Privacy Policy

Last Updated: November 23, 2025

Shipanel ("Company," "we," "our," "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data when you use Shipanel (the "Service").

1. Information We Collect

1.1 Account Information

When you create a Shipanel account, we collect:

• Your name and email address
• Organization/company name
• Payment information (if upgrading to Pro)

1.2 Developer Information

When a developer is invited and connects via GitHub OAuth:

• Developer's GitHub username
• Developer's name and email
• List of repositories they have access to (read-only)

1.3 Repository and Push Data

To provide our core service, we process:

• Repository names and branch names
• Commit messages and timestamps
• Code diffs — BUT ONLY TEMPORARILY

Critical: We do NOT permanently store code or code diffs. Here's exactly what happens:

1. Developer pushes code to GitHub
2. Shipanel receives the git diff via GitHub webhook
3. AI processes the diff to generate an explanation
4. The code diff is immediately deleted from our systems (within seconds)
5. Only the explanation is stored in your dashboard
6. Code is gone. Permanently. No backup. No cache.

1.4 Usage and Analytics Data

• IP addresses and device information
• Browser type and operating system
• Pages visited, features used, time spent
• Error logs for debugging purposes
• Analytics cookies (Google Analytics, Segment)

1.5 Communication Data

• Support emails and chat transcripts
• Feedback and feature requests
• Survey responses

2. How We Use Your Information

We use collected information to:

• Provide and improve Shipanel (generating code explanations, managing invitations)
• Authenticate users and secure accounts
• Process payments and manage billing
• Send transactional emails (invitations, receipts, password resets)
• Respond to support requests
• Analyze usage patterns to improve the service
• Detect and prevent fraud or security threats
• Comply with legal obligations

3. Data We Do NOT Collect or Store

• Your source code — We read diffs temporarily, then delete them
• Keystrokes or screenshots — We are not a surveillance tool
• Activity logs of developers — We only know when code was pushed
• Passwords — We use GitHub OAuth; we never see your GitHub password

4.1 Third-Party Service Providers

4.1 We Share Data With:

• GitHub — Used for developer authentication via OAuth and to read repository metadata (repo names, branch names, commit metadata). No code is ever stored. Governed by GitHub’s Privacy Policy
• Fly.io — Our application hosting provider. Stores encrypted app data, serves the website globally, and manages server-side code execution. All customer/project data remains encrypted at rest.
• Supabase — Our secure managed database provider. Stores user accounts, project metadata, and AI-generated push explanations. Code diffs are never stored—only metadata and explanations persist.
• Lemon Squeezy — Handles payment processing for paid plans. Lemon Squeezy acts as Merchant of Record (MoR), so your payment information never touches Shipanel’s servers. Card and billing data is processed directly by Lemon Squeezy under strict PCI compliance. See Lemon Squeezy’s Data Processing Agreement.
• Google Analytics — Tracks anonymized website usage (page views, referral sources, feature usage). No personally identifiable information is shared. Used to improve user experience.
• Namecheap Private Email — Used to send transactional (invitations, password resets, support responses) and support emails from our official domain (hey@shipanel.com). No marketing lists shared with third parties.

4.2 We Do NOT:

• Sell your personal data to third parties
• Share code or code diffs with anyone
• Use your data for marketing to third parties
• Share data with advertisers

4.3 Legal Compliance

We may disclose information if required by law, court order, or government request. We will notify you of such requests when legally permitted.

5. Data Security

5.1 How We Protect Your Data

• All data in transit uses TLS 1.3 encryption
• Passwords are hashed using bcrypt
• Database encryption at rest (AES-256)
• Limited staff access (principle of least privilege)
• Regular security audits and penetration testing

5.2 Code Diff Handling

Code diffs are stored only in secure, encrypted cache while being processed:

• Deleted immediately after AI explanation is generated
• Not backed up or archived
• Not accessible to any staff member
• Not logged or monitored

5.3 What You Should Know

• No system is 100% secure. While we take security seriously, we cannot guarantee absolute security
• You are responsible for keeping your Shipanel password confidential

6. Data Retention

• Account information: Retained while your account is active, deleted 30 days after account closure
• Code diffs: Deleted immediately after processing (within seconds)
• Explanations/Dashboard data: Retained while your account is active, deleted upon request or account deletion
• Analytics data: Retained for 12 months then anonymized
• Payment records: Retained for 7 years (tax/legal compliance)

7. Your Privacy Rights

Depending on your location, you may have rights including:

7.1 GDPR (EU Users)

• Right to access your data
• Right to correct inaccurate data
• Right to deletion ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to lodge a complaint with your data protection authority

7.2 CCPA (California Users)

• Right to know what data we collect
• Right to delete your data
• Right to opt-out of data sharing
• Right to non-discrimination for exercising your rights

7.3 Other Jurisdictions

We comply with applicable privacy laws in your location.

To exercise any of these rights, contact us at: hey@shipanel.com

8. Cookies

8.1 Essential Cookies

• Session cookies to keep you logged in
• CSRF tokens for security
• Preference cookies (language, theme)

8.2 Analytics Cookies

• Google Analytics for usage insights
• These are optional; you can disable them

8.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies will impair the Service's functionality.

9. GitHub Integration

9.1 What Shipanel Accesses

When you authorize Shipanel via GitHub OAuth, we request:

• Read access to repository metadata
• Read access to commit data and diffs
• Repository name and branch information

9.2 What We Do NOT Access

• Your GitHub password (OAuth uses tokens, not passwords)
• Private repository code (unless explicitly granted access)
• Your GitHub account settings or SSH keys
• Other users' data

9.3 GitHub's Terms

Your use of GitHub is governed by GitHub's Terms of Service and Privacy Policy. Shipanel is not responsible for GitHub's data practices.

10. International Data Transfers

Shipanel may process data on servers located in the United States or other countries. If you are outside the US, your data is transferred internationally. By using Shipanel, you consent to this transfer. We comply with data transfer mechanisms including Standard Contractual Clauses under GDPR.

11. Children's Privacy

Shipanel is not intended for users under 16 years old. We do not knowingly collect data from children. If we discover we have done so, we will delete it immediately.

12. Changes to This Privacy Policy

We may update this policy at any time. Material changes will be announced via email or by prominently posting the updated policy at shipanel.com/privacy-policy. Your continued use of Shipanel after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related questions, requests, or concerns:

Email: hey@shipanel.com

Last Updated: November 23, 2025