Privacy Policy
Effective date: 2026-05-28 · Last updated: 2026-05-28
1. Who we are
Shelf Republic is a desktop application for macOS (with a Windows version coming soon) that helps comic collectors organize and browse their local comic library. The service is operated by Sei Dake (see section 14 for full legal identification).
This Privacy Policy explains what personal data we process, why, who we share it with, and how you can exercise your rights. It applies to the Shelf Republic desktop app, the website at shelfrepublic.com, and any related service we provide.
Contact for privacy questions: hello@shelfrepublic.com.
2. Scope
This policy covers (a) the Shelf Republic desktop application distributed directly from shelfrepublic.com as a signed .dmg for macOS (a signed .exe for Windows is coming soon), and (b) the marketing website at shelfrepublic.com. Use of the app is also governed by the Shelf Republic EULA.
3. Data we process
Shelf Republic is local-first by design. The app itself does not collect, transmit, or store any personal data about you. The only data processing that takes place is what is strictly required to (a) deliver and maintain your licence, (b) operate the website, and (c) keep your app up to date.
3.1 The app itself
The Shelf Republic desktop application does not:
- Create or require an account.
- Send telemetry, analytics, crash reports, or usage data to us or to any third party.
- Upload, copy, or transmit your comic files, folder structure, tags, ratings, or any other content from your library.
- Read or transmit any system identifier, MAC address, or hardware fingerprint.
Your library and all data about it stay exclusively on your local machine, in the folders you already chose.
3.2 Purchase data
When you buy Shelf Republic, the purchase is processed by Paddle.com Market Limited, which acts as the Merchant of Record. Paddle collects the data needed to complete the sale — email address, billing country, payment instrument, applicable taxes, and a transaction record — under its own privacy policy (paddle.com/legal/privacy).
Paddle shares with us a limited subset of this data: your email address, country, and the transaction reference. We use it to deliver your licence key, to provide support, to honour refund requests, and to keep a record of issued licences. This data lives inside Paddle's dashboard; we do not export it to any other system.
3.3 Licence key
After purchase, Paddle sends you a licence key by email. The key is a signed file containing the buyer's email address and entitlement metadata. Activation is verified locally by the app — there is no online check, no server call, no device registration phoning home.
3.4 Software updates
The app uses the official Tauri updater plugin to check for new versions. The updater fetches a release manifest from GitHub Releases (operated by GitHub, Inc.) and, if a newer version is available, downloads the signed binary from the same source. No identifier, email, or licence information is sent in these requests. As with any network request, GitHub's servers receive standard connection metadata (IP address, user agent, timestamp) according to GitHub's own privacy practices.
3.5 Website (shelfrepublic.com)
The website is hosted by Vercel Inc. Vercel records standard server-side request logs (IP address, user agent, timestamp, requested URL) to deliver the site and protect it from abuse. We do not run any analytics, tracking pixel, cookie banner, advertising tag, or session recorder on the website. No first-party cookies are set by us.
3.6 Support correspondence
If you write to us at hello@shelfrepublic.com, we receive and keep the content of your message and your email address for as long as needed to resolve your request and to defend a possible legal claim.
3.7 Windows waitlist
If you join the Windows waitlist on shelfrepublic.com, we store the email address you submit, with your consent, for the sole purpose of sending you a single notification when the Windows version is released. The address is kept in Vercel Blob (our existing hosting provider, see section 5), is never shared, and is used for nothing else. You can ask us to delete it at any time by writing to hello@shelfrepublic.com, and we remove the whole list once the Windows launch notice has gone out.
4. Why we process your data
Under Article 6 of the GDPR:
| Purpose | Legal basis |
|---|---|
| Deliver your licence and provide post-sale support | Performance of a contract, Art. 6(1)(b) |
| Process payments and issue invoices | Performance of a contract, Art. 6(1)(b); legal obligation, Art. 6(1)(c) |
| Distribute software updates | Legitimate interest, Art. 6(1)(f) — keeping your app secure and functional |
| Operate the website and protect it from abuse | Legitimate interest, Art. 6(1)(f) |
| Respond to support requests and legal claims | Legitimate interest, Art. 6(1)(f); performance of a contract, Art. 6(1)(b) |
Where a legitimate interest is invoked, we have carried out a balancing test. You can object to processing based on legitimate interest at any time (see section 10). We do not use your personal data for automated decisions with legal or similarly significant effects. We do not sell your personal data.
5. Sub-processors
Shelf Republic relies on a small set of providers. Each processes your data strictly on our instructions, under a data processing agreement.
| Sub-processor | Role | Data received | Location |
|---|---|---|---|
| Paddle.com Market Limited | Merchant of Record: payment, tax, licence delivery, refunds | Email, country, payment instrument, transaction record | United Kingdom + United States |
| Vercel Inc. | Website hosting | Standard server logs from website visits (IP, user agent, requested URL) | United States |
| GitHub, Inc. | Distribution of software updates | Standard connection metadata when the app checks for or downloads an update | United States |
6. International data transfers
Some sub-processors are established outside the European Economic Area, in the United States and the United Kingdom. Transfers rely on the European Commission's Standard Contractual Clauses (2021/914), the UK adequacy decision where applicable, and supplementary measures such as encryption in transit, strict access controls, and contractual commitments from providers.
You can request a copy of the safeguards by writing to hello@shelfrepublic.com.
7. How long we keep your data
- Licence records (email, country, transaction reference) in Paddle: kept for as long as your licence is valid, plus the retention period required for tax and accounting purposes under Spanish law (currently six years, Article 30 of the Spanish Commercial Code).
- Server logs (Vercel, GitHub): retained per the provider's own policy, typically days to a few weeks.
- Support correspondence: up to 24 months after the last message, or longer if needed to defend a legal claim.
8. Security
We apply measures proportionate to the risk:
- The macOS app is signed with an Apple Developer ID and notarized by Apple.
- When the Windows version ships, it will be signed with an Authenticode certificate.
- Updates are delivered as signed binaries and verified by the updater before installation.
- The licence key is cryptographically signed; tampering invalidates it.
- All network traffic uses TLS 1.2 or higher.
No online service is perfectly secure. If you believe your licence or any related data has been compromised, write to hello@shelfrepublic.com immediately.
9. Account deletion
Shelf Republic does not create accounts, so there is nothing to delete on the app side. To have your purchase data removed from Paddle and from our records, write to hello@shelfrepublic.com from the address associated with your purchase. We will action erasure within 30 days, subject to the legal retention obligations described in section 7 (we are required by Spanish tax law to keep invoices and transaction records for six years; this duty overrides erasure requests for those specific records).
10. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your data, subject to the legal retention obligations in section 9 (Art. 17).
- Restrict processing in specific circumstances (Art. 18).
- Data portability in a structured, commonly used format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
To exercise any right, write to hello@shelfrepublic.com from the address associated with your purchase. We reply within 30 days and may request additional verification.
You also have the right to lodge a complaint with a supervisory authority. In Spain: Agencia Española de Protección de Datos (AEPD), www.aepd.es. If you reside in another EEA country you may contact your local authority.
11. Children
Shelf Republic is not directed at children under 14. Under Spanish law (Article 7, LOPDGDD) a minor must be at least 14 to consent to data processing; below that age, only a holder of parental responsibility can give consent.
If you believe a child under 14 has bought Shelf Republic without parental consent, write to hello@shelfrepublic.com and we will arrange a refund and erase the related records.
12. Changes to this policy
We may update this policy to reflect changes in the service, sub-processors, or applicable law. Material changes will be notified on shelfrepublic.com, by email, or both, before taking effect. The "Last updated" date at the top always reflects the current version.
13. Contact
For any privacy question or to exercise a right: hello@shelfrepublic.com.
14. Legal information
Sei Dake is a trade name of Bernardo Ortega, a sole trader (autónomo) established in Spain.
NIF: 50462476Q.
Postal address: Calle Bergantín 9, 3D, 28220 Majadahonda, Madrid, Spain.
Data protection contact: hello@shelfrepublic.com.
Supervisory authority: Agencia Española de Protección de Datos (www.aepd.es).