Private beta
Get early access →
BlogManifestoContactGet early access →
Privacy Policy

Your data, and what we do with it.

Last updated: 5 July 2026

LabCraft is an interactive learning platform for Nix, NixOS, and systems technologies. This policy explains what personal data we collect when you use the platform, why we collect it, how long we keep it, who we share it with, and the rights you have over it.

LabCraft is operated by Anand Suresh as an individual, who is the data controller responsible for your personal data. If you have any question about this policy or want to exercise your rights, contact privacy@labcraft.dev.

The short version

Who we are and where your data lives

LabCraft runs on a single server hosted by Hetzner Online GmbH in Nuremberg, Germany. Your account data, learning progress, and analytics are stored there — inside the European Union. We do not use any other cloud provider, CDN, or third-party database.

What we collect

We group the data we collect into a few broad categories. As the platform grows, the specific details within a category may change, but they stay within the categories described here:

Account information

What you provide, or your sign-in provider shares, when you create and manage an account — such as your name, email address, and profile image.

Authentication

You sign in with Google, GitHub, or an email link. When you use Google or GitHub, they share basic profile information (such as your name, email, and avatar) with us. We never see or store your password.

Learning activity

Information about how you use the courses and labs — such as your progress and your activity within the lab environments, including the commands you run there. We use this to run the lessons, track your progress, and power the in-lab coach.

Technical data

Information collected automatically as you use the site — such as cookies and session identifiers, aggregate usage analytics, and standard server logs (which may include IP addresses). See Cookies below.

Communications

If you use our contact form or otherwise get in touch, the information you include in your message. We email contact submissions to ourselves rather than storing them in a database.

Why we use it, and our legal basis

Under the EU General Data Protection Regulation (GDPR) we rely on the following legal bases:

PurposeLegal basis
Provide, maintain, and secure your account and the platformPerformance of a contract (Art. 6(1)(b))
Deliver courses and track your learning progressPerformance of a contract (Art. 6(1)(b))
Communicate with you — sign-in links, service messages, and replies to your enquiriesPerformance of a contract, or our legitimate interest in responding to you (Art. 6(1)(b) / (f))
Understand and improve how the platform is usedLegitimate interest in improving the platform (Art. 6(1)(f))
Keep the service running, secure, and abuse-freeLegitimate interest in security and reliability (Art. 6(1)(f))

Cookies

We use only first-party cookies, no third-party advertising or tracking cookies:

Our analytics do not require cookies to identify you.

Who we share it with

We do not sell your personal data and do not share it for advertising. We rely on a small set of processors to run the service:

When you sign in with Google or GitHub, or when we email you, your data is processed by those companies under their own privacy policies. Google and GitHub are based in the United States; any transfer of your data to them occurs under their standard data-protection safeguards. We may also disclose data if required by law.

How long we keep it

We keep your account information and learning activity for as long as your account is active. When you delete your account or ask us to delete your data, we remove it. Server logs and analytics are retained only as long as needed to operate and secure the platform. Contact-form emails are kept in our inbox subject to normal email retention.

Your rights

If you are in the EU/EEA or UK, you have the right to access your data, correct it, delete it, restrict or object to its processing, receive a portable copy, and withdraw consent where processing is based on consent. You may also lodge a complaint with your local data protection authority.

If you are a California resident, you have the right to know what personal information we collect and why, to request its deletion or correction, and to not be discriminated against for exercising these rights. We do not sell or “share” your personal information as those terms are defined under California law, and we do not use it for cross-context behavioral advertising.

To exercise any of these rights, email privacy@labcraft.dev. We will respond within the timeframes required by law. We may need to verify your identity before acting on a request.

Security

Your data is stored on infrastructure we operate directly in the EU. Communication between our internal services is encrypted with mutual TLS, secrets are held in a dedicated secrets manager, and access to operational dashboards is gated behind SSH. No system is perfectly secure, but we design for a strong isolation boundary — course labs run in isolated virtual machines, and we do not store passwords.

Children

LabCraft is not directed at children. You must be at least 16 years old to create an account. If you believe a child has given us personal data, contact us and we will delete it.

Changes to this policy

We may update this policy as the platform evolves. When we do, we'll change the “Last updated” date above, and for material changes we'll provide a more prominent notice.

Contact

Questions, requests, or complaints: privacy@labcraft.dev.

LabCraft · Private beta · 2026Privacy
labcraft.dev