Privacy Policy
1. Introduction
ShipDeck (“we”, “our”, or “us”) operates the ShipDeck platform accessible at app.shipdeck.dev (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Your name and email address
- Profile information from your authentication provider (Google or GitHub)
- Account preferences and settings
2.2 Project Data
When you use the Service, we collect and process:
- GitHub repository metadata (repository names, file structures, commit history)
- Source code submitted for AI analysis (processed transiently and not stored permanently)
- Project management data (milestones, tasks, documents, budgets)
- AI agent run results and generated reports
2.3 Google User Data
If you sign in with your Google account, we access the following data:
- Google Profile: Your name, email address, and profile picture for authentication and account display.
We do not access your Gmail messages, Google Drive files, or Google Calendar events through your Google sign-in. Email and file integrations in ShipDeck are powered by separate automation workflows (n8n) that use independently configured service credentials, not your personal Google OAuth token.
2.4 Communication Data
We collect messages sent through integrated communication channels (e.g., WhatsApp via AIDeck).
2.5 Usage Data
We automatically collect:
- Log data (IP address, browser type, pages visited, timestamps)
- Feature usage patterns and interaction data
- AI token consumption and agent execution metrics
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Run AI-powered code analysis, generate project documents, and produce actionable insights
- Manage your projects, track milestones, and facilitate team collaboration
- Send notifications about agent runs, analysis results, and project updates
- Process payments and manage your subscription
- Respond to support requests and communicate with you about the Service
- Detect and prevent fraud, abuse, or security incidents
- Comply with legal obligations
4. Google User Data — Specific Disclosures
ShipDeck’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
4.1 How We Use Google Data
ShipDeck requests only basic, non-sensitive Google OAuth scopes:
- openid — Verify your identity via OpenID Connect.
- email — Read your email address for account creation and login.
- profile — Read your name and profile picture for display in the app.
We do not request access to Gmail, Google Drive, Google Calendar, or any other Google service through your OAuth token.
4.2 Google Data Storage
- Your email address, display name, and profile picture URL are stored in our database for the lifetime of your account.
- Session data is stored temporarily and expires after 7 days of inactivity.
- We do not store Google OAuth access tokens or refresh tokens long-term.
4.3 Google Data Sharing
We do not share Google user data with any third parties. Your Google profile information stays within the ShipDeck platform.
4.4 Revoking Google Access
You can revoke ShipDeck’s access to your Google data at any time by:
- Visiting your Google Account permissions page and removing ShipDeck.
- Using the disconnect option in your ShipDeck Settings page.
Upon revocation, your Google profile data will be removed within 30 days. Authentication sessions are invalidated immediately.
5. Third-Party Services
We integrate with the following third-party services to provide our functionality:
- Anthropic (Claude AI): We send project data and code to Anthropic’s Claude API for AI-powered analysis. Data sent to Claude is not used to train AI models.
- GitHub API: We access your GitHub repositories (with your authorization) to import project data, analyze codebases, and track changes.
- Google OAuth: We use Google Sign-In for authentication only (email, name, profile picture). See Section 4 for details.
- Stripe: We use Stripe for payment processing. We do not store your credit card information.
6. Data Storage and Security
We take the security of your data seriously:
- Your data is stored in a PostgreSQL database hosted on a dedicated server located in Germany (Contabo GmbH data center).
- All data is encrypted in transit using TLS 1.2 or higher.
- Database connections are restricted to localhost (not publicly accessible).
- Server backups are performed daily and encrypted at rest.
- AI agent containers are ephemeral and isolated; source code loaded for analysis is not persisted after the agent run completes.
- Authentication is handled via Better Auth with secure, HTTP-only session cookies.
- Access to production systems is restricted and monitored.
7. Data Sharing
We do not sell, trade, or rent your personal information to third parties. We may share data only in the following circumstances:
- With third-party service providers necessary to operate the platform (as listed in Section 5).
- When required by law, regulation, or legal process.
- To protect the rights, safety, or property of ShipDeck, our users, or the public.
8. Data Retention
- Account data is retained for as long as your account is active.
- Project data is retained until you delete it or close your account.
- After account closure, your data enters a 30-day grace period, then is permanently deleted.
- Usage logs and analytics data are retained for up to 12 months.
- Backup snapshots are retained for 10 days on a rolling basis.
9. Your Rights
You have the right to:
- Access: Request a copy of all personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of your account and all associated data.
- Export: Request an export of your project data in a machine-readable format (JSON).
- Restriction: Request restriction of processing of your personal data.
- Objection: Object to the processing of your personal data for certain purposes.
- Portability: Request transfer of your data to another service provider.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.
10. Cookies and Local Storage
ShipDeck uses the following browser storage mechanisms:
- Session cookies: Essential cookies for authentication and maintaining your login session. These are HTTP-only and secure.
- Local storage: Used to store your UI preferences (theme, sidebar state, selected project). This data never leaves your browser.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not use Google Analytics or similar tracking services.
11. Children’s Privacy
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16.
12. International Data Transfers
Your data is primarily stored on servers located in Germany. When data is processed by third-party services (such as Anthropic’s Claude AI or GitHub), it may be transferred to and processed in the United States. These transfers are conducted under appropriate data processing agreements and safeguards.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the “Last Updated” date. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
14. Contact Us
If you have any questions about this Privacy Policy, your data, or your rights, please contact us:
Email: [email protected]
Owner: Osama Rehman Mughal ([email protected])
Website: shipdeck.dev