Privacy Policy
Last updated: 1 June 2026 (revised to cover account signup + Supabase) · Effective for the pre-launch website at stableark.io
StableARK is operated by Nova Skill Edge Limited, a company incorporated in England & Wales with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom (in this Policy, "StableARK", "we", "us", "our"). We are the data controller for personal data collected through this website.
We are committed to protecting your privacy and complying with the UK GDPR and the Data Protection Act 2018, the PECR, and, where applicable to visitors from those regions, the EU GDPR, Brazil's LGPD, and the CCPA / CPRA.
1. Scope of this Policy
This Policy applies to personal data we collect from visitors through the StableARK website at stableark.io while the service is in pre-launch. It does not yet cover the production freelancer-payments wallet or any future onboarding flow that connects to Upwork, Fiverr, Deel, freelancer.com, banking, or crypto rails — a separate, more detailed Privacy Policy will be issued before any production transactions are processed and will supersede this Policy in respect of those services.
2. Personal data we collect
During the pre-launch period we collect a deliberately minimal set of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, full name, country of residence, account password (one-way hashed by Supabase Auth — we never see your plaintext password) | Provided by you at signup |
| Authentication data | Session tokens stored in your browser's localStorage while you are logged in; email-verification tokens sent to your inbox | Generated by Supabase Auth |
| Communications | Emails you send to hello@, privacy@, or security@stableark.io and our replies | Provided by you |
| Technical data | IP address, browser user-agent, request timestamps, referring URL — logged by our hosting and authentication providers for security and abuse prevention | Automatic |
We do not collect phone numbers, postal addresses, financial account information, freelance-platform credentials, identity-document data, or biometric data through this website. We do not run third-party advertising trackers and we do not build behavioural profiles. Production wallet services (once launched) will require additional data — including ID verification under UK anti-money-laundering rules — and will be covered by a separate Production Privacy Policy.
3. How we collect it
- Directly from you — when you create an account, update your profile, or email us.
- Automatically — server logs at our hosting provider record technical data on each request as part of standard web operations.
4. Purposes & legal bases
We use your personal data only for these purposes:
- To create and operate your account, including authenticating you when you log in, displaying your profile and member number on your dashboard, and verifying your email address. Legal basis: steps taken at your request prior to entering into a contract (UK GDPR Art. 6(1)(b)).
- To notify you when new product features and payment corridors launch in your country and to provide product updates you have asked for. Legal basis: your consent (UK GDPR Art. 6(1)(a); PECR reg. 22).
- To prioritise which payment corridors we launch first, using country-of-residence data in aggregate. Legal basis: legitimate interest in efficient product development (UK GDPR Art. 6(1)(f)).
- To respond to your enquiries. Legal basis: steps taken at your request prior to entering into a contract (UK GDPR Art. 6(1)(b)) and legitimate interest (UK GDPR Art. 6(1)(f)).
- To secure the website and authentication system, prevent abuse, and meet legal obligations. Legal basis: legitimate interest (UK GDPR Art. 6(1)(f)) and legal obligation (UK GDPR Art. 6(1)(c)).
We will not use your personal data for any other purpose without your prior consent or a separate lawful basis.
5. Disclosure to third parties & subprocessors
We do not sell personal data. We do not share personal data with third parties for their own marketing. We share personal data only with the following categories of trusted service providers acting as our processors on our instructions:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Authentication, account database, session management for the signup, login, and dashboard pages. Stores email, name, country, hashed password, session tokens, IP address at signup. | USA / region you select at project creation (data stored in the region you choose for your Supabase project) |
| Netlify, Inc. | Website hosting, content delivery, request logging | USA / global edge |
| Google LLC (Google Workspace) | Email infrastructure for the stableark.io domain | USA / global |
We may also disclose personal data when required by law, court order, or a valid request from a competent authority, or where necessary to protect our rights, property, or safety, or that of our users or the public.
6. International transfers
Because our subprocessors operate global infrastructure, your personal data may be processed outside the United Kingdom and the European Economic Area, including in the United States. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards required by UK GDPR Article 46, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the European Commission's Standard Contractual Clauses, or the EU SCCs as appropriate, supported by a transfer-impact assessment.
7. Retention
- Account data (email, name, country, password hash) — kept while your account is active, plus 12 months after the last login. You can request deletion at any time by emailing privacy@stableark.io.
- Session tokens — stored in your browser's
localStoragewhile logged in; revoked when you click "Sign out" or when the session expires (default 1 hour, refresh token 1 week). - Email correspondence — kept for up to 24 months unless a longer retention is required for legal or accounting purposes.
- Server logs — kept for up to 90 days by our hosting and authentication providers for security and abuse prevention, then automatically deleted or anonymised.
8. Your rights
Under the UK GDPR you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention requirements.
- Restriction — ask us to restrict certain processing.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent — at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint — with the ICO at ico.org.uk or your local supervisory authority.
To exercise any of these rights, email privacy@stableark.io. We will respond within one calendar month as required by UK GDPR Article 12(3), and may need to verify your identity before acting on a request.
9. Security measures
We follow OWASP best practices and apply technical and organisational measures appropriate to the risk, including: HSTS-enforced HTTPS across the entire site, a strict Content Security Policy, X-Frame-Options: DENY against clickjacking, MIME-sniff blocking, no third-party tracking, principle-of-least-privilege access to data, and incident-response procedures. See our Security Policy for more.
10. Cookies & tracking
The StableARK website does not set tracking cookies. We use localStorage for two purposes only:
- Preferences — your chosen theme (light/dark) and your chosen language. These stay on your device and are not sent to us.
- Authentication session — when you are logged in, Supabase Auth stores your access and refresh tokens in
localStorageso you don't have to log in again on every page. These are strictly necessary to the service you have requested (your account). They are cleared when you click "Sign out".
We do not use Google Analytics or any third-party advertising network. PECR consent therefore does not apply to these strictly-necessary preferences and authentication tokens.
11. Children
StableARK is intended for adult freelancers, contractors, and the businesses that pay them. We do not knowingly collect personal data from children under 18. If you believe we have inadvertently collected such data, please contact us at privacy@stableark.io and we will delete it.
12. Changes to this Policy
We may update this Policy from time to time to reflect changes in law or our practices. We will revise the "Last updated" date and, for material changes, notify account holders by email. The current version is always available at stableark.io/privacy.html.
13. Contact & complaints
For any privacy question, request, or complaint, please contact:
Nova Skill Edge Limited — Privacy
128 City Road, London, EC1V 2NX, United Kingdom
Email: privacy@stableark.io
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO), or to your local supervisory authority in the EU/EEA, Brazil's ANPD, or another applicable regulator.