Privacy Policy
Last updated: July 2026
1. Who we are
Shipwright ("Shipwright", "we", "us") is an independent software product operated by a sole trader based in Sweden. This Privacy Policy explains how we handle personal data when you visit our website, use the demo application (accounts, the demo chat, and the dashboard), or purchase our software starter kit.
For the purposes of the EU and UK General Data Protection Regulation (GDPR), we are the "data controller" of your personal data. You can reach us about privacy, or to exercise your rights, at support@shipwrightkit.com.
2. The data we collect
We collect only what we need to run the service. Depending on how you use Shipwright, that includes:
- Account data — your name, email address, and a securely hashed password when you create an account. If you sign in with a social provider, we receive the identifiers and tokens that provider returns.
- Authentication & security data — session identifiers, your IP address, and your browser user-agent string, used to keep you signed in, secure your account, and prevent abuse.
- AI content — the prompts and messages you submit to the demo chat, together with the responses generated for you and metadata such as the model used, token counts, and timestamps. For anonymous use of the public demo, requests are attributed to your IP address rather than to an account.
- Billing data — when you subscribe in-app or buy the kit, our payment providers process your payment details directly. We receive and store only limited billing metadata (such as a customer ID, subscription ID, plan, and status). We never see or store your full card number.
- Usage & analytics data — aggregated, cookieless measurements of page views and referrers so we can understand traffic. This does not identify you individually.
- Communications — messages you send us (for example, support or refund requests) and the information they contain.
3. How we use your data
We use your personal data to:
- Provide, operate, and maintain the website, demo, and your account.
- Generate AI responses to the prompts you submit.
- Authenticate you, keep the service secure, and detect, prevent, and investigate fraud, abuse, and violations of our Terms.
- Enforce usage quotas and meter usage for billing.
- Process payments, manage subscriptions, and deliver the kit you purchased.
- Respond to your enquiries and provide support.
- Measure and improve the service.
- Comply with our legal, tax, and accounting obligations.
4. Our legal bases (GDPR)
Where the GDPR applies, we rely on the following legal bases:
- Performance of a contract — to provide the service, your account, and any product you purchase.
- Legitimate interests — to secure the service, prevent abuse, meter usage, and understand and improve how the service is used, balanced against your rights.
- Legal obligation — to meet tax, accounting, and other legal requirements.
- Consent — where we ask for it (for example, optional communications). You can withdraw consent at any time.
5. AI processing and the providers we use
To generate responses, the prompts you submit are sent to our AI provider, Anthropic, which processes them to return a response. We do not use your conversations to train AI models.
We share personal data with a small number of service providers (processors / sub-processors) who process it only on our instructions:
- Anthropic (PBC) — AI model provider that processes prompts to generate responses.
- Stripe — payment processing for in-app subscriptions.
- Polar — our merchant of record for purchases of the kit; Polar processes checkout and payment and remits applicable taxes.
- Vercel — website and application hosting, and cookieless web analytics.
- Our database and email providers — to store your account and usage data and to send service-related messages.
Each provider handles your data under its own privacy terms and our agreements with it. We do not sell your personal data.
6. Cookies and tracking
We keep cookies to a minimum. We use strictly-necessary cookies to sign you in and keep your session secure — these are required for the service to work and do not need consent.
Our analytics are cookieless: we do not use advertising, marketing, or cross-site tracking cookies, and we do not build advertising profiles about you. Because of this, we do not display a cookie-consent banner. If we ever introduce non-essential cookies, we will ask for your consent first and update this policy.
7. International data transfers
We and our providers may process your data in countries outside your own, including the United States. Where we transfer personal data out of the EEA or the UK, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses (and the UK Addendum) — so your data keeps an equivalent level of protection.
8. How long we keep your data
We keep personal data only as long as we need it for the purposes above. Account data is kept while your account is active. When you delete your account, the associated account, session, and billing records are removed, and related usage records are deleted or de-identified, except where we must keep certain records (for example, invoices) to meet legal and tax obligations.
9. Your rights
Depending on where you live, you have rights over your personal data. Under the GDPR (EEA/UK) these include the right to:
- Access the personal data we hold about you and get a copy.
- Rectify data that is inaccurate or incomplete.
- Erase your data (the 'right to be forgotten').
- Restrict or object to certain processing.
- Data portability — receive your data in a portable format.
- Withdraw consent at any time, where we rely on consent.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email us at support@shipwrightkit.com. We will respond within the time limits set by applicable law and may need to verify your identity first.
10. California privacy rights (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect and how we use it, to request access to or deletion of that information, to correct inaccurate information, and to not be discriminated against for exercising these rights.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. To exercise your California rights, contact us at the email above; we will verify and respond as required by law.
11. How we protect your data
We take reasonable technical and organizational measures to protect your data, including encryption in transit (HTTPS), hashing of passwords, and access controls. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to notify you and the authorities of a breach where the law requires.
12. Children
Shipwright is not directed to children. We do not knowingly collect personal data from anyone under 16 (or under 13 in the United States). If you believe a child has provided us personal data, contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will change the 'Last updated' date above and, for material changes, take reasonable steps to let you know. Your continued use of the service after an update means you accept the revised policy.
14. Contact us
Questions about this policy or your data? Email support@shipwrightkit.com. We are Shipwright, a sole trader based in Sweden.
See also our Terms of Service, or go back to the site.