Privacy policy

Effective date: 2026-05-17 · Last updated: 2026-05-17

This is our privacy policy. It explains the small amount of data Shenas servers hold about you, why we hold it, what we do with it, and how you can control it.

It is written for you, the person whose data this is. It is not written for lawyers. Where European law requires us to use a specific phrase, we use it once, plainly, and we explain what it means.

The most important thing about Shenas's privacy posture is at the top, in §2, because it is unusual and we want you to read it: your personal data does not live on Shenas servers. shenas — the software that holds your personal data — runs on your own hardware. We provide a small set of services around it (an account, a community chat, and a way for your own devices to find each other), and that is all.

If something here is unclear, write to us. Our address is in §1.

1. Who we are

The company responsible for this service is shenas ai, Inc., a Delaware corporation. For postal correspondence about this policy, use our registered agent:

  • Email: [email protected]
  • Postal: shenas ai, Inc., c/o Legalinc Corporate Services Inc. (Registered Agent), 131 Continental Drive, Suite 305, Newark, DE 19713, United States, Attn: Privacy.

We use our Delaware registered-agent address as the public mailing address for privacy correspondence so that mail to "shenas ai, Inc., Attn: Privacy" reaches us through a stable corporate channel rather than a residential address.

We have not yet engaged an Article 27 representative in the Union. If you are an EEA or UK resident and need to contact a representative directly, please contact [email protected] in the meantime, and complain to your local supervisory authority via §7 if needed.

In European law terms, we are the data controller for the data described in this policy. That means we decide what data is collected and what it is used for, and we are accountable for those decisions.

2. The most important thing — what we do not have

Shenas's architecture is deliberately narrow. The personal data you keep in shenas — your calendar, your email, your activity records, your photos, your notes, anything your shenas node has sourced from a third-party service like Google, Strava, Withings, Garmin, Spotify or any other — lives only on the hardware you control. Not on Shenas servers. Not on any server we operate. We do not see it. We do not store it. We do not have access to it.

shenas is a personal-analytics tool. When you connect a third-party service (for example Strava) to shenas, your node sources a copy of your data from that service into your own storage and uses it locally for analytics on your behalf. The data is not flowing between services — it is pulled from each service you choose into one place that you control, where you can look at it. The access token is held by your node. The data is held by your node. Shenas is not in the path. We do not need a "we are sorry we got hacked" letter ready for your Strava data, because we do not have your Strava data.

What Shenas servers do hold is described in §3 — and it is much less than you might expect.

3. What this policy covers, and the small set of data we do hold

This policy applies to the Shenas centralised services:

  • The Shenas account at auth.shenas.net, which is your single sign-on to the two services below.
  • The community chat at matrix.shenas.net, where Shenas users and developers talk to each other.
  • The mesh-discovery and relay coordination service, which helps your own shenas devices find each other across the internet and, when a direct connection is not possible, holds an encrypted message between your devices until the receiving device picks it up.
  • The marketing site at shenas.ai.
  • Customer support correspondence you send us.

This policy does not apply to:

  • Your shenas data. shenas runs on your hardware. It sources data from the services you connect, stores it on your hardware, and uses it for analytics on your behalf. None of that is sent to us. The data on your node is governed by your own choices and by any disclosures the shenas software shows you at the time you grant a third-party connection.
  • The open-source Shenas project at shenas.org. The OSS project does not, by itself, collect personal data from end users.
  • Third-party services your shenas node sources data from (Strava, Google, Spotify, Withings, Garmin, and others). Those services have their own privacy policies and process your data under those policies, not ours.

3.1 Your Shenas account

We hold:

  • Your email address, used to identify you and to send security and account messages.
  • Your chosen display name for community chat.
  • A salted hash of your password (never the password itself). If you sign in via a third-party identity provider, we hold the linkage but not their credentials.
  • Multi-factor authentication enrolments if you enable them (the registered factor, not the secrets you keep on your device).
  • Sign-in event records (when, from where in broad terms, success or failure), kept for security and to help you spot abuse of your account.

Stored at auth.shenas.net.

3.2 Community chat (matrix.shenas.net)

The community chat is a Matrix server. When you participate, we hold:

  • The messages you send in public rooms and in private rooms you participate in.
  • Room and channel membership — which rooms you are in.
  • Presence and typing indicators while you are connected.
  • Display name and avatar you set for chat.

Matrix is a federated protocol. If you join a room that includes users on other Matrix servers, your messages reach those servers as part of the protocol. We cannot retract messages from other servers; you can ask them directly, and we can help with the request.

3.3 Mesh-discovery and relay coordination

The mesh-discovery service is what lets the shenas devices on your own account find each other across the internet — for example, your laptop's node finding your home server. (Cross-account mesh — for example, granting a family member's node access to yours — is not in the deployed service today; if and when it ships, we will update this policy.)

To make device-to-device discovery work, we hold, per device that you register against your Shenas account:

  • A device identity record — the Ed25519 public key you generated on the device, the device name you chose (which defaults to a randomly generated, non-identifying string like "calm-ridge-47"), the device type (laptop, desktop, mobile, server), and the time we last saw the device online.
  • Reachability endpoints — for each device, a short list of network addresses we should hand to your other devices when they try to connect: any LAN addresses the device sees itself on, and a STUN-discovered public address learned from a public STUN server. Stale entries are overwritten as new endpoints replace them; the list reflects current reachability, not history.
  • Sync cursors — a small bookkeeping record per pair of your devices noting which event id each device has last received from the other, used to avoid replaying old events.
  • Connection-attempt records, kept short-term for abuse detection and to help you debug a connectivity problem.

When two of your devices cannot reach each other directly (different networks, restrictive NAT), the coordination service acts as an encrypted relay: the sending device pushes an opaque encrypted payload addressed to the receiving device; the server holds it until the recipient polls and picks it up. The server cannot read these payloads — only your devices hold the keys. Delivered messages are deleted on pickup. Undelivered messages are deleted after 30 days (see §5). The server retains the sender-device and recipient-device identifiers, the size, and the time, but not the contents.

Who can see your device presence and reachability. Endpoint and last-seen information for a device is visible to: (a) you, via your own Shenas account; and (b) Shenas operators when investigating an abuse or operational incident on the coordination service. It is not visible to other Shenas users. The mesh-topology administrative view is restricted to Shenas operators with admin role.

3.4 Marketing site (shenas.ai)

The marketing site is mostly static. We log basic web-server access (request URL, response code, broad geographic region from the IP address) for operational reasons and to spot abuse. We do not use third-party analytics or advertising trackers. Cookies are covered in §13.

3.5 Customer support correspondence

Anything you send us by email, in-product message, or other channel — including attachments — we hold for as long as we need to resolve your issue (see §5).

3.6 What Shenas servers do NOT hold

To be explicit, because it is the point of the architecture:

  • No data your shenas node has sourced from third-party services. Not your Google Calendar, not your Gmail, not your Strava activities, not your Withings weight, not your Garmin heart rate, not your Spotify history, none of it. Your node sources it directly from each service and analyses it on your hardware; we never see it.
  • No plaintext file contents from your shenas node. The encrypted relay payloads described in §3.3 are ciphertext we cannot decrypt; we do not hold the keys.
  • No backups of your shenas data.

If we ever change that — for example, if we offer an optional cloud backup service in the future — we will update this policy, ask you to opt in before the change takes effect for you, and describe the new processing in detail.

4. Why we are allowed to process the data we do hold

European law requires us to identify a lawful basis for each thing we do with your data. Here is the map for the small set of data in §3.

| What we do | Why we are allowed to do it |
| --- | --- |
| Run your Shenas account; let you sign in to chat and to register devices | We need to do this to deliver the service you signed up for (GDPR Article 6(1)(b), contract). |
| Operate the community chat | We need to do this to deliver the service you joined (Article 6(1)(b), contract). |
| Operate the mesh-discovery and encrypted-relay service for your own devices | We need to do this to deliver the service you signed up for (Article 6(1)(b), contract). |
| Reply to your support emails | Article 6(1)(b), contract. |
| Keep sign-in event records, connection-attempt logs, and audit records | We have a legitimate interest in protecting the service and our users against abuse and attack (Article 6(1)(f), legitimate interests). Our balancing test is on file and available on request. |
| Comply with a valid legal order | We are required to (Article 6(1)(c), legal obligation). See §10. |
| Send you transactional messages (e.g. password reset, security alert) | Article 6(1)(b), contract. |
| Send you marketing about new features (if you opted in) | You asked to receive these (Article 6(1)(a), consent). You can stop them with one click. |

We do not rely on legitimate-interest grounds for anything other than security and abuse prevention. We do not rely on consent for anything we could do under contract.

There is no entry in this map for "process the data you have on your shenas node" or "process data you import from third-party services" because Shenas servers do not do those things. See §2 and the list in §3.6.

5. How long we keep the data we do hold

We keep your data only as long as we have a reason to.

  • Account data — for as long as your account exists, plus 30 days after deletion to allow recovery from accidental deletion.
  • Community chat messages in public rooms — kept for as long as the room exists, so that scrollback is available to other members. You can request deletion of your own messages at any time; we will action it in our local store, and we will pass the redaction request to other federated servers (we cannot guarantee they will honour it, but we will try, and we will tell you what happened).
  • Community chat messages in private rooms — kept for as long as the room exists. Same deletion path as above.
  • Device identity records (public key, device name, type, last-seen) — kept while the device is registered; deleted when you deregister the device.
  • Mesh reachability endpoints — overwritten on each refresh from the device; the record reflects current reachability, not history. Deleted when the device is deregistered.
  • Sync cursors — kept while the device pair is in use; deleted when either device is deregistered.
  • Encrypted relay payloads — deleted immediately when the recipient device picks them up. Undelivered payloads are deleted no later than 30 days after they were posted; the server enforces this on every relay write and poll.
  • Connection-attempt logs — 90 days, then deleted.
  • Sign-in event records and security audit logs — 13 months, then deleted, unless we are required to keep them longer by law.
  • Support correspondence — 24 months from the last reply, then deleted.
  • Web-server access logs (marketing site) — 30 days, then deleted.
  • Billing and tax records (if you are on a paid plan) — for the period required by United States federal and Delaware state tax law (typically 7 years).
  • Backups of the data above — backups roll off on their own schedule (no more than 35 days). When you delete data, it is gone from active systems immediately and from backups within 35 days.

If a legal order requires us to preserve specific data for longer, we do so for the scope of the order and no longer.

6. Your controls

You are in charge of your data.

  • In the product: you can edit your profile, change your password, enrol or remove MFA, deregister devices, leave chat rooms, and delete your account.
  • In chat: you can redact your own messages and leave rooms. We will help with cross-server redaction requests where possible.
  • Export. Download all the data we hold about you in a structured, machine-readable form. Available in product settings.
  • Delete your account. Closes the account and deletes the data on the schedule in §5.

To disconnect a third-party service like Strava from your shenas node, use the shenas software on your node — the Shenas account does not control those connections, because we do not hold them. If a third-party-service control is broken or unclear in shenas, the project's issue tracker at shenas.org is the place to flag it.

If a control in the Shenas account or chat is broken or unclear, email [email protected] and we will fix it and reply.

7. Your rights under European law

If you are in the EEA, the UK, or another jurisdiction with similar law, you have the following rights, no matter what the product UI offers:

  • Access — ask us what data we hold about you, and get a copy (GDPR Article 15).
  • Rectification — ask us to correct data that is wrong (Article 16).
  • Erasure — ask us to delete your data ("right to be forgotten") (Article 17).
  • Restriction — ask us to stop using your data while we resolve a question about it (Article 18).
  • Portability — get your data in a machine-readable format, or have us send it directly to another service (Article 20).
  • Object — object to processing we do under legitimate interests (Article 21).
  • Withdraw consent — for anything we do under consent, change your mind at any time (Article 7(3)). Withdrawal does not affect what we did before you withdrew, but stops anything ongoing.
  • Not be subject to automated decisions — we do not make automated decisions about you that produce legal or similarly significant effects (Article 22). If we ever do, we will tell you and you will have the right to a human review.

These rights apply to the data Shenas holds, as listed in §3. Because Shenas does not hold the data on your shenas node, an access or erasure request to us will not retrieve or delete it. To exercise those rights against the data on your shenas node, use shenas directly.

To exercise any of these rights with respect to Shenas-held data, email [email protected]. We will reply within 30 days. If the request is complex, we may extend by up to 60 more days and tell you why.

You can also complain to a supervisory authority. Because shenas ai, Inc. is established in the United States (Delaware) and does not currently have an EU establishment, there is no single EU lead supervisory authority for our processing under the GDPR's one-stop-shop rule. You can complain to the supervisory authority in your own EU country; the full list is at edpb.europa.eu/about-edpb/about-edpb/members_en. In the United Kingdom you can complain to the Information Commissioner's Office at ico.org.uk.

Residents of California and other US states with similar laws

If you are a California resident, you have similar rights under the California Consumer Privacy Act / California Privacy Rights Act: to know, to access, to delete, to correct, to opt out of sale or share (we do not sell or share your personal information), and not to be retaliated against for exercising those rights. To exercise them, email [email protected].

We do not "sell" personal information under California law. We do not "share" it for cross-context behavioural advertising.

Residents of other US states with comprehensive privacy laws (currently including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and a growing list) have similar rights. The same email address is the place to send the request.

8. Where the data we hold is stored

Our production services run on Google Cloud Platform (Google Kubernetes Engine) in the United States. Our development and pre-production environment runs on Hetzner virtual servers in the European Union; this environment does not hold real end-user production data. We are evaluating a Swiss managed-Kubernetes provider for a future move of the production tier.

When data has to move from the EEA or UK to the United States (or another country without an adequacy decision), we use the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and the UK International Data Transfer Addendum. We have done a transfer impact assessment for each receiving country and can share a redacted version on request.

Sub-processors who handle Shenas-held data on our behalf are bound by the same SCCs and the same data-handling commitments as we are. We will publish our sub-processor list at shenas.ai/legal/subprocessors when that page is live, and will update this policy to add the link before any sub-processor change takes effect. We update that list before adding a new sub-processor, and you can object before the change takes effect.

The data on your shenas node is stored on your own hardware in a location you choose. That part is not on us.

9. What we never do with your data

These commitments cover both the small amount of data Shenas servers hold and, where we have a way to enforce it, the architecture choices that keep your shenas data off our servers in the first place.

  • We do not train artificial-intelligence or machine-learning models on your data. Not on chat messages, not on discovery metadata, not on anything else we hold. We do not train models on shenas data either, because we do not have it.
  • We do not sell your personal data. No exceptions.
  • We do not share your personal data for advertising. Not cross-context behavioural advertising, not contextual ad targeting, none of it.
  • We do not analyse the data we hold for marketing or customer-insight reports we sell to third parties.
  • We do not profile you for advertising purposes anywhere.
  • We do not silently expand what we collect. If we decide we need to add a new processing activity that affects you, we will update this policy, give you advance notice, and where European law requires it, ask for your consent before the change takes effect.

If you find a place where our practice does not match this list, write to us. That is a bug, not a policy.

10. Government and law-enforcement requests

When law enforcement, a court, or a government agency asks us for data we hold, our default is:

  • We require valid legal process. A court order, a search warrant, or the equivalent under the law of the requesting jurisdiction. We do not honour informal requests.
  • We respond with the minimum data required by the order. No more.
  • We notify you that the request happened, unless we are legally prohibited from doing so. When the prohibition lifts, we tell you.
  • We do not proactively share data with governments. We do not run programmes that send data to law enforcement before they ask.
  • We push back on requests that are over-broad, vague, or unlawful. Where we have grounds to object, we object.
  • We cannot give them what we do not have. Requests for data that lives on your shenas node will get the answer that we do not hold it. Requests for the contents of end-to-end encrypted relay payloads or device-to-device connections will get the answer that we cannot read them.

We are working on a public transparency report that will describe (in aggregate, without identifying you) the requests we receive and how we respond. When it is live, you will find it at shenas.ai/legal/transparency; we will update this policy to add the link when that page is published.

11. Security

  • All connections to Shenas services use TLS 1.2 or better. Data Shenas servers hold is encrypted at rest (AES-256 or equivalent).
  • Authentication is handled by a dedicated identity service (Kanidm at auth.shenas.net) that supports strong second factors.
  • Access to production systems is limited to a small number of named operators, governed by least privilege, and audited.
  • Mesh-relay payloads are encrypted by your devices before transmission; Shenas does not hold the keys and cannot read them.
  • We test our defences and patch promptly. We do not claim that any system is unbreakable; nothing on the internet is.

If something does happen — a breach that puts your Shenas-held data at risk — we will tell you. European law gives us 72 hours from awareness to notify the supervisory authority of a personal-data breach; we will also notify you directly without undue delay when the breach is likely to result in a high risk to your rights and freedoms. We will say what happened, what data was affected, what we have done, and what you should do.

A breach of your shenas node is something we cannot detect for you, because we are not in the path. The shenas software is built to help you secure that node; please do not skip the parts of the documentation that explain how.

To report a security vulnerability in Shenas services, see github.com/shenas-org/shenas/security/advisories/new or email [email protected].

12. Children

Shenas is not intended for users under 18. We do not knowingly create accounts for children. If we learn that we have collected personal data from a child under 18 without parental consent (or 16 in jurisdictions with a higher digital-age threshold), we will delete it.

If you are a parent or guardian and believe your child has signed up for Shenas, contact [email protected] and we will resolve it.

13. Cookies and similar technologies

The marketing site at shenas.ai uses only strictly necessary cookies — the cookies the site needs to load, route requests, and remember whether you accepted this notice. We do not use advertising cookies, tracking pixels, or third-party analytics on the marketing site.

The community chat and account services store a session token after you sign in. That is what lets you stay signed in. No third-party trackers run inside our services.

If the marketing site starts using non-essential cookies in the future, we will publish a separate cookies notice and ask you to accept them before they run.

14. Changes to this policy

When we change this policy in a way that materially affects you, we will:

  • Send an email to the address on your account.
  • Show a notice the next time you sign in.
  • Give you at least 30 days' notice before the change takes effect, unless the change is required immediately by law.

When the change is purely editorial (typos, clarifications), we will update the date at the top and add an entry to the revision history below.

Revision history

| Version | Date | Summary |
| --- | --- | --- |
| v1 | 2026-05-17 | Initial draft revision (subject to change). |

15. How to reach us

For anything in this policy, including exercising your rights:

  • Email: [email protected]
  • Post: shenas ai, Inc., c/o Legalinc Corporate Services Inc. (Registered Agent), 131 Continental Drive, Suite 305, Newark, DE 19713, United States, Attn: Privacy.
  • Security disclosures: [email protected] or GitHub private advisory.
  • In the EEA / UK, our Article 27 representative: We have not yet engaged an Article 27 representative in the Union; in the meantime, please contact [email protected] or your local supervisory authority (see §7).

We aim to reply within five working days, and always within 30 days for formal requests under the rights listed in §7.