SQLMaxx
Sign in Start free
Dashboard

Privacy Policy

Last updated: June 15, 2026

This Privacy Policy explains how SQLMaxx, a sole proprietorship operated by Owen Middleton (“SQLMaxx,” “we,” “us,” or “our”), collects, uses, shares, and protects information when you visit sqlmaxx.com or use our learning platform (collectively, the “Service”). By using the Service, you agree to the practices described here. If you do not agree, please do not use the Service. This Policy is part of, and should be read together with, our Terms of Service.

1. Information we collect

Information you provide directly.

  • Account information — your email address and, optionally, a display name. Your password is handled by our authentication provider (Supabase) and is stored only in a salted, hashed form; we never see or store your plain-text password.
  • Payment information — if you subscribe to SQLMaxx Pro, your payment card details are collected and processed directly by Stripe, our payment processor. We do not receive or store your full card number. We store a Stripe customer identifier and your subscription status and plan so we can grant access.
  • Communications — if you email us (for example, for support or to request deletion), we receive your message and contact details.

Information generated through your use of the Service.

  • Learning and progress data — your problem attempts and outcomes, mastery and memory-scheduling estimates, review activity, onboarding progress, and similar signals that the learning engine uses to personalize your practice.
  • Product analytics events — anonymous and account-linked events about how you interact with the Service (for example, that a lecture was run or a problem was submitted), used to operate and improve the product. Some of these events are processed by our analytics provider (PostHog), subject to your consent choice — see Sections 4 and 5.
  • Technical and log data — your IP address, browser type, device and operating system information, and similar diagnostic data, processed in part by our hosting and security provider (Cloudflare) to deliver and protect the Service.

Guest use. You may try parts of the Service without an account. In guest mode we store your progress locally in your browser and may record anonymized activity tied to a randomly generated guest session identifier that is not linked to any personal identity. If you later create an account, we may associate that progress with your new account.

2. The SQL you write, and the Maxx AI grader

The SQL you write and run in practice problems executes entirely inside your own browser (using an in-browser database engine). In ordinary use, the SQL you run is not transmitted to our servers.

There is one important exception. If you choose to request AI feedback on an answer (the “Ask Maxx” feature), the SQL you submitted, together with limited problem context, is sent to our server and then to OpenRouter, a third-party AI model provider, so it can generate feedback. We retain limited records of these requests (such as the problem, an outcome, and operational metrics) to provide the feature, control costs, and prevent abuse. Please do not enter personal, confidential, or sensitive information into the SQL editor.

3. How we use your information

  • To provide, operate, and maintain the Service, including your account and access.
  • To personalize your learning — track mastery, schedule spaced reviews, and select problems.
  • To process subscriptions, payments, renewals, and cancellations through Stripe.
  • To send you transactional and account emails (for example, email confirmation and password resets).
  • To monitor, secure, debug, and improve the Service, and to measure aggregate usage.
  • To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.
  • To comply with legal obligations and enforce our agreements.

We do not sell your personal information, and we do not use it for third-party advertising or to build cross-site advertising profiles.

4. How we share your information

We share information only as described below. We do not sell or rent your personal information.

  • Service providers (sub-processors) that operate the Service on our behalf, under contractual confidentiality and data-protection obligations:
    • Supabase — authentication and database hosting (your account and learning data).
    • Stripe — payment processing and subscription billing.
    • OpenRouter — AI model access used only when you request Ask Maxx feedback.
    • Resend — delivery of transactional and authentication emails.
    • Cloudflare — website hosting, content delivery, and security (including bot/abuse protection).
    • PostHog — product analytics, hosted in the EU region, used to measure and improve how the Service is used. PostHog runs only in accordance with your consent choice (see Section 5).
  • Legal and safety — when we believe in good faith that disclosure is required by law, legal process, or to protect the rights, property, or safety of SQLMaxx, our users, or others.
  • Business transfers — in connection with a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to this Policy.

Each third-party provider processes data under its own privacy policy. We encourage you to review the policies of Supabase, Stripe, OpenRouter, Resend, Cloudflare, and PostHog.

5. Cookies, local storage, and analytics consent

We use cookies and browser storage that are necessary to operate the Service — authentication and session tokens that keep you signed in, and local/session storage used to remember in-progress work (such as draft queries and onboarding state). Our security provider (Cloudflare) may set strictly necessary cookies to protect the Service against abuse. We do not use advertising or cross-site tracking cookies.

We also use PostHog for product analytics, which stores a first-party identifier on your device to measure how the Service is used. This analytics storage is not strictly necessary, so we handle it based on your location and choice:

  • EU, UK, and EEA visitors — analytics stays off until you opt in. We show a consent banner on your first visit, and PostHog does not run unless you choose “Accept.”
  • Visitors elsewhere — analytics is on by default, and you can opt out at any time.

You can change your choice at any time from the Privacy section of your Account settings. You can also control cookies through your browser settings, though disabling essential cookies may break sign-in and core features.

6. Data retention

We retain your account and learning data for as long as your account is active, and as needed to provide the Service. We retain billing and transaction records for as long as required to meet legal, tax, and accounting obligations. When you delete your account (see Section 8), we delete or anonymize your personal data within a reasonable period, except where we are required or permitted by law to retain certain records. Aggregated or de-identified data that cannot reasonably be linked to you may be retained for analytics and product improvement.

7. Data security

We use reasonable technical and organizational measures to protect your information, including encryption in transit (HTTPS/TLS), encryption at rest at our database provider, and row-level security controls so that you can access only your own data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your login credentials confidential and for any activity under your account.

8. Your privacy rights and choices

Subject to applicable law, you may request to access, correct, export, or delete your personal information, and you may object to or restrict certain processing. To exercise these rights, or to request deletion of your account and associated personal data, email us at [email protected]. We will respond within the time required by applicable law (and in any event aim to act on deletion requests within 30 days). We may need to verify your identity before acting on a request.

California residents. We do not sell or “share” personal information as those terms are defined under California law, and we will not discriminate against you for exercising your privacy rights. You may exercise the access and deletion rights described above by contacting us at the address above.

9. Children’s privacy

The Service is intended for users who are at least the age of majority in their jurisdiction (and in no case under 16). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

10. International users and data location

SQLMaxx is operated from the United States, and the information we collect is processed and stored in the United States and in other countries where our service providers operate. If you access the Service from outside the United States, you understand that your information may be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those in your country.

11. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or through the Service. Your continued use of the Service after an update takes effect constitutes acceptance of the revised Policy.

12. Contact us

If you have questions or requests regarding this Privacy Policy or your personal information, contact us at [email protected]. This Policy is governed by the laws of the State of New York, United States, as further described in our Terms of Service.

See also: Terms of Service