Privacy Policy

1. Information We Collect

We collect the following information when you use ShellCraft:

Account Information:

• Email address (required for account creation and authentication)
• Google profile information (if you sign in with Google)

Usage Data:

• AI credit consumption and API usage metrics
• Shell creation, visit counts, and interaction data
• Activity logs (shell creation, data saves, bot interactions)

Technical Data:

• IP address hashes (for shell visit analytics — we store hashes, not raw IPs)
• User agent strings (browser identification)
• Session tokens (for authentication)

Telegram Data:

• Telegram user ID (when you connect your Telegram account)

Optional Data:

• API keys you provide (Anthropic, OpenAI, OpenRouter) — encrypted at rest with AES-256-GCM

2. How We Use Your Information

• To provide and operate the Service (shell creation, hosting, sharing)
• To authenticate your identity and maintain your session
• To process payments and manage your subscription
• To track credit usage and enforce plan limits
• To send transactional emails (magic links, account notifications)
• To display shell analytics (visit counts, visitor data)

3. Third-Party Services

We share data with the following third-party services as necessary to operate:

• Anthropic / OpenAI / OpenRouter — AI model providers. Your messages to your claw are sent to these providers for processing. If you use your own API key, requests are made on your behalf
• MercadoPago — Payment processing for ARS subscriptions and credit purchases (Argentina)
• Paddle — Payment processing for USD subscriptions and credit purchases (international)
• Resend — Email delivery for magic links and notifications
• Telegram Bot API — To facilitate claw interactions via Telegram
• Google OAuth — For Google sign-in authentication

4. Data Storage and Security

• Your data is stored in a SQLite database on our servers
• API keys are encrypted at rest using AES-256-GCM encryption
• Session tokens are generated using cryptographically secure random bytes
• Magic links expire after 15 minutes
• Sessions expire after 30 days
• IP addresses are stored as hashes, not in plain text

5. Cookies

We use the following cookies:

• shellcraft_session — Authentication session token (HTTP-only, 30-day expiry)
• shellcraft_lang — Language preference (1-year expiry)

We do not use third-party tracking cookies or advertising cookies.

6. Your Rights

You have the right to:

• Access your personal data through your dashboard and settings
• Delete your API keys at any time through settings
• Disconnect your Telegram account at any time
• Cancel your subscription and downgrade to the free plan
• Request deletion of your account and associated data by contacting us

7. Data Retention

• Account data is retained as long as your account is active
• Published shells remain accessible until you delete them or your account
• Expired session tokens and magic links are automatically cleaned up
• Activity logs are retained for analytics and support purposes

8. Children's Privacy

ShellCraft is not intended for users under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email.

10. Contact

For privacy-related inquiries, contact us at alejo@quasar.ar.