
Last updated: 25 May 2026

Privacy Policy

This Privacy Policy explains how Interstellar Express ("we", "us", "our"), operator of interstellarxp.com, collects, uses, and protects your personal data. We are committed to full compliance with the EU General Data Protection Regulation (GDPR) and the ePrivacy Directive.

Data controller: Interstellar Express · privacy@interstellarxp.com

1. Data We Collect

Account data

  • Email address — collected when you create an account. Required to authenticate and contact you about your wagons and submissions.
  • Password hash — stored securely via Supabase Auth; we never store your plain-text password.

Content you submit

  • Pixel art (wagons) — stored as a JSON colour array and displayed on the public train.
  • Audio tracks (Galaxy FM) — uploaded to Supabase Storage and played publicly once approved.
  • Competition entries — associated pixel art and any metadata you provide during submission.
  • Feedback — text you submit via the feedback form.

Payment data

Payments are processed by Stripe, Inc. We do not store full card numbers or bank details. We store: the Stripe session ID, payment amount, payment type (wagon / Galaxy FM track / donation), and fulfilment status. See Stripe's privacy policy at stripe.com/privacy.

Technical / log data

Standard server logs (IP address, browser type, pages accessed) retained for up to 30 days for security and debugging. We use no third-party analytics trackers.

2. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — account registration, wagon/track publication, payment processing.
  • Legitimate interests (Art. 6(1)(f)) — fraud prevention, security logging, content moderation.
  • Legal obligation (Art. 6(1)(c)) — retaining payment records as required by EU tax law (typically 7 years).
  • Consent (Art. 6(1)(a)) — optional cookies (none currently set beyond authentication).

3. How We Use Your Data

  • Operate your account and authenticate your sessions.
  • Display your pixel art and audio tracks on the public platform.
  • Process and confirm payments via Stripe.
  • Send transactional emails (account confirmation, wagon approval/rejection, competition results) via Resend.
  • Moderate user-generated content for compliance with our Community Guidelines.
  • Respond to support requests and legal notices.

4. Who We Share Data With

We do not sell your data. We share data only with the following processors under data processing agreements (DPAs):

  • Supabase, Inc. (US) — database and file storage. Data transferred under EU Standard Contractual Clauses (SCCs). Privacy policy.
  • Stripe, Inc. (US) — payment processing. Covered by EU–US Data Privacy Framework adequacy decision. Privacy policy.
  • Resend, Inc. (US) — transactional email delivery. Data transferred under SCCs. Privacy policy.
  • Vercel, Inc. (US) — hosting and CDN. Data transferred under SCCs. Privacy policy.

We may disclose data when required by law, court order, or to protect the rights and safety of users or the public.

5. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Pixel art & audio: Retained while your account is active. Deleted on account deletion.
  • Payment records: Retained for 7 years as required by EU tax law.
  • Server logs: 30 days maximum.

6. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the right to:

  • Access — receive a copy of the personal data we hold about you (Art. 15).
  • Rectification — correct inaccurate or incomplete data (Art. 16).
  • Erasure — request deletion of your data ("right to be forgotten") (Art. 17).
  • Restriction — restrict processing of your data in certain circumstances (Art. 18).
  • Portability — receive your data in a structured, machine-readable format (Art. 20).
  • Objection — object to processing based on legitimate interests (Art. 21).
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting past processing.

To exercise any right, email privacy@interstellarxp.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (e.g. Data Protection Commission in Ireland).

7. Cookies

We use only one first-party cookie: the Supabase authentication session cookie, which is strictly necessary to keep you logged in. No third-party advertising or tracking cookies are set. No cookie banner is required because we do not use consent-based cookies.

8. Children's Privacy

The platform is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email for material changes. The "last updated" date at the top of this page reflects the current version. Continued use of the platform after changes constitutes acceptance.

10. Contact

Privacy enquiries: privacy@interstellarxp.com

General contact: sparks@interstellarxp.com