Privacy Policy
Effective date: March 11, 2026 · Last updated: March 11, 2026
1. Overview
ShackleAI (“we”, “us”, “our”) respects your privacy. This policy explains what data we collect, why we collect it, and how we protect it. We comply with the General Data Protection Regulation (GDPR) and applicable data protection laws.
2. Data We Collect
2.1 Account Data
When you sign in via GitHub OAuth, we receive:
- GitHub username, email address, and avatar URL
- GitHub user ID (used as your unique identifier)
We do not request access to your repositories, code, or private GitHub data.
2.2 Platform Usage Data
- Agent configurations (names, allowed tools, policies)
- API request logs (endpoint, timestamp, status code, latency)
- Tool usage analytics (which tools are called, frequency)
- LLM Gateway usage (model, token counts, costs — not prompt content)
2.3 Vault Data
OAuth tokens and API keys stored in the Vault are encrypted with AES-256 at rest. We never log, inspect, or read your stored credentials. Vault data is only decrypted at runtime when your agent makes an authorized tool call.
2.4 Memory Data
If you use the Memory service, we store text embeddings (via pgvector) and associated metadata. Memory data is isolated per-user and is never shared across accounts.
2.5 Cookies
We use essential cookies for authentication (session token). See our Cookie Policy for details.
3. How We Use Your Data
- To authenticate you and maintain your session
- To provide and operate the Platform services
- To enforce rate limits, budgets, and governance policies
- To generate usage analytics visible in your dashboard
- To send transactional emails (account, billing, security alerts)
- To improve the Platform based on aggregate, anonymized usage patterns
We do not:
- Sell your data to third parties
- Use your data to train AI models
- Share your data with advertisers
- Read or log the content of your LLM prompts or responses
4. Third-Party Services
We use the following third-party services that process your data:
- GitHub — OAuth authentication (username, email, avatar)
- Stripe — payment processing (billing info, not stored by us)
- AWS (Lightsail) — infrastructure hosting (all data is stored on AWS in the ap-south-1 region)
- Google Analytics — anonymous website analytics (pages visited, session duration)
- AWS SES — transactional email delivery
5. Data Storage & Security
5.1 Infrastructure
- PostgreSQL 16 with pgvector — application database
- Redis 7 — session cache and rate limiting
- All services run on a single AWS Lightsail VPS (pre-launch architecture)
- HTTPS enforced via Caddy with automatic TLS certificates
5.2 Encryption
- All traffic encrypted in transit (TLS 1.2+)
- Vault credentials encrypted at rest (AES-256)
- Database connections use TLS within the Docker network
- Session tokens are JWT-signed with a server-side secret
6. Data Retention
- Account data: retained while your account is active
- API logs: retained for 90 days, then automatically purged
- Vault data: deleted within 24 hours of connection removal
- Upon account deletion: all data removed within 30 days, except where we are legally required to retain it
7. Your Rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Portability — export your data in a structured format
- Restriction — limit processing of your data
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email useshackleai@gmail.com. We will respond within 30 days.
8. International Transfers
Our infrastructure is hosted in the AWS ap-south-1 (Mumbai) region. If you are accessing the Platform from outside India, your data will be transferred to and processed in India. We rely on standard contractual clauses for EU-to-India data transfers.
9. Children’s Privacy
The Platform is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has provided us personal data, contact us to have it removed.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Platform at least 14 days before they take effect.
11. Contact
For privacy-related questions or data requests, contact us at useshackleai@gmail.com.