Stub — counsel review pending

Privacy Policy

What we collect, why we collect it, how long we keep it, and the rights you have over your data.

Authoritative source: legal/privacy-policy.md in the platform repository. Each section flagged [REVIEW] in the source awaits external counsel input before going live.

What we collect

  • Account data: email, display name, avatar, OAuth provider account id
  • Org data: org name, slug, region, members, roles
  • Resource data: projects, sites, deployments, builds
  • Billing data: billing address; payment methods are Stripe-managed (we store only brand + last4)
  • Usage data: per-metric usage_events (deploy counts, AI credits, build minutes)
  • Audit log: every state-changing action
  • Diagnostic data: request logs (PII redacted via the Pino redactor) + Sentry error reports
  • Visitor analytics (on customer sites that embed the Showly pixel): pageviews + daily-salted visitor hash, no cookies, no PII

Why we collect it

To operate Showly itself (sign-in, deploys, billing), to keep the platform secure (audit + anomaly detection), and to be honest about how it's used (aggregated product analytics). We don't sell personal data, we don't run ad networks, and we don't fingerprint users.

How long we keep it

  • audit_events: 5 years (EU recordkeeping requirement)
  • metrics_events: 2 years
  • form_submissions: 90 days
  • suspended orgs: 30 days, then archived
  • analytics (site-level): per plan tier (Free 30d, Pro 12mo, Team unlimited, Enterprise custom)

Your rights

EU residents: GDPR Articles 15 (access), 16 (rectification), 17 (erasure), 18 (restriction), 20 (portability), 21 (objection), 22 (no solely-automated decisions on legal effects). The privacy center exposes one-click flows for access (export) and erasure (deletion). For rectification, restriction, or objection, email privacy@showly.ai and we will respond within 30 days as required.

California residents: CCPA / CPRA — same access + deletion mechanism. We do not sell or share personal information.

Sub-processors

The list of vendors we use to process personal data lives in legal/sub-processors.md. Notifications of changes go out via this page + email to DPA-signing customers at least 30 days before a new sub-processor comes online.

Cookie preferences

Essential cookies (session, CSRF, language) are always set. Everything else — analytics, marketing, preference cookies — is opt-in. Your current choice is logged against an anonymous id and replayable for GDPR audits (cookie_consents table preserves every transition).

This page summarises the current draft. The repository holds the full structural document — see the legal/privacy-policy.md referenced above. Substantive language is intentionally conservative until counsel review concludes.