Privacy Policy
Last updated: May 31, 2026
1. Introduction
Blacksmith.Works ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what we collect, why, how we use and share it, how long we keep it, and the rights you have. It applies to our website, applications, and services (the "Service") and should be read together with our Terms of Service.
2. Data Controller
The controller responsible for your personal data is [LEGAL ENTITY NAME], registered in the Republic of North Macedonia under company number [COMPANY REG. NO.], with its registered office at [REGISTERED ADDRESS]. For any privacy matter, contact us at privacy@blacksmith.works.
3. Information We Collect
Account information
- Full name and email address;
- Phone number and country of residence;
- Education level and current status, and developer role preferences;
- Account role (Client, Mentor, Company, or Admin).
Profile content you provide
- Profile photo / avatar and, for applicable roles, an uploaded CV or résumé;
- LinkedIn and GitHub profile links (optional);
- For Mentors: bio, skills, years of experience, portfolio links, and rates.
Authentication & security data
- A securely hashed password (we never store it in plain text);
- Two-factor authentication settings, including a TOTP secret and recovery codes, if you enable 2FA;
- Session and refresh-token records used to keep you signed in and to let you review active sessions.
Activity on the Service
- Mentoring sessions you book, attend, or deliver, including timestamp proofs uploaded by Mentors;
- Code review requests and their content, links, status, and your ratings and written feedback;
- Project applications, assignments, credits, and slot usage;
- Messages you send to other users and support requests you raise;
- Notifications and your notification preferences.
Payment information
Payments are processed by third-party payment processors. We do not store full card numbers on our servers; we receive limited transaction details (such as a processor reference, amount, status, and the last digits or card brand) needed to manage your purchases, refunds, and our records.
Technical & usage information
- Log and device data such as IP address, browser type, and pages visited;
- Diagnostic and error data captured by our error-monitoring provider when something goes wrong;
- Cookies and similar local-storage technologies (see the next section).
4. Cookies & Local Storage
We use a small number of strictly necessary cookies and browser local-storage entries to operate the Service. We keep this deliberately minimal:
- Essential cookies — bw_session (signals that you are signed in) and bw_role (your role, so the app can route you correctly). These are required for the Service to function and are not used for advertising.
- Local storage — your access token, refresh token, cached profile, and session expiry are stored in your browser to keep you signed in. They remain on your device until you sign out or they expire.
- Analytics — we use privacy-conscious, aggregated usage analytics to understand how the Service is used and improve it.
You can clear or block cookies and local storage through your browser settings, but doing so may prevent you from staying signed in or using parts of the Service.
5. How We Use Your Information
- Create and manage your account and authenticate you securely;
- Provide the Service — match Clients with projects and Mentors, run sessions and code reviews, and enable messaging;
- Process payments, credits, refunds, and (where applicable) Mentor payouts;
- Send service communications such as confirmations, reminders, and security alerts;
- Provide support and respond to your requests;
- Maintain security, prevent fraud and abuse, and enforce our Terms;
- Understand usage and improve the Service;
- Comply with legal, tax, and accounting obligations;
- Send marketing messages where you have opted in — you can opt out at any time.
6. Legal Bases for Processing
Where the EU/EEA General Data Protection Regulation (GDPR) or North Macedonia's Law on Personal Data Protection applies, we rely on the following legal bases:
- Performance of a contract — to create your account and provide the Service you request;
- Legitimate interests — to secure the Service, prevent fraud, monitor and fix errors, and improve our product (balanced against your rights);
- Consent — for optional features, marketing communications, and any non-essential cookies, which you can withdraw at any time;
- Legal obligation — to meet tax, accounting, and other legal requirements, and to respond to lawful requests.
7. How We Share Information
We share personal data only as needed and never sell it. Recipients may include:
- Partner Companies, limited to the information relevant to a project you are involved in;
- Mentors assigned to your sessions or reviews, and Clients you mentor;
- Service providers (subprocessors) who process data on our behalf under contract — see the next section;
- Professional advisers, or parties involved in a merger, acquisition, or asset sale, subject to confidentiality;
- Authorities or third parties where required by law or to protect our rights, users, or the public.
Some profile information (for example, an approved Mentor's public profile page) is intentionally public so it can be discovered and shared. We make this clear in the relevant part of the Service.
8. Subprocessors & Providers
We use the following categories of providers to run the Service. Each processes personal data only on our instructions and under appropriate data-protection terms:
- Vercel — hosting and delivery of our web front end, plus aggregated usage analytics;
- Fly.io — hosting of our application backend and database;
- Sentry — error and performance monitoring (diagnostic data when something goes wrong);
- Resend — delivery of transactional and notification emails;
- Our content delivery network (cdn.blacksmith.works) — serving images and uploaded files such as avatars and CVs;
- Payment processor(s) — securely processing payments and refunds (named here once payments are enabled).
We keep this list current. If you would like the specific identities and locations of our providers at any time, contact privacy@blacksmith.works.
9. International Data Transfers
Some of our providers process data outside North Macedonia or the EU/EEA. Where we transfer personal data internationally, we put appropriate safeguards in place — such as the European Commission's Standard Contractual Clauses or a finding of adequacy — so that your data remains protected. You may request a copy of the relevant safeguards by contacting us.
10. Data Retention
We keep personal data only as long as necessary for the purposes described above:
- Account & profile data — for as long as your account is active, and for a limited period after closure to handle disputes and obligations;
- Session, review & feedback records — for the period needed to support the working relationship and any dispute window;
- Payment & invoicing records — for the period required by tax and accounting law;
- Diagnostic logs — for a short period (typically up to 90 days) before deletion or anonymisation;
- Marketing preferences — until you withdraw consent or object.
When data is no longer needed, we delete or anonymise it. Some information may be retained longer where the law requires it.
11. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Request deletion of your data (the "right to be forgotten");
- Restrict or object to certain processing;
- Receive your data in a portable, machine-readable format;
- Withdraw consent at any time, without affecting prior processing;
- Opt out of marketing communications.
To exercise any of these rights, email privacy@blacksmith.works. We will respond within one month, as required by law (this period may be extended for complex requests, in which case we will tell you). We may need to verify your identity first.
12. Data Security
We use technical and organisational measures appropriate to the risk, including:
- Encryption of data in transit (HTTPS/TLS);
- Hashed passwords and optional two-factor authentication;
- Role-based access controls and monitoring;
- Reputable, security-conscious hosting and infrastructure providers.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If a breach affects your data and the law requires it, we will notify you and the relevant authority without undue delay.
13. Children's Privacy
The Service is not intended for anyone under 16 years of age, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
14. Automated Decision-Making
We may use automated tools to suggest projects or Mentors that fit your profile. These recommendations are aids, not binding decisions with legal or similarly significant effects, and a human remains involved in account, payment, and moderation outcomes. If this changes, we will update this policy and, where required, seek your consent.
15. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email or through the Service. We encourage you to review this page periodically.
16. Contact & Complaints
For privacy questions or to exercise your rights, contact us at privacy@blacksmith.works or by post at [LEGAL ENTITY NAME], [REGISTERED ADDRESS].
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority — in North Macedonia, the Agency for Protection of Personal Data (Агенција за заштита на личните податоци), and if you are in the EU/EEA, your local data-protection authority.