Privacy Policy

Last updated: February 15, 2026

At ShorShield ("we", "our", "us"), your privacy is fundamental to our product design. We operate on a zero-knowledge architecture — meaning we cannot access your stored credentials even if we wanted to. This policy explains what data we do and do not collect.

1. Information We Collect

Account Information

• Email address — for account identification and communication
• Public cryptographic keys — ML-DSA-65 (for authentication) and ML-KEM-1024 (for encryption). These are public keys only; private keys never leave your device.
• Company/organization name — for enterprise accounts

Vault Metadata (Unencrypted)

• Credential titles, usernames, and website URLs — stored in plaintext to enable search and autofill. Passwords and secure notes are always encrypted.

Technical Data

• Session data — IP address, user agent, session fingerprint (hashed)
• Audit logs — security-relevant events (logins, revocations, sharing actions)
• WebAuthn credentials — biometric authentication metadata (no biometric data is stored)

Contact Form Submissions

• Name, email, company (optional), and message content
• IP address for rate limiting and abuse prevention

2. Information We Do NOT Collect

• Your passwords or credential secrets (encrypted client-side)
• Private cryptographic keys (stored only in your browser's IndexedDB)
• Biometric data (WebAuthn uses device-level authentication)
• Browsing history or tracking data
• Third-party analytics or advertising identifiers

3. How We Use Your Information

• Authentication: Verifying your identity via cryptographic signatures
• Service delivery: Storing and synchronizing your encrypted vault
• Security: Rate limiting, abuse detection, session management
• Communication: Responding to enquiries, security notifications
• Compliance: Audit logging for enterprise customers

4. Data Storage and Security

Your data is stored on servers located in the European Union. We employ the following security measures:

• End-to-end encryption using NIST-standardized post-quantum algorithms
• TLS encryption for all data in transit
• HTTP-only, secure session cookies with SameSite protection
• Rate limiting across all endpoints
• Immediate session revocation capability

5. Data Sharing

We do not sell, rent, or share your personal data with third parties except:

• Sub-processors: Supabase (database hosting, EU region), Cloudflare (application hosting and CDN), and Google Workspace (transactional email). See our GDPR Compliance page for the full sub-processor list with data residency and transfer safeguard details.
• Legal requirements: when required by law, court order, or governmental regulation
• Enterprise admins: company administrators can view user email addresses and access audit logs for their organization only

6. Data Retention

• Account data: retained while your account is active
• Session data: automatically deleted after 24 hours or upon logout
• Audit logs: retained for 90 days (enterprise customers may configure longer retention)
• Contact submissions: retained for 12 months

7. Your Rights

Under the General Data Protection Regulation (GDPR), you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data ("right to be forgotten")
• Restrict or object to certain processing activities
• Request data portability in a machine-readable format
• Withdraw consent at any time

To exercise these rights, contact us at shorshield@gmail.com.

8. Cookies

We use only essential session cookies (HTTP-only) for authentication. We do not use tracking cookies, analytics cookies, or third-party advertising cookies. See our Cookie Policy for details.

9. Changes to This Policy

We will notify users of material changes via email or in-app notification at least 30 days before changes take effect. The "last updated" date above reflects the most recent revision.

10. Contact

For privacy-related enquiries:

• Email: shorshield@gmail.com
• Location: Berlin, Germany