Privacy Policy
This policy describes how Shipstable, built by RADLAB LLC, handles your data. If something is unclear, contact us at privacy@shipstable.io.
What We Collect
We collect only the data necessary to provide the features you use and to understand how Shipstable is being used so we can improve it.
| What | Why | How long | Who can access |
|---|---|---|---|
| Email address, name, profile image (from your auth provider) | Account creation, login, showing you who you are inside the app | Until you delete your account | RADLAB LLC (via Supabase) |
| Messages you send to AI agents through Shipstable | Routing your prompt to the AI provider you chose, streaming the response back | In transit only at this time — we do not store conversation history server-side as of the date above. When that changes, we will update this policy before turning on persistence. | RADLAB LLC backend, the AI provider you selected (OpenAI or Anthropic) |
| Aggregate token-usage counts per request (prompt tokens, completion tokens) | Billing aggregation, abuse detection, capacity planning | Until you delete your account | RADLAB LLC |
| Product usage analytics (anonymized): page views, screen views, feature interactions, approximate country (from IP) | Understanding which features are used and where users get stuck | 12 months | RADLAB LLC (via PostHog) |
| Anonymous web visit metrics (page views, referrers, country) | Marketing page performance, traffic-source attribution | Vercel default retention | RADLAB LLC (via Vercel Web Analytics, cookieless) |
| Advertising event data (when running paid campaigns): aggregated conversion events tied to ad clicks | Measuring whether paid acquisition campaigns are reaching real users | Per ad-network policy (typically 13 months) | RADLAB LLC, Google Ads, Meta (Facebook/Instagram) |
If we add new categories of data, we update this policy and notify you before collection begins.
What We Do Not Collect
Shipstable does not:
- Record keystrokes, screen content, or ambient audio
- Track your precise location (we infer country from IP and use no GPS or background location)
- Read your messages, photos, contacts, or other apps' data
- Sell, rent, or trade your data
- Use your prompts, AI agent inputs, or AI responses to train any model. We do not train ML models on your data, and neither do OpenAI or Anthropic for API requests originated through Shipstable (per their published API terms as of the date above).
AI Providers and How Your Prompts Are Handled
Shipstable is an orchestration layer. When you send a message to an AI agent, your prompt is routed through our backend to the AI provider you selected (OpenAI, Anthropic, or others). The response is streamed back to you. Specifically:
- If you are on a Pro, Pro+, or Teams plan, we use Shipstable-managed API keys on your behalf. If you bring your own accounts, requests are made using your own API keys.
- Per OpenAI's and Anthropic's published API terms (as of the date above), data sent through their APIs is not used to train their models.
- Your prompts and AI responses transit our backend infrastructure (Vercel-hosted web, Supabase-backed auth/db, Hono API on Bun).
- We do not log or persist the body of your AI conversations server-side as of the date above. Aggregate metadata (which model was used, token counts, timestamps) is logged for billing and abuse detection.
If we ever change the conversation-persistence policy (for example, if we add chat history that survives across sessions), we will update this policy before turning that on.
What We Share
We share data with third parties only when necessary, and only the minimum required. We do not sell your personal information.
| Third party | What they receive | Why |
|---|---|---|
| Supabase | Account identifiers (email, name, image), authentication tokens, application database rows | Authentication and database hosting |
| OpenAI | Your AI prompts and the model responses, when you select an OpenAI model | Running the AI model that powers your chosen agent. Not used by OpenAI for training, per their API terms. |
| Anthropic | Your AI prompts and the model responses, when you select a Claude model | Running the AI model that powers your chosen agent. Not used by Anthropic for training, per their API terms. |
| Vercel | Standard HTTP request data (URL, status code, IP for routing, country); cookieless analytics beacon | Web hosting, edge security, anonymous traffic analytics |
| PostHog | Anonymized product-usage events, approximate country | Product analytics — understanding feature usage |
| Google Ads (when running paid campaigns) | Aggregated ad conversion events via the Conversions API | Measuring paid acquisition effectiveness |
| Meta (Facebook/Instagram, when running paid campaigns) | Aggregated ad conversion events via the Conversions API | Measuring paid acquisition effectiveness |
Each sub-processor is bound by a Data Processing Agreement that requires them to act only on our instructions.
Cookies and Similar Technologies
Shipstable uses a small number of cookies and similar local-storage technologies:
- Necessary — sign-in session, your cookie-preferences choice. Set on every visit. Cannot be disabled if you want to use the product.
- Analytics (PostHog) — anonymous session and event identifiers. Loaded only after you accept the cookie banner. Can be turned off at any time via “Manage cookies” in the footer.
- Advertising (Google Ads, Meta) — loaded only when we are running paid campaigns AND you have accepted the cookie banner.
Vercel Web Analytics is cookieless and is not affected by the cookie banner. It honors browser Do Not Track and Global Privacy Control signals automatically.
Your Choices
On your first visit you will see a cookie preferences banner. You can accept all categories, decline non-essential ones, or pick category by category. You can change your choice at any time via “Manage cookies” in the footer.
EU and UK visitors: no analytics or advertising cookies are loaded until you make a choice in the banner. Essential cookies are set on first load because they are required to operate the service.
How We Protect Your Data
We use TLS in transit, encryption at rest at the database layer, access controls, regular security scanning, and monitoring for unauthorized access. Authentication uses our auth provider's best-practice flows; we never store passwords in a readable form. Security headers on every response include HSTS preload, X-Frame-Options DENY, Permissions-Policy denying camera/mic/geo, and strict Referrer-Policy.
How Long We Keep Your Data
We keep your data only as long as we need it to provide the service. When you delete your account, your data is permanently removed within 30 days. Analytics events older than 12 months are automatically purged from PostHog. Advertising conversion data follows each ad network's standard retention.
Deleting Your Data
You can request deletion of your account and all associated data from your Settings page in the app or at shipstable.io/delete. Deletion is permanent and irreversible. We aim to complete deletion within 30 days. If you have an active subscription, cancel it before deleting your account.
Your Rights
Under GDPR (EU/UK), CCPA (California), and similar regulations, you have the right to:
- Access — request a copy of your data
- Correction — ask us to fix inaccurate data
- Deletion — request permanent account and data deletion
- Portability — receive a copy of your data in a usable format
- Objection — object to processing for analytics or advertising
- Withdraw consent — turn off analytics or advertising cookies at any time via the cookie banner
- Lodge a complaint — with your local data protection authority
To exercise any of these rights, email privacy@shipstable.io. We respond within 30 days.
Children
Shipstable is not designed for children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it promptly.
Changes to This Policy
We will notify you before material changes take effect and will not apply weaker rules retroactively. The “Last updated” date at the top reflects the most recent revision.
Contact
Email: privacy@shipstable.io. We respond within 30 days.