Privacy Policy
Effective: 2026-05-25 · Last revised: 2026-05-25
ShipPulse ("we", "us") is a feedback, roadmap, changelog and testimonials platform for indie B2B SaaS teams. This policy explains what data we collect when you use our website and product, how we use it, and the rights you have over it. It applies to shippulse.app, custom domains pointed at our service, and the widget embeds you mount on your own site.
1. Information We Collect
Account data. When you sign up we store your email, a hashed password (or OAuth identifier), your display name, and your organization name. Billing data (last four digits of the card, billing address, VAT ID if provided) is handled by Lemon Squeezy and surfaced to us only as charge metadata.
Product data. Feedback submissions, votes, roadmap items, changelog entries, and testimonials you create or that your end-users submit through your widgets. Submitter email addresses are stored against feedback items so the proof loop can reach them.
Usage data. Standard server logs (IP address, user agent, requested URL, timestamp). Product analytics events via PostHog if you have not opted out (see Cookies & Tracking).
2. How We Use It
To operate the product (render your dashboard, ship the widget, process payments, deliver proof-loop emails); to communicate with you about service updates and billing; to investigate abuse and enforce our Terms; and to improve the product based on aggregate usage patterns. We do not sell your data, ever. We do not share it with third parties except the sub-processors listed below, and only to the extent each one needs to perform its function.
3. Cookies & Tracking
We set a session cookie when you log in (HttpOnly, SameSite=Lax) and a remember-me cookie if you opt in. We use PostHog for product analytics; PostHog sets its own cookies and respects Do Not Track. You can opt out of PostHog under Settings → Privacy in your dashboard, which sets a local flag and stops all PostHog calls from your browser. We do not use third-party advertising cookies.
4. Data Retention
Active accounts: data retained for the life of the account. Cancelled accounts: data retained read-only for 90 days, then deleted. Server logs: 30 days. Backups: 30 days rolling. Billing records: retained for the tax-mandated period in the relevant jurisdiction (typically seven years). Feedback items, votes, testimonials, and changelog entries that you have published publicly remain visible on your public roadmap until you remove them; deleting your account also removes them.
5. Your Rights
Under GDPR (EU/UK), CCPA/CPRA (California) and equivalent regimes you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to processing or withdraw consent. To exercise any of these, email [email protected] and we will respond within 30 days. Account-holders can export and delete most data self-service from the dashboard.
California residents: we do not sell personal information, and we do not share it for cross-context behavioral advertising. The categories of personal information we collect are summarized above in "Information We Collect"; the purposes for collection are summarized in "How We Use It". You may request access, deletion, or correction; we will not discriminate against you for exercising these rights. If you have a legal representative making a request on your behalf, we may ask for proof of authorization before acting.
EU/UK residents: in addition to the rights above, you have the right to lodge a complaint with your local data-protection supervisory authority. The legal bases on which we process your personal data are: contract (account, billing, service delivery), legitimate interests (security, product improvement, fraud prevention), legal obligation (tax records, lawful requests), and consent (where required, for analytics and marketing emails).
6. Sub-processors
We use the following sub-processors. Each is bound by a data- processing agreement consistent with this policy.
- Supabase — Primary database + auth (EU (Frankfurt))
- Resend — Transactional + proof-loop emails (US)
- Lemon Squeezy — Payment processing (merchant of record) (US)
- PostHog — Product analytics (optional opt-out) (EU (Frankfurt))
- Cloudflare — CDN, DDoS protection, custom-domain TLS (Global)
7. International Transfers
Primary data storage is in the EU (Frankfurt). Some sub-processors (Resend, Lemon Squeezy) are US-based; transfers rely on Standard Contractual Clauses and applicable adequacy decisions. A copy of the SCCs is available on request.
8. Contact
Questions, complaints, or requests: [email protected]. You also have the right to lodge a complaint with your local data- protection supervisory authority.