How we handle your data.

cowbar is a curated directory of AI developers ("vibecoders") operated by the cowbar.dev team. For privacy questions or data requests, write to privacy@cowbar.dev.

Two paths put data in our system:

• Waitlist: your email address only.
• Application form (/apply): first name, last name, email, age, username, location (optional), timezone (optional), short bio, stack and project-type selections, ship-speed estimate, shipped-project count, portfolio links, starting price, hourly rate (optional), social handles for X / TikTok / GitHub (optional), personal site URL (optional), and a short "why cowbar" note. We also briefly store a hashed, short-lived email verification code (15-minute lifetime).

We don't use cookies for tracking, run analytics, or load third-party scripts. The only cookie-like storage today is a small consent record in your browser's localStorage so we don't re-prompt you.

• Waitlist email — consent (GDPR Art. 6(1)(a)). You give it to us so we can tell you when the directory launches. Unsubscribe at any time by replying to any cowbar email or writing to privacy@cowbar.dev.
• Application data — consent + legitimate interest (Art. 6(1)(a) and (f)). Consent for processing the form you submit, legitimate interest for reviewing it and contacting you about your application.
• Verification code — legitimate interest. Confirms the email belongs to the applicant. Hashed, expires after 15 minutes.

We use a small set of processors:

• Supabase (database / Postgres, EU region) — stores waitlist and application records.
• Resend (transactional email) — delivers the verification code, application confirmations, and approval / rejection emails. Acts as a sub-processor under GDPR Art. 28.
• Vercel (hosting) — runs the site and its server functions.

We do not sell your data. We do not share it with advertisers, brokers, or marketing networks.

Email sending and delivery are handled by Resend, which stores email metadata, API logs, and analytics in the United States. The transfer is lawful under the EU-U.S. Data Privacy Framework, to which Resend is certified. The DPF is the European Commission’s adequacy decision adopted on 10 July 2023, which replaced the Privacy Shield framework invalidated by the Schrems II ruling.

Resend’s data-processing agreement is at resend.com/legal/dpa and the current sub-processor list at resend.com/legal/subprocessors. Resend’s GDPR posture is documented at resend.com/security/gdpr.

Supabase data stays in the EU region we configured. Vercel may serve static assets from edge locations worldwide, but no personal data is stored on Vercel — runtime compute reads from the EU Supabase instance.

• Waitlist email: until you ask us to remove it, or until the launch announcement is sent and you don't opt in to anything further.
• Application records: kept until you ask us to delete them. Rejected applications can be re-submitted after 3 months; applications removed for cause stay flagged to prevent re-submission.
• Verification codes: 15 minutes (then expired and cleared).

Under GDPR you can:

• Ask for a copy of the data we hold about you (access).
• Correct it if it’s wrong (rectification).
• Have it deleted (erasure / "right to be forgotten").
• Object to processing or restrict it.
• Lodge a complaint with your national supervisory authority.

To exercise any of these, email privacy@cowbar.dev from the address on file. We aim to respond within 30 days.

cowbar currently sets only essential cookies — meaning items required to serve the page you asked for. The /admin route uses HTTP Basic Auth, which browsers cache for the session. The cookie-consent banner stores your choice (accepted / rejected) in your browser's localStorage so we don't re-prompt for 12 months.

We don't run analytics or load third-party scripts today. If we add them later (e.g. privacy-respecting analytics), this page will be updated and the banner will ask before any non-essential storage happens.

If we make material changes to how we handle your data, we'll update this page and note the date. Minor copy edits won't bump the date.