fivenines

Privacy Policy

Last updated: June 20, 2026

1. Who we are

fivenines is operated by Firebrick Labs, the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR).

Firebrick Labs
UIC / BULSTAT: 208431638
31 Alexander Malinov Blvd., Mladost 1A
Mladost District, Sofia 1729, Bulgaria

If you have any questions about this policy or your data, contact us at team@firebricklabs.com.

2. What data we collect

We collect the following categories of data:

  • Account data — your email address, display name, avatar URL, Google account ID, subscription tier, and account creation date. Your email, name, avatar, and Google account ID are provided via Google OAuth when you sign in; subscription tier and account creation date are generated by fivenines.
  • Learning progress — tutorial completion status, practice results, D2 review attempts, and problem progress. Stored in our database to track your progress.
  • User-generated content — D2 diagrams and workspace drafts you create while using the product.
  • Preferences — theme selection, cookie consent choices, and your account-level tutorial release email preference. Stored locally and in our database, depending on the preference.
  • Billing and subscription data — if you upgrade, we store the Stripe customer, subscription, product, and price identifiers needed to manage Pro access, your plan, subscription status, renewal/cancellation/trial dates, and billing webhook payloads needed for payment reconciliation. Stripe collects payment details directly; we do not store full payment card numbers.
  • Newsletter subscription data — if you subscribe to our newsletter or product updates via the landing page, we collect your email address and the date you subscribed. No account is required. If you opt in to tutorial release emails from your account, we store that consent choice in your profile preferences.
  • Behavioral analytics (optional, consent-based) — if you accept analytics cookies, we use Mixpanel to record events such as page views, feature usage, track usage, tutorial progress, quiz completions, upgrade interactions, checkout milestones, and subscription conversion status. This data is linked to your user ID, email, and display name within Mixpanel, but we do not send payment card details or raw Stripe payloads to Mixpanel.
  • Marketing & advertising data (optional, consent-based) — if you accept marketing cookies, Meta Pixel tracks page views and sign-up conversions. Your user ID may be shared with Meta as an external identifier for conversion attribution. This data is used to measure ad performance and, where enabled, build audiences on Meta platforms (Facebook, Instagram).

3. Legal basis for processing

  • Account data & learning progress — processed on the basis of contractual necessity (Art. 6(1)(b) GDPR). We cannot provide the service without it.
  • User-generated content — processed on the basis of contractual necessity when you create D2 diagrams or submit them for review.
  • Billing and subscription records — processed to perform our contract with you, comply with tax and accounting obligations, and protect our legitimate interests in payment reconciliation, fraud prevention, and dispute handling.
  • Behavioral analytics — processed only with your explicit consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time from Settings › Privacy & Data or via the cookie banner.
  • Marketing & advertising data — processed only with your explicit consent (Art. 6(1)(a) GDPR). Consent can be withdrawn at any time from the cookie banner or Settings.
  • Newsletter & marketing communications — processed only with your explicit consent (Art. 6(1)(a) GDPR), given when you voluntarily submit your email address via our newsletter signup form or enable tutorial release emails from your account. You may unsubscribe at any time by contacting us or by disabling tutorial release emails in Settings. Essential transactional emails (like billing receipts) are processed under contractual necessity.

4. How we use your data

  • To provide and operate the fivenines learning platform.
  • To track your progress across tutorials and challenges.
  • To evaluate your D2 diagrams using AI and provide feedback.
  • To process Pro subscriptions, activate paid access, and reconcile billing events.
  • To understand how the product is used and improve features (analytics, consent required).
  • To measure the effectiveness of advertising campaigns and attribute sign-ups on Meta platforms (marketing, consent required).
  • To send essential transactional emails related to your account.
  • To send product updates, new problem announcements, and other newsletter content to subscribers who have opted in via the newsletter signup form or account-level tutorial release email preference.

We never sell your personal data to third parties.

5. Third-party processors & AI usage

We use the following third-party service providers and platform providers to operate fivenines:

  • Supabase — database hosting and authentication. Stores your account data, learning progress, and user-generated content.
  • Google — OAuth authentication provider. Receives your authentication request when you sign in. Note: Our typography uses Next.js self-hosted fonts, meaning your IP address is not sent to Google for web fonts.
  • Stripe — managed payments, checkout, subscription billing, tax handling, receipts, refunds/chargebacks, fraud prevention, and Link account management where available. Stripe receives the payment, transaction, and order information needed to provide those services. See Stripe's Privacy Policy.
  • Mixpanel — behavioral analytics. Only receives data if you have given explicit analytics consent. Checkout and subscription conversion milestones may be sent after payment processing confirms the event, but payment details and raw Stripe payloads are not sent to Mixpanel.
  • Meta (Facebook) — advertising and conversion tracking via Meta Pixel. Only activated if you have given explicit marketing consent. Receives page view events, sign-up conversion events, and your user ID as an external identifier for conversion attribution. Data is processed under Meta's Privacy Policy.
  • Cloudflare Workers AI — AI model inference. Your D2 workspace files and problem specifications are sent to Cloudflare Workers AI for evaluation and scoring. We do not use your data to train AI. Cloudflare states that Workers AI customer content is not used to train models or improve Cloudflare or third-party services without explicit consent. See Cloudflare's Workers AI data usage documentation.
  • Resend — email delivery. Receives your email address and display name when we send essential account emails or tutorial release emails you have opted in to receive.

6. Google user data

fivenines uses Google OAuth solely for sign-in and account creation. We do not access any Google APIs beyond the standard OpenID Connect sign-in flow. The following describes precisely what Google user data we receive and how it is used.

Data accessed

  • Email address (email scope) — the primary email address associated with your Google account.
  • Full name (profile scope) — the display name on your Google account.
  • Profile picture URL (profile scope) — the URL of your Google account avatar.
  • Google account ID (openid scope) — a stable, Google-issued identifier for your account.

Data usage

  • Email address — used to create your fivenines account, identify you on sign-in, and send essential account emails.
  • Full name & profile picture URL — used to populate your in-product display name and avatar.
  • Google account ID — used solely to reliably match your Google identity to your existing fivenines account on subsequent sign-ins. It is never exposed publicly.

None of the above Google user data is used for advertising or profiling by us, and none of it is sold. It is shared only as described in Section 5, for example with Supabase to operate your account, Resend to deliver account emails, and Stripe if you choose to upgrade. No additional Google APIs or user data are accessed beyond the sign-in flow described here. This data is stored as part of your account and is deleted when you delete your account, except where limited records must be retained for legal, security, billing, or dispute-resolution purposes.

fivenines' use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

7. Data security

We rely on Supabase for our database and authentication infrastructure. To protect your data, all traffic is encrypted in transit using industry-standard TLS (HTTPS). In the database, your data is encrypted at rest using AES-256 encryption. We strictly enforce data isolation using Row Level Security (RLS) policies to ensure users can only access their own private data. Because we use Google OAuth for authentication, we never see, process, or store passwords.

8. International data transfers

Some of our third-party processors are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the processor's participation in recognized data protection frameworks like the EU-US Data Privacy Framework.

9. Data retention

  • Account data & learning progress — retained for as long as your account is active. When you delete your account, profile-linked app records such as progress, drafts, evaluations, AI deploy events, and subscription rows are removed from our app database.
  • User-generated content — retained for as long as your account exists. Deleting your account removes all associated content.
  • Mixpanel analytics data — retained for 12 months and purged automatically. Withdrawing consent stops future data collection but does not automatically delete previously collected analytics. To request deletion of existing analytics data, contact us at team@firebricklabs.com.
  • Meta Pixel data — retained by Meta in accordance with their data retention policies. Withdrawing marketing consent stops future data transmission to Meta but does not delete data already collected by Meta.
  • Billing and payment records — subscription rows are retained while your account is active. Stripe retains payment and transaction data in accordance with its own policy. We may retain billing event records for as long as needed for tax, accounting, chargeback, fraud-prevention, payment reconciliation, and legal purposes, including after account deletion where required.
  • Newsletter subscription data — your email address is retained until you unsubscribe. Upon unsubscribing, we mark your record as unsubscribed and stop sending emails. You may request full deletion by contacting us.
  • Tutorial release email preferences — retained in your profile preferences while your account is active, including the latest consent choice, source, version, and timestamp. Disabling tutorial release emails updates that preference and stops future tutorial release emails.
  • Consent records — kept for as long as needed to demonstrate your consent choices and defend compliance decisions. Our current implementation retains these logs indefinitely unless and until they can be safely deleted or aggregated.
  • AI review data — D2 workspace files are processed by Cloudflare Workers AI for evaluation. Review results are stored securely in our database as part of your problem progress.

10. Your rights

Under the GDPR, you have the following rights regarding your data:

  • Access & Portability — download a structured JSON export of your profile, problem progress, drafts, and evaluations from Settings › Privacy & Data. Contact us for records not included in the self-serve export, such as billing, consent, newsletter, or support records.
  • Erasure (Right to be forgotten) — delete your account and profile-linked app data from Settings › Privacy & Data. Some records may be retained where required or permitted for billing, tax, accounting, security, legal, or consent-demonstrability purposes.
  • Rectification — update your display name and avatar from Settings; contact us to correct other data.
  • Withdrawal of consent — disable analytics or marketing consent at any time from Settings › Privacy & Data or via the cookie banner. You can disable tutorial release emails from Settings › Preferences. Withdrawal does not affect the lawfulness of prior processing.
  • Restriction & objection — you may request that we restrict or stop processing your personal data in certain circumstances.
  • Complaint — you have the right to lodge a complaint with your national supervisory authority or with Bulgaria's Commission for Personal Data Protection regarding our processing of your personal data.

To exercise any of these rights outside of the self-serve dashboard, contact us at team@firebricklabs.com.

11. Cookies & local storage

We use browser localStorage to store your consent choices and optional analytics identifiers, and Supabase authentication cookies to keep you signed in. If you accept marketing, Meta Pixel may set cookies (e.g. _fbp) for conversion tracking and ad attribution. No optional analytics or marketing tracking is activated before you give explicit consent.

We self-host our site fonts, so page loads do not send runtime font requests to Google Fonts or another external font provider.

For full details on what is stored and how to manage your preferences, see our Cookie Policy.

12. Children's privacy

fivenines is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child under 16, please contact us at team@firebricklabs.com and we will promptly delete it.

13. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. The “last updated” date at the top reflects the most recent revision.