Privacy Policy

ShieldNode is an API proxy. The bodies of your API requests and responses pass through our infrastructure to reach the upstream API, but we do not log, store, inspect, decrypt for inspection, or process the content of those bodies. We never see what your requests contain or what the upstream API replies. We only record technical metadata about each call (method, path without query string, status, latency, timestamp).

For any personal data that you choose to send through ShieldNode in a request body, response body, or URL path:

• You are the sole data controller (and, where applicable, the sole processor) of that data.
• ShieldNode is not a processor with respect to that content. It is your own data flowing to your own chosen upstream API on credentials you control.
• Your obligations to data subjects, regulators, and third parties for that data are entirely yours. See Terms of Service, Section 5 (Your Use of the Service) and Section 6 (Compliance Obligations).

This Privacy Policy describes what we do with the data we do see, your account information, encrypted upstream credentials, virtual key hashes, and request metadata.

• To provide the service, authenticating you, storing your services and virtual keys, forwarding proxied requests to target APIs.
• To enforce security, detecting abuse, rate limit violations, and unauthorized access.
• To process payments, billing for paid plans via Stripe (web) or RevenueCat (mobile). Payment card data is processed entirely by these providers and never touches our servers.
• To communicate with you, transactional emails (account creation, password reset). We do not send marketing emails without your explicit consent.
• To comply with legal obligations, responding to lawful requests from authorities.

We do not sell, rent, or trade your personal information. We share data only with the following service providers (sub-processors), limited to what is necessary for them to perform their function on our behalf:

We may add or change sub-processors as the service evolves. The list above is kept current on this page; we do not commit to individual notice for each change.

We may disclose your information if required by law, court order, subpoena, or governmental request, or to protect the rights, property, or safety of ShieldNode, our users, or the public. Where legally permitted, we will notify you of such requests so you may seek a protective order.

ShieldNode and all our current sub-processors operate primarily in the United States. If you access ShieldNode from the European Union, the United Kingdom, Switzerland, or another jurisdiction with data-export restrictions, your information will be transferred to and processed in the USA.

For transfers of personal data from the EU/EEA, UK, or Switzerland to the USA, we rely on the European Commission's Standard Contractual Clauses (SCCs) or, where applicable, the UK International Data Transfer Addendum incorporated into our agreements with sub-processors. Where a sub-processor is certified under the EU-US Data Privacy Framework or its UK / Swiss extensions, we may also rely on that certification.

By using ShieldNode while located in a region with data-export rules, you acknowledge that we and our sub-processors process your data in the USA on the legal bases described above.

• Account data, retained as long as your account is active. Deleted within 30 days of account deletion request.
• Encrypted credentials, deleted immediately when you delete a service.
• Virtual key hashes, deleted when the key is deleted.
• Request logs, automatically deleted after 7 days (Free), 30 days (Pro), or 90 days (Team).
• Payment records, retained as required by applicable law (typically 7 years).

We implement industry-standard security measures including:

• AES-256-GCM encryption for all stored API credentials
• One-way hashing for virtual keys
• TLS/HTTPS encryption for all data in transit
• No plaintext credential storage at any layer (application, database, cache, or logs)
• Access controls limiting who can access production systems

No method of transmission over the internet or storage system is 100% secure. We cannot guarantee absolute security, and we are not liable for unauthorized access that occurs despite reasonable security measures (see Terms of Service, Section 10).

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours where required by applicable law (e.g. GDPR Article 33).
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (e.g. GDPR Article 34).
• Provide information about the nature of the breach, the likely consequences, the measures taken or proposed to address it, and contact details for further information.

Notification will be made by email to the address associated with your account, or by another method of equivalent reach if email is impracticable.

If you are located in the European Union, the European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

• Right of access, request a copy of the personal data we hold about you.
• Right to rectification, request correction of inaccurate data.
• Right to erasure, request deletion of your personal data ("right to be forgotten"), subject to legal-retention exceptions.
• Right to data portability, receive your data in a structured, machine-readable format.
• Right to object, object to processing of your personal data based on legitimate interests.
• Right to restrict processing, request that we limit how we use your data while a dispute is resolved.
• Right to withdraw consent, where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
• Right to lodge a complaint, file a complaint with the data-protection supervisory authority in your country of residence (e.g. CNIL in France, ICO in the UK, AEPD in Spain).

Our legal bases for processing your data are:

• Contract performance (Article 6(1)(b)), providing the service you signed up for.
• Legitimate interests (Article 6(1)(f)), security, abuse prevention, fraud detection, service reliability.
• Legal obligation (Article 6(1)(c)), retention of payment records, tax records, and responses to lawful authority requests.
• Consent (Article 6(1)(a)), where you explicitly opt in (e.g. marketing communications, if any).

To exercise any of these rights, contact us at contact@shieldnode.app. We will respond within 30 days of a verifiable request, and may extend this period by an additional 60 days where the request is complex or numerous, in which case we will notify you of the extension.

Scope. These rights apply to the personal data we control as described in this Privacy Policy (account info, encrypted credentials metadata, virtual key hashes, request metadata). They do not extend to the content of API requests or responses you proxy through ShieldNode, for that content you are the controller, and any data-subject request relating to that content must be addressed to you, not to us.

Data Processing Agreement. If you process personal data of EU/UK residents through ShieldNode in your role as a controller and require a Data Processing Agreement (DPA) with us as a processor for the limited metadata we handle, contact us at contact@shieldnode.app.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to know, request information about what personal data we collect and how we use it.
• Right to delete, request deletion of your personal data, subject to certain exceptions.
• Right to opt-out of sale, we do not sell personal information. This right is not applicable.
• Right to non-discrimination, we will not discriminate against you for exercising your privacy rights.

To submit a request, contact us at contact@shieldnode.app. We will respond within 45 days.

ShieldNode uses essential cookies necessary for the service to function (authentication, preferences) and a small set of product-analytics cookies set by PostHog to attribute events to the correct user session. See our Cookie Policy for full details. We do not use advertising cookies.

ShieldNode is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us immediately at contact@shieldnode.app and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of significant changes by email (to the address associated with your account) or by posting a notice on shieldnode.app. Your continued use of the service after changes take effect constitutes acceptance of the updated policy.

For any privacy-related questions, data requests, or concerns: