Plain-English Privacy
Privacy.
Shiny is built so that we can't spy on you, even if we wanted to. Here's exactly what that means, written to satisfy UK GDPR without losing the plain English.
Who is the data controller?
The data controller for any personal data we hold about you is:
TJH/CO LIMITED (trading as THEODOREHQ)
A company registered in England and Wales
Company number: 16589593
Registered office:
Fairway House, Links Business
Fortran Rd, St. Mellons
Cardiff, CF3 0LT
United Kingdom
Email: support@theodorehq.com
What information does Shiny collect from inside the app?
None. Shiny runs entirely on your Mac. It does not record what you click, when you launch it, which apps it pauses, how much memory it freed, or anything else about how you use it.
Does Shiny make any network requests?
Yes, exactly two kinds.
Once a day, an update check against https://www.theodorehq.com/shiny/appcast.xml. The request contains your current Shiny version and your macOS version (so we can serve the right update). It does not contain a unique identifier. The request is signed by Apple's Sparkle framework. You can disable update checks in Settings.
Once at first launch, a license-key activation check against Polar's licensing server, to verify your purchase. After activation, Shiny caches the verification locally and runs entirely offline; it does not re-check on every launch. See "International transfers" below for where this data goes.
What personal data do we hold, and on what lawful basis?
Three categories. We list each one with the lawful basis under Article 6 of the UK GDPR, because the law requires us to.
How long do we keep your data?
- Purchase email and licence record: while your licence is active, plus seven years after your last purchase, for HMRC tax-record requirements (Schedule 11 of the VAT Act 1994 and corresponding income-tax rules).
- Newsletter subscription: until you unsubscribe, plus thirty days while we process the unsubscribe.
- Licence-activation logs: twelve months from activation, then automatically deleted by Polar.
- Support emails: two years, then deleted, unless you ask us to keep them as a reference for an open issue.
Crash reports
Shiny never sends crash reports automatically. If Shiny crashes, the next time you open it you'll see a calm dialog explaining what happened, with a button to read the full report and a button to send it to support. Nothing leaves your Mac unless you choose to send it — you see the entire report first, and the email goes out from your own mail client so you remain in control of the message.
If macOS itself shows a separate "Send to Apple" dialog after a crash, that's Apple's standard system, not us, and you control it in System Settings → Privacy & Security → Analytics & Improvements.
Cookies and local storage on this website
No cookies. No third-party trackers. No advertising scripts. No fingerprinting.
Two small things are stored locally in your browser's localStorage, only on your machine:
- Your light/dark theme preference (key: shiny-theme-cache). Purely functional, no personal data. Exempt from PECR consent under Regulation 6(4) ("strictly necessary for the requested service").
- A short-lived analytics session token used by Umami (our self-hosted website analytics — see below) to count one visit as one visit. Not a personal identifier.
Website analytics (Umami)
We use Umami, a privacy-friendly analytics tool we self-host on our own server at analytics.theodorehq.com. The server is located in Manchester, United Kingdom, so no international transfer is involved. We installed it in May 2026 because flying completely blind on what people read on this site made it impossible to write better articles and improve the pages people actually visit.
Umami records: page URL, page title, page referrer, country (derived from your IP, then immediately discarded), browser, operating system, device type, and screen size. It does not set cookies, does not fingerprint your device, does not follow you across other websites, and shares nothing with any third party. The analytics server is run by us alone.
Lawful basis: legitimate interests (Art 6(1)(f) UK GDPR) in understanding aggregate site traffic in a way that does not identify individual visitors. Retention: aggregated forever, raw event records 12 months.
How to opt out. Any standard content blocker (uBlock Origin, Ghostery, Brave's built-in shields) blocks our analytics by default. Or, in your browser's developer console on this site, paste localStorage.setItem('umami.disabled', '1') — Umami treats that as a permanent opt-out for this domain.
International transfers
Polar.sh, our payment and licensing processor, is based in the United States. When you buy a licence, your email and country of purchase are processed by Polar in the US. Polar handles this transfer under Standard Contractual Clauses (UK IDTA — the International Data Transfer Agreement), the UK government's approved transfer mechanism. You can read Polar's own data-processing agreement at polar.sh/legal/dpa.
No other international transfers occur. THEODOREHQ does not transfer your data to any other third country.
Your rights under UK GDPR
You have the following rights with respect to the personal data we hold about you:
- Right of access — ask us for a copy of the data we hold (Art 15).
- Right to rectification — correct any data that is inaccurate (Art 16).
- Right to erasure — ask us to delete your data, subject to our HMRC retention obligation above (Art 17).
- Right to restrict processing — pause our processing while a dispute is resolved (Art 18).
- Right to data portability — receive your data in a structured, common format (Art 20).
- Right to object — object to processing based on legitimate interests, including direct marketing (Art 21).
- Right to withdraw consent — for the newsletter, at any time, via the unsubscribe link or by emailing us (Art 7(3)).
- Right not to be subject to automated decision-making — we do not make any such decisions about you (Art 22).
To exercise any of these rights, email support@theodorehq.com. We respond within thirty days, free of charge.
Right to complain to the ICO
If you think we have handled your data improperly, you have the right to lodge a complaint with the UK Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
ico.org.uk/make-a-complaint
We'd much rather you email us first so we can put it right, but the right to escalate to the ICO is yours regardless.
Children
Shiny is not directed at children under 13 (the UK age of digital consent under section 9 of the Data Protection Act 2018). We do not knowingly collect any personal data from anyone under 13. If you believe we hold such data in error, email us and we will delete it promptly.
Changes to this policy
If we ever change this policy, we'll update the date at the top, and email anyone on the customer list a plain-English summary of what changed at least fourteen days before the changes take effect. We will not retroactively start collecting more from existing users without telling them first.
Contact
Questions, concerns, or anything that smells off: support@theodorehq.com. A real human (Theodore) reads every email.