Privacy Policy

Last updated: March 2, 2026

1. Who we are

fivenines is operated by Firebrick Labs, the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR).

Firebrick Labs
UIC / BULSTAT: 208431638
31 Alexander Malinov Blvd., Mladost 1A
Mladost District, Sofia 1729, Bulgaria

If you have any questions about this policy or your data, contact us at team@firebricklabs.com.

2. What data we collect

We collect the following categories of data:

  • Account data — your email address, display name, avatar URL, subscription tier, XP, and account creation date. This data is provided via Google OAuth when you sign in and is necessary to provide the service.
  • Learning progress — tutorial completion status, quiz results, coding challenge attempts, and XP earned. Stored in our database to track your progress.
  • User-generated content — architecture diagrams you create, solutions you publish to the community, comments on other users' solutions, and ratings you give. Published solutions, comments, and ratings are visible to other users.
  • Preferences — theme selection, email notification preferences, and cookie consent choices. Stored locally and in our database.
  • Behavioral analytics (optional, consent-based) — if you accept analytics cookies, we use Mixpanel to record events such as page views, feature usage, tutorial progress, quiz completions, and upgrade interactions. This data is linked to your user ID, email, and display name within Mixpanel.

3. Legal basis for processing

  • Account data & learning progress — processed on the basis of contractual necessity (Art. 6(1)(b) GDPR). We cannot provide the service without it.
  • User-generated content — processed on the basis of contractual necessity when you choose to publish solutions or post comments.
  • Behavioral analytics — processed only with your explicit consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time from Settings › Privacy & Data or via the cookie banner.
  • Marketing & transactional communications — marketing is processed only with your explicit consent (Art. 6(1)(a) GDPR). Essential transactional emails (like billing receipts) are processed under contractual necessity.

4. How we use your data

  • To provide and operate the fivenines learning platform.
  • To track your progress across tutorials and challenges.
  • To evaluate your architecture diagrams using AI and provide feedback.
  • To execute and test your code submissions.
  • To display your published solutions, comments, and ratings to the community.
  • To understand how the product is used and improve features (analytics, consent required).
  • To send transactional emails such as welcome messages, comment reply notifications, and solution rating notifications (if you have enabled them in settings).

We never sell your personal data to third parties.

5. Third-party processors & AI Usage

We share data with the following third-party service providers who process data on our behalf:

  • Supabase — database hosting and authentication. Stores your account data, learning progress, and user-generated content.
  • Google — OAuth authentication provider. Receives your authentication request when you sign in. Note: Our typography uses Next.js self-hosted fonts, meaning your IP address is not sent to Google for web fonts.
  • Mixpanel — behavioral analytics. Only receives data if you have given explicit consent.
  • Replicate & Anthropic (Claude) — AI model hosting. Your architecture diagrams and problem specifications are sent to Replicate for AI-powered evaluation and scoring. We do not use your data to train AI. Your code and architectures are processed transiently via enterprise APIs and are strictly prohibited from being used for public model training.
  • Judge0 — code execution service. Your source code and test code are sent to Judge0 for compilation and execution. This data is processed transiently.
  • Resend — transactional email delivery. Receives your email address when we send you notifications or welcome emails.

6. Google user data

fivenines uses Google OAuth solely for sign-in and account creation. We do not access any Google APIs beyond the standard OpenID Connect sign-in flow. The following describes precisely what Google user data we receive and how it is used.

Data accessed

  • Email address (email scope) — the primary email address associated with your Google account.
  • Full name (profile scope) — the display name on your Google account.
  • Profile picture URL (profile scope) — the URL of your Google account avatar.
  • Google account ID (openid scope) — a stable, Google-issued identifier for your account.

Data usage

  • Email address — used to create your fivenines account, identify you on sign-in, and send transactional emails (e.g. welcome message, notification emails if you have enabled them).
  • Full name & profile picture URL — used to populate your in-product display name and avatar, which are shown to you and, where you have published content, visible to other users in community features.
  • Google account ID — used solely to reliably match your Google identity to your existing fivenines account on subsequent sign-ins. It is never exposed publicly.

None of the above Google user data is used for advertising or profiling, and none of it is sold or shared with third parties except as described in Section 5 (e.g. your email address is shared with Resend solely to deliver emails you have requested). No additional Google APIs or user data are accessed beyond the sign-in flow described here. This data is stored as part of your account and is deleted when you delete your account.

fivenines' use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

7. Data security

We rely on Supabase for our database and authentication infrastructure. To protect your data, all traffic is encrypted in transit using industry-standard TLS (HTTPS). In the database, your data is encrypted at rest using AES-256 encryption. We strictly enforce data isolation using Row Level Security (RLS) policies to ensure users can only access their own private data. Because we use Google OAuth for authentication, we never see, process, or store passwords.

8. International data transfers

Some of our third-party processors are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the processor's participation in recognized data protection frameworks like the EU-US Data Privacy Framework.

9. Data retention

  • Account data & learning progress — retained for as long as your account is active. When you delete your account, all account data and associated records are permanently removed.
  • User-generated content — published solutions, comments, and ratings are retained for as long as your account exists. Deleting your account removes all associated content.
  • Mixpanel analytics data — retained for 12 months and purged automatically. Withdrawing consent stops future data collection but does not automatically delete previously collected analytics. To request deletion of existing analytics data, contact us at team@firebricklabs.com.
  • Consent records — kept indefinitely as required for regulatory demonstrability (Art. 7(1) GDPR).
  • AI evaluation & code execution data — processed transiently by Replicate and Judge0. Not stored by these services beyond the duration of the request. Evaluation results are stored securely in our database as part of your solutions.

10. Your rights

Under the GDPR, you have the following rights regarding your data:

  • Access & Portability — download a structured JSON export of all your data from Settings › Privacy & Data.
  • Erasure (Right to be forgotten) — permanently delete your account and all associated data from Settings › Privacy & Data.
  • Rectification — update your display name and avatar from Settings; contact us to correct other data.
  • Withdrawal of consent — disable analytics or marketing consent at any time from Settings › Privacy & Data or via the cookie banner. Withdrawal does not affect the lawfulness of prior processing.
  • Restriction & objection — you may request that we restrict or stop processing your personal data in certain circumstances.
  • Complaint — you have the right to lodge a complaint with your national supervisory authority regarding our processing of your personal data.

To exercise any of these rights outside of the self-serve dashboard, contact us at team@firebricklabs.com.

11. Cookies & local storage

We primarily use browser localStorage rather than HTTP cookies to store your consent choices and session state. If you accept analytics, Mixpanel may also set browser cookies. No tracking technologies are activated before you give explicit consent.

For full details on what is stored and how to manage your preferences, see our Cookie Policy.

12. Children's privacy

fivenines is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child under 16, please contact us at team@firebricklabs.com and we will promptly delete it.

13. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. The “last updated” date at the top reflects the most recent revision.