Privacy Policy

Last updated: 20 April 2026

Econito (“we”, “us”, or “our”) is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it. It applies to users of econito.co.uk and any associated subdomains.

Econito is operated as a personal project. If you have any questions about this policy, you can contact us at champion.hdan@gmail.com.

1. What Data We Collect

We collect only the minimum personal data required to provide the Econito service.

Account Data

When you create an account, we collect:

  • First name and last name — used to personalise your experience
  • Email address — used for authentication and account communication
  • Membership type — whether your account is on the free or premium plan
  • Account creation date, last updated date, and last login date

If you sign up via Google OAuth, your name and email address are retrieved from your Google account. No other Google data is accessed.

Payment Data

If you subscribe to the Premium plan, payments are processed by Stripe. We store a Stripe Customer ID to link your account to your subscription. We do not store your card number, CVV, or any other payment card details — these are handled exclusively by Stripe and never transmitted to our servers.

Usage Data

We use Vercel Analytics to collect anonymised, aggregated usage statistics (e.g. page views, browser type, country). This data cannot be used to identify you individually.

2. How We Use Your Data

  • To create and manage your account
  • To authenticate you when you sign in
  • To provide access to content appropriate to your membership tier
  • To process and manage your subscription through Stripe
  • To send essential account emails (e.g. password reset links)
  • To improve and maintain the platform using anonymised analytics

We do not sell your data to third parties. We do not use your data for advertising purposes.

3. Legal Basis for Processing (UK GDPR)

We process your data under the following legal bases:

  • Contract performance — processing your name, email, and payment data is necessary to provide the service you signed up for.
  • Legitimate interests — we use anonymised analytics to understand how the platform is used and to improve it.
  • Legal obligation — we may retain transaction records to comply with financial regulations.

4. Cookies

We use only strictly necessary cookies to keep you signed in. We do not use advertising or tracking cookies.

| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| access_token | Authenticates your session on each request | 7 days | HttpOnly, Secure |
| refresh_token | Silently renews your session without requiring re-login | 30 days | HttpOnly, Secure |

Both cookies are set with the HttpOnly and Secure flags, meaning they cannot be accessed by JavaScript and are only transmitted over HTTPS. They are automatically deleted when they expire or when you log out.

Because these cookies are strictly necessary to provide the service, we do not require your explicit consent to set them. No cookie consent banner is required under UK GDPR for this category. If you disable cookies entirely, you will not be able to log in.

5. Third-Party Services

We use the following third-party services to operate Econito:

Supabase

We use Supabase for authentication and database hosting. Your account data is stored on Supabase's infrastructure. Supabase processes data in accordance with GDPR. For more information, see the Supabase Privacy Policy.

Stripe

Stripe processes all subscription payments. Your payment card details are entered directly into Stripe's secure form and are never transmitted to, or stored by, Econito. Stripe is certified to PCI Service Provider Level 1. See the Stripe Privacy Policy.

Google OAuth

If you choose to sign in with Google, Google will share your name and email address with us. No other Google data is accessed. See Google's Privacy Policy.

Vercel

Econito is hosted on Vercel. Vercel may collect standard server logs (IP addresses, request paths) for operational purposes. See the Vercel Privacy Policy.

6. Data Retention

  • Account data is retained for as long as your account is active. If you delete your account, your personal data will be removed from our systems within 30 days, except where we are required to retain it by law (e.g. transaction records for financial compliance).
  • Session cookies expire automatically after 7 days (access token) and 30 days (refresh token), or immediately upon logout.

7. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your personal data
  • Right to restriction — request that we limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests

To exercise any of these rights, contact us at champion.hdan@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Data Security

We take reasonable technical measures to protect your data, including:

  • HTTPS encryption on all pages and API requests
  • HttpOnly and Secure flags on all session cookies
  • Passwords hashed and managed by Supabase Auth — we never store plaintext passwords
  • Payment data handled exclusively by Stripe's PCI-compliant infrastructure

9. Children's Privacy

Econito is intended for economics students, which may include users under 18. We do not knowingly collect additional data from minors beyond what is described in this policy. If you are under 13, you should have parental consent before creating an account.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “last updated” date at the top of this page. Continued use of the service after changes constitutes acceptance.

11. Contact

For any privacy-related questions or requests, contact us at: champion.hdan@gmail.com