Privacy Policy
Effective: 2026-06-02
This policy explains what data ShipSet collects, why, how long we keep it, who we share it with, and how you can see, export, or delete it. ShipSet is operated by Nesora Innovations LLP, registered in India. Reach us at privacy@shipset.app for any privacy matter.
1. Who this policy applies to
This policy covers everyone who visits shipset.app, signs up for an account, takes the diagnostic quiz, joins our waitlist, or uses any feature of the ShipSet product. It applies whether you are in India (covered by the Digital Personal Data Protection Act 2023, DPDP), the European Economic Area or the United Kingdom (covered by the GDPR and UK GDPR), or anywhere else.
2. What we collect, and why
We collect only what we need to run the product. Specifically:
2.1 Account data
- Email address — used to log you in via a one-time link, send transactional emails (login, payment, certificate), and identify your account.
- Display name (optional) — only if you set one.
- Authentication metadata — login timestamps, IP at login, and the browser session token (stored as an HTTP-only cookie). We do not store passwords; login is by emailed magic link.
2.2 Product data
- Lesson progress, XP, streaks, badges — to power your dashboard, your certificate, and your portfolio export.
- Submissions you write inside lessons — your written answers, journal entries, and prototype links. These belong to you and are never shared without your consent.
- Captain (AI mentor) conversations — your messages and the AI replies, stored to give Captain memory across sessions. Conversations are sent to Anthropic (our LLM provider) over an encrypted connection; Anthropic does not use them to train their models per their API terms.
- Quiz responses — the answers you give in the diagnostic, used to personalise your recommended starting point and (if you opt in with your email) to email you your blueprint.
2.3 Payment data
- Plan and entitlement state — which plan you bought, when, and whether it is active, cancelled, or refunded.
- Provider transaction IDs — references issued by Razorpay (INR) or Lemon Squeezy (USD). We never see or store your full card number, UPI ID, CVV, or bank credentials. Those are held by the payment provider, who is independently PCI-DSS compliant.
- Billing email and country — as provided to the payment processor for tax and receipts.
2.4 Technical and analytics data
- Cookies and local storage — see Section 7 for the full list. We use one strictly necessary cookie for your login session, and (if you consent) one analytics cookie set by PostHog.
- Server logs — IP address, request path, status code, user agent, and timestamp. We use these to detect abuse, debug errors, and meet legal record-keeping duties. Logs are retained for up to 30 days unless an incident requires longer.
- Product analytics (PostHog) — only if you have consented to analytics cookies. We disable autocapture and record only the events we explicitly choose (page views, signup, lesson complete, paywall view, payment intent). We do not store your email or display name in analytics events. PostHog respects the Do Not Track browser signal.
3. Legal basis for processing
Under the GDPR / UK GDPR, we rely on the following legal bases:
- Contract (Art. 6(1)(b)) — to give you access to the product you have signed up for.
- Legitimate interest (Art. 6(1)(f)) — to keep the service secure, to fight fraud, to maintain audit trails of payments, and to send essential service emails.
- Consent (Art. 6(1)(a)) — for non-essential analytics cookies, and for marketing email beyond purely transactional content. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — to keep tax invoices, GST records, and other documentation required by Indian law.
Under India's DPDP Act 2023, we rely on consent (Sec. 6) for processing your personal data, and on the legitimate uses (Sec. 7) exception for security, fraud prevention, and compliance with law.
4. Who we share data with
We do not sell your data. We share it only with the service providers we need to run the product, each bound by a data processing agreement:
- Supabase (US) — database and authentication. Hosts your account record, lesson progress, and submissions.
- Vercel (US) — application hosting and CDN.
- Razorpay (India) — INR payments processing.
- Lemon Squeezy (US, merchant of record) — USD payments, VAT and sales tax handling. Activated post-LLP.
- Anthropic (US) — Claude API, processes Captain conversations.
- Resend (US) — transactional email delivery.
- PostHog (US / EU) — product analytics, only if you have consented.
We may also disclose data when required by law, by a court order, or to protect our rights or the safety of others.
5. International transfers
Because some of our providers (Supabase, Vercel, Anthropic, Resend) are based in the United States, your data is transferred outside India and outside the EEA. Each provider commits to Standard Contractual Clauses or equivalent safeguards as part of their processor agreement.
6. How long we keep your data
- Account, progress, submissions, Captain conversations — for as long as your account is active, plus 30 days after deletion to allow recovery of accidental deletions.
- Payment records and tax invoices — at least 8 years, as required by Indian tax law, even after you delete your account.
- Server logs — up to 30 days.
- Quiz responses with no associated account — 12 months.
- Waitlist emails — until you unsubscribe.
7. Cookies and similar technologies
We use the minimum cookies we need to run the site. You will see a consent banner on your first visit; you can change your choices any time at the "Cookie settings" link in the footer.
- Strictly necessary (always on) — Supabase auth cookies (sb-*), CSRF tokens, and a consent state cookie (shipset_consent) that remembers your choice for one year.
- Analytics (consent required) — PostHog (ph_*) for product analytics. Off by default. We disable autocapture and respect Do Not Track.
We do not run advertising cookies, retargeting pixels, or social media trackers.
8. Your rights
You have the right, free of charge, to:
- Access the data we hold about you. Use Account → Export my data on /app/you, or email us. We respond within 30 days.
- Correct inaccurate data, directly in the product or by emailing us.
- Delete your account and the personal data attached to it. Use Account → Delete account on /app/you. Tax and payment records are retained as required by Section 6.
- Withdraw consent to analytics or marketing email at any time.
- Port your data — the export is a machine-readable JSON file.
- Object to processing based on legitimate interest.
- Lodge a complaint with your local supervisory authority. EEA users can contact their national data protection authority; UK users can contact the ICO; Indian users can contact the Data Protection Board of India once it is operational.
9. Security
We encrypt all data in transit (TLS 1.2+) and at rest (AES-256 on Supabase and Vercel). Row-level security policies in the database enforce that users can only see their own data. Webhooks are verified with HMAC-SHA256 signatures. We keep a security audit log of high-risk events (login, payment, refund, deletion) and we publish a security contact at /.well-known/security.txt.
If we discover a personal data breach that is likely to result in risk to you, we will notify you and the relevant authorities without undue delay, in line with GDPR Art. 33-34 and DPDP Sec. 8(6).
10. Children
ShipSet is not directed at children under 18 and we do not knowingly collect data from anyone under that age. If you believe a child has provided us data, email privacy@shipset.app and we will delete it.
11. AI features and Captain
Captain is an AI mentor powered by Anthropic Claude. Your messages to Captain are sent to Anthropic over an encrypted connection so the model can respond. Per the Anthropic commercial API terms, these messages are not used to train Anthropic models. We store your conversation history in your account so Captain has memory across sessions; you can wipe it any time by deleting your account.
12. Changes to this policy
We will publish material changes here with a new effective date and, where required, notify you by email or in-product banner before the change takes effect. The current version is always at shipset.app/privacy.
13. Contact us
Nesora Innovations LLP — operator of ShipSet.
Privacy email: privacy@shipset.app
General support: hello@shipset.app