Skip to content
SHOTSHQ
Start free
TemplatesPricingDocsChangelogSign in
← /docs
[ DOC / PRIVACY ]

PRIVACY POLICY

What we collect, why, and how to delete it.

Last updated: 2026-04-30

What we collect

  • Account data — email, name, OAuth provider IDs (Google, Apple) via our identity provider Clerk.
  • Project content — uploaded screenshots, canvas state, generated outputs, headlines, and locale data.
  • Billing data — handled by Stripe; we store only the customer ID and plan status, never card numbers.
  • Usage data — feature events, error logs, and performance traces. Used for product improvement and debugging.

Why we collect it

  • To provide the service you signed up for (legal basis: contract).
  • To prevent abuse and protect other users (legitimate interest).
  • To process payments and meet tax obligations (legal obligation).
  • To send transactional emails (contract). We never send marketing without explicit opt-in.

Third-party processors

We share the minimum necessary data with the following processors, each bound by their own DPA:

  • Clerk — authentication and session management.
  • Neon — Postgres hosting (project metadata, ledger).
  • Cloudflare R2 — object storage (uploaded + generated assets).
  • Stripe — payment processing and subscription billing.
  • OpenAI — AI copy and image generation.
  • fal.ai — AI image processing.
  • Trigger.dev — background job orchestration.
  • Loops — transactional email delivery.
  • PostHog — product analytics (events only, no PII).
  • Sentry — error monitoring.
  • Vercel — application hosting and edge network.

Data retention

  • AI prompts — passed through to model providers and not retained by us beyond 24 hours.
  • Project assets — kept for the lifetime of your account. Deleted within 30 days of project deletion or account closure.
  • Billing records — retained for 7 years to meet tax and accounting obligations.
  • Logs — kept for 30 days, then deleted.

Your rights (GDPR, CCPA)

You have the right to:

  • Access — request a copy of your data.
  • Correction — fix inaccurate data.
  • Deletion — close your account and delete all associated data.
  • Portability — export your data in a machine-readable format.
  • Object — opt out of processing for legitimate-interest purposes.

Email privacy@shotshq.com with any of these requests. We respond within 30 days.

Security

See our security page for details on encryption, access controls, and disclosure.

Children

ShotsHQ is not intended for users under 13. We don't knowingly collect data from children.

Changes

Material changes will be announced via email and the changelog at least 14 days before they take effect.

Data Protection Officer

For EU/UK GDPR matters: privacy@shotshq.com.