TightShip Privacy Policy

Last updated: May 8, 2026

TightShip ("we", "us", "the service") is operated by Cody James Photography ("the company"), based in Wyoming, United States.

This policy explains what data we collect, how we use it, and your rights.

Note: This document is a starting point for closed beta and early paid US customers. Before any enterprise/agency customer or any EU/UK/CA customer, have it reviewed by a lawyer and add jurisdiction-specific clauses + an Anthropic DPA.

What we collect

Account information

• Email address (for sign-in and communication)
• Workspace + profile names you create

Content you create

• Quote drafts, line items, client names, vendor names, rates
• Call sheet contents (crew names, contacts, schedules)
• Receipts (vendor, amount, date, photos)
• Crew database entries

Automatically collected

• Browser type, IP address, timestamps (for security and abuse monitoring)
• Pages you visit and actions you take (for product analytics)
• Per-IP access logs for public share links (`/b/`, `/c/`, `/i/`, `/cs/`) — used to rate-limit abuse and forensics if a token is leaked

We do NOT collect:

• Government-issued ID numbers
• Health data
• Children's data (service is for adults only)

Where your data is stored (subprocessors)

| Provider | Region | What it processes | |---|---|---| | Supabase | United States | Database (account, projects, all content) and object storage (receipt photos, brand assets) | | Vercel | United States | Application code execution + hosting | | Anthropic | United States | AI features only — see "AI processing" below | | Resend | United States | Outbound email (call sheet dispatches, password resets, feedback acknowledgements) | | Google Maps Platform | United States | Address autocomplete + map embeds for shoot locations only — no account data sent |

If we add a new subprocessor that handles your content, we'll update this list and notify account holders by email.

AI processing (important)

When you use TightShip's AI features (drafting quotes, parsing receipts, extracting contacts), the relevant content is sent to Anthropic's Claude API for processing. This includes:

• Quote briefs (your shoot description, scope, rates)
• Receipt photos
• Contact text (signatures, screenshots, PDFs)

About Anthropic:

• Anthropic does NOT train its models on your data when sent through the commercial API.
• Anthropic retains API request data for up to 30 days for abuse monitoring, then deletes it.
• You can review Anthropic's privacy practices at anthropic.com/privacy.

If you do not want your content sent to Anthropic, do not use AI features. Manual quote drafting, manual receipt entry, and manual crew entry do not involve AI processing.

How we use your data

• Provide the service (your quotes, call sheets, receipts)
• Send essential account communications (login codes, password resets, dispatched call sheets)
• Improve the product (anonymized usage analytics)
• Comply with legal obligations
• Detect and prevent abuse (rate limit logs, IP-based throttling on public share links)

We do NOT:

• Sell your data
• Share it with advertisers
• Use it to train AI models

Your rights

You can:

• Access all your data via the app
• Export quotes (PDF), receipts (CSV/PDF), crew (CSV)
• Delete your account and all associated data via Settings → Delete account, or email cody@codyjamesphoto.com to request manual deletion
• Correct inaccurate data via the app at any time

If you exercise the delete right via the in-app flow, all your workspace data — quotes, call sheets, receipts (including photos), crew records, invoices, and access logs — is permanently deleted within minutes.

Cookies

We use essential cookies for keeping you signed in. We do not use advertising or tracking cookies.

Data retention

• Active accounts: data retained as long as the account exists
• Closed accounts: deleted within 30 days of cancellation; immediately if you use the in-app delete flow
• Receipt photos: retained as long as the linked project exists, unless you delete them earlier
• Public share links: quotes and invoices keep working until you revoke them; call sheet links (`/c/`, `/cs/`) automatically expire 30 days after the shoot date. Records remain in your account regardless — only the public URL stops working
• Soft-deleted records: when you delete a quote, call sheet, receipt, or invoice, it's removed from your dashboard immediately but retained in our backend for up to 90 days in case of accidental deletion. After 90 days it's permanently purged.

Changes to this policy

If we materially change this policy, we'll email account holders at least 14 days before the change takes effect.

Contact

Privacy questions or data deletion requests: cody@codyjamesphoto.com