Privacy Policy
Last updated: May 2026
1. Who we are
Shipmarket ("we", "us") provides the Shipmarket web application and related services (the "Service"). This policy explains how we handle personal data when you use the Service. For contractual terms, see our Terms of Service.
Data controller: the operator of Shipmarket, based in Israel, is responsible for personal data processed as described here. Primary contact for privacy inquiries and statutory requests: [email protected]. Where law requires a postal or registered business address, we will provide it on request to the same address.
2. Information we collect
- Account and profile: email address, name (if provided), password hash, and workspace details you enter (for example product name, audience, and marketing context), including strategy quiz responses and generated strategy artifacts tied to your workspace.
- Media uploads: images and media files you attach to scheduled posts, stored in Cloudflare R2 object storage.
- Usage and product analytics: we use PostHog to understand feature usage and improve the product. Where required, we rely on consent or legitimate interest as described in applicable law.
- Connected platforms: when you connect LinkedIn, Reddit, Dev.to, Instagram, or Facebook, we store tokens and identifiers needed to publish on your behalf, using encryption at rest. We do not sell your social data.
- Billing: payments are processed by Paddle (merchant of record). We receive subscription status and limited billing metadata from Paddle, not your full card number.
- Communications: transactional email (for example sign-in, billing, and security notices) via our email provider.
3. Cookies and similar technologies
We use cookies and similar technologies as needed to operate the Service (for example session and security cookies). Where we use analytics or other non-essential cookies or trackers, we do so in line with applicable law— including obtaining consent where required—and you can adjust choices through your browser or any cookie banner we present. Blocking strictly necessary cookies may prevent parts of the Service from working.
4. How we use information
We use personal data to provide and secure the Service, generate strategy and content for your workspace, process subscriptions, send service-related messages, debug and improve reliability, and comply with law. We do not use your content to train third-party public models unless we notify you and offer a clear choice where required.
5. Automated processing and AI
Shipmarket uses AI inference (via Anthropic) to generate marketing strategies and content drafts based on inputs you provide (such as quiz answers, product description, and target audience). This automated processing assists you — it does not constitute a fully automated decision with legal or similarly significant effects. You review and approve all generated strategy outputs and posts before they are published. You may at any time request human review of any AI-generated output by contacting us.
6. Legal bases (EEA, UK, Switzerland)
Where GDPR applies, we process data on the basis of contract (providing the Service you request), legitimate interests (security, product improvement, and fraud prevention, balanced against your rights), consent where we use non-essential cookies or analytics that require it, and legal obligation where applicable.
7. Subprocessors and sharing
We use vetted infrastructure and service providers to run the Service. Current subprocessors include:
- Railway — application hosting and database
- Anthropic — AI inference and content generation (your workspace inputs are processed to produce strategy and content drafts)
- Paddle — payment processing and subscription management (merchant of record)
- Resend — transactional email delivery
- PostHog — product analytics
- Sentry — error monitoring
- Cloudflare R2 — media and file storage for post attachments
Subprocessors handle data only under our instructions and under appropriate data processing agreements. We may disclose information if required by law or to protect rights and safety.
8. Retention
We retain account and workspace data while your account is active and for up to 12 months afterward to resolve disputes, enforce agreements, and meet legal requirements. Financial and billing records may be retained for up to 7 years as required by applicable law. Post history and analytics data are retained for up to 24 months from creation. You may request deletion of your account and associated data subject to these lawful retention needs by contacting us.
9. Your rights
Depending on where you live, you may have rights to access, correct, delete, or export your personal data, to object to or restrict certain processing, and to withdraw consent where processing is consent-based. To exercise any of these rights, contact us at the email below. You may also lodge a complaint with your local supervisory authority.
California residents (CCPA/CPRA): you have the right to know what personal information we collect and how it is used, the right to delete your personal information, the right to correct inaccurate personal information, the right to opt-out of the sale or sharing of personal information (we do not sell or share personal information as defined by CCPA), and the right to non-discrimination for exercising these rights. To submit a CCPA request, contact us at the email below.
10. International transfers
We may process data in the United States and other countries where we or our providers operate. The operator is located in Israel. Where GDPR applies, we use appropriate safeguards (such as Standard Contractual Clauses) when transferring personal data outside your region.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from them.
12. Data security and breach notification
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse (including encryption of OAuth tokens at rest, HTTPS enforcement, and access controls). In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and will notify affected individuals without undue delay where required by applicable law.
13. Changes
We may update this Privacy Policy from time to time. We will post the updated version on this page and adjust the "Last updated" date. Material changes will be communicated through the Service or by email where appropriate.
14. Contact
Questions or requests regarding privacy: [email protected].