Your GDPR Rights

Last updated: May 2026 · For EU/EEA residents

Under the General Data Protection Regulation (GDPR), if you are in the EU or EEA, you have specific rights regarding your personal data. This page explains those rights and how to exercise them.

Your Rights Under GDPR

Right to Access

You have the right to request a copy of all personal data we hold about you. We will provide this within 30 days of your request.

Right to Rectification

If any data we hold about you is inaccurate or incomplete, you have the right to request correction. You can update most information directly in your account settings.

Right to Erasure ("Right to be Forgotten")

You can request that we delete all personal data we hold about you. This includes your account, projects, analytics data, and any other personal information. Note: Some data may be retained for legal compliance purposes.

Right to Data Portability

You have the right to receive your data in a structured, machine-readable format (JSON) and transfer it to another service.

Right to Restrict Processing

You can request that we stop processing your data in certain circumstances, such as when you contest its accuracy.

Right to Object

You have the right to object to processing of your data for marketing purposes. You can opt out of marketing emails at any time.

Rights Related to Automated Decision-Making

ShiftStackApp does not use fully automated decision-making that produces legal or significant effects on you.

Data We Collect

  • Account information (email, name)
  • Project data (website code, prompts, settings)
  • Usage analytics (page views, feature usage)
  • Payment information (processed by Stripe — we do not store card details)
  • Communication records (support tickets, emails)

Data Retention

Data Type          Retention Period
Account data       Until account deletion + 30 days
Project files      Until deleted by user
Analytics data     24 months
Support tickets    3 years
Payment records    7 years (legal requirement)
Server logs        90 days

Third-Party Processors

We share data with the following sub-processors (all GDPR compliant):

  • Supabase (database)
  • Stripe (payments)
  • Anthropic (AI processing)
  • Resend (email)
  • DigitalOcean (hosting)
  • Cloudflare (CDN)
  • GitHub (code storage)

How to Exercise Your Rights

To exercise any of your GDPR rights, contact our Data Protection Officer:

Email: [email protected]

Subject line: GDPR Request — [Your Right]

Response time: Within 30 days

Identity verification: We may ask you to verify your identity before processing your request

Data Breach Notification

In the event of a personal data breach that risks your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority. In the UK this is the Information Commissioner's Office (ICO).