networks to track children through the portal.

Parents may review, edit, or delete child profiles, photos, toy details, list entries, and related account content from the dashboard. Parents may also contact us to request deletion or assistance.

Parents can also use My Account > Privacy & Data to download account and child data, delete individual child records, submit access, correction, deletion, or appeal requests, and permanently delete their HackSanta account.

Child and toy uploads are stored in private app storage and served through authenticated access controls. Uploaded images are not intended to be public website content.

HackSanta attempts to remove common image metadata, including EXIF, GPS, XMP, text, comment, and color-profile metadata, from supported JPG, PNG, and WEBP uploads before storage. GIF uploads are not accepted because metadata stripping is not reliable for that format.

When a parent removes or replaces a child or toy photo, HackSanta attempts to delete the prior uploaded file promptly from active storage. Some copies may persist temporarily in backups, logs, caches, or provider systems where immediate deletion is not technically available.

Parents should only upload photos they have the right to use and should avoid images containing sensitive details such as addresses, school IDs, medical information, or location metadata.

We use information to provide and secure HackSanta, authenticate accounts, process subscriptions, send transactional emails, support friend invitations, maintain parent-controlled family content, prevent abuse, troubleshoot errors, and improve parent-facing product flows.

We have disabled child-side portal analytics. We do not track portal page views, Santa list views, tracker views, workshop camera views, or child portal login attempts for analytics reporting.

We use trusted providers to operate the service, including Supabase for authentication, database, and storage; Stripe for payments and subscriptions; Resend for transactional email; and Vercel or similar hosting/analytics infrastructure for deployment and performance.

These providers process information for HackSanta's operational purposes and are not authorized by us to use child information for their own advertising.

Stripe processes payment details. HackSanta does not collect or store full card numbers. We receive limited payment and subscription records such as Stripe customer ID, subscription ID, payment or subscription status, amount, and limited billing or contact details needed for account, support, tax, fraud-prevention, and recordkeeping purposes.

HackSanta does not sell personal information, share personal information for cross-context behavioral advertising, or use personal information for targeted advertising.

If our practices change in the future, we will update this policy and provide any choices or notices required by law before using personal information in those ways.

HackSanta uses authentication cookies and local storage to keep parents signed in, maintain secure portal access, remember app state, and protect accounts.

On non-portal pages, HackSanta uses first-party local storage keys such as hs_anonymous_id, hs_session_id, and hs_attribution for parent-side operational analytics, session continuity, attribution/source reporting, debugging, and product improvement.

These first-party analytics identifiers are not used on child portal pages, are not sold or shared for cross-context behavioral advertising, and are not used for targeted advertising.

You can clear these local storage identifiers through your browser's site-data controls. Clearing them may reset analytics/session continuity but does not prevent you from using your parent account.

We keep account and child information until the parent deletes it, closes the account, or requests deletion, subject to legal, security, billing, fraud-prevention, and recordkeeping obligations.

Parent-side analytics are retained until they are no longer needed for business, product, security, or compliance purposes.

Friend invite recipient emails and invite messages are retained for up to 90 days unless a longer period is needed for abuse prevention, support, security, legal, or compliance reasons. Invite recipients may contact us to request deletion or suppression of their email address.

Parents can delete child records from the dashboard or from My Account > Privacy & Data. Parents may also permanently delete their HackSanta account from My Account > Privacy & Data, which removes active HackSanta account records, family data, child records, list entries, invite records, drafts, and uploaded images from HackSanta unless limited retention is required for legal, security, billing, or fraud-prevention purposes.

We use access controls, row-level security, private storage for uploads, rate limiting, HTTPS-capable hosting, and provider security features to protect account and child information.

The child-facing Santa portal play code is stored so parents can view, manage, and share it with their child for the pretend portal experience. Actual account access is protected separately by parent authentication, account-scoped access controls, and portal session/login-key checks.

No online service can guarantee perfect security. Parents should use strong account passwords and should not share parent account credentials with children or others.

Parents may request access, correction, deletion, export, or help limiting future use of their child's information from My Account > Privacy & Data or by contacting hacksanta@proton.me.

Depending on where you live, you may also have rights to access, correct, delete, or receive a copy of personal information, and to ask questions about opt-out rights. HackSanta does not sell or share personal information for targeted advertising, but you may still contact us about privacy choices or requests.

Please include the parent account email and enough detail for us to locate the relevant family account. We may need to verify that you control the account before acting on the request.

If we deny a privacy request, you may appeal by replying to our decision email or contacting hacksanta@proton.me with "Privacy Appeal" in the subject line.

HackSanta.com is operated by HackSanta LLC.

Privacy and parent requests may be sent to hacksanta@proton.me.

We are not listing a mailing address at this time. If a law requires a mailing address for a specific notice or request, contact us by email and we will provide the appropriate contact information.

We may update this Privacy Policy as HackSanta changes. If changes materially affect children's information practices, we will provide notice appropriate to the change and, when required, seek updated parental consent.