
Terms of Service

Last updated: May 22, 2026

1. Acceptance

By accessing or using Shieldly ("the Service"), you agree to these Terms of Service. If you do not agree, do not use the Service.

2. What We Collect

We collect only what is necessary to operate the Service:

  • User identity: An opaque user ID issued by Clerk (our authentication provider). We do not store your email or name directly — those are managed by Clerk.
  • Plan and subscription status: Your current plan tier (Free, Builder, Pro, Team), updated via Lemon Squeezy webhooks when you subscribe or cancel.
  • Usage metadata: Timestamp, input size in characters (not content), AI units consumed, plan tier per analysis. Used for daily cap enforcement and your usage dashboard.
  • Settings preferences: Notification preferences, default AWS region, privacy toggles. Stored on your account record.
  • Shared analyses (optional): AI-generated findings only (not your policy text), stored for 30 days when you explicitly use the Share feature.

3. What We Do NOT Collect

  • Policy text or content: Your IAM policies, CloudFormation templates, and uploaded files are never stored or logged.
  • Analysis results: AI findings are returned to you in real time and not stored, unless you use the History feature (which you can disable).
  • Payment information: All billing is processed by Lemon Squeezy (PCI DSS Level 1). We never see, receive, or store card numbers or billing details.
  • IP addresses or browsing data: We do not log client IP addresses beyond what Clerk uses for authentication fraud prevention.

4. Caching and Hashing

To avoid re-running identical analyses, we compute a one-way SHA-256 hash of your input for cache keying. This hash is stored server-side. A SHA-256 hash is mathematically irreversible — it cannot be used to reconstruct your original input. The hash reveals nothing about your policy content.

5. Third-Party Services

  • Clerk: Authentication (sign-in, sign-up, JWT issuance). Processes name, email, and OAuth tokens.
  • Lemon Squeezy: Payment processing and subscription management. PCI DSS Level 1 compliant.
  • Amazon Web Services: Hosting infrastructure (Lambda, DynamoDB, API Gateway, SES). Subject to AWS SOC 2 and ISO 27001 certifications.
  • AI providers: Your policy text is transmitted to AI model APIs (under enterprise API agreements that prohibit training on API data) for analysis. These providers do not retain your input after the response is returned.
  • PostHog / Google Analytics: Anonymized product analytics (page views, feature usage). No personal data is included in analytics events.

6. Data Retention

  • Usage metadata: 30 days (Builder), 90 days (Pro), indefinite (Team), or until account deletion.
  • Shared analyses: 30 days (auto-expire via DynamoDB TTL).
  • Account data (userId, plan): Retained until you delete your account.
  • Cache hashes: Retained for up to 7 days to serve cached responses.

7. Your Rights

You may at any time:

  • Disable analysis history in Settings → Privacy (stops new records from being stored)
  • Disable link sharing in Settings → Privacy
  • Request deletion of all data associated with your account by emailing privacy@shieldly.io
  • Export your usage history from the History panel

Deletion requests are processed within 30 days.

8. Acceptable Use

You may not use Shieldly to analyze policies belonging to AWS accounts or organizations you do not have authorization to access. You are responsible for ensuring you have the right to analyze any policy you submit.

9. Service Availability

Shieldly is provided "as is" without uptime guarantees on free plans. Paid plans are subject to commercially reasonable availability. We are not liable for any losses resulting from downtime or incorrect analysis results.

10. Changes

We may update these terms. Material changes will be announced via email (to signed-in users) and on the Shieldly website at least 14 days before taking effect.

11. Contact

Questions: support@shieldly.io
Privacy: privacy@shieldly.io
