Privacy Policy
How we collect, use, and protect your personal data
1. Who We Are
ShapeLoop ("we," "our," or "us") is a web-based platform that enables users to create, customize, and download animated shape overlays for video editing.
We are committed to protecting your privacy and ensuring transparency in how we collect, use, and store your personal data.
Data Controller:
ShapeLoop OÜ
Registry Code: 17394931
Address: Sepapaja tn 6, 15551 Tallinn, Estonia
Email: hello@shapeloop.io
2. Information We Collect
We collect only the data necessary to provide and improve our services.
2.1 Account Information
- Email address (for authentication and communication)
- Name (if provided via Google OAuth)
- Authentication credentials (Magic Link tokens or OAuth tokens)
2.2 Usage Data
- Downloads count (to enforce plan limits)
- Plan type (Free, Credits, Pro, Founder's Deal)
- Credits balance (for pay-as-you-go users)
- Creation history (shape settings, effect types, timestamps)
2.3 Payment Data
- LemonSqueezy Customer ID (links your account to payment provider)
- Transaction IDs (for billing records)
- Subscription status (active, cancelled, expired)
Important: We do NOT store credit card numbers, CVV codes, or full payment details. All payment processing is handled by LemonSqueezy (Merchant of Record), which uses Stripe for payment processing (PCI DSS Level 1 certified).
2.4 Technical Data
- IP address (for rate limiting and security)
- Browser type and version (for compatibility)
- Device information (desktop/mobile, screen resolution)
2.5 Cookies
We use essential cookies only:
- Session cookies (for authentication, expires on browser close)
- Persistent login cookies (httpOnly, secure, sameSite=strict, 30-day expiry)
We do NOT use:
- Google Analytics
- Facebook Pixel
- Marketing/tracking cookies
- Third-party advertising cookies
3. User-Created Content
3.1 Shape Creations
When you create animated shapes, we store:
- Shape configuration (type, size, color, border thickness)
- Animation effect settings
- Creation timestamp
- Download history
3.2 Storage & Deletion
| Plan | Storage Policy |
|---|---|
| FREE (no account) | Shapes downloaded immediately, NO storage on our servers |
| FREE (signed in) | Last 50 creations stored, auto-deleted after 30 days |
| Credits | Last 100 creations stored, kept for 90 days |
| Pro / Founder's Deal | Unlimited creations stored until account deletion |
You may delete your creations at any time via the "My Creations" page. Deletion is immediate and permanent.
We do NOT sell, share, or use your creations for any purpose other than providing the service to you.
4. How We Use Your Data
We use data strictly to:
- Authenticate and manage your account
- Process payments and track subscription status
- Enforce plan limits (downloads per day, credits balance)
- Store your creations for later re-download
- Send transactional emails (welcome, password reset, payment receipts)
- Improve platform performance (anonymized, aggregated analytics)
- Prevent abuse (rate limiting, security monitoring)
- Comply with legal obligations (tax records, fraud prevention)
We do NOT:
- Sell, rent, or trade personal data to third parties
- Use your data for advertising purposes
- Share your data with marketing partners
- Profile users for targeted advertising
5. Legal Basis for Processing (GDPR)
We process your data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account creation & authentication | Performance of contract |
| Payment processing | Performance of contract |
| Storing your creations | Performance of contract |
| Transactional emails | Performance of contract |
| Security & abuse prevention | Legitimate interest |
| Legal compliance (tax, fraud) | Legal obligation |
| Service improvement (anonymized) | Legitimate interest |
| Marketing emails (if opted in) | Consent |
6. Data Storage and Security
6.1 Hosting Location
- Primary hosting: Hetzner Cloud (Germany, EU)
- Data centers: ISO 27001 certified, GDPR compliant
- Data sovereignty: All user data remains within the European Economic Area (EEA)
6.2 Security Measures
- Encryption in transit: TLS 1.3 (HTTPS everywhere)
- Encryption at rest: AES-256 for sensitive data
- Password storage: We use Magic Link / OAuth (no passwords stored)
- Database security: PostgreSQL with encrypted connections
- Access control: Least-privilege principle, 2FA for admin access
- Regular backups: Daily encrypted backups, 30-day retention
- Security updates: Regular patching and vulnerability scanning
6.3 Third-Party Security
All third-party services we use are GDPR compliant and EU-based where possible:
- LemonSqueezy (payments) - Merchant of Record, handles tax compliance
- Brevo (email) - EU-based, GDPR compliant
- Hetzner (hosting) - German company, EU data centers
- Cloudflare (CDN) - EU nodes available, GDPR compliant
7. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the right to:
7.1 Right to Access
Request a copy of all personal data we hold about you.
7.2 Right to Rectification
Correct any inaccurate or incomplete personal data.
7.3 Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data. This includes:
- Account deletion
- All stored creations
- Payment history (except legally required records)
- Email from our mailing lists
7.4 Right to Data Portability
Receive your data in a structured, machine-readable format (JSON export).
7.5 Right to Restrict Processing
Request that we limit how we use your data.
7.6 Right to Object
Object to processing based on legitimate interest.
7.7 Right to Withdraw Consent
Withdraw consent at any time (e.g., unsubscribe from marketing emails).
How to Exercise Your Rights:
- Self-service: Settings → Account → Delete Account / Export Data
- Email: hello@shapeloop.io
- Response time: Within 30 days (as required by GDPR)
8. Data Retention
We retain your data only as long as necessary:
| Data Type | Retention Period |
|---|---|
| Account data (active) | Until account deletion |
| Account data (deleted) | Purged within 30 days |
| Creations (FREE signed in) | 30 days, then auto-deleted |
| Creations (Credits) | 90 days, then auto-deleted |
| Creations (Pro/Founder's) | Until account deletion |
| Payment records | 7 years (legal requirement) |
| Security logs | 90 days |
| Support tickets | 2 years after resolution |
After account deletion:
- Personal data: Deleted within 30 days
- Anonymized usage statistics: May be retained indefinitely
- Legal/tax records: Retained as required by law (up to 7 years)
9. Third-Party Services
We integrate with the following third-party services:
9.1 LemonSqueezy (Payment Processing)
- Purpose: Process payments, manage subscriptions, handle tax compliance
- Data shared: Email, payment method (handled by LemonSqueezy), transaction amount
- Privacy policy: lemonsqueezy.com/privacy
- Note: LemonSqueezy acts as Merchant of Record and handles VAT/tax collection
9.2 Brevo (Email Delivery)
- Purpose: Send transactional and marketing emails
- Data shared: Email address, name (if provided)
- Privacy policy: brevo.com/legal/privacypolicy
- Data location: EU (France)
9.3 Google OAuth (Optional Login)
- Purpose: Alternative authentication method
- Data received: Email, name, profile picture
- Privacy policy: policies.google.com/privacy
- Note: We only request minimal scopes (email, profile)
9.4 Cloudflare (CDN & Security)
- Purpose: Content delivery, DDoS protection
- Data processed: IP address, request headers
- Privacy policy: cloudflare.com/privacypolicy
- Data location: EU nodes used for EU visitors
10. International Data Transfers
We do NOT transfer your personal data outside the European Economic Area (EEA).
All our infrastructure, hosting, and primary service providers are located within the EU:
- Hosting: Hetzner (Germany)
- Email: Brevo (France)
- CDN: Cloudflare (EU nodes)
Exception: If you use Google OAuth, Google may process authentication data in the US under their Standard Contractual Clauses (SCCs) and additional safeguards.
11. Children's Privacy
ShapeLoop is not intended for users under the age of 16.
We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at hello@shapeloop.io and we will delete the data immediately.
For users aged 16-18, parental consent may be required depending on local laws.
12. Cookies Policy
12.1 What Cookies We Use
| Cookie Name | Purpose | Type | Expiry |
|---|---|---|---|
session_token | Authentication | Essential | Session |
auth_token | Persistent login | Essential | 30 days |
csrf_token | Security (CSRF protection) | Essential | Session |
12.2 What We Don't Use
- Analytics cookies (Google Analytics, Mixpanel)
- Marketing cookies (Facebook Pixel, Google Ads)
- Third-party tracking cookies
- Social media cookies
12.3 Managing Cookies
Since we only use essential cookies required for the service to function, there is no cookie consent banner needed. These cookies cannot be disabled while using ShapeLoop.
If you wish to block all cookies, you may do so in your browser settings, but this will prevent you from logging in.
13. Data Breach Notification
In the unlikely event of a data breach that affects your personal data:
- Detection: We will investigate and assess the breach within 24 hours
- Authority notification: We will notify the relevant supervisory authority within 72 hours (as required by GDPR)
- User notification: If the breach poses a high risk to your rights, we will notify you via email within 72 hours
- Mitigation: We will take immediate steps to contain and remediate the breach
14. Changes to This Policy
We may update this Privacy Policy to reflect:
- Changes to our services
- New legal requirements
- Improvements to our practices
How we notify you:
- Minor changes: Updated "Last updated" date at the top
- Major changes: Email notification at least 30 days before changes take effect
Continued use of ShapeLoop after changes constitutes acceptance of the updated policy.
15. Contact Us
Questions about this Privacy Policy or your personal data?
Email: hello@shapeloop.io
Data Controller:
ShapeLoop OÜ
Sepapaja tn 6, 15551 Tallinn
Estonia, European Union
Response time: We aim to respond within 5 business days, and will fulfill GDPR requests within 30 days.
16. Supervisory Authority
If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with a supervisory authority.
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: www.aki.ee
Email: info@aki.ee
You may also contact the supervisory authority in your country of residence.
Document Version: 2.0 | Effective Date: December 2025
This Privacy Policy is governed by the laws of the Republic of Estonia and the European Union (GDPR).