This Privacy Policy describes what personal information Shield collects, how we use it, and the choices you have. By using the service you consent to these practices. We try to keep the policy short and concrete.
1. Scope
This policy applies to shieldmycode.com, the application at shield.shieldmycode.com, our API endpoints, and any related sub-services we operate. It does not cover third-party sites linked from ours.
2. What we collect
- Account data: username, email, hashed password (bcrypt), optional avatar URL, current plan, billing status.
- Usage data: obfuscation counts, input and output file size, request duration, strictness level used, anonymized IP hash for abuse triage.
- Session data: device-bound session tokens, last-active timestamp, and the user-agent of the device that issued the session.
- Telemetry events (optional): if you enable the threat-intel telemetry URL, your obfuscated code reports tamper events back to your account dashboard. These events include reason codes, anonymized IP, and approximate geo.
- Billing data: processed by Stripe; we receive a customer ID, subscription status, and the last four digits of the payment method, never full card numbers.
3. How we use it
- To operate the service: authenticate sessions, enforce quotas, run obfuscations.
- To support you: respond to email, troubleshoot bugs, send transactional notifications.
- To detect abuse: spot bulk-scraper patterns, sharing patterns, and quota bypass attempts.
- To improve the service: aggregate usage statistics inform what we build next.
- To comply with legal obligations: respond to lawful requests where required.
4. Your source code
Source code submitted to Shield is processed in-memory in our obfuscation engine. We do not store the original source after the response is returned, and we do not use it to train any model. We retain only metadata about the run (size, level, duration) for quota and audit purposes.
If you connect a GitHub account, the personal access token you provide is encrypted at rest and used solely to fetch and (if you ask) commit files. You can revoke it from the dashboard at any time.
5. Threat-intel telemetry
The optional telemetry URL allows obfuscated code in the wild to report tamper events to your Shield account dashboard. Events include reason (for example integrity, devtools, domain), strictness level, a coarse geolocation, and an anonymized IP hash. We cap stored events per user at 10,000 and rotate older events out automatically.
7. Retention
Account data is kept while your account is active. After deletion we retain billing records for the period required by tax law (typically 7 years) and minimal records needed to enforce these Terms (for example, a hash of your prior email to prevent abusive re-registration).
8. Security
Passwords are hashed with bcrypt. Session tokens are held in HttpOnly cookies scoped to our domain and rotated on each login. We patch our LEMP stack regularly and apply database migrations inside a transaction. No system is perfectly secure; please report vulnerabilities to security@shieldmycode.com.
9. Your rights
Depending on your jurisdiction you may have rights to access, correct, export, restrict, or delete your personal data. You can do most of this from the dashboard. For other requests email privacy@shieldmycode.com and we will respond within 30 days.
10. Children
Shield is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has an account, contact us and we will delete it.
11. International transfers
Our infrastructure may be located outside your country. Where required, we rely on standard contractual clauses or equivalent mechanisms for international transfers.
12. Contact
Privacy questions: privacy@shieldmycode.com.