ShelfBase

Rechtliches

Datenschutzerklärung

Version: pre-launch · Zuletzt aktualisiert 2026-05-12

This policy explains what personal data ShelfBase processes and why. ShelfBase is the data controller. Contact us at [email protected]for any privacy request.

1. Data we collect

  • Account data: email, hashed password, locale, country, optional VAT ID, plan, timestamps for verification and last login.
  • API usage: request counts per API key and per month, last-used timestamp. We do not log request bodies or query strings in identifiable form.
  • Billing: if you subscribe, our payment provider (PayPal) processes card or bank details; we receive only a subscription identifier and status.
  • Operational logs: short-retention server logs containing IP address and request metadata, kept to operate and secure the service.

2. Why we process it

  • To provide and maintain the API (legal basis: contract).
  • To bill customers and meet tax obligations (contract; legal obligation).
  • To detect abuse and protect the service (legitimate interest).
  • To send essential transactional emails (contract).

We do not sell personal data. We do not run advertising or behavioural profiling.

3. Cookies

We use a single first-party session cookie (sb_session) to keep you signed in. It is HttpOnly, SameSite=Lax, and expires after 7 days. No third-party analytics or advertising cookies are set.

4. Retention

  • Account data: while the account is active, plus 12 months after deletion.
  • API usage counters: rolling per-month window.
  • Invoices: 7 years (Dutch fiscal requirement).
  • Operational logs: 30 days.

5. Sub-processors

We use a small number of providers to operate the service: a hosting provider in the EU, a transactional email provider, and PayPal for subscription billing. Each processes data only as instructed and under a data-processing agreement.

6. Your rights

Under GDPR you may request access, correction, deletion, restriction, portability, or objection. Email [email protected] and we will respond within 30 days. You may also lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens).

7. Security

Passwords are stored with bcrypt. API keys are stored as SHA-256 hashes only; the raw key is shown to you once at creation and is never retrievable afterwards. Traffic is encrypted in transit via TLS.

8. Changes

We will announce material changes by email and in the dashboard at least 14 days in advance.

This document is a pre-launch draft and will be finalized before public launch.