Privacy Policy

Last updated: 16 March 2026

1. Who we are

CanIShip is a product of Äctvli Responsible Consulting ("we", "us", "our"). We are the data controller for personal data processed through this service. Contact: reachout@actvli.com

2. What data we collect

  • Account data: your email address, name (if provided), and authentication method (email/password, Google, or GitHub).
  • Audit data: URLs you submit for auditing, descriptions and flows you provide, and audit results generated.
  • Billing data: subscription plan and payment status. Card details are processed directly by Stripe — we never see or store them.
  • Usage data: number of audits run per month, timestamps of activity.
  • Technical data: IP address, browser type, and session cookies required to keep you logged in.

3. Why we collect it (legal basis)

  • Contract performance (Art. 6(1)(b) GDPR): to create your account, run audits, and deliver reports.
  • Legitimate interest (Art. 6(1)(f) GDPR): to improve the audit engine, fix bugs, and prevent abuse.
  • Consent (Art. 6(1)(a) GDPR): for marketing communications, if you opt in.
  • Legal obligation (Art. 6(1)(c) GDPR): for billing records and tax compliance.

4. Who we share data with

We do not sell your data. We share it only with these sub-processors to deliver the service:

Processor | Purpose                         | Location
Supabase  | Authentication, database        | EU (Frankfurt)
Stripe    | Payment processing              | EU / US (SCCs)
Resend    | Transactional email             | US (SCCs)
Railway   | Application hosting             | EU (Amsterdam)
Anthropic | AI audit analysis (Claude API)  | US (SCCs)

SCCs = Standard Contractual Clauses for lawful EU→US data transfers.

5. How long we keep your data

  • Account data: for as long as your account is active, plus 30 days after deletion.
  • Audit reports: retained for 12 months, then automatically deleted.
  • Billing records: 7 years for tax compliance.

6. Your rights under GDPR

You have the right to:

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your account and data ("right to be forgotten").
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Restriction — ask us to pause processing in certain circumstances.

To exercise any right, email reachout@actvli.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

7. Cookies

We use only session cookies necessary for authentication (set by Supabase) and a cookie to store your preferences. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. Security

We use HTTPS, database row-level security, and server-side auth for all routes. Passwords are hashed by Supabase (bcrypt). No plaintext credentials are ever stored.

9. Changes to this policy

We may update this policy periodically. Material changes will be notified by email. Continued use of the service after the effective date constitutes acceptance.