Privacy

If you only read the site

The public surfaces (the directory, weekly digests, deep dives, founder profiles, events) do not require a sign-in and do not collect a name or email from anonymous visitors. Server logs record the IP address of incoming requests for rate-limiting and abuse-prevention. When the platform sends an analytics event tied to an anonymous request, the IP is hashed with a server-side salt before it leaves the request boundary; the raw IP never reaches a third party.

If you request beta access

The beta-access form at /beta collects your name, email, role (founder, operator, investor, student, other), optionally your company name, and how you heard about Triangle Startups. The platform stores those values in a queue so the founder can review and approve invitations. If approved, the email is used to send a one-time sign-in link from Supabase. The landing URL and user-agent string of the request are stored alongside the row for context. The IP address is stored as a hash, not raw.

If you sign in

Triangle Startups uses Supabase Auth for sign-in. Three methods are supported: email-and-password, one-time email codes, and social sign-in (Google, LinkedIn, GitHub when enabled). For email-and-password, the platform stores your email address and a salted hash of your password (Supabase handles the hashing; the platform never sees the plain password). For social sign-in, the provider returns your email, your full name, and a profile picture URL; the platform stores those in your authentication record. Job title, current company, education, and the URL of your LinkedIn profile are not requested or stored.

Once signed in, the features available to you (a watchlist of companies, private notes against company profiles, weekly-digest preferences) save additional structured data tied to your account. That data is visible only to you and the founder.

Who else sees the data

• Supabase hosts the database and authentication layer. Your account record, beta signup row, watchlist, and notes live in Supabase Postgres.
• Vercel hosts the application code and serves requests. Vercel sees request-level logs (URL, response code, latency) but does not see structured user data beyond what Supabase returns.
• PostHog receives product-analytics events (page views, button clicks, search submissions, sign-in attempts). Anonymous events use a hashed IP as the identifier; signed-in events use a hashed email. The browser sends these through a same-origin reverse proxy so the events are not blocked by ad-blockers that match the PostHog domain. PostHog never receives raw IPs or raw email addresses.
• Google / LinkedIn / GitHub see only the fact that you initiated an OAuth sign-in. They do not receive a list of who else uses Triangle Startups.
• Email providers(Supabase's default SMTP or a future Resend / Postmark integration) handle the actual delivery of invitation, magic-link, and notification emails. They see the recipient address and the email body.

The platform does not sell, license, or otherwise share user data with third parties beyond the infrastructure vendors named above.

Cookies and similar

The site uses one functional cookie: a Supabase session token that keeps you signed in. PostHog sets a first-party `distinct_id` cookie for the same-origin analytics proxy. There are no advertising cookies, no third-party tracking pixels, and no remarketing tags. The site does not load Facebook Pixel, Google Ads, or similar.

Your rights

• Access: email trianglestartups@gmail.com from your account email and the platform will reply with the data on file.
• Correction: same address. Send what is wrong and what it should be.
• Deletion: same address. Account, beta-signup row, watchlist, notes, and analytics events tied to your hashed identifier are removed within seven days. Aggregated counts (the “25,000 visitors this week” type) are not reversible because they are not tied to individual records.
• Export: a CSV of your watchlist and notes is available on request.

Retention

Account data is retained while your account exists. Analytics events older than 24 months are aggregated and the per-event records are deleted. Beta-signup rows that are explicitly declined are retained for 90 days for audit purposes, then deleted. The IP-hash salt is rotated on a schedule consistent with security best practice; raw IPs are never persisted to a long-term store.

Children

Triangle Startups is intended for founders, operators, investors, students, and reporters working in or covering the Triangle startup landscape. The platform is not directed at children under 13 and does not knowingly collect data from children under 13. If you believe a record on the platform describes someone under 13, email trianglestartups@gmail.com and the record will be removed.

Changes

This policy can change. Material changes show on this page; the date at the top tracks the last edit. Significant changes that affect signed-in users will also surface as an in-app notice on your next sign-in.