Privacy Policy

1. Who We Are

ShapeLoop ("we," "our," or "us") is a web-based platform that enables users to create, customize, and download animated shape overlays for video editing.

We are committed to protecting your privacy and ensuring transparency in how we collect, use, and store your personal data.

Data Controller:
ShapeLoop OÜ (Made in Europe)
Email: hello@klavinskis.com

2. Information We Collect

We collect only the data necessary to provide and improve our services.

2.1 Account Information

• Email address (for authentication and communication)
• Name (if provided via Google OAuth)
• Authentication credentials (Magic Link tokens or OAuth tokens)

2.2 Usage Data

• Downloads count (to enforce plan limits)
• Plan type (Free, Credits, Pro, Founder's Deal)
• Credits balance (for pay-as-you-go users)
• Creation history (shape settings, effect types, timestamps)

2.3 Payment Data

• Stripe Customer ID (links your account to payment provider)
• Transaction IDs (for billing records)
• Subscription status (active, cancelled, expired)

Important: We do NOT store credit card numbers, CVV codes, or full payment details. All payment processing is handled by Stripe (PCI DSS Level 1 certified).

2.4 Technical Data

• IP address (for rate limiting and security)
• Browser type and version (for compatibility)
• Device information (desktop/mobile, screen resolution)

2.5 Cookies

We use essential cookies only:

• Session cookies (for authentication, expires on browser close)
• Persistent login cookies (httpOnly, secure, sameSite=strict, 30-day expiry)

We do NOT use:

• ❌ Google Analytics
• ❌ Facebook Pixel
• ❌ Marketing/tracking cookies
• ❌ Third-party advertising cookies

3. User-Created Content

3.1 Shape Creations

When you create animated shapes, we store:

• Shape configuration (type, size, color, border thickness)
• Animation effect settings
• Creation timestamp
• Download history

3.2 Storage & Deletion

• FREE (no account): Shapes downloaded immediately, NO storage on our servers
• FREE (signed in): Last 50 creations stored, auto-deleted after 30 days
• Credits: Last 100 creations stored, kept for 90 days
• Pro / Founder's Deal: Unlimited creations stored until account deletion

You may delete your creations at any time via the "My Creations" page. Deletion is immediate and permanent.

We do NOT sell, share, or use your creations for any purpose other than providing the service to you.

4. How We Use Your Data

We use data strictly to:

• ✅ Authenticate and manage your account
• ✅ Process payments and track subscription status
• ✅ Enforce plan limits (downloads per day, credits balance)
• ✅ Store your creations for later re-download
• ✅ Send transactional emails (welcome, password reset, payment receipts)
• ✅ Improve platform performance (anonymized, aggregated analytics)
• ✅ Prevent abuse (rate limiting, security monitoring)
• ✅ Comply with legal obligations (tax records, fraud prevention)

We do NOT:

• ❌ Sell, rent, or trade personal data to third parties
• ❌ Use your data for advertising purposes
• ❌ Share your data with marketing partners
• ❌ Profile users for targeted advertising

5. Data Storage and Security

5.1 Hosting Location

• Primary hosting: Hetzner Cloud (Germany, EU)
• Data centers: ISO 27001 certified, GDPR compliant
• Data sovereignty: All user data remains within the European Economic Area (EEA)

5.2 Security Measures

• Encryption in transit: TLS 1.3 (HTTPS everywhere)
• Encryption at rest: AES-256 for sensitive data
• Password storage: We use Magic Link / OAuth (no passwords stored)
• Database security: PostgreSQL with encrypted connections
• Access control: Least-privilege principle, 2FA for admin access
• Regular backups: Daily encrypted backups, 30-day retention

6. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the right to:

• Right to Access - Request a copy of all personal data we hold about you
• Right to Rectification - Correct any inaccurate or incomplete personal data
• Right to Erasure - Request deletion of your personal data
• Right to Data Portability - Receive your data in a structured, machine-readable format
• Right to Restrict Processing - Request that we limit how we use your data
• Right to Object - Object to processing based on legitimate interest
• Right to Withdraw Consent - Withdraw consent at any time

How to Exercise Your Rights:

• Self-service: Settings → Account → Delete Account / Export Data
• Email: hello@shapeloop.io
• Response time: Within 30 days (as required by GDPR)

7. Data Retention

We retain your data only as long as necessary:

8. Third-Party Services

We integrate with the following third-party services:

8.1 Stripe (Payment Processing)

• Purpose: Process payments, manage subscriptions
• Privacy policy: https://stripe.com/privacy
• Data location: EU

8.2 Brevo (Email Delivery)

• Purpose: Send transactional and marketing emails
• Privacy policy: https://www.brevo.com/legal/privacypolicy/
• Data location: EU (France)

9. International Data Transfers

We do NOT transfer your personal data outside the European Economic Area (EEA).

All our infrastructure, hosting, and primary service providers are located within the EU:

• Hosting: Hetzner (Germany)
• Email: Brevo (France)
• CDN: Cloudflare (EU nodes)

10. Children's Privacy

ShapeLoop is not intended for users under the age of 16.

We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at hello@shapeloop.io and we will delete the data immediately.

11. Contact Us

Questions about this Privacy Policy or your personal data?

📧 Email: hello@shapeloop.io

Data Controller:
ShapeLoop OÜ
Estonia, European Union

Response time: We aim to respond within 5 business days, and will fulfill GDPR requests within 30 days.

12. Supervisory Authority

If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with a supervisory authority.

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: https://www.aki.ee
Email: info@aki.ee