Legal
Privacy Policy
Effective 2026-05-19 · Last updated 2026-05-19
This page explains what data Shumi (shumi.ai) collects, why, who we share it with, and what rights you have. Shumi is operated by two natural persons based in Bulgaria. We do this work independently, so the data practices here are the actual practices — not aspirational copy from a compliance template.
We collect as little as we can get away with while still running the product. If you have questions, email hello@coinrotator.app.
1. Who's responsible
Shumi is operated by two natural persons working jointly as a two-founder indie team — publicly known as mayrsascha and pxeodev, both based in Bulgaria. We are joint controllers of the personal data described below. There is no separate legal entity. Contact for any data question is hello@coinrotator.app.
2. What we collect
Account identifiers. When you sign in via Dynamic, we receive the identifier(s) you authenticated with: typically a wallet address and, if you signed in via email or social login, an email address and a public display name. We store these to associate your queries with your entitlement tier.
Chat queries and responses. Your queries and our responses are stored to (a) provide the chat history within a conversation, (b) help us improve the product's quality, and (c) debug errors. Queries are processed by an LLM provider (Anthropic or OpenAI) under their zero-retention or short-retention agreements.
Usage data. When you use the service, we log standard request metadata: IP address (truncated when possible), browser user-agent, timestamp, the endpoint hit, and the result. This is used for security, abuse prevention, rate-limiting, and aggregated analytics.
Billing data. Payments are handled by Lemon Squeezy as our merchant of record. We never see your credit card. We do receive: the fact that you bought a tier, the variant ID, the amount, the customer ID, the email Lemon Squeezy associates with the purchase, and the country (for VAT purposes). We do not receive card details, bank account details, or full billing addresses.
Wallet balance lookups. If you connect a wallet, we periodically check your $SHUMI balance on the Base blockchain via Alchemy RPC. This involves sending your wallet address to Alchemy. Wallet addresses on a public blockchain are public information, so this is not a personal-data disclosure beyond what is already visible on-chain.
Cookies. We use functional cookies for authentication and session management, and a single cookie to track whether your device has used its one anonymous free query. We use first-party analytics cookies (PostHog, Mixpanel) to understand product usage in aggregate. No third-party advertising trackers, no cross-site behavioral profiling, no data brokers.
3. Why we collect it
- To provide the service — answering your queries requires routing them through an LLM, looking up data, and remembering your entitlement tier.
- To process payments — Lemon Squeezy needs the customer record to send you receipts and let you manage your subscription.
- To improve the product — we look at aggregated query patterns to decide what features to build and what data sources to add. We don't train models on your data.
- To prevent abuse — rate-limiting, fraud detection, and identifying scraping attempts.
- To debug — when something breaks, we look at the request that triggered the error. Bugsnag receives stack traces with redacted payloads.
- To meet legal obligations — tax compliance via Lemon Squeezy, lawful requests, financial-record retention.
Our legal basis under GDPR depends on the activity: contract performance for delivering paid features, legitimate interest for security and product analytics, legal obligation for tax and accounting records, and consent for anything else (we'll ask before relying on consent).
4. How long we keep it
- Account record: until you ask us to delete it, or 24 months after your last login (whichever is sooner).
- Chat history: 90 days, then aggregated and stripped of identifiers.
- Server logs: 30 days at the hosting layer.
- Billing records: 10 years as required by Bulgarian tax law (held by Lemon Squeezy on our behalf).
- Error reports (Bugsnag): 30 days.
5. Who we share it with
We share data only with the subprocessors below, only as needed to run the service, and only under contractual data-protection terms with each. We do not sell data, we do not rent it, we do not share it with advertisers.
| Subprocessor | Role |
|---|---|
| Dynamic Labs | Wallet + social authentication, JWT issuance |
| Lemon Squeezy | Payment processing (merchant of record), subscription management, tax compliance |
| Render | Hosting (chat backend, shumi.ai landing, Telegram bot, Postgres database) |
| Vercel | Hosting (coinrotator.app) |
| Anthropic | LLM provider for chat responses (Claude) |
| OpenAI | LLM provider for some chat responses (GPT) |
| Langfuse | Prompt observability and quality monitoring |
| PostHog | Product analytics and session replay |
| Mixpanel | Event analytics on chat interactions |
| Bugsnag | Error monitoring |
| Alchemy | Public blockchain RPC (Base network, for $SHUMI hold checks) |
Some subprocessors (LLM providers, Render, Vercel, analytics tools) operate primarily from the United States. Where we transfer EU/UK personal data to the US, the transfer is covered by the EU-US Data Privacy Framework or by standard contractual clauses, as applicable.
6. Your rights
Under GDPR (if you're in the EU/UK) and equivalent rights in many other jurisdictions, you can:
- Access — ask what we hold about you.
- Correct — fix anything that's wrong.
- Delete — have your account and associated data removed.
- Port — get your data in a machine-readable format.
- Object — ask us to stop processing for a specific purpose (analytics, marketing emails).
- Withdraw consent — for anything we relied on consent for.
- Complain — to the Bulgarian Commission for Personal Data Protection (cpdp.bg) or your local equivalent.
Email hello@coinrotator.app to exercise any of these. We'll respond within a reasonable time, typically under 30 days. We may ask you to prove ownership of the wallet or email account in question before processing a delete or export.
7. Security
We use TLS everywhere, encrypt secrets at rest where supported by our hosting, scope access tokens narrowly, and rotate them when team membership or scope changes. We're a small team, so the practical defense is having a small attack surface — fewer subprocessors, fewer custom services, and no third-party advertising trackers.
If you find a vulnerability, please report it to hello@coinrotator.app and give us a reasonable window to fix it before public disclosure. We don't have a bug bounty program but we'll credit responsible disclosures.
8. Children
Shumi is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have, email us and we'll delete it.
9. Changes to this policy
We'll update the "Last updated" date at the top when this policy changes. Material changes get an announcement on the website and an email to subscribers (when we have an address). Continued use after the effective date means you accept the new policy.
10. Contact
hello@coinrotator.app — for any privacy question, data request, or complaint. We answer real emails.