$ cat PRIVACY.md

Privacy Policy

This policy explains what personal data Shep collects, how we use and protect it, who we share it with, and the rights you have over it. It covers the shep.bot website, the Shep application and services at app.shep.bot, and personal data we obtain through integrations you connect — including the LinkedIn Member Data Portability API.

Last updated: 2026-07-09

Who we are

Shep (“Shep,” “we,” “us,” or “our”) provides an open-source orchestrator for AI coding agents and the related cloud service at app.shep.bot. For personal data described in this policy, Shep AI acts as the data controller, except where we process data on your behalf or on the behalf of a connected account provider, in which case we act as a data processor. You can reach our privacy contact at privacy@shep.bot.

The short version

The marketing website uses no tracking cookies, builds no advertising profiles, and sells no data. The Shep application is local-first: your code and repositories stay on the infrastructure you control. Where you choose to connect a third-party account — such as LinkedIn — we access only the data you explicitly authorize, use it solely to provide the feature you asked for, and let you access, correct, or delete it at any time.

Website analytics

On the shep.bot marketing website we use a self-hosted, first-party, cookieless analytics service at analytics.shep.bot to understand aggregate traffic — things like which pages are viewed and roughly how many visitors we get. It does not use cookies, does not fingerprint devices, does not track you across other sites, and does not build a profile tied to you as an individual. We only see aggregate page-view counts.

Cookies and browser storage

The marketing website does not set cookies for tracking or advertising. It uses two small, functional, first-party browser storage items that never leave your browser:

  • localStorage["shep-theme"] — remembers whether you prefer light or dark mode.
  • sessionStorage — caches the public GitHub star count for about 10 minutes so we don't re-fetch it on every page view.

The Shep application and account data

If you create an account for the Shep cloud service at app.shep.bot, we process the information needed to provide it — such as your account identifier and email address, authentication data, the repositories and tasks you configure, and operational logs used to run and secure the service. We use this data to deliver, maintain, secure, and improve the service, and to communicate with you about it. We do not sell personal data, and we do not use it for third-party advertising. The open-source Shep CLI is local-first and runs on your own machine or infrastructure; it does not send your source code to us.

LinkedIn Member Data Portability API

If you are a LinkedIn member and choose to connect your LinkedIn account and authorize Shep through LinkedIn's Member Data Portability API, we access only the LinkedIn member data you explicitly authorize at the point of consent. We handle that data as follows:

  • Purpose limitation. We use authorized LinkedIn member data solely to provide the specific feature you requested when you granted access. We do not repurpose it for unrelated uses.
  • Consent-based. Access is granted by you, the member, and can be withdrawn by you at any time — both within Shep and through your LinkedIn account settings. Withdrawing consent stops further processing.
  • No sale or ad targeting. We never sell LinkedIn member data, share it with data brokers, or use it for advertising or profiling.
  • Data minimisation. We request and retain only the fields necessary for the feature, and only for as long as needed to provide it.
  • Deletion.When you disconnect LinkedIn, withdraw consent, or ask us to erase the data, we delete the LinkedIn member data we hold (subject to any narrow legal-retention obligations) within the timeframe described in “Your data protection rights” below.
  • Compliance. Our use of this API is governed by the LinkedIn Data Portability API Terms of Use and applicable data protection law.

Third-party services and subprocessors

We share personal data only with service providers that help us operate Shep (for example, cloud hosting and infrastructure), under contracts that require them to protect it and use it only on our instructions. Loading the marketing website also makes a small number of direct browser requests, disclosed here plainly:

  • api.github.com — fetches the public star count for the Shep repository. No credentials are sent.
  • analytics.shep.bot — loads the cookieless analytics script described above.

How we protect your data

We use industry-standard safeguards to protect personal data, including encryption in transit (HTTPS/TLS), access controls and least-privilege permissions, and security headers on our web properties. Access to personal data is limited to those who need it to operate and support the service. No system is perfectly secure, but we work to protect your data and to respond promptly to any incident.

Data retention

We keep personal data only for as long as necessary to provide the service and for the purposes described in this policy, or as required by law. Data obtained through a connected integration such as the LinkedIn Member Data Portability API is retained only while your authorization is active and is deleted when you disconnect, withdraw consent, or request erasure, except where a short retention period is legally required.

International data transfers

We may process and store personal data in countries other than the one in which you reside. Where we transfer data across borders, we rely on appropriate safeguards recognised under applicable law (such as standard contractual clauses) to protect it.

Your data protection rights

Subject to applicable law (including the GDPR and the CCPA/CPRA), you have the right to exercise the following over your personal data — including any personal data we obtain through the LinkedIn Member Data Portability API:

  • Access — obtain a copy of the personal data we hold about you.
  • Correction — have inaccurate or incomplete data rectified.
  • Erasure — have your personal data deleted.
  • Restriction and objection — limit or object to certain processing.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@shep.bot. We will verify your request and respond within the timeframe required by applicable law — and in any case within 30 days. We will not discriminate against you for exercising these rights. If you believe we have not handled your data properly, you also have the right to lodge a complaint with your local data protection authority.

Privacy governance and accountability

Shep maintains a designated privacy contact responsible for compliance with applicable privacy regulations — including the GDPR and CCPA/CPRA — and with industry-standard privacy practices. This function oversees how we collect, use, secure, retain, and delete personal data, manages our third-party and integration data-sharing terms, and handles data-subject requests. You can reach it at privacy@shep.bot.

Cookie consent and Global Privacy Control

Because the marketing website does not set tracking cookies or perform cross-context tracking, it does not show a cookie-consent banner — there is nothing to opt out of. In the same spirit, we honor Global Privacy Control (GPC) signals: we do not engage in the kind of cross-site tracking or data sale that GPC asks sites to stop.

Children's privacy

Shep is not directed to children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us personal data, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide a more prominent notice. Continued use of Shep after an update means you accept the revised policy.

Contact

Questions about this policy, or want to exercise your rights? Email privacy@shep.bot (privacy and data-subject requests) or security@shep.bot (security reports). You can also open an issue on GitHub.