Privacy Policy
Last updated: June 4, 2026
This Privacy Policy explains how showkit.dev ("we", "us") collects, uses, and protects personal data. We're committed to keeping the data we hold to a minimum and using it only for the purposes described here.
1. Who we are
showkit.dev is operated as a sole proprietorship based in São Paulo, Brazil. For data protection purposes, we're the "controller" (LGPD) / "controller" (GDPR) of the personal data we process about our account holders. Contact: hello@showkit.dev. The same address serves as our LGPD data-protection contact (encarregado).
2. What we collect
From account holders (you): email address, workspace name and slug, Stripe customer ID, billing address (for tax), and any content you submit to your workspace (changelog entries, roadmap items, testimonials, settings).
From end-users of your embed: aggregate page-view counts and basic device metadata for the analytics surfaces we provide to you. We do not set advertising cookies. Where required, we rely on your consent (collected by you) before tracking anything that requires it under GDPR or similar laws.
Automatically: log files (IP address, user agent, timestamps) for the purposes of security, abuse prevention, and debugging. Logs are retained for 30 days.
3. Why we process it (legal bases)
- Contract: to provide the Service you signed up for (your account, billing, support).
- Legitimate interest: security, fraud prevention, product analytics, and reasonable communications about the Service (e.g. incident notices).
- Legal obligation: tax records, responding to lawful requests.
- Consent: only where we ask for it specifically (e.g. marketing emails). You can withdraw consent at any time.
4. Sub-processors
We share data with the following sub-processors strictly to operate the Service:
- Stripe (Ireland / USA) — payments, billing, tax.
- Supabase (USA) — database, authentication.
- Vercel (USA) — application hosting.
- Cloudflare R2 (USA) — widget bundle CDN.
- Resend (USA) — transactional email.
- PostHog (USA / EU) — product analytics, error monitoring, feature flags.
- Anthropic (USA) — AI-assisted changelog drafting, when you opt in.
Where data is transferred outside the EEA/UK, transfers are covered by EU Standard Contractual Clauses or equivalent safeguards. We will give 30 days' notice before adding a materially new sub-processor.
5. International transfers
Most of our infrastructure runs in the United States. By using the Service, you acknowledge that your data will be transferred to and processed in jurisdictions outside your own. Where applicable we rely on Standard Contractual Clauses.
6. Retention
We keep your account data for as long as your account is active. After cancellation we keep it for 30 days to allow export, then delete it (except for records we're legally required to retain, such as invoices). Server logs are retained for 30 days.
7. Your rights
Under Brazil's LGPD, the EU/UK GDPR, the California CCPA, and similar laws, you have the right to:
- confirm we hold personal data about you, and access it;
- correct inaccurate or incomplete data;
- request anonymization, blocking, or deletion of unnecessary or excessive data;
- delete your data (subject to legal-retention requirements);
- export your data in a portable, machine-readable format;
- information about the public and private entities we share data with;
- object to or restrict processing based on legitimate interest;
- withdraw any consent you previously gave, free of charge;
- complain to your local data-protection authority — in Brazil that's the ANPD (Autoridade Nacional de Proteção de Dados); in the EU/UK, your national DPA.
Email hello@showkit.dev and we'll respond within 15 days (the LGPD standard) where possible, and in no case later than 30 days.
8. Cookies
The showkit.dev dashboard uses cookies strictly necessary to keep you logged in. We do not use advertising cookies. The widget we embed on your site does not set any third-party cookies on your visitors.
9. Security
We take reasonable technical and organizational measures to protect personal data, including encryption in transit, role-based access control, and regular dependency updates. No system is perfectly secure — if we become aware of a personal-data breach affecting you, we'll notify you and the relevant authority (the ANPD under LGPD; the applicable supervisory authority under GDPR) within the legally required window, which is "a reasonable timeframe" under LGPD and 72 hours under GDPR.
10. Children
The Service is not intended for anyone under 16. We don't knowingly collect data from children.
11. Changes
We may update this Policy. Material changes will be announced by email to active account holders at least 30 days before they take effect. The current version is always at showkit.dev/privacy with the "Last updated" date.
12. Contact
Email hello@showkit.dev for any privacy question, data-access request, or complaint.