Privacy Policy
Effective Date: May 20, 2026
This Privacy Policy explains how Shaker ("we", "us", "our"), operating at shakerapp.ai, collects, uses, stores, and protects your personal data when you use our Platform. We are committed to protecting your privacy and handling your data transparently and lawfully.
1. Data We Collect
1.1 Account Data
When you register, we collect:
- Full name and email address
- Password (stored as a bcrypt hash — never in plain text)
- Account creation date and last login timestamp
1.2 Payment Data
All payment processing is handled by Paddle.com as our Merchant of Record. We do not store full card numbers, CVVs, or bank account details. We receive from Paddle only:
- Paddle customer ID and subscription ID
- Subscription status, plan, and billing dates
- Country of billing (for tax purposes)
Paddle's privacy practices are governed by the Paddle Privacy Policy.
1.3 Usage and Technical Data
- IP address and approximate geolocation (country/city level)
- Browser type, OS, device type
- Pages visited, features used, AI generation requests
- Token usage and credit consumption per action
- Project files and AI-generated content you create
- Chat history with the AI assistant
1.4 Communication Data
- Emails you send to our support team
- Feedback and bug reports submitted through the Platform
1.5 Third-Party Authentication
If you sign in with Google OAuth, we receive your name, email address, and profile picture URL from Google. We do not receive your Google password. Google's use of data is governed by the Google Privacy Policy.
2. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Provide the Platform and AI generation services | Contract performance |
| Process payments and manage subscriptions | Contract performance |
| Send transactional emails (receipts, password reset) | Contract performance |
| Prevent fraud and abuse | Legitimate interest |
| Improve AI models and Platform quality (anonymised) | Legitimate interest |
| Comply with legal obligations (tax, KYC) | Legal obligation |
| Send marketing emails about Platform updates | Consent (opt-out available) |
| Detect security threats and monitor uptime | Legitimate interest |
3. AI Processing and Third-Party AI Providers
To provide AI generation features, your prompts, project context, and uploaded files are sent to third-party AI providers. These providers process your input to generate responses. The following AI providers may receive your data:
- Anthropic (Claude models) — Privacy Policy
- Google DeepMind (Gemini models) — Privacy Policy
- OpenAI (GPT models) — Privacy Policy
- DeepSeek (DeepSeek models) — Privacy Policy
- OpenRouter (API routing layer) — Privacy Policy
- Groq (fast inference) — Privacy Policy
We do not share your name, email, or payment data with AI providers. Only the content of your AI requests and project context is transmitted for the purpose of generating responses.
By using AI features, you acknowledge and accept that your prompts may be processed by the above providers subject to their respective privacy policies and data retention practices.
4. Cookies and Tracking
We use the following types of cookies and local storage:
- Authentication: JWT token stored in localStorage to keep you signed in
- Session: Session management for OAuth flows
- Analytics: Anonymised usage data to improve the Platform
- reCAPTCHA: Google reCAPTCHA v3 is used to prevent bot abuse
We do not use advertising cookies or sell your data to advertisers. You can clear browser storage at any time to remove all local tokens.
5. Data Sharing
We do not sell your personal data. We share data only with:
- Paddle — payment processing and tax compliance
- AI Providers — as described in Section 3
- Coolify / Cloud Infrastructure — hosting and deployment operations
- Law enforcement — only when required by valid legal process
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| Project files and generated code | Until deletion by user or account termination |
| Payment records | 7 years (legal/tax obligation) |
| AI usage logs (anonymised) | 12 months |
| Chat history | Until project deletion |
| Server access logs | 90 days |
| Trial credits | 30 days from registration |
7. Your Rights (GDPR / CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you
- Right of Rectification: Correct inaccurate or incomplete data
- Right of Erasure: Request deletion of your data ("right to be forgotten")
- Right of Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interest
- Right to Restrict: Restrict processing of your data in certain circumstances
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw at any time
To exercise these rights, email us at privacy@shakerapp.ai. We will respond within 30 days. We may need to verify your identity before processing your request.
If you are a resident of California (CCPA), you have additional rights including the right to know what personal information is sold or disclosed and to opt-out of such sale. We do not sell personal information.
8. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States, where our infrastructure and some AI providers are located. When we transfer data from the EU/EEA, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses or adequacy decisions).
9. Data Security
We implement industry-standard security measures including:
- TLS 1.2+ encryption for all data in transit
- Bcrypt hashing for all passwords
- JWT tokens with expiry for session management
- PostgreSQL with restricted access credentials
- Regular security updates to server infrastructure
No system is 100% secure. In the event of a data breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law.
10. Children's Privacy
The Platform is not intended for use by persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email or by posting a notice on the Platform. Continued use of the Platform after the effective date of changes constitutes acceptance of the updated Policy.
12. Contact and Data Protection Officer
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.