shutap
roomshalls

privacy policy

pseudonymous by design. your content is scrubbed of identifiers before it’s stored.

Effective July 1, 2026. Controller: Shutap. Contact: privacy@shutap.com. The short version: shutap is pseudonymous by design, an automatic Scrubber removes personal identifiers before anything is stored, we keep only the scrubbed version, we do not sell your personal information, and you can access, export, or delete your data at any time.

our approach

Shutap is built to be pseudonymous and privacy-protective. You write under a pseudonym, and our Scrubber automatically removes personal identifiers (names, addresses, specific locations, phone numbers, emails) before storage — we keep only the scrubbed version.

what we collect

  • Account: a pseudonym, your email (sign-in and check-ins), timezone, notification preferences, consent records.
  • Content: your stories, spills, scans, and check-in responses — stored only in scrubbed form.
  • Usage: product analytics via PostHog, tied to a pseudonymous ID.
  • Device/technical: standard log and device data.

how we use it

To run the community and companion; deliver check-ins; provide the Mirror (your patterns over time, for subscribers); produce aggregated, de-identified insights; keep the service safe; and comply with law. We do not sell your personal information.

ai processing

Your messages are processed by Google's Gemini models via the Lovable AI Gateway to generate companion responses, Mirror readings, and safety checks. Under the gateway's commercial terms, your content is not used to train the underlying models. AI processing happens only to provide these features to you.

subprocessors

  • Lovable / Supabase — database, auth, storage, and hosting.
  • Lovable AI Gateway (Google Gemini) — AI responses for the companion and Mirror.
  • Resend — email delivery for sign-in and check-ins.
  • PostHog — pseudonymous product analytics.

Each processes data only to provide their service to shutap.

legal & safety disclosure

We may disclose information where required by law or to prevent imminent harm. Crisis-flagged content is kept private, excluded from public display and our aggregated corpus, and is never sold or monetized.

retention

We keep your data while your account is active and as needed for the purposes above; you can delete your content or account at any time.

security

We use reasonable technical and organizational measures to protect your data. No system is perfectly secure. In a breach affecting your personal data, we will notify you and the authorities as required by law.

your rights

Depending on where you live (including under GDPR and California's CCPA/CPRA), you may have the right to access, correct, delete, export, object to, or restrict processing, and to withdraw consent. Delete your stories and account, or request an export, from Account & Data settings or via privacy@shutap.com. We do not sell personal information. We will not discriminate against you for exercising these rights. We honor verified requests within 30 days.

children

Shutap is for adults 18+. We do not knowingly collect data from anyone under 18; if we learn we have, we delete it.

international users and transfers

Shutap is operated from the United States. If you access it from outside the US, your data is processed in the US. Where required for EU or UK users, we rely on appropriate safeguards (such as Standard Contractual Clauses) with our providers.

cookies

We use essential cookies to run the service and privacy-preserving analytics (PostHog). We do not use advertising cookies. In the EU and UK we show a consent banner and default to declining non-essential cookies.

changes & contact

Material changes to this policy will be notified in-product. Questions or requests: privacy@shutap.com.