Privacy Policy
Last updated: 30 April 2026
1. Who we are
ShipStreak is a publishing-streak tool operated from the European Union. This policy explains what personal data we collect, why we collect it, how we use it, and which third parties process it on our behalf. It applies to shipstreak.space, all subdomains (e.g. username.shipstreak.space), and any custom domain you may bind to your public profile.
We act as the data controller for the data described below. For third-party processors, the relevant provider acts as a sub-processor under our instructions.
2. What we collect
Account data
- Email address
- Firebase user id (uid)
- Display name (optional, set by you)
- Public username (your profile slug)
- Timezone (used to anchor day boundaries on your streaks)
- Preferred output tone (raw, clean, hype — Pro only)
- Custom domain (Pro only, if you set one)
Product data
- Streak metadata (duration, day index, status, timestamps)
- Daily entry bullets you submit
- The generated post text produced from those bullets
- Completion timestamps used to render your public calendar
Billing data
- Stripe customer id
- Subscription state mirror (plan, status, period end, cancel-at-period-end flag)
- We do not see, store, or process your card number, CVC, or full card details on our servers — Stripe handles all card data directly.
Operational data
- Two essential cookies: session (auth) and csrf_token (CSRF protection). No analytics or advertising cookies.
- Audit log of security events (sign-in, password reset, billing changes, deletion) used for abuse prevention and account recovery.
3. How we use it
- Run the daily publishing loop and enforce streak rules.
- Render your public profile (completion calendar + streak state). Bullets and generated post text are never published to your public profile.
- Process subscriptions and reflect plan entitlements.
- Reply to support requests sent to support@shipstreak.space.
- Detect and prevent abuse (rate limiting, audit logs).
We do not sell your data, we do not run ad networks on the site, and we do not profile you for marketing.
4. Third-party processors
- Firebase (Google) — authentication, Firestore database, hosting of session tokens. Personal account + product data is stored here.
- Stripe — payment processing and subscription lifecycle. Card details flow directly between you and Stripe.
- OpenAI — used only when a Pro user triggers a polished post tone. The bullets you wrote are sent per-request to generate the post text and are not used to train OpenAI models (we use the API tier with training disabled). We do not retain anything on OpenAI's side beyond the request itself.
- Vercel — application hosting and edge routing. Receives standard request metadata (IP, user agent) for delivery and abuse prevention.
5. Cookies
We use two strictly-necessary cookies: session and csrf_token. Both are required for the app to function and to defend against cross-site request forgery. We do not set analytics, advertising, or third-party tracking cookies, so we do not show a cookie consent banner.
6. Retention
Account, product, and billing data is retained for as long as your account exists. You can delete your account at any time from /dashboard/account; deletion removes your profile, streaks, entries, and public page. Audit log entries are retained up to 12 months for security purposes. Stripe retains billing records independently per its own retention policy and applicable financial regulations.
7. Your rights
Under the GDPR and equivalent laws, you can:
- Access the personal data we hold about you.
- Correct inaccurate data via the account page.
- Delete your account and associated data.
- Export your data — every account can call GET /api/user/export from /dashboard/account to download a JSON snapshot.
- Withdraw consent or object to processing.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email us at support@shipstreak.space. We respond within 30 days.
8. Children
ShipStreak is not intended for users under the age of 16. We do not knowingly collect data from anyone under 16; if you believe a minor has signed up, contact us and we will delete the account.
9. International transfers
Some of our processors (Google/Firebase, Stripe, OpenAI, Vercel) are based in the United States and may process data outside the EEA. Where this happens, we rely on Standard Contractual Clauses and the providers' own data processing terms.
10. Updates to this policy
We will update this policy when our processing changes materially. The date at the top of the page reflects the most recent revision; we will notify active accounts by email when changes are material.
11. Contact
Questions about this policy or your data? support@shipstreak.space.