Privacy Policy

Effective date: March 9, 2026

Introduction

Alex Shapiro, doing business as Ash ("we", "us", or "our"), operates the ashell.dev website and the Ash macOS application (collectively, "the Service"). This page informs you of our policies regarding the collection, use, and disclosure of personal information when you use the Service.

Information We Collect

Account Information

When you create an account via OAuth (GitHub or Google), we receive and store your name, email address, and avatar URL from the identity provider.

License Validation

When Ash validates your license, it sends your license key and a machine identifier (a randomly generated UUID) to our server. We store the machine identifier and the timestamp of the last validation. We do not collect information about what you are sandboxing, what policies you use, or any file or network activity.

App Telemetry

The Ash application collects anonymous usage telemetry, including app lifecycle events (launch, update), sandbox session metadata (agent name, duration, exit reason), and error reports. Telemetry does not include any user ID, account identifier, IP address, or license key, and cannot be linked back to your identity.

You can opt out of telemetry at any time. Instructions are available on our website.

Cookies

We use signed session cookies to authenticate logged-in users on ashell.dev. These cookies are strictly necessary to operate the Service and do not track you across other websites. We do not use cookies for advertising or third-party analytics purposes.

Server-Side Web Analytics

We use PostHog for server-side web analytics on ashell.dev. This may include page views, referrer information, and general usage patterns. No cookies are set for analytics purposes.

Server Access Logs

We collect standard server access logs (IP address, request path, user agent, timestamp) for operational and security purposes.

EU Residents

We are based in the United States and do not currently maintain an establishment or designated representative in the European Union. If you are located in the EU and have questions or concerns about how we process your data, please contact us at legal@ashell.dev.

Legal Basis for Processing

We process your personal data on the following bases:

  • Contract performance: Account information and license validation data are processed to provide you with the Service.
  • Legitimate interest: Server access logs and web analytics are processed for security and fraud prevention.
  • Consent: App telemetry is collected for product improvement and may be disabled at any time. Instructions are available on our website. Disabling telemetry takes effect immediately.

How We Use Your Information

  • To provide and maintain the Service
  • To manage your account and license
  • To send transactional emails (license expiry, service updates)
  • To understand aggregate usage patterns and improve the product
  • To detect and prevent abuse

Data Sharing

We do not sell your personal information. We share data only with the following service providers, solely to operate the Service:

  • PostHog (US-hosted) for product analytics and web analytics (subject to PostHog's privacy policy).
  • Fly.io for hosting infrastructure.

International Data Transfers

Our servers and service providers are located in the United States. If you are accessing the Service from outside the United States, your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you acknowledge this transfer. Where required by applicable law (such as the GDPR), we rely on standard contractual clauses or other lawful transfer mechanisms.

Data Retention

Account data is retained as long as your account is active. App telemetry and web analytics data hosted on PostHog is retained according to PostHog's retention policy. Server access logs are retained for 90 days. You may request deletion of your account and associated data at any time by contacting us.

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access and portability: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete data.
  • Deletion: Request that we delete your personal data.
  • Restriction and objection: Request that we restrict or stop certain processing of your data.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint: If you are in the EU, you have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at the address below. We will respond within 30 days (or sooner if required by applicable law).

Additional Rights for California Residents

Under the California Consumer Privacy Act (CCPA), California residents have the right to: know what personal information we collect and how it is used; request deletion of personal information; and not be discriminated against for exercising these rights. We do not sell personal information as defined by the CCPA.

Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us so we can promptly delete it.

Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or through the Service. The "effective date" at the top of this page indicates when the policy was last revised.

Security

We use industry-standard security measures including encrypted connections (TLS), signed session cookies, and hashed API tokens. All data is stored in encrypted-at-rest databases.

Contact

If you have questions about this privacy policy, contact us at legal@ashell.dev.