Privacy Policy
The Sky Heist is built on a principle of minimal data. We collect as little as possible — only what we need to make a million strangers feel each other's presence.
What we collect
- An anonymous participant ID. When you first visit, your browser generates a random identifier (UUID) and stores it locally on your device. This ID is sent with each heartbeat so we can count unique simultaneous participants. It is not tied to your real identity.
- Local progress state. Your visit history within the 30-day arc is stored in your browser's localStorage. We do not send this to our servers.
- Payment information. When you pay the $1 entry, Stripe collects your card details, name, and (optionally) email. We do not see, store, or have access to your full card details. We can see the last four digits and your name as it appeared on the card.
- Technical information. Our hosting providers (Vercel and Cloudflare) automatically log IP addresses, browser types, and request times for security, rate-limiting, and abuse-prevention purposes. These logs are retained for a limited period and not used to profile individuals.
What we don't collect
- We don't ask for your name, email, age, or location to use the experience.
- We don't use tracking cookies.
- We don't use third-party analytics that build profiles of you.
- We don't sell or share your data with advertisers.
Why we collect what we do
- To count how many participants are present right now (the live counter)
- To process your $1 entry payment
- To prevent abuse, fraud, or attempts to manipulate the count
- To investigate technical errors and improve reliability
Who we share data with
We use a small number of third-party service providers strictly to operate the Service:
- Stripe — payment processing. stripe.com/privacy
- Upstash — Redis hosting for the live participant count. upstash.com/privacy
- Vercel — web hosting and edge functions. vercel.com/legal/privacy-policy
- Cloudflare — DNS and edge CDN. cloudflare.com/privacypolicy
We do not share data with anyone else.
How long we keep things
- Heartbeat presence data: automatically expires within a few minutes of your last activity.
- Payment records: retained by Stripe per their policy; we retain transaction metadata for tax and accounting purposes as required by law.
- Hosting logs: retained by our providers for a short period (typically 30 days) for security and operational purposes.
Your rights
Depending on where you live, you may have rights under data protection law (GDPR in the EU/UK, CCPA in California, similar regimes elsewhere) including:
- The right to know what data we hold about you
- The right to request deletion of your data
- The right to a copy of your data in portable form
- The right to object to certain processing
To exercise any of these, email [email protected]. We may ask you to verify your identity (typically via your Stripe payment record) before fulfilling the request.
Children
The Service is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has used the Service, please contact us.
Cookies and local storage
We do not use tracking cookies. We use browser localStorage to remember your progress through the 30-day arc and your anonymous participant ID. You can clear this at any time using your browser's settings, and the Service will treat you as a new participant.
Changes to this policy
If we make material changes, we'll update the "Last updated" date above and, where appropriate, give notice through the Service.
Contact
Questions about privacy: [email protected]