What we collect, and why.
Shru turns any link into a personal share page. The data we need to do that is small — and we'd rather tell you about it plainly than bury it in legalese. Pair with the terms of service for the full picture.
What we store about you
When you sign up we store your email address, display name, and avatar URL. Sign-in is handled by Clerk; OAuth provider tokens (Google, etc.) are stored by Clerk on our behalf. We store your display name + an optional bio in our own database so recipients see them on every share page you create.
What we store about your shares
For each share you create we store: the destination URL, the recipient's name (optional), your note, and any password gate setting. Shares live in our Upstash Redis store, keyed by a short random ID so URLs aren't guessable.
We don't inspect the destination URLs you send — we just render them inside a share page. The recipient's click eventually navigates them off to wherever you pointed.
Personal API tokens
If you create an API token from Settings → Token we store a salted SHA-256 hash, never the raw value. We can't recover a token after it's shown to you — if you lose it, generate a new one. Tokens can be revoked at any time.
AI processing — what goes to Claude
Shru uses Anthropic Claude (via the official Anthropic API) to help draft share notes when you compose via the MCP integration. What we send for each call: the immediate text you typed or the instructions a connected client (e.g. Claude.ai) sent on your behalf, plus the destination URL and recipient name.
We don't send your past share history or any other account data. Anthropic processes the request and doesn't train on it per their commercial terms.
Custom domains (Pro)
If you bring a custom domain we store the hostname and its verification status. DNS records on your registrar are yours — we don't touch them. We use Vercel's domains API to attach the domain to our project so TLS certificates can be issued.
Who we share data with
Shru relies on a small set of third-party services to operate. Each one receives only the data it needs:
- Clerk — authentication and session management. Stores your email, OAuth tokens, and sign-in metadata.
- Anthropic — AI processing (Claude API). Receives the text you type, the destination URL, and the recipient name for each AI-assisted share note. Does not receive account data or share history.
- Vercel — hosting and edge delivery. Processes HTTP requests and may collect basic request metadata (IP, user-agent) for operational purposes.
- Upstash — managed Redis database. Stores share records, API token hashes, and profile data.
We do not sell, rent, or otherwise disclose user data to any party not listed above.
How we protect your data
- Encryption in transit — all connections use TLS 1.2 or higher; plain HTTP is never accepted.
- Encryption at rest — data stored in Upstash Redis is encrypted at rest with AES-256 via the database provider.
- OAuth token security — provider tokens (Google, etc.) are stored and managed by Clerk's infrastructure, not in our own database.
- API token hashing — personal API tokens are salted and hashed with SHA-256 before storage. We never persist the raw token value.
- Access controls — all authenticated endpoints require a valid Clerk session. Shares and account data are scoped to the owning user.
How long we keep things
- Profile — until you delete your account.
- Shares — kept while your account exists. Deleting a share removes it from Redis immediately; we don't keep a soft-deleted copy.
- Tokens — until you revoke them.
- AI prompts + responses — sent to Anthropic per-request; we don't log the request bodies on our side.
Your rights
- Disconnect your OAuth provider from your Clerk account at any time.
- Delete any share from your dashboard.
- Revoke any API token from Settings.
- Request export or deletion of all your data — email hello@shru.ai and we'll come back within 30 days.
What we don't do
- Sell your data. Ever.
- Show ads.
- Train AI models on your data — neither us nor Anthropic (per their commercial API terms).
- Drop third-party tracking cookies or use cross-site fingerprinting.
Children
Shru isn't designed for users under 16. We don't knowingly collect data from children. If you think we have, email hello@shru.ai and we'll delete it.
Changes to this policy
We'll update this page whenever we change a third-party service or a data category. Material changes (new sub-processor, expanded data scope) will be flagged via email to your account address.
Contact
Privacy questions, data requests, or anything that smells off: hello@shru.ai. We're a small team and read every message.
Last updated: 11 June 2026