Privacy Policy
Last updated:
1. Data Controller
The data controller responsible for processing your personal data in connection with the Shenvy service is:
- Name:
- [PENDING — Full Legal Name]
- NIF/DNI:
- [PENDING — NIF/DNI]
- Address:
- [PENDING — Address, City, Spain]
- Contact:
- shenvy.dev@gmail.com
2. What Data We Collect
We collect only the data that is strictly necessary to deliver the Shenvy service.
2.1 Account Data (Firebase Authentication)
When you create an account, Firebase Authentication collects and stores your email address, a unique user identifier (UID), your chosen display name, and optionally a profile avatar URL.
2.2 Subscription Data (Firestore)
We store your current subscription plan (Free, Starter, or Team), subscription status, and Paddle customer and subscription identifiers. We do not store payment card details.
2.3 Team and Collaboration Data (Firestore)
If you use team features, we store team names, the email addresses of team members, and email addresses used in team invitations.
2.4 Technical Data — Zero-Knowledge Model (Firestore)
Shenvy stores metadata about your environment files and secrets (such as file names and entry counts) and hashes of API keys. Shenvy does not store or have access to the plaintext content of any secret or environment variable.
2.5 Browser Identity Data (Your Device Only)
Your browser generates and stores a cryptographic keypair in localStorage under the key shenvy_identity. Shenvy never receives your private key.
2.6 User Interface Preferences (Your Device Only)
We store UI preferences in localStorage under keys prefixed with sidebar_. This data never leaves your device.
2.7 Error Monitoring Data (Sentry)
We use Sentry for error monitoring. Sentry is configured with send_default_pii=False, excluding personally identifiable information from error reports.
2.8 Analytics Data (Firebase Analytics — Consent Required)
With your explicit consent (via the cookie banner on first visit), we use Firebase Analytics to collect session usage statistics and feature usage events. Firebase Analytics is not initialised unless you have granted consent.
3. Legal Basis for Processing
| Processing Purpose | Legal Basis |
|---|---|
| Authentication and account management | Art. 6(1)(b) — Performance of a contract |
| Service delivery (secrets storage, team features) | Art. 6(1)(b) — Performance of a contract |
| Error monitoring (Sentry) | Art. 6(1)(f) — Legitimate interest |
| Team invitations (Resend transactional email) | Art. 6(1)(b) — Performance of a contract |
| Analytics (Firebase Analytics) | Art. 6(1)(a) — Consent |
| Payments (processed by Paddle as independent controller) | Art. 6(1)(b) — Performance of a contract |
4. Third-Party Services
Google / Firebase — Data Processor
We use Google Firebase for authentication, database storage, and optional analytics. Data may be transferred to the United States under Standard Contractual Clauses (SCCs). See the Google Cloud DPA.
Sentry — Data Processor
We use Sentry for backend error monitoring. PII capture is disabled. See the Sentry DPA.
Resend — Data Processor
We use Resend to send transactional emails. See the Resend Privacy Policy.
Paddle — Independent Data Controller
Payments for Shenvy subscriptions are processed by Paddle acting as Merchant of Record (MOR). Paddle is an independent data controller. Shenvy does not receive or store your payment card details. See Paddle's Privacy Policy.
5. Zero-Knowledge Encryption Model
Shenvy is built on a zero-knowledge architecture. Encryption happens entirely within your browser before any data is transmitted to our servers. Shenvy has no technical capability to read, access, or disclose the plaintext content of any secret or environment variable you store.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (active accounts) | Duration of account lifetime |
| Account data (inactive accounts) | 2 years from last login, then permanently deleted |
| Sentry error logs | 90 days |
| Resend email delivery logs | 30 days |
| Firebase Analytics data | Governed by Google Analytics retention settings |
| Data following a deletion request | Deleted within 30 days of confirmed request |
7. International Data Transfers
Some of our third-party service providers operate outside the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place via Standard Contractual Clauses (SCCs) or adequacy decisions.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. Contact us at shenvy.dev@gmail.com for requests.
| Right | How to Exercise |
|---|---|
| Right of access (Art. 15) | Email shenvy.dev@gmail.com to request a copy of your data |
| Right to rectification (Art. 16) | Update your profile in webapp account settings, or email us |
| Right to erasure (Art. 17) | Self-serve: Settings → Account → Delete Account in the webapp. |
| Right to portability (Art. 20) | Email shenvy.dev@gmail.com to request a machine-readable export |
| Right to withdraw consent | Clear shenvy_cookie_consent from localStorage. See our Cookie Policy. |
| Right to lodge a complaint | Contact the Spanish Data Protection Authority (AEPD) at www.aepd.es |
9. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email before the changes take effect.
10. Contact
For any privacy-related queries, contact us at: shenvy.dev@gmail.com