Privacy Policy

Last updated: February 2026

This policy explains how Shoulders collects, uses, and protects personal data. See also our Terms of Service.

1. Local-First Architecture

Shoulders is a desktop application. Your documents, references, and project files are stored locally on your machine. We do not have access to them unless you use features that connect to external services.

2. Data We Collect

Without an account (bring-your-own-keys mode): we collect no personal data. AI requests go directly from your machine to the provider you configured. We are not involved in that exchange.

With a Shoulders AI subscription:

  • Account data: email address, password (stored as a secure hash), display name (optional)
  • AI requests: messages and document context sent through our infrastructure to AI providers
  • Usage data: cost tracking, request counts, model used. Message content is not stored on our servers
  • Technical data: access logs (IP, timestamps) for security

Analytics: Shoulders may collect anonymised usage data (e.g. feature usage, error reports) to improve the software. This can be disabled in Settings. We do not use advertising cookies or third-party analytics services. We do not sell data to anyone. We do not use your data for training or inference.

3. How We Use Your Data

  • Service delivery: processing AI requests, managing your subscription
  • Security: protecting against unauthorised access and fraud
  • Communication: essential notifications (password reset, important updates)

4. Legal Basis (GDPR Art. 6)

  • Contract (Art. 6(1)(b)): account, subscription, AI features
  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention
  • Consent (Art. 6(1)(a)): optional features requiring explicit consent
  • Legal obligation (Art. 6(1)(c)): compliance with applicable law

5. Data Sharing

When you use AI features, document context and messages are sent to the AI provider. This applies whether you use your own API keys or the Shoulders AI subscription.

Provider     Purpose                 Data Sent
Anthropic    AI (Claude)             Chat messages, document context
OpenAI       AI (GPT)                Chat messages, document context
Google       AI (Gemini)             Chat messages, document context
OpenAlex     Academic paper search   Search queries
Exa.ai       Web search              Search queries
CrossRef     Citation lookup         DOIs, metadata queries
Stripe       Payments                Email, billing details
Resend       Transactional email     Email address

Account data is stored on servers in Frankfurt, Germany (EU).

No training on your data. AI providers process data for inference only. Under their API terms of service, your content is not used to train models.

6. International Transfers

Subscription data is stored in the EU (Frankfurt). AI providers are based in the US. Transfers are protected by Standard Contractual Clauses, data processing agreements, and encryption in transit.

7. Data Retention

  • Account data: until you delete your account
  • AI request logs: retained for billing; deletable on request
  • Security logs: 90 days, then deleted

Local files are never sent to us and remain under your control.

8. Your Rights

Under the GDPR, you have the right to:

  • Access (Art. 15): request a copy of your data
  • Rectification (Art. 16): correct inaccurate data
  • Erasure (Art. 17): delete your data
  • Restriction (Art. 18): limit processing in certain cases
  • Portability (Art. 20): receive your data in a portable format
  • Object (Art. 21): object to processing based on legitimate interests

To exercise these rights, email contact@shoulde.rs. We respond within 30 days. You may also file a complaint with a supervisory authority (in Germany: LDI NRW).

9. Cookies

We use only essential cookies (session authentication). Editor preferences are stored in local storage on your machine. No tracking cookies.

10. Security

All connections use TLS encryption. Passwords are securely hashed. Database policies ensure users can only access their own data.

11. Policy Changes

We may update this policy. Material changes are communicated via email or in-app notification. Continued use after notice constitutes acceptance.

Questions about this policy: contact@shoulde.rs

Data Controller: Dr. Paul Schneider, Lohmuehlenstrasse 65, 12435 Berlin, Germany