Privacy Policy

Last updated: April 18, 2026


Overview

Shake (“Shake,” “we,” “us,” or “our”) provides a project workspace and AI collaboration platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services at shake.dev.

By using Shake, you agree to the practices described in this policy. If you do not agree, please discontinue use of the service.


Information we collect

Account information

When you create an account, we collect your email address. We use magic link authentication — no password is stored. We may also collect a display name if you provide one.

Workspace and project data

We store the content you create in Shake: cards, documents, chat messages, comments, file attachments, and workspace settings. This data is stored in Supabase-hosted PostgreSQL databases. Row-level security policies ensure that only authorized workspace members can access workspace data.

Integration credentials

When you connect third-party services (GitHub, Vercel, Supabase, Railway), we store OAuth access tokens encrypted at rest using AES-256-GCM. These tokens are used solely to perform actions on your behalf within those services. We never share these credentials with third parties.

Usage data

We collect usage data to operate and improve the service, including: pages visited, features used, AI credit consumption, session duration, and error logs. This data is used for product analytics and debugging.

Payment information

Credit purchases are processed by Square. We do not store your full payment card number, CVC, or billing address — Square handles all payment data directly. We store only your Square customer ID, which is used to process subsequent purchases and configure auto-recharge.

Communications

When you send us email or support requests, we retain those communications to respond to you and improve the service.


How we use your information

  • To provide and operate the Shake service
  • To authenticate you and maintain your session
  • To execute AI agent runs on your behalf and bill credits accordingly
  • To send transactional emails (magic link sign-in, credit top-up receipts, auto-recharge notifications, workspace invitations)
  • To monitor service health, diagnose errors, and improve reliability
  • To comply with legal obligations

We do not sell your personal data. We do not use your workspace content to train AI models.


AI and third-party model providers

When you use Shake, your prompts and relevant workspace context are sent to Anthropic’s Claude API to generate responses. Anthropic’s privacy policy governs how they handle this data. We do not send your data to Anthropic for training purposes beyond what Anthropic’s standard API terms permit.

The AI model in use is an implementation detail of Shake. We may change the underlying model provider without notice, subject to maintaining equivalent privacy protections.


Data sharing and disclosure

We share your data only in the following circumstances:

  • Service providers. We use third-party infrastructure providers (Supabase for databases, Vercel for hosting, Mailgun for email, Upstash for rate limiting, Square for payments, Anthropic for AI). These providers process data on our behalf under data processing agreements.
  • Third-party integrations you authorize. When you connect GitHub, Vercel, Supabase, or Railway, data is shared with those services as part of the integration you explicitly authorized.
  • Legal compliance. We may disclose data when required by law, court order, or to protect the rights and safety of Shake users.
  • Business transfers. If Shake is acquired or merged, your data may be transferred as part of that transaction. We will notify you of any such change and your rights.

Data retention

We retain your account data for as long as your account is active. Workspace data (cards, documents, messages) is retained until you or your workspace owner deletes it. Credit transaction records are retained for seven years for financial audit purposes.

You may request deletion of your account and associated personal data by contacting us at privacy@shake.dev. Workspace data will be deleted or anonymized within 30 days of a valid deletion request, subject to legal retention obligations.


Security

We implement industry-standard security practices:

  • All data in transit is encrypted via TLS 1.2+
  • OAuth tokens are encrypted at rest with AES-256-GCM
  • Row-level security policies are enforced at the database layer
  • Authentication uses magic links (no password storage)
  • Rate limiting is applied to all authentication and API endpoints

No security measure is 100% effective. If you discover a security vulnerability, please disclose it responsibly to security@shake.dev.


Cookies and tracking

Shake uses session cookies required for authentication. We do not use third-party advertising cookies or cross-site tracking. Analytics data collected is first-party and used solely to improve the product.


Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or export your personal data; to object to certain processing; and to lodge a complaint with a supervisory authority. To exercise these rights, contact us at privacy@shake.dev.


Children

Shake is not directed to children under 13 (or 16 in some jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.


Changes to this policy

We may update this Privacy Policy. We will notify you of material changes by email or by posting a notice in the Shake interface. Continued use of the service after notification constitutes acceptance of the updated policy.


Contact

Questions about this policy or your data? privacy@shake.dev
