Privacy Policy

Effective: 2025-09-07

This Privacy Policy explains how SchemaShield ("SchemaShield", "we", "us") collects, uses, and protects information in connection with our website and services.

1) Information We Process

• Account & Contact Data: Email addresses and basic profile info you provide during onboarding or via third‑party sign‑in.
• Billing Data: Payments are processed by Stripe. We do not store full card details. We may store your Stripe customer ID and subscription status.
• Service Data (Prompts/Outputs): By default, we operate with Zero‑Persistence: prompts and outputs are processed in memory and not written to disk. If you explicitly enable persist=true for debugging, we store minimal request/response artifacts for a limited retention (see Retention below). You control whether such storage occurs.
• Provider Keys (BYO): You may supply provider API keys per request. We pass these through, do not persist them by default, and never use them except to fulfill your request.
• Usage & Analytics: We collect minimal technical and usage data (e.g., request timing, error counts) to operate, secure, and improve the service. We use Vercel Web Analytics (cookieless) and server logs.
• Leads: If you sign up for updates, we store your email and tag. We use Resend to send transactional emails.

2) How We Use Information

• Provide and maintain the services (validation, repair, CI checks).
• Provision, monitor, and enforce plan entitlements and quotas.
• Process payments and manage subscriptions (via Stripe).
• Secure, debug, and improve performance and reliability.
• Communicate important updates, billing notices, and support responses.

3) Legal Bases (EEA/UK)

We process personal data under one or more of the following bases: to perform a contract; legitimate interests in operating and securing the service; compliance with legal obligations; and consent (where applicable, e.g., optional emails).

4) Data Sharing & Sub‑processors

We share data with trusted providers solely to deliver the service:

• Vercel (hosting, web analytics).
• Stripe (payments, subscriptions).
• Resend (transactional email).
• LLM Providers you select (e.g., OpenAI, Anthropic). Prompts/outputs are transmitted only to providers you choose.

We do not sell personal information.

5) International Transfers

Data may be processed in the United States and other jurisdictions by us or our providers. Where applicable, we rely on appropriate safeguards (e.g., SCCs) for cross‑border transfers.

6) Security

We use TLS for data in transit, HSTS, least‑privilege access, and secure storage of any optional persisted logs. See our Security page for details.

7) Data Retention

• Zero‑Persistence default: No prompts/outputs are stored by default.
• Optional persist=true: If enabled, we retain minimal request/response artifacts for up to 30 days unless you delete earlier or request removal.
• Billing & records: Kept as required for accounting, tax, and compliance.

8) Your Rights

Depending on your location, you may have rights to access, rectify, delete, or port your personal data, and to object or restrict certain processing. Contact us to exercise these rights.

9) Cookies

We use an httpOnly session cookie when you sign in with Google. Vercel Web Analytics is cookieless. You can control cookies via your browser settings.

10) Children

The service is not intended for children under 16. We do not knowingly collect information from children.

11) Changes

We may update this Policy. We will post the updated date and, where appropriate, provide additional notice.

12) Contact

Questions or requests: privacy@schemashield.ai