Privacy Policy
Last updated: May 28, 2026
Shelf is designed from the ground up to be private. The short version: your data stays on your device. We can't see it, we don't want it, and we have no way to access it — with the specific exceptions disclosed below.
This policy applies to every Shelf surface: the desktop app (macOS, Windows, Linux), the mobile apps (Android, iOS), this landing site, the portal at auth.shelf.app, and the hosted API at api.shelf.app.
1. What data Shelf collects
Almost nothing. Shelf is an application that runs on your device.
- Your apps and their data — every app you create in Shelf, and every byte of data those apps save, is stored in a local SQLite database on your device. This data never leaves your device unless you enable Cloud Sync (see section 4).
- Your AI API key (BYOK mode) — if you bring your own DeepSeek key, it is stored in local storage on your device and sent directly from your device to DeepSeek's servers. It is never sent to Shelf's servers.
- Your preferences — theme settings, UI mode, and other preferences are stored locally on your device.
2. Shelf account and cloud-assisted generation
When you sign in to Shelf or use the free daily generation tier, your prompt is transmitted to Shelf's servers to complete generation. Shelf acts as a secure proxy — your prompt is forwarded to the AI provider (DeepSeek) and the generated app is returned to your device.
Shelf does not store your prompt text. It is held in memory only for the duration of the request and discarded immediately after. No prompt content is written to any database or log.
The "Improve with AI" feature similarly transmits your current app code and improvement instruction to Shelf's servers to complete the request. The same no-storage rule applies.
Metadata we do retain for account users: request timestamp, success or failure status, and token usage count (for rate limiting). This metadata does not include prompt content.
3. Optional anonymous analytics
After your first successful app generation, Shelf asks once whether you'd like to share anonymous usage statistics. This is entirely optional — the default is off.
If you opt in, Shelf sends the following events to PostHog:
- App generated / improved (AI provider type, duration in milliseconds)
- Onboarding path completed (import / BYOK / sign-in)
- Theme preset changed
- Rate limit reached
- Generation errors (error type only)
- Session start (operating system name, app version)
What is never collected, even if you opt in:
- The content of any prompt you type
- The HTML of any generated app
- Your name, email address, or any account identifier
- Your IP address (explicitly disabled)
- Your API keys or authentication tokens
Analytics events are associated with a random anonymous ID generated on your machine and stored in local storage (shelf_analytics_id). This ID is not linked to your Shelf account. Clearing your browser storage or reinstalling Shelf resets it.
You can change your analytics preference at any time in Settings → Privacy.
PostHog's privacy policy is available at posthog.com/privacy.
4. Cloud Sync (paid plans)
When Cloud Sync is enabled on a paid plan, your app names and generated app code are uploaded to Shelf's servers so you can access them across devices.
- What is synced: app name, generated HTML, and position in your library.
- What is not synced by default: the data stored inside your apps (e.g. entries you type into a habit tracker). App data sync is an opt-in feature available on higher plans.
- App names contain a partial prompt — app names are derived from the first 28 characters of your prompt. By enabling Cloud Sync you acknowledge that this excerpt is stored on Shelf's servers.
- All synced data is encrypted in transit (TLS) and at rest (AES-256).
- You can delete your cloud data at any time from Settings → Apps.
- Shelf does not analyse, sell, or use your synced app data to train AI models.
Cloud Sync is disabled by default. BYOK users and free-tier users who have not enabled sync are not affected by this section.
5. Marketplace creator profile
If you publish to the Shelf Marketplace, you create a public creator profile. The following fields are public — shown on your creator page and on every bundle you publish:
- Username — your unique marketplace handle, used in your profile URL and recorded as the author of your bundles.
- Display name, bio, and links — optional public details you choose to add.
- Avatar — an optional profile image you upload. Avatars are stored in Google Firebase Storage and served publicly via a download URL.
Only the fields above are public. Your email address and account identifiers are never shown on your public profile. You can edit or clear any of these fields at any time in Settings → Profile.
6. Exporting and deleting your data
- Export — from Settings → Profile you can download a complete JSON copy of the data Shelf holds for your account: your profile, cloud-synced apps, published bundles, and purchase records.
- Deletion — you can delete your account from Settings → Profile. This permanently removes your creator profile (including avatar and public fields), cloud-synced apps, and published bundles, and frees your username for others to claim.
- What is retained after deletion — records we are legally required to keep for tax and accounting purposes (payment, payout, and purchase records) are retained for up to 7 years after deletion, then deleted. These records are dissociated from your public profile to the extent possible.
7. What data Shelf does not collect
- We do not store prompt text on our servers — for any user, on any plan.
- We do not collect your name, email address, or personal identifiers beyond what Firebase Authentication requires for account creation.
- We do not use tracking cookies on this website.
- We do not train AI models on your prompts, apps, or app data.
- We do not collect device contacts, calendar, photos, microphone, camera, location, SMS, call logs, or any biometric data on any platform.
- We do not use the Android Advertising ID. The mobile apps do not link with or collect any advertising identifier.
8. AI generation (BYOK)
When you generate an app using your own API key (BYOK mode), your prompt is sent directly from your device to your chosen AI provider (e.g. DeepSeek). Shelf does not proxy or see this request at all. Your use of the AI provider's API is subject to that provider's own privacy policy and terms of service.
9. Apps you generate or install (the sandboxed runtime)
Shelf's core feature is a sandboxed runtime that renders HTML apps — apps you describe in plain English, apps you create with Improve-with-AI, and bundles you install from the marketplace. These HTML apps run inside a strictly sandboxed frame on your device. The following invariants apply to every app you use inside Shelf:
- Data you enter into a Shelf app stays on your device. Each app's data is stored in a per-app key/value scope inside Shelf's local SQLite database. Shelf does not read, transmit, or analyse the contents of these scopes. We have no path to do so even if we wanted to — the sandboxed app communicates with Shelf only through a tightly scoped message channel that handles storage reads and writes, and nothing else.
- One app cannot read another app's data. Each app's scope is isolated by an internal app ID. A marketplace bundle cannot reach into the data of an app you built yourself, and vice-versa.
- A Shelf app cannot reach native device features. It cannot access your camera, microphone, contacts, location, photos, files outside its own scope, or any system permission. Shelf itself does not request these permissions, and the sandbox does not expose them even if the underlying device grants them.
- A Shelf app runs in a unique opaque origin. It cannot read Shelf's own storage, cookies, or authentication tokens.
- Optional Cloud Sync syncs app definitions, not the data inside apps. When Cloud Sync is enabled, Shelf uploads the HTML and name of each app so the same library is available on your other devices. The data each app stores is not synced by default. App-data sync is a separate opt-in available on higher plans, disclosed at the time of opt-in.
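To make the isolation described in the invariants above concrete, here is an added example (written for this page, not Shelf's own code) of a host-side message broker modelled on the described design: a frame gets a unique opaque origin by omitting allow-same-origin from its sandbox attribute, the only messages the host will service are storage reads and writes, and the app's scope is chosen by the host from its own binding for that frame, so a message body can never name another app's data. The message shape, the function names, and the in-memory Map standing in for the local SQLite database are all assumptions for illustration.

```javascript
// Added example, not Shelf's code: a minimal model of the host-side
// message channel between Shelf and a sandboxed app frame.
// Assumptions (hypothetical): message shape {type, key, value}, an
// in-memory Map in place of the local SQLite database, and the names below.

// Sandbox attribute for the app frame. Leaving out "allow-same-origin"
// gives the frame a unique opaque origin, so it cannot read the host's
// own storage, cookies or authentication tokens. (Assumed attribute set.)
const APP_FRAME_SANDBOX = "allow-scripts";

// The only message types the channel understands; anything else is rejected,
// which is what "handles storage reads and writes, and nothing else" means.
const ALLOWED_TYPES = new Set(["storage.get", "storage.set", "storage.delete"]);

// In-memory stand-in for the per-app key/value table.
function createStore() {
  return new Map();
}

// Rows are keyed by appId + NUL + key, so two scopes can never collide and
// a key such as "../entries" stays inside the calling app's scope.
function scopedKey(appId, key) {
  if (typeof appId !== "string" || appId.length === 0) throw new Error("bad appId");
  if (typeof key !== "string" || key.length === 0 || key.includes("\u0000")) {
    throw new Error("bad key");
  }
  return `${appId}\u0000${key}`;
}

// Handle one message from the frame bound to `appId`. The app ID is taken
// from the host's binding for that frame, never from the message body.
function handleAppMessage(store, appId, msg) {
  if (!msg || typeof msg !== "object" || !ALLOWED_TYPES.has(msg.type)) {
    return { ok: false, error: "unsupported message" };
  }
  let k;
  try {
    k = scopedKey(appId, msg.key);
  } catch (e) {
    return { ok: false, error: e.message };
  }
  switch (msg.type) {
    case "storage.get":
      return { ok: true, value: store.has(k) ? store.get(k) : null };
    case "storage.set":
      if (typeof msg.value !== "string") return { ok: false, error: "value must be a string" };
      store.set(k, msg.value);
      return { ok: true };
    case "storage.delete":
      store.delete(k);
      return { ok: true };
  }
}

// Walk through the invariants with two apps sharing one store:
// an app reads back its own data, a second app sees nothing under the same
// key, and a non-storage request is refused outright.
function demo() {
  const store = createStore();
  handleAppMessage(store, "habit-tracker",
    { type: "storage.set", key: "entries", value: "[\"ran 5k\"]" });
  const own = handleAppMessage(store, "habit-tracker", { type: "storage.get", key: "entries" });
  const other = handleAppMessage(store, "marketplace-bundle", { type: "storage.get", key: "entries" });
  const escape = handleAppMessage(store, "marketplace-bundle", { type: "fetch", key: "entries" });
  return { own: own.value, other: other.value, escapeRejected: escape.ok === false };
}
```

In a browser host the same handler would sit behind a window message listener and look up `appId` from the frame that sent the event rather than from the event data; the point of the model is that the host, not the app, decides which scope a request touches, and that the set of serviceable request types is closed.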
Marketplace bundles. Bundles published to the Shelf Marketplace are reviewed before they are made available for install — see the four-layer security review described in our Community Guidelines. In addition to that review:
- Every published bundle is signed by Shelf; the desktop and mobile clients verify the signature before importing the bundle.
- Paid bundles are encrypted at rest and require an online entitlement check on open.
- You can report a bundle at any time from the bundle page (web) or the in-app sidebar context menu. Reported bundles enter a re-review queue; confirmed violations are removed and the publisher banned.
10. Mobile apps (Android & iOS)
The mobile builds of Shelf use the same data-handling rules as the desktop app: app definitions and the data inside each app are stored locally on the device, and only the items listed above (prompts in cloud mode, optional analytics, optional Cloud Sync, optional account/profile data) leave the device.
- Permissions requested: Internet access only. The app does not request access to contacts, calendar, photos, files outside its own sandbox, location, microphone, camera, SMS, call logs, or notifications. If any future feature requires a new permission, it will only be requested at the moment that feature is used and a corresponding update will appear here first.
- Advertising ID (Android): Not collected. The app does not include any advertising SDK and does not read GAID.
- Push notifications: Not used at the time of this update.
- Google Play Services: The Android build uses Google Play Services only as required for Firebase Authentication (sign-in) and the Android system itself. It is not used for advertising, attribution, or analytics.
- Crash diagnostics: If a crash occurs, the platform-native crash reporter (Google Play or Apple) may collect a stack trace per its own policy. Shelf does not bundle a third-party crash SDK.
- Account purchases (Android): Paid plan upgrades for the Shelf platform are completed on our website (auth.shelf.app), not inside the Android app. Payment data is processed by Stripe under their privacy policy: stripe.com/privacy.
11. This website
This landing page may use standard web server logs (IP address, browser, page visited, timestamp) for operational purposes. These logs are not shared with third parties and are retained for a short period for security and performance monitoring only.
12. Children's privacy
Shelf is not directed at children under 13. We do not knowingly collect information from children. If you believe a child has provided us with personal information, contact us at the email below and we will delete it.
13. Changes to this policy
If we make meaningful changes to this policy, we will update the date at the top and post notice on this page. Continued use of Shelf after changes are posted constitutes acceptance of those changes.
14. Contact
Questions about this policy? Email us at hello@getshelf.app.