Privacy Policy
Last updated: May 16, 2026
This Privacy Policy explains how ShubHQ ("ShubHQ", "we", "our", or "us") collects, uses, shares, and protects your personal data when you visit shubhq.com, create an account, or use our products and services (the "Service"). It is intended to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
By using the Service, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Service.
We are committed to transparency. This document is written in plain language so you can understand exactly what happens with your data, without legal jargon or vague promises. If anything is unclear, we encourage you to contact us.
1. Who We Are (Data Controller)
The Service is operated by Aydın Nasuh, an independent operator, who acts as the data controller for personal data processed through the Service.
- Operator: Aydın Nasuh
- Contact: support@shubhq.com
EU Representative (GDPR Art. 27)
We are in the process of appointing an EU Representative under Article 27 GDPR. Until appointed, EU/EEA users may contact us directly at support@shubhq.com for any privacy-related matter. This Policy will be updated with the representative's details once the appointment is finalised.
Data Protection Officer
We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 GDPR. Privacy enquiries are handled directly by the operator.
2. Personal Data We Collect
We collect only the data we need to operate the Service. We do not collect sensitive personal data (such as health information, biometric data, or political opinions) unless you voluntarily provide it in a support message or user-generated content.
2.1 Account Data
When you create or use an account, we collect:
- Name (or display name)
- Email address
- Hashed password (or OAuth identifier if you sign in via a third party)
- Workspace / organisation name and role
- Profile avatar (optional)
- Timezone and language preference
Account data is required to provide the core Service. If you do not provide this information, you will not be able to create an account.
2.2 Usage and Device Data
When you interact with the Service, we automatically collect:
- IP address (truncated where feasible before storage)
- Browser type, operating system, device type, screen resolution
- Pages viewed, features used, click events, session duration
- Referring URL and timestamp
- Diagnostic logs and error reports
- Search queries and filters used within the platform
This data helps us understand how the Service is used, identify bugs, and improve performance. We do not use this data to identify you personally unless required for security investigations.
2.3 Payment Data
Payment information is collected and processed by Creem.io, acting as the Merchant of Record for transactions on the Service. We do not store your payment card details on our systems. Creem provides us with limited transaction metadata (e.g. plan purchased, subscription status, billing email, country of taxation, last four digits of card, invoice ID) which we use to operate your subscription and meet our tax and accounting obligations. Creem's own privacy practices are described at creem.io.
2.4 Communications
If you email us, fill out a contact form, or interact with our support system, we collect the contents of those communications and any information you choose to include. This includes in-app support tickets, direct messages within the platform, and any attachments you provide.
We retain support communications to maintain a history of your interactions with us, which helps us provide faster and more consistent support over time.
2.5 User-Generated Content
The Service allows users to create and share content within the platform, including community posts, link building requests, group discussions, and project descriptions. This content is stored on our servers and may be visible to other users depending on the privacy settings you choose. We do not claim ownership of your content, but by posting it, you grant us a limited licence to display and distribute it within the Service as necessary to provide the platform's features.
2.6 AI-Processed Data
Certain features of the Service use artificial intelligence and machine learning to generate insights, recommendations, and content (e.g. AI Project Analysis, Growth Planner, Content Strategy). When you use these features, your project data, such as domain name, keywords, competitor URLs, and search console data, may be processed by third-party AI providers to generate outputs.
We do not use your personal data to train AI models. AI processing is performed on a per-request basis and the results are stored within your account. Third-party AI providers process data under contractual obligations that limit retention and prohibit training on your data.
2.7 Cookies and Similar Technologies
We use cookies, local storage, and similar technologies as described in our Cookie Policy. These include essential cookies for authentication and security, functional cookies for preferences (such as theme and language), and, only with your consent, analytics cookies for understanding usage patterns.
You can manage your cookie preferences at any time through your browser settings or our cookie consent tool. Disabling essential cookies will prevent you from using the Service.
3. Legal Bases for Processing (GDPR Art. 6)
We rely on the following legal bases:
- Contract (Art. 6(1)(b)): to create and operate your account, deliver the Service, process subscriptions, and provide customer support.
- Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent fraud and abuse, run product analytics in aggregate, and improve our features. We balance these interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): for non-essential cookies, marketing emails, and any optional features we may introduce. You may withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)): to retain invoices and accounting records, and to respond to lawful requests from authorities.
4. How We Use Your Data
We use your personal data for the following purposes:
- To provide, operate, and maintain the Service
- To create and authenticate your account
- To process subscriptions, renewals, refunds, and tax obligations (via Creem)
- To send transactional emails (account, billing, security, service updates)
- To send marketing emails, only with your consent, and you can unsubscribe at any time
- To respond to support requests and other communications
- To monitor performance, debug errors, and improve the Service
- To detect, prevent, and respond to fraud, abuse, and security incidents
- To generate AI-powered insights and recommendations when you use those features
- To display your activity and contributions within the community features
- To comply with applicable laws and enforce our Terms of Service
- To conduct internal analytics and research to understand usage trends in aggregate
We do not use your personal data for automated profiling that produces legal or similarly significant effects. We do not sell your personal data. We do not use your data to train AI models.
5. Who We Share Data With (Sub-Processors)
We share personal data only with the limited set of third-party providers we need to run the Service. Each provider acts as a processor or independent controller under a written agreement that includes appropriate data protection terms.
| Provider | Role | Data processed | Location |
|---|---|---|---|
| Creem.io | Merchant of Record: payments, billing, tax | Name, email, billing address, payment metadata | EU / global |
| xCloud Hosting, LLC | Application hosting & infrastructure | All Service data (account, usage, logs) | Newark, New Jersey, USA (region: ewr) |
| Brevo SAS | Transactional and marketing email delivery | Email address, name, email engagement events | European Union (France) |
| PostHog Inc. | Product analytics | Pseudonymous user ID, events, IP (truncated), device info | USA (PostHog Cloud; region confirmed at deployment) |
We do not sell your personal data and we do not share it for cross-context behavioural advertising. We may also disclose data: (i) to comply with applicable law or a valid legal request; (ii) to protect the rights, property, or safety of ShubHQ, our users, or others; and (iii) in connection with a merger, acquisition, financing, or sale of assets, in which case we will notify affected users.
6. International Data Transfers
The Service is hosted in the United States and several of our sub-processors are located outside the European Economic Area (EEA) and the United Kingdom. When personal data is transferred outside the EEA/UK to a country that does not benefit from a European Commission adequacy decision, we rely on appropriate safeguards, primarily the European Commission's Standard Contractual Clauses (SCCs) (Module 1 or 2 as applicable), supplemented by additional technical and organisational measures (e.g. encryption in transit, access controls, IP truncation).
You may request a copy of the SCCs we rely on by emailing support@shubhq.com.
7. How Long We Keep Your Data (Retention)
| Category | Retention period |
|---|---|
| Account data | For as long as your account is active. After cancellation, soft-deleted for 30 days, then permanently deleted or anonymised. |
| Billing & invoice records | 10 years, to meet tax and accounting obligations applicable to Creem (Merchant of Record) and the operator. |
| Server logs (incl. IP) | 90 days, then deleted. |
| Product analytics (PostHog) | 12 months at the event level, then aggregated/anonymised. |
| Support communications | 24 months from the date of the last interaction. |
| Marketing email lists | Until you unsubscribe, or 24 months of inactivity, whichever comes first. |
We may retain limited data for longer where required by law, to resolve disputes, or to enforce our agreements.
8. Security
We take the security of your data seriously and implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit: All connections to the Service use TLS (HTTPS).
- Encryption at rest: Where supported by our hosting provider, data is encrypted at rest.
- Password security: Passwords are hashed using bcrypt at cost factor 12. We never store plain-text passwords.
- Access controls: Role-based access controls limit who can access personal data internally.
- Session security: Session cookies are HttpOnly, Secure, and SameSite=Lax. Session tokens are stored as SHA-256 hashes, bound to IP and user-agent, and rotated every 30 minutes.
- Brute-force protection: Failed login attempts are counted per account and IP, with temporary lockout after repeated failures.
- Security headers: Responses include X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
- Audit logging: Active sessions, login history, and account activity are logged so users can review and revoke access.
- Sub-processor review: We regularly review the security practices of our third-party providers.
No system is completely secure. We cannot guarantee absolute security, but we are committed to maintaining a strong security posture and responding promptly to any incidents. For a detailed overview of our security controls, visit our Security page.
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.
- Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Art. 34.
- Document the breach, its effects, and the remedial actions taken, regardless of whether notification is required.
We maintain an internal incident response plan and conduct regular reviews of our security measures to minimise the risk of breaches.
9. Your Rights Under GDPR
If you are in the EEA, the UK, or Switzerland, you have the following rights:
- Access: obtain a copy of the personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion, subject to legal exceptions.
- Restriction: restrict processing in certain circumstances.
- Portability: receive your data in a structured, machine-readable format, or have it transmitted to another controller where technically feasible.
- Objection: object to processing based on legitimate interests, including for direct marketing.
- Withdraw consent: at any time, where processing is based on consent.
- Lodge a complaint: with your local supervisory authority. A list of EEA authorities is available at edpb.europa.eu.
To exercise any of these rights, email support@shubhq.com. We will respond within one month, as required by GDPR Art. 12. We may need to verify your identity before acting on a request.
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the following rights with respect to your personal information:
- Right to know: what categories of personal information we collect, the sources, the business purpose, and the third parties we share it with.
- Right to access: request a copy of the specific pieces of personal information we have collected about you in the past 12 months.
- Right to delete: request deletion of your personal information, subject to legal exceptions.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: we do not sell your personal information and we do not share it for cross-context behavioural advertising. Therefore, no opt-out is required, but you may still confirm this status by contacting us.
- Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
"Shine the Light" (CA Civil Code §1798.83): California residents may request information about disclosures of personal information to third parties for those parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
To exercise any of these rights, email support@shubhq.com with the subject line "California Privacy Request". You may use an authorised agent; we will require written proof of authorisation.
11. Cookies
We use a minimal set of cookies and similar technologies for authentication, security, preferences, and analytics. For the full list, purposes, and how to control them, see our Cookie Policy.
12. Children's Privacy
The Service is not directed to, and we do not knowingly collect personal data from, children under 16 years of age. If you are a parent or guardian and believe your child has provided us with personal data, please contact support@shubhq.com and we will delete the data promptly.
13. Third-Party Links
The Service may contain links to third-party websites and tools. We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies before providing any personal information.
14. Automated Decision-Making
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing, including profiling.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:
- We will post the updated version on this page and revise the "Last updated" date.
- For material changes, we will provide additional notice, for example, by email to your registered address or a prominent banner within the Service.
- We will give you at least 30 days' notice before material changes take effect, giving you time to review and, if you disagree, export your data and close your account.
We encourage you to review this Policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
16. Contact Us
For any privacy-related question, request, or complaint, contact:
- Email: support@shubhq.com
- Operator: Aydın Nasuh
We aim to respond to all privacy enquiries within 30 days. If your request is complex, we may need additional time, but we will inform you of the delay and the reasons for it.
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.