Privacy Policy
Last updated:
1. Introduction
Shiko ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered mind mapping platform.
We are based in Poland and operate under the European Union's General Data Protection Regulation (GDPR). We also comply with the California Consumer Privacy Act (CCPA) for our users in California.
By using Shiko, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — Required for account identification and communication
- Password — Stored only in hashed form (see Section 9), never as plain text; we never have access to your plain-text password
- Display name — Optional name shown to collaborators
- Profile information — Optional bio and preferences you choose to provide
2.2 OAuth Information
If you sign in using Google or GitHub, we receive:
- Your email address
- Your name (as provided by the OAuth provider)
- Your profile picture URL
We do not receive or store your OAuth provider passwords. Authentication is handled securely by the respective providers.
2.3 Content You Create
We store the content you create within Shiko:
- Mind maps — Including titles, descriptions, and organizational structure
- Nodes — All node types (text, tasks, code, images, questions, etc.) and their content
- Connections — Relationships between nodes
- Comments — Discussion threads and messages on shared maps
2.4 Usage Data
We automatically collect certain information about how you use our service:
- AI feature usage — We track how many AI suggestions you use for billing purposes
- Subscription status — Your plan type and billing period
2.5 Technical Data
For security and service operation, we may collect:
- Browser type and version
- IP address (for rate limiting and abuse prevention)
- Device information
2.6 Information We Do NOT Collect
We want to be clear about what we don't collect:
- Payment card details (handled entirely by our payment processor, Polar)
- Phone numbers or physical addresses
- Location or GPS data
- Device fingerprints for tracking
- Analytics data — We do not use analytics services like Google Analytics, Mixpanel, or similar tracking tools
3. How We Use Your Information
We use the information we collect to:
- Provide our service — Store and sync your mind maps across devices, enable real-time collaboration
- Process AI features — Send relevant content to our AI provider (OpenAI) to generate suggestions and answers
- Process payments — Manage subscriptions through our payment processor
- Communicate with you — Send service-related emails (account verification, password resets, billing notifications)
- Improve our service — Understand how features are used to make improvements
- Ensure security — Detect and prevent fraud, abuse, and security threats
- Comply with legal obligations — Respond to legal requests and enforce our terms
4. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data based on the following legal grounds:
4.1 Contract Performance
Processing necessary to provide you with our service, including account management, content storage, and collaboration features.
4.2 Legitimate Interests
Processing necessary for our legitimate interests, including service security, fraud prevention, and service improvements, where these interests are not overridden by your rights.
4.3 Consent
For optional features or communications, we rely on your consent, which you can withdraw at any time.
4.4 Legal Obligation
Processing necessary to comply with legal requirements, such as tax and accounting laws.
5. Information Sharing
We do not sell your personal data. We share information only in the following circumstances:
5.1 Service Providers (Subprocessors)
We use trusted third-party services to operate Shiko:
| Provider | Purpose | Location | Data Shared |
|---|---|---|---|
| Supabase | Database, Authentication, Real-time sync | EU | All user data and content |
| Polar.sh | Payment processing | US | Email, name, billing information |
| OpenAI | AI features | US | Node content for AI processing |
| Vercel | Hosting | US (Global CDN) | Application code only |
| Google OAuth | Social login | US | Authentication tokens |
| GitHub OAuth | Social login | US | Authentication tokens |
5.2 Collaborators
When you share a mind map, collaborators can see your display name, avatar, and real-time activity (cursor position, selected nodes). Your email is not shared with collaborators unless you explicitly include it in your profile.
5.3 Legal Requirements
We may disclose your information if required by law, court order, or government request.
5.4 Business Transfers
If Shiko is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
6. Data Retention
We retain your information as follows:
- Active accounts — Your data is retained for as long as your account is active
- Deleted accounts — When you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal purposes
- AI chat history — Chat conversations with AI are ephemeral and are not stored on our servers after your session ends
- Backups — Backups may retain deleted data for up to 90 days for disaster recovery purposes
7. Your Rights
Under GDPR and CCPA, you have the following rights regarding your personal data:
7.1 Right to Access
You can request a copy of the personal data we hold about you. We provide data export functionality in your account settings.
7.2 Right to Rectification
You can update or correct your personal information at any time through your account settings.
7.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your account and associated data. This can be done through your account settings or by contacting us.
7.4 Right to Data Portability
You can export your mind maps and data in standard formats (JSON) for use with other services.
7.5 Right to Withdraw Consent
Where we rely on consent, you can withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.
7.6 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO).
7.7 California Residents (CCPA)
California residents have additional rights:
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to opt out of the sale of personal information (note: we do not sell your data)
- Right to non-discrimination for exercising your privacy rights
To exercise any of these rights, please contact us at support@shiko.app. We will respond within 30 days (or 45 days for CCPA requests).
8. International Data Transfers
Some of our service providers are located in the United States. When we transfer your data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) — Our agreements with US-based providers include EU-approved contractual safeguards
- Adequacy decisions — Where applicable, we rely on EU adequacy decisions
You can request a copy of the safeguards we use by contacting us at support@shiko.app.
9. Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit — All data is transmitted over HTTPS/TLS
- Password hashing — Passwords are hashed using industry-standard algorithms (bcrypt)
- Row-level security — Database access is controlled at the row level to ensure you can only access your own data
- Access controls — We limit employee access to personal data on a need-to-know basis
- Regular updates — We keep our systems and dependencies updated to address security vulnerabilities
While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to support@shiko.app.
10. Children's Privacy
Shiko is not intended for children under 16 years of age (or 13 in jurisdictions where the GDPR does not apply). We do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@shiko.app. We will take steps to delete such information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this policy
- Notify you by email (for significant changes)
- Post a notice on our website
We encourage you to review this policy periodically. Your continued use of Shiko after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: support@shiko.app
- Data Controller: Shiko (Poland)
For GDPR-related inquiries, you can also contact your local data protection authority.