Shipeasy

Privacy Policy

Effective June 5, 2026. See also our Terms of Service.

This Privacy Policy describes how Shipeasy, Inc. (“Shipeasy”, “we”, “us”) collects, uses, shares, and protects personal data when you use shipeasy.ai, the Shipeasy platform, the SDKs, the CLI, and related services (collectively, the “Service”). It applies to information about (a) the people who sign in to a Shipeasy account (“Customers”) and (b) the end users of Customer applications whose evaluation events flow through Shipeasy (“End Users”).

We are the controller for personal data about Customers. For End Users, the Customer is the controller and Shipeasy acts as a processor on the Customer’s behalf.

1. What we collect

1.1 Account data

When you sign in with an OAuth provider (Google, GitHub, etc.), we receive your name, email address, OAuth subject identifier, and profile image URL. We store your active project memberships, role on each project, and audit records of administrative actions you take in the dashboard.

1.2 Billing data

If you upgrade to a paid plan, our payment processor Stripe collects and processes your billing details, including name, billing address, and payment instrument. Shipeasy does not store full payment card numbers; we receive only a Stripe customer ID, the last four digits and brand of the card, and invoice metadata required for accounting.

1.3 Configuration data

Flags, killswitches, configs, experiments, universes, metrics, translation profiles, and targeting rules that you create are stored in our database and replicated to our edge cache so that SDKs can evaluate them at low latency. This data is treated as Customer Data under our Terms of Service.

1.4 Evaluation context and events

When an End User triggers an SDK evaluation (e.g. a call to flags.get("checkout-v2", { user_id, country })), the SDK sends the context you choose to pass to api.shipeasy.ai/sdk/evaluate over TLS. Tracked events (flags.track(...)) are written to Cloudflare Analytics Engine. The contents of these payloads are entirely controlled by the Customer; Shipeasy does not require any specific fields. We recommend Customers pass an opaque bucketing key (a stable non-PII user identifier) rather than email addresses or full names.

1.5 Telemetry and logs

We collect technical logs about the Service’s operation: HTTP request metadata (path, status, IP address, user agent), Cloudflare Worker invocation logs, and crash reports. These are used to operate, secure, and debug the Service.

1.6 Cookies and similar technologies

We use a small number of strictly necessary cookies, primarily the Auth.js session cookie (a signed JSON Web Token with a 15-minute expiry, used to keep you signed in to the dashboard) and a CSRF protection cookie. We do not use third-party advertising or cross-site tracking cookies on the dashboard or the marketing site.

2. How we use it

We use personal data to:

  • provide and operate the Service (authenticate you, evaluate flags, store configs);
  • process payments and send invoices via Stripe;
  • send transactional emails (sign-in links, billing receipts, security notices);
  • maintain the security and integrity of the Service, including detecting and preventing abuse;
  • compute aggregate, anonymised product and usage analytics that do not identify any individual; and
  • comply with legal obligations.

We do not sell personal data. We do not use the contents of Customer Data to train generative AI models without the Customer’s prior written consent.

3. Legal bases (EEA / UK)

If you are in the European Economic Area or the United Kingdom, our legal bases for processing your personal data are: (a) performance of a contract to deliver the Service you have signed up for; (b) our legitimate interests in operating, securing, and improving the Service, where those interests are not overridden by your rights; (c) consent, where required (e.g. optional cookies, marketing emails); and (d) compliance with legal obligations.

4. Subprocessors

We rely on the following subprocessors to deliver the Service:

  • Cloudflare, Inc.— hosting (Workers), edge cache (KV), database (D1), event store (Analytics Engine), queues, and CDN. Customer Data is processed and stored in Cloudflare’s global network.
  • Stripe, Inc. — payment processing for paid plans.
  • OAuth identity providers (Google, GitHub) — only when you choose to sign in through them. We receive only the data you authorise.
  • Email delivery providers — for transactional email (sign-in links, receipts, security notices).

We require subprocessors to maintain a level of data protection at least as strict as described in this Policy. An up-to-date list is available on request at hi@shipeasy.ai.

5. International transfers

Cloudflare operates a global network and processes data close to the End User’s location. Where personal data is transferred out of the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented where appropriate by additional safeguards. By agreeing to these Terms you acknowledge that your data may be processed in any country in which Cloudflare operates a data centre.

6. Retention

We retain personal data only as long as needed for the purposes described above. As a baseline: account data is retained for the lifetime of your account; configuration data (Customer Data) is retained until you delete it or 30 days after termination of your account; evaluation events are retained for up to 90 days for analysis (longer on Enterprise plans where contractually agreed); logs are retained for up to 30 days. We may retain data for longer where required by law or to resolve disputes.

7. Security

We protect personal data with industry-standard safeguards: TLS for data in transit; encryption at rest provided by Cloudflare D1, KV, and Analytics Engine; signed, short-lived (15-minute) Auth.js JWT session tokens; SDK keys hashed with SHA-256 before storage; role-based access controls; and audit logs for administrative actions. No system is perfectly secure, and we cannot guarantee absolute security.

8. Your rights

Depending on where you live, you may have the right to: access the personal data we hold about you; correct it; delete it; restrict or object to our processing of it; receive a portable copy; and lodge a complaint with your local data protection authority. EEA / UK residents may exercise rights under the GDPR / UK GDPR. California residents may exercise rights under the CCPA / CPRA, including the right to know what personal information we collect and to delete it. We do not sell personal information and we do not knowingly share personal information for cross-context behavioural advertising.

To exercise any of these rights, contact hi@shipeasy.ai. We will respond within the period required by applicable law (no later than 30 days under the GDPR; no later than 45 days under the CCPA). If your data was submitted to the Service by a Customer (i.e. you are an End User of a Customer’s application), please direct your request to that Customer in the first instance; we will support the Customer in responding.

9. Children

The Service is not directed to children under 16 (or under 13, where local law sets a lower threshold). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

10. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced at least 30 days in advance via email to the address on your account and/or via an in-product notice. The “Effective” date at the top of this page reflects the latest version.

11. Contact

Shipeasy, Inc. · hi@shipeasy.ai. For data protection enquiries, please reference “Privacy” in the subject line.