Legal
ShipStacked · Last updated: 5 April 2026
ShipStacked is operated by ShipStacked, Ronda de Sant Pere 52, 08010 Barcelona, Spain.
For any privacy-related questions or requests, contact us at privacy@shipstacked.com.
When you create an account:
When you build your profile (builders):
When you build your profile (employers):
When you use the platform:
When you connect GitHub:
When you pay (employers):
Payment is processed entirely by Stripe. We receive confirmation of payment and your subscription status. We do not store card numbers or payment details.
When you use the Builder API:
We use this data to operate and improve the platform. We do not sell it.
| Purpose | Legal basis |
|---|---|
| Providing the platform — creating your account, showing your profile, enabling messaging | Performance of a contract |
| Processing payments and managing subscriptions | Performance of a contract |
| Sending transactional emails (welcome, verification, message notifications) | Performance of a contract |
| Auto-verification of builder profiles | Performance of a contract |
| Calculating Velocity Scores | Performance of a contract |
| Displaying your public profile to employers and visitors | Legitimate interests |
| Improving the platform through usage analytics | Legitimate interests |
| Complying with legal obligations | Legal obligation |
We do not use your data for advertising. We do not sell your data to third parties. ShipStacked is ad-free.
We share data only with the service providers necessary to operate the platform:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and file storage | EU (AWS eu-west-1) |
| Vercel | Hosting and edge functions | Global CDN |
| Stripe | Payment processing | USA (EU Standard Contractual Clauses apply) |
| Resend | Transactional email delivery | USA (EU Standard Contractual Clauses apply) |
| GitHub | OAuth authentication and commit data | USA (EU Standard Contractual Clauses apply) |
We do not share your personal data with any other third parties unless required by law.
Public profile data: Builder profiles marked as published are publicly accessible and may be indexed by search engines. This includes your name, role, bio, location, skills, projects, and Build Feed posts. You control this — set your profile to unpublished at any time from your dashboard.
Employer access: Paid employers can view your published profile and message you directly. They cannot export or bulk-download your data.
| Data type | Retention period |
|---|---|
| Active account data | Retained for as long as your account is active |
| Deleted account data | 30 days after deletion, then permanently deleted |
| Payment records | 7 years (required by EU tax law) |
| Messages | Deleted with your account (30-day retention applies) |
| API key hashes | Deleted immediately on revocation |
When you delete your account, your public profile is removed immediately. All other data is permanently deleted after 30 days. Payment records are retained for 7 years as required by law — this data is held by Stripe.
If you are located in the European Economic Area (EEA), you have the following rights:
Right of access: You can request a copy of all personal data we hold about you.
Right to rectification: You can correct inaccurate data from your dashboard at any time, or by contacting us.
Right to erasure: You can delete your account at any time. We will permanently delete your data within 30 days, except where required by law.
Right to restriction: You can ask us to restrict processing of your data while a dispute is resolved.
Right to data portability: You can request your data in a machine-readable format.
Right to object: You can object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, email privacy@shipstacked.com. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at aepd.es.
ShipStacked uses strictly necessary cookies only:
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics. Because we only use strictly necessary cookies, we do not require a cookie consent banner under GDPR.
We take reasonable technical and organisational measures to protect your data:
No system is completely secure. If you become aware of a security issue, please contact privacy@shipstacked.com.
ShipStacked is based in Spain (EU). Some of our service providers process data outside the EEA. Where this occurs, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses. See Section 4 for details of our providers.
ShipStacked is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact privacy@shipstacked.com and we will delete the account.
We may update this policy from time to time. We will notify registered users of material changes by email. The date at the top of this document reflects when it was last updated.
See also: Terms of Service