Privacy Policy

1. Information We Collect

Information you provide directly

• Account information: name, email address, and password (stored as a bcrypt hash; we never store your plaintext password)
• App specifications: the descriptions and requirements you provide through our chat intake process
• Chat messages: the conversation history between you and our AI intake system
• Payment information: processed and stored by Stripe; we do not store your full credit card number, only a Stripe customer ID and payment references

Information collected automatically

• Usage logs: build status, timestamps, and technical metadata about your app builds
• Session data: we use session cookies to keep you logged in (see Cookies section below)

Information we do not collect

• We do not use tracking cookies, analytics pixels, or third-party advertising trackers
• We do not collect location data, device fingerprints, or browsing history beyond our own site

2. How We Use Your Information

• To provide the Service: processing your app specifications, building your applications, and deploying them
• To communicate with you: sending build status notifications, account-related emails, and responding to support requests
• To process payments: facilitating transactions through Stripe
• To improve the Service: using anonymized, aggregated data to understand usage patterns and improve our platform
• To protect the Service: detecting and preventing fraud, abuse, and security threats

3. Third-Party Services

We share information with the following third-party services as necessary to operate the platform. Each service processes data according to its own privacy policy:

• Stripe (payments): processes your payment information. Stripe Privacy Policy
• Railway (hosting): hosts your generated applications. Railway Privacy Policy
• Resend (email): delivers transactional emails (build notifications, password resets). Resend Privacy Policy
• Anthropic (AI): processes your app descriptions to generate specifications and code. Your chat messages and app specifications are sent to Anthropic's Claude API for processing. Anthropic Privacy Policy

We do not sell, rent, or trade your personal information to any third party, for advertising or any other purpose.

4. Cookies

We use only essential session cookies to maintain your login state. These cookies are:

• HTTP-only (not accessible to JavaScript)
• Secure (transmitted only over HTTPS in production)
• SameSite: Lax (provides CSRF protection)
• Expire after 30 days of inactivity

We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

5. Data Security

We take reasonable measures to protect your information, including:

• Passwords are hashed with bcrypt before storage
• All data transmitted over HTTPS with HSTS enabled
• CSRF protection on all state-changing operations
• Parameterized database queries to prevent SQL injection
• Security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection)
• Session data stored server-side in PostgreSQL

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

• Active accounts: your account data, app specifications, and chat history are retained for as long as your account is active
• Account deletion: upon request, we will delete your personal data within 30 days. This includes your account information, app specifications, and chat history
• Hosted applications: if you request account deletion, we will take down any hosted applications within 30 days and delete associated deployment data
• Anonymized data: aggregated, anonymized data that cannot identify you may be retained indefinitely for service improvement
• Legal obligations: we may retain certain data as required by law (such as payment records for tax purposes)

7. Your Rights

You have the right to:

• Access your data: request a copy of the personal information we hold about you
• Correct your data: request correction of any inaccurate information
• Delete your data: request deletion of your account and personal information
• Unsubscribe from emails: opt out of non-essential emails using the unsubscribe link in any email we send

To exercise any of these rights, contact us at support@craftandship.io. We will respond to requests within 30 days.

8. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know: you may request details about the categories and specific pieces of personal information we have collected about you
• Right to delete: you may request deletion of your personal information, subject to certain exceptions
• Right to opt out of sale: we do not sell personal information, so this right does not apply
• Non-discrimination: we will not discriminate against you for exercising your CCPA rights

To make a CCPA request, email us at support@craftandship.io with "CCPA Request" in the subject line.

9. Children's Privacy

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at support@craftandship.io.

10. International Users

The Service is operated from the United States. If you are accessing the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days advance notice via email. The "Effective Date" at the top of this page indicates when the policy was last updated.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

CraftAndShip
Email: support@craftandship.io
Texas, USA