Privacy Policy

Account data. Your name, email, and organization membership, managed through Keystone — our identity layer. If your organization uses SSO, your identity provider remains the source of truth.

Usage metering. Session start events, runtime seconds by isolation class, and region — the minimum needed to bill per second and show you your own usage.

Activity history. Lifecycle actions (create, restart, snapshot, stop, wipe and similar) with timestamps and the acting identity, so your fleet has an audit trail.

Your sandbox contents are yours. We do not read, index, or train on the code or data inside your shells. Operators access instance internals only when you ask for support and grant it.

Credential material is never stored. Term credentials are short-lived and rendered masked; the activity history records that a mint happened, never the secret itself.

Wiped is wiped: wipe_state destroys filesystem state and we keep no shadow copy. Activity history and billing records are retained while your account is active and for up to 12 months after closure, then deleted. Free-tier shells reclaimed after idling are wiped on reclaim.

The console uses session cookies required for sign-in — nothing for cross-site tracking. This website sets no third-party advertising cookies and runs no fingerprinting.

We do not sell personal data. Data is shared only with infrastructure subprocessors needed to operate the service (compute, billing, email), each bound by data-processing agreements, or when the law genuinely requires it.

You can request a copy, correction, or deletion of your personal data at any time. Organization admins control member data within their tenant. Write to privacy@shells.sh — a human answers, typically within one business day.

If this policy changes in a way that matters, we will say so plainly in the changelog and by email before the change takes effect. The effective date above always reflects the current version.