Privacy policy

How Shipset collects, processes, and protects your personal data.

Last updated · 13 May 2026

This is a draft document

Shipset is in pre-launch. These terms describe our intent but have not yet been reviewed by counsel. They are not a substitute for professional legal advice, and final wording may change before public launch.

1. Who we are

The controller under the EU General Data Protection Regulation (GDPR) and applicable German data protection law is the operator of this site. Contact details are listed in our Impressum.

2. What data we collect

We process the following categories of personal data:

Account data — email address, username, display name, hashed password, optional bio + location, profile image URL, language preference, two-factor enrollment state. Provided by you when you sign up or update your profile.
Authentication data — session tokens (stored in HTTP-only cookies), OAuth provider identifiers when you log in via GitHub / Google / Discord, the IP-hash of your sign-in (truncated SHA-256, never the raw IP).
Usage data — challenges you start, tasks you mark complete, submissions you publish, comments + tips you post, content you like or report.
Billing data — when you subscribe to a paid plan, Stripe collects your payment instrument and billing address. We store only the resulting subscription identifiers, your VAT region, and invoice references — never card numbers.
Technical data — user-agent (truncated), referrer, locale, timestamps of key events (security activity log). Server-side error reports forwarded to Sentry.

3. Why we process this data (legal basis)

Contractual performance (Art. 6(1)(b) GDPR) — running the service you signed up for, fulfilling Pro subscriptions, processing submissions.
Legitimate interests (Art. 6(1)(f) GDPR) — securing the platform (bot-protection via Cloudflare Turnstile, rate-limiting via Upstash Redis), preventing fraud, debugging via Sentry, maintaining audit trails on security-relevant events.
Consent (Art. 6(1)(a) GDPR) — newsletter subscription, optional analytics cookies (see Cookies). Consent is freely revocable at any time.
Legal obligation (Art. 6(1)(c) GDPR) — invoicing retention under §147 AO (10 years), DSGVO record-keeping.

4. Who we share data with (processors)

The following data processors operate parts of the service on our behalf:

Vercel Inc. (USA) — application hosting, Edge functions, deployment logs. Contract per Art. 28 GDPR + EU Standard Contractual Clauses for transfers.
Supabase Inc. (EU-West region) — Postgres database + file storage. Processing within the EU.
Cloudflare Inc. (USA) — DNS, CDN, R2 object storage, Turnstile bot challenge. Cloudflare Email Routing handles inbound mail.
Sentry GmbH (Germany, ingest in DE region) — error monitoring + performance traces. IPs are scrubbed; user identifiers are pseudonymous.
Resend Inc. (USA) — transactional email (verification, password reset, notifications). Contract per Art. 28 GDPR.
Stripe Inc. (USA / Ireland) — payment processing. Direct controller for card data; we never see your card number.
Upstash Inc. (USA, EU region) — managed Redis for rate-limiting and ephemeral session metadata.

5. International transfers

Some processors are headquartered in the United States. Transfers rely on EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). Copies of the safeguards are available on request.

6. How long we keep data

Account data — for as long as your account is active. After deletion, we keep the bare minimum (pseudonymous user-id reference) for legal-defence and audit purposes, max 6 months.
Security events — 1 year (for incident investigation).
Invoices + tax records — 10 years per §147 AO.
Sentry events — 30 days for breadcrumbs, 90 days for issues.

7. Your rights

Under the GDPR you have the right to:

request access to your data (Art. 15) — available at any time via Settings;
request rectification of inaccurate data (Art. 16);
request deletion (Art. 17) — "Delete account" in Settings irreversibly removes your profile, submissions, and comments;
restrict processing (Art. 18);
data portability (Art. 20) — export your account data as JSON from Settings;
object to processing (Art. 21);
withdraw consent (Art. 7(3)) — at any time, without affecting prior processing;
lodge a complaint with the supervisory authority — for residents of Germany, the competent authority is the data protection authority of your federal state.

8. Cookies and tracking

We use a minimal set of strictly necessary cookies (session, CSRF, language preference). Optional analytics cookies are off by default and require opt-in. Full details in our Cookies policy.

9. Security

Passwords are hashed with Argon2id, transport is TLS 1.3-only, two-factor authentication (TOTP) is available. We log security-relevant events with hashed IPs so we can investigate without storing PII. See Security overview.

10. Changes to this notice

We may update this notice as the service evolves. Substantive changes will be announced via email to active users at least 14 days before they take effect.

11. Contact

For privacy questions or to exercise your rights, write to julio@shipset.dev.

2. What data we collect

We process the following categories of personal data:

Account data — email address, username, display name, hashed password, optional bio + location, profile image URL, language preference, two-factor enrollment state. Provided by you when you sign up or update your profile.

Authentication data — session tokens (stored in HTTP-only cookies), OAuth provider identifiers when you log in via GitHub / Google / Discord, the IP-hash of your sign-in (truncated SHA-256, never the raw IP).

Usage data — challenges you start, tasks you mark complete, submissions you publish, comments + tips you post, content you like or report.

Billing data — when you subscribe to a paid plan, Stripe collects your payment instrument and billing address. We store only the resulting subscription identifiers, your VAT region, and invoice references — never card numbers.

Technical data — user-agent (truncated), referrer, locale, timestamps of key events (security activity log). Server-side error reports forwarded to Sentry.

3. Why we process this data (legal basis)

Contractual performance (Art. 6(1)(b) GDPR) — running the service you signed up for, fulfilling Pro subscriptions, processing submissions.

Legitimate interests (Art. 6(1)(f) GDPR) — securing the platform (bot-protection via Cloudflare Turnstile, rate-limiting via Upstash Redis), preventing fraud, debugging via Sentry, maintaining audit trails on security-relevant events.

Consent (Art. 6(1)(a) GDPR) — newsletter subscription, optional analytics cookies (see Cookies). Consent is freely revocable at any time.

Legal obligation (Art. 6(1)(c) GDPR) — invoicing retention under §147 AO (10 years), DSGVO record-keeping.

4. Who we share data with (processors)

The following data processors operate parts of the service on our behalf:

Vercel Inc. (USA) — application hosting, Edge functions, deployment logs. Contract per Art. 28 GDPR + EU Standard Contractual Clauses for transfers.

Supabase Inc. (EU-West region) — Postgres database + file storage. Processing within the EU.

Cloudflare Inc. (USA) — DNS, CDN, R2 object storage, Turnstile bot challenge. Cloudflare Email Routing handles inbound mail.

Sentry GmbH (Germany, ingest in DE region) — error monitoring + performance traces. IPs are scrubbed; user identifiers are pseudonymous.

Resend Inc. (USA) — transactional email (verification, password reset, notifications). Contract per Art. 28 GDPR.

Stripe Inc. (USA / Ireland) — payment processing. Direct controller for card data; we never see your card number.

Upstash Inc. (USA, EU region) — managed Redis for rate-limiting and ephemeral session metadata.

6. How long we keep data

Account data — for as long as your account is active. After deletion, we keep the bare minimum (pseudonymous user-id reference) for legal-defence and audit purposes, max 6 months.

Security events — 1 year (for incident investigation).

Invoices + tax records — 10 years per §147 AO.

Sentry events — 30 days for breadcrumbs, 90 days for issues.

7. Your rights

Under the GDPR you have the right to:

request access to your data (Art. 15) — available at any time via Settings;

request rectification of inaccurate data (Art. 16);

request deletion (Art. 17) — "Delete account" in Settings irreversibly removes your profile, submissions, and comments;

restrict processing (Art. 18);

data portability (Art. 20) — export your account data as JSON from Settings;

object to processing (Art. 21);

withdraw consent (Art. 7(3)) — at any time, without affecting prior processing;

lodge a complaint with the supervisory authority — for residents of Germany, the competent authority is the data protection authority of your federal state.