Privacy Policy

1. What We Collect

We collect the minimum data necessary to operate the service:

• Account data: Email address and GitHub profile information used to sign up
• API keys: Hashed and stored encrypted (Argon2id + SQLCipher)
• Usage data: Session count, session-minutes consumed, timestamps
• Billing data: Processed by Stripe — we do not store card numbers
• Request logs: API endpoint, timestamp, response code, duration (retained 90 days)

2. What We Do NOT Collect

• We do not log URLs you visit during sessions
• We do not store page content, screenshots, or browsing history
• We do not retain browser fingerprints after session termination
• We do not track mouse movements, keystrokes, or behavioral data from your sessions
• We do not sell, share, or trade any user data
• We do not use tracking cookies, analytics scripts, or third-party trackers on our website

3. Session Data

Browser sessions are fully ephemeral by default. When a session ends — either by disconnection, timeout, or explicit deletion — the browser instance, assigned fingerprint, proxy binding, and all associated data are permanently destroyed.

Persistent profiles: When you explicitly save a browser profile (cookies, localStorage), this data is stored encrypted on our servers and associated with your API key. Saved profiles are automatically deleted after 30 days of inactivity. You can delete profiles at any time via the API.

4. Data Security

We take security seriously:

• API keys are hashed with Argon2id (OWASP 2025 parameters)
• Database encrypted with SQLCipher (AES-256)
• All API traffic over TLS 1.3
• Key validation uses constant-time comparison
• Audit logging for all API access
• Rate limiting per API key and per IP address
• Session isolation — sessions cannot access each other's data

5. Third Parties

We use the following third-party services:

• Stripe: Payment processing (PCI DSS compliant)
• Hetzner: Server infrastructure (Falkenstein, Germany)
• Vercel: Website hosting
• GitHub: OAuth authentication

We do not share user data with any of these providers beyond what is necessary for their service.

6. Data Retention

• Account data: retained while your account is active
• Usage logs: retained for 90 days for billing and debugging
• Saved browser profiles: deleted after 30 days of inactivity
• Session data: destroyed immediately upon session termination

You can request account deletion at any time. All associated data will be permanently removed within 30 days.

7. GDPR (EU Users)

If you are located in the European Economic Area, you have the right to access, correct, delete, or port your personal data. Our servers are located in Germany (Hetzner, Falkenstein). We process data under the legal basis of contract performance (providing the service you signed up for). To exercise your rights, contact us at the address below.

8. CCPA (California Users)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at the address below.

9. Law Enforcement

We may disclose user data in response to valid legal process, including subpoenas, court orders, or government requests. We will notify you of such requests unless legally prohibited from doing so.

10. Data Processing Agreement

Enterprise customers who require a Data Processing Agreement (DPA) for GDPR or other compliance purposes may request one by contacting us.

11. Children

Shadey is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.

12. Your Rights

Regardless of your location, you can request access to, correction of, or deletion of your data at any time. Contact us and we will respond within 30 days.

13. Changes

We may update this policy. Material changes will be communicated via email with at least 14 days notice. Continued use after changes take effect constitutes acceptance.

14. Contact

Privacy questions: contact@shadey.dev