← Back to Shelfie

Privacy Policy

Last updated: 20 June 2026 · Version 2026-06

Shelfie ("we", "us") is operated from the United Kingdom. This policy explains how we process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have concerns, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk.

1. Data we collect

• Account data — name, email address, password hash (held by Supabase Auth; we never store plain-text passwords).
• Library content — photos, videos, binder names, page layouts, and optional text you add to albums.
• Billing data — subscription status and Stripe customer identifiers (payment card details are held by Stripe, not Shelfie).
• Sharing data — email addresses you invite to shared binders and share role/status.
• Technical data — IP address, browser user agent, and session identifiers for security and fraud prevention.
• Communications — transactional emails (account confirmation, password reset, share invites, export ready).

2. Why we use your data (lawful bases)

• Contract — to provide the Shelfie service you sign up for (storing and displaying your library, subscriptions).
• Legitimate interests — security logging, abuse prevention, and improving reliability (balanced against your rights).
• Consent — where you opt in (e.g. waitlist marketing if offered separately; Privacy Policy acceptance at signup).
• Legal obligation — tax/accounting records where applicable.

3. Retention

• Active accounts — data kept while your account is open.
• Deleted accounts— profile, albums, photos, and storage objects are permanently deleted when you use "Delete account" (typically within minutes; backups may persist for up to 30 days — see our backup runbook).
• Export files — ZIP exports expire after 24 hours.
• Security logs — rate-limit and audit logs up to 12 months.

4. Sub-processors

We use trusted providers who process data on our behalf under data processing agreements:

• Supabase — database, authentication, file storage (EU region required for production). Privacy policy
• Stripe — subscription payments. Privacy policy
• Resend — transactional email. Privacy policy
• Vercel — application hosting (if deployed there). Privacy policy

5. International transfers

We design for EU/UK hosting (Supabase EU region). If any sub-processor transfers data outside the UK, we rely on UK IDTA/SCCs or equivalent safeguards. Contact us before production launch if your Supabase project is not in an EU region.

6. Your rights

Under UK GDPR you have the right to:

• Access your data — Settings → Download my data (JSON or ZIP).
• Rectification — update your name in account settings.
• Erasure — Settings → Delete account (full deletion).
• Portability — JSON/ZIP export as above.
• Restrict or object to processing — contact us.
• Complain to the ICO — ico.org.uk/make-a-complaint

7. Contact

Data controller: Shelfie. For privacy requests, email the address listed on our website or in your account confirmation email.

Cookie Policy