Privacy without pretending the product is bigger than it is.

Controller

The data controller for Shmery account infrastructure is Shmery Filip S., Poland.

For privacy, account deletion, data access or security questions, contact: [email protected].

Minimum age

Shmery accounts are intended for users aged 13 or older. By creating an account, you confirm that you are at least 13 years old.

If we learn that an account was created by a person below the minimum age, we may delete or restrict that account.

Data we process

When you create a Shmery account, the backend processes your e-mail address, display name, password hash, device identity, account sessions, trusted devices, avatar, profile banner, profile style, badges, subscription state and basic account security state such as e-mail two-factor authentication.

For social features, Shmery processes friend requests, friend lists, blocked users, direct messages, message delivery state and notifications related to direct messages, friend requests and mentions.

For server-related account features, Shmery may process server aliases, server avatars, registered-only access state, license state and identity-backed metadata needed to connect Shmery accounts with self-hosted servers.

Passwords are not stored as plain text. Password reset tokens and e-mail confirmation codes are stored as hashes or short-lived challenge records where implemented.

Purposes and legal bases

We process account and app data to provide Shmery accounts, authentication, desktop authorization, social features, direct messages, server aliases, badges, subscriptions and account-backed server access. The legal basis is performance of the service contract or steps requested before using the service.

We process security logs, rate limits, device/session metadata, abuse signals and update integrity data to keep the service reliable and prevent abuse. The legal basis is legitimate interest in protecting Shmery, users and self-hosted server operators.

We process billing and subscription information where needed to provide paid features, handle payment state and comply with tax, accounting or legal duties. The legal basis is contract performance and legal obligation.

Where an optional feature clearly asks for consent, you may withdraw that consent later. Shmery does not use third-party advertising trackers on the public website or account portal.

Processors and recipients

Shmery uses infrastructure and service providers needed to run the product, including hosting/VPS infrastructure, Cloudflare for DNS/proxy/security, Resend for transactional e-mail and Stripe for payments and subscription handling when paid features are used.

Self-hosted Shmery server operators process data stored on their own server instances. They are responsible for their own server databases, logs, backups, moderation rules and local retention decisions.

Some providers may process data outside the European Economic Area. Where that happens, we rely on the safeguards offered by those providers, such as standard contractual clauses or equivalent transfer mechanisms.

Voice and self-hosted servers

Voice servers are meant to be self-hosted. Voice traffic goes through the server you connect to, not through a mandatory Shmery hosted voice relay.

Text channels on self-hosted voice servers are stored by the server instance that owns those channels. Shmery account infrastructure can still be used for identity-backed features such as registered-only access, server avatars, aliases, badges and license checks.

Local device data

The desktop app stores local preferences, server bookmarks, cached server state, cached avatars, crash/error logs, audio settings and protected account/session material on your device. On Windows, sensitive desktop files are protected with Windows DPAPI where implemented.

Avatar caching is intentionally local-first so previously loaded avatars can remain visible when the backend is temporarily unavailable. Local cache files can be refreshed, overwritten or removed by the app as account/server data changes.

Retention and deletion

Account data is kept while your account exists or while it is needed for security, legal, accounting or dispute purposes. Old avatars and banners are removed when replaced. Expired sessions, reset tokens and e-mail confirmation challenges are invalidated or cleaned up by backend maintenance logic.

You can delete your Shmery account from the account/security settings. The flow requires an e-mail confirmation code before deletion is completed. Account deletion removes or anonymizes central Shmery account data where possible, including sessions, devices, profile assets and social data controlled by Shmery infrastructure.

Some records may remain for a limited period if required for legal compliance, payment records, fraud prevention, security investigations or backup integrity. Data stored on self-hosted servers is controlled by the operator of that server.

Your rights

If GDPR/RODO applies to you, you may request access to your data, correction, deletion, restriction, portability, objection to processing based on legitimate interest and withdrawal of consent where consent is used.

You also have the right to lodge a complaint with a supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO).

Contact

For privacy requests, account deletion support or security reports, contact [email protected]. Include enough context to identify your account or the issue, but do not send passwords, session tokens or private keys.