GDPR Compliance

Last updated: February 15, 2026

ShorShield is committed to compliance with the General Data Protection Regulation (EU) 2016/679. As a company headquartered in Berlin, Germany, GDPR applies directly to our operations. This page supplements our Privacy Policy with GDPR-specific information.

🇪🇺 Privacy by Design: ShorShield's zero-knowledge architecture is itself a GDPR compliance measure. By architecturally preventing ourselves from accessing user vault contents, we minimize the risk and impact of any data breach.

1. Data Controller

Yash Thakare (trading as ShorShield)
Berlin, Germany
Email: shorshield@gmail.com

Privacy Contact

ShorShield is operated by a sole founder. For all data protection enquiries, including exercising your rights under GDPR, contact:

Yash Thakare, Founder & CEO
Email: shorshield@gmail.com

Note: As a sole-founder operation that does not yet process personal data at the scale threshold defined in Art. 37 GDPR, we have not appointed a formal Data Protection Officer. We continuously assess whether a DPO appointment becomes required as the platform scales.

2. Legal Basis for Processing

Processing Activity | Legal Basis (Art. 6 GDPR) | Rationale
Account creation and authentication | Contract performance (Art. 6(1)(b)) | Necessary to provide the service
Encrypted vault storage | Contract performance (Art. 6(1)(b)) | Core service functionality
Session management and security logging | Legitimate interest (Art. 6(1)(f)) | Platform security and abuse prevention
Contact form submissions | Consent (Art. 6(1)(a)) | Voluntary submission with clear purpose
Enterprise audit logs | Legitimate interest (Art. 6(1)(f)) | Organizational security compliance
Email notifications | Contract performance (Art. 6(1)(b)) | Service-related communications

3. Your Rights Under GDPR

📋 Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including processing purposes and retention periods.

✏️ Right to Rectification (Art. 16)

Request correction of inaccurate personal data. You can update your email and profile directly in the dashboard.

πŸ—‘οΈ Right to Erasure (Art. 17)

Request deletion of your account and all associated data. Due to zero-knowledge, we cannot selectively delete vault contents β€” full account deletion removes everything.

⏸️ Right to Restriction (Art. 18)

Request that we limit processing of your data while a dispute is resolved or while you exercise other rights.

📦 Right to Portability (Art. 20)

Request your data in a machine-readable format. Export functionality is available through the dashboard.

🚫 Right to Object (Art. 21)

Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling grounds.

To exercise any of these rights, email shorshield@gmail.com. We will respond within 30 days as required by GDPR.

4. Data Processing and Storage

Storage Location

Our primary data storage infrastructure is located within the European Union. However, some of our sub-processors are headquartered in the United States. Where personal data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Art. 46(2)(c) GDPR) and verify that each sub-processor provides adequate supplementary measures.

Sub-Processors

We use the following sub-processors to operate the ShorShield platform:

Sub-Processor | Purpose | Data Residency | Transfer Safeguard
Supabase Inc. | Database hosting and backend infrastructure | EU (Frankfurt region) | EU data region; SCCs in place
Cloudflare Inc. | Application hosting (Cloudflare Pages), CDN, and DDoS protection | Global edge network; origin in EU | SCCs; Cloudflare DPA
Google LLC | Transactional email delivery (Google Workspace / Gmail SMTP) | US (data may be processed globally) | SCCs; Google Data Processing Terms; EU Data Processing Addendum

For the most current list of sub-processors, or to be notified of changes, contact shorshield@gmail.com.

Data Minimization

We collect only the data strictly necessary to provide the service. Our zero-knowledge architecture ensures that vault contents (passwords, credentials, notes) are encrypted client-side and inaccessible to us.

5. Data Protection Impact Assessment

Given the sensitive nature of password management, we have conducted an internal Data Protection Impact Assessment (DPIA) as described in Art. 35 GDPR. Our zero-knowledge architecture inherently mitigates the highest-risk scenario (server breach exposing credentials) by ensuring encrypted data cannot be decrypted without client-held keys.

Note: This DPIA was conducted internally by the founder and has not yet been reviewed by an independent third-party auditor. An external review is planned as the platform scales.

A summary of the DPIA is available upon request. Contact shorshield@gmail.com to request a copy.

6. Breach Notification

In the event of a personal data breach:

7. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. For ShorShield, the relevant authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin, Germany
www.datenschutz-berlin.de

8. Contact

All enquiries: shorshield@gmail.com