01 Summary
This is the short version. The numbered sections below are the binding text.
- We don't sell your data. Ever. Not to anyone.
- Your code is never used to train any AI model. Not ours, not a vendor's.
- We work read-only. Access credentials are revoked the day the engagement ends.
- We collect the minimum. Names, work emails, the contents of your intake form, and whatever access you grant for the engagement.
- We delete on request, and we delete on a schedule even if you don't ask.
02 Who this applies to
This policy describes how ShipAfterAI, LLC ("we", "us") handles personal data of:
- Visitors to shipafterai.com
- People who fill in our intake form, request the launch checklist, or email us
- Clients during an active engagement (audit, hardening, CTO-lite, due diligence)
If you are an end user of our clients' software, this policy doesn't apply to you — your relationship is with them. We don't operate consumer-facing services.
03 What we collect
From everyone
- Standard server logs: IP address, user agent, request path, timestamp. Kept 30 days.
If you contact us or use a form
- Name and work email
- The contents of the message or intake form
- Stack and rough engagement context (so we can reply usefully)
If you become a client
- Billing details (handled by Stripe — we never see your card number)
- Read-only access credentials to the systems you grant us
- Calendar metadata for scheduled calls
We do not collect special-category data (health, biometric, political opinion, etc.). We do not run web tracking, fingerprinting, or session replay.
04 How we use it
We use what we collect for these purposes only:
- Replying to you. If you ask a question, we answer it.
- Delivering an engagement. Reading your code, writing the report, holding the walkthrough call.
- Running the business. Invoicing, accounting, taxes.
- Improving the product. Aggregated, anonymized patterns from our audits inform what we write about and which checks we add to the checklist. No client is ever identifiable.
We never use what we collect for advertising, profiling, or training AI models.
05 Your code & access credentials
Your codebase is the most sensitive thing you give us. The rules:
- NDA-first. A mutual NDA is signed before access is provisioned.
- Read-only. Wherever the platform supports it, our credentials are read-only. Where it doesn't, we ask you to scope an account that is.
- Logged. Every read of your repository, database, or hosting console is auditable on your side. We don't ask you to disable that.
- Local-only working copies. Working clones of your repository sit on encrypted disks on engagement laptops. They are wiped within 30 days of engagement close, and we'll wipe them sooner on request.
- No model training. Your code is never sent to a third-party AI service, used as fine-tuning data, or pasted into a public chatbot. If we use any AI tool internally during the engagement, it runs locally or on a contractually no-training endpoint.
06 Sharing & subprocessors
We don't share personal data with third parties for their own purposes. We do use a small set of vendors to operate the business:
- Stripe — payment processing
- Fastmail — email and calendar
- Linear & GitHub — engagement tracking and report drafting (in private, access-controlled workspaces)
- 1Password — secret storage for client-issued access credentials
- Plausible — privacy-friendly, cookieless website analytics
We will not transfer your data to any subprocessor not on this list without notice. The current list is maintained at shipafterai.com/subprocessors.
07 Storage, retention, security
- Where. Operational data is stored in EU and US regions of the vendors listed above.
- How long. Intake messages: 12 months. Engagement artifacts (reports, working notes): 24 months unless you ask us to delete sooner. Tax records: 7 years (statutory).
- Encryption. All laptops use full-disk encryption. All credentials live in 1Password vaults with hardware-key MFA. All transport is TLS.
- Breach notification. If we ever have a security incident affecting your data, we will notify you within 72 hours of confirmation, with what we know, and an action plan.
08 Your rights
If you are in the EEA, UK, California, or another jurisdiction with comparable rules, you have the right to:
- Ask what we hold about you
- Ask us to correct it
- Ask us to delete it (subject to legal retention rules — e.g., tax records)
- Ask us to export it in a portable format
- Object to a particular use
- Lodge a complaint with your supervisory authority
The fastest way to exercise any of these is to email privacy@shipafterai.com. We respond within 14 days; in practice, usually within 2.
09 Cookies & analytics
This website does not set tracking cookies. We use Plausible Analytics, which records aggregated, anonymized page-view counts without cookies and without personal identifiers. You don't need to "accept cookies" to use the site, because there is nothing to accept.
10 Changes to this policy
If we change this policy materially, we will email everyone we have an active engagement with at least 14 days before the change takes effect. The version and effective date at the top of this page will always reflect the current text. Past versions are available on request.
11 Contact
ShipAfterAI, LLC
Privacy contact: privacy@shipafterai.com
General contact: hello@shipafterai.com
Postal: 220 Bedford Avenue, Suite 4F, Brooklyn, NY 11211, USA