Privacy Policy
ShapeKit (“ShapeKit,” “we,” “us”) is operated by ShapeKit, Inc., 9169 W State St #1395, Garden City, ID 83714, USA. For any questions about this policy or your personal data, contact us at privacy@shapekit.ai.
This policy explains what personal data we collect, why, how we share it with the vendors that help us run the service, how long we keep it, and the rights you have. It covers our marketing website and our application.
Our role: controller vs. processor
ShapeKit plays two different roles depending on the relationship:
- When we are the controller. For our marketing website, your ShapeKit account, billing, product analytics of our own service, support you request, and our product communications, we decide why and how data is processed and we handle your requests directly.
- When we are a processor. When a customer (“Crafter”) builds an app on ShapeKit and collects data about their own end clients (“Shapers”), the Crafter is the controller of that end-client data and ShapeKit processes it on the Crafter’s behalf under a Data Processing Addendum. If you are a Shaper and want to exercise rights over data a Crafter collected about you, your request generally goes to that Crafter; we assist them.
What we collect and why
| What | Examples | Why |
|---|---|---|
| Website / usage data | IP, device and browser metadata, page views, referral/UTM, cookies or local storage where enabled | Deliver and secure the site; first-party product analytics; marketing attribution |
| Account data | Name (if given), email, password hash or OAuth identifier, auth tokens, account status, security events | Create and secure your account; authenticate you |
| Team / app configuration | Team membership, roles, project and app settings, custom domains, saved views | Provide the multi-tenant app-building service |
| AI reshape requests | Prompt text, selected view/schema context, generated output, usage counters | Generate constrained app/view customizations; meter AI usage |
| Billing data | Plan, invoice metadata, payment status, billing email, transaction IDs, tax metadata | Subscriptions, fees, marketplace payments, tax and accounting records |
| Communications | Email address, invite tokens, message content, delivery metadata | Verification, magic links, invites, notifications, support |
| Support & privacy requests | Contact details, request content, identity-verification data | Support, rights requests, disputes, incident response |
| Security / audit logs | IPs, user IDs, auth events, admin actions, error traces | Detect abuse, debug, and protect tenant isolation |
Where required by law (for example for EU/UK users), we rely on an appropriate lawful basis for each purpose — typically performance of our contract with you, our legitimate interests in operating and securing the service, your consent where required (such as for non-essential cookies), or compliance with a legal obligation.
We do not want sensitive or special-category data in AI features or app content (see below).
AI features
ShapeKit uses third-party AI model providers — Anthropic and OpenAI — to power reshape features. When you use an AI feature, your prompt content and related context may be sent to a provider to generate output. These providers do not use your data to train their models and process it only to return the requested output. As a safeguard, please do not submit personal data about other people, credentials, or sensitive information into AI features.
Cookies and tracking
We use strictly necessary cookies for authentication and security. We do not run non-essential advertising or cross-site tracking cookies. We use PostHog for first-party product analytics to understand and improve the service. If we ever introduce non-essential cookies, we will inventory them and, where required, ask for your consent before they run. We honor recognized browser opt-out signals such as Global Privacy Control where the law requires it.
How we share data — our vendors
We share personal data with vendors who process it on our behalf under contract (our subprocessors) and with independent parties such as our payment processor. Our current list of subprocessors is published at shapekit.ai/subprocessors. We do not sell your personal data, and we do not “share” it for cross-context behavioral advertising.
International transfers
ShapeKit and its vendors may process data in the United States and other countries. Where we transfer EU/UK personal data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses where applicable.
Sensitive data
ShapeKit is not designed to process special-category data (GDPR Article 9) or “sensitive personal information” under US state privacy laws, and we ask Crafters and users not to put such data into app content or AI prompts.
Retention
We keep personal data only as long as needed for the purposes above, then delete or anonymize it, subject to legal, tax, security, and dispute-defense exceptions. Backups may retain deleted data for up to 90 days before purge.
Your rights
Depending on where you live, you may have the right to:
- Access / know what personal data we hold and how we use it.
- Correct inaccurate data.
- Delete / erase your data (subject to the exceptions noted under Retention).
- Portability — receive your data in a portable format.
- Object to or restrict certain processing.
- Opt out of sale or sharing of personal data — note that we do not sell or share data.
- Limit the use of sensitive personal information, to the extent we process any.
- Non-discrimination — we will not deny you service or charge you differently for exercising these rights.
To exercise any right, contact privacy@shapekit.ai. We verify your identity before acting, and we respond within the timelines the applicable law requires. If your request concerns data a Crafter controls (Shaper data), we will route or assist rather than act unilaterally. EU/UK users may also lodge a complaint with their local data protection authority.
Children
ShapeKit is not directed to children and we do not knowingly collect children’s data.
Changes to this policy
We will post changes here and update the effective date above. We will communicate material changes through the service where appropriate.