Legal

Privacy Policy

Effective date:

1. Who We Are

ShadowPanel ("we," "us," or "our") operates the website shadowpanel.de and distributes the ShadowPanel self-hosted control panel software. For the purposes of the EU General Data Protection Regulation (GDPR) and applicable data protection laws, ShadowPanel is the data controller for personal data collected through this website.

ShadowPanel is a self-hosted product. We do not operate your server, and we have no access to data you store on it. This policy covers only data we collect through our website, account system, and licensing infrastructure.

2. Data We Collect

We collect the following categories of personal data:

Account data

When you register, we collect your email address and the password you choose (stored as an Argon2id hash — we never see your plaintext password). You may optionally provide a display name.

License & billing data

When you purchase a paid plan we record your license tier, subscription status, and the panel domain and installation ID (INSTALL_ID) you submit during license activation. Payment card details are collected and stored exclusively by Stripe — see §5.

Usage & technical data

Our web server logs standard HTTP request metadata: IP address, browser user-agent, referring URL, and timestamps. These logs are retained for 14 days for security and abuse-prevention purposes.

Communications

If you contact support at support@shadowpanel.de, we retain the correspondence to resolve your request and improve our service.

3. How We Use Your Data

We use the data we collect to:

  • Create and manage your account.
  • Issue, validate, and revoke software license keys.
  • Process payments and send billing receipts via Stripe.
  • Send transactional emails (purchase confirmations, password resets, material policy changes).
  • Detect and prevent fraud, abuse, and unauthorised license sharing.
  • Respond to support requests.
  • Comply with legal obligations (e.g., tax record-keeping).

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

For users in the European Economic Area (EEA) or the United Kingdom, our processing is based on the following lawful grounds:

  • Contract (Art. 6(1)(b) GDPR) — processing your account and license data to deliver the service you signed up for.
  • Legal obligation (Art. 6(1)(c) GDPR) — retaining billing records to comply with tax and commercial law.
  • Legitimate interests (Art. 6(1)(f) GDPR) — server logs and anti-abuse measures to protect our infrastructure and other users.
  • Consent (Art. 6(1)(a) GDPR) — optional analytics cookies, where you have explicitly opted in.

5. Payment Processing

All payment transactions are processed by Stripe, Inc. (a PCI DSS Level 1 certified payment processor). When you enter card details on our checkout page, that data is transmitted directly to Stripe — it never touches our servers.

We receive from Stripe only a masked card summary (last four digits, card brand, expiry month/year) for display in your dashboard. Stripe's own privacy policy is available at stripe.com/privacy.

6. Cookies & Analytics

We use a minimal set of cookies:

  • Session cookie (essential) — maintains your login state. Expires when you close your browser or after 2 hours of inactivity.
  • CSRF token (essential) — protects against cross-site request forgery. Set with every page load.
  • Locale preference (functional) — remembers your chosen language. Expires after 1 year.
  • Google Ads (marketing, opt-in only) — measures ad conversions and campaign performance. Only set if you grant marketing consent in the cookie banner.

Essential and functional cookies are always active. Analytics and marketing cookies are off by default and only activate once you opt in via the cookie banner or settings panel — you can withdraw consent at any time.

7. Data Retention

We retain personal data for the following periods:

  • Account data — for the lifetime of your account, plus 30 days after deletion to allow recovery.
  • Billing & license records — 10 years, as required by German commercial and tax law (§ 257 HGB, § 147 AO).
  • Server access logs — 14 days, then automatically purged.
  • Support correspondence — 3 years after the last interaction, then deleted.

You can request deletion of your account at any time by contacting support@shadowpanel.de. Account deletion removes your personal data immediately, subject to the retention obligations above.

8. Your Rights

Under the GDPR (and equivalent laws in the UK and other jurisdictions) you have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your data where we no longer have a lawful basis to retain it.
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is consent-based, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at support@shadowpanel.de. We will respond within 30 days. If you believe your rights have not been respected, you have the right to lodge a complaint with your national supervisory authority (in Germany: the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, bfdi.bund.de).

9. International Transfers

Our servers are located in the European Union (Hetzner Cloud, Germany). We do not routinely transfer personal data outside the EEA.

Stripe processes payments through servers in the United States and other countries. Such transfers are governed by Stripe's Standard Contractual Clauses with the European Commission, ensuring an equivalent level of data protection.

10. Third-Party Services

We integrate with the following third-party services:

  • Stripe — payment processing. Data transferred: billing details, subscription metadata.
  • Hetzner Cloud — server hosting (EU data centres). Data stored: all website and account data.
  • Email provider — transactional email delivery (receipts, password resets). Data transferred: your email address and the content of the message.

All processors are bound by Data Processing Agreements (DPAs) ensuring GDPR-compliant handling of personal data.

11. Children's Privacy

ShadowPanel is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact support@shadowpanel.de and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we do, we will revise the "Effective date" at the top of this page. For material changes, we will notify registered users by email at least 14 days before the change takes effect.

Your continued use of the Site after the effective date constitutes acceptance of the updated policy.

13. Contact

Questions, requests, or concerns about this Privacy Policy? Contact our data controller:

Back to home Effective May 25, 2026

We use cookies

We use cookies to improve your experience and remember your preferences. You can manage your choices below. Learn more.

ShadowPanel

Manage your cookie preferences below. Essential cookies are always active as they are required for the website to function.

Essential

Required for the site to work. These include session authentication and CSRF protection. Cannot be disabled.

Always on

Functional

Remembers your language preference so you do not need to reselect it on every visit.

Analytics

Helps us understand how visitors use the site so we can improve it. No personal data is sold.

Marketing

Used by Google Ads to measure ad conversions and improve campaign targeting. No personal data is sold.