GDPR Compliance
Last updated: February 1, 2026
Effective Date: February 1, 2026
Summary: ShadowPhone is committed to compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). This page explains our role as a data controller, the legal bases on which we process personal data, your rights as a data subject, and how to exercise those rights. For full detail on what data we collect and how, see our Privacy Policy.
1. Data Controller
ShadowPhone Inc. is the data controller for personal data processed through the ShadowPhone platform, website, and associated services. As the controller, we determine the purposes and means of processing personal data.
Where customers use ShadowPhone to process data on behalf of their own users or clients, ShadowPhone acts as a data processor for that data. This relationship is governed by our Data Processing Agreement (DPA).
2. Legal Bases for Processing
Under GDPR Article 6, we must have a lawful basis for each category of personal data we process. The following table maps our primary processing activities to their legal basis.
Account registration, billing, service delivery, license management
Service security, fraud prevention, product improvement, system monitoring
Tax records, regulatory compliance, law enforcement requests where legally required
Marketing emails, optional analytics, cookies beyond functional necessity
3. Your Rights as a Data Subject
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under GDPR. To exercise any of these rights, contact us at privacy@shadowphone.io. We will respond within 30 days.
You may request a copy of the personal data we hold about you, along with information about how we process it.
You may request correction of inaccurate personal data or completion of incomplete data we hold about you.
You may request deletion of your personal data where there is no legitimate reason for us to continue processing it.
You may request that we restrict processing of your personal data in certain circumstances, for example while accuracy is contested.
You may request a copy of your personal data in a structured, machine-readable format to transfer to another controller.
You may object to processing of your personal data where we rely on legitimate interests as the legal basis.
4. International Data Transfers
ShadowPhone uses third-party infrastructure providers that may process personal data outside the European Economic Area. Where this occurs, we rely on appropriate safeguards:
- Standard Contractual Clauses (SCCs): We enter into EU SCCs (Commission Implementing Decision 2021/914) with processors handling EEA personal data in third countries.
- Adequacy decisions: Where the receiving country has a European Commission adequacy decision, we rely on that as the transfer mechanism.
Our primary sub-processors include Vercel (web hosting), Railway (cloud orchestration), Supabase (database), Clerk (authentication), and Stripe and PayPal (payments). Each has applicable data processing agreements in place.
5. Data Retention
We retain personal data only as long as necessary for the purpose for which it was collected or as required by law.
- Account data: retained for the duration of the account and deleted within 30 days of account closure on request
- Billing records: retained for 7 years as required by applicable tax and accounting law
- Usage logs: retained for 90 days for security and troubleshooting purposes
- Support correspondence: retained for 2 years after the last interaction
6. Complaints
If you believe we have not processed your personal data in compliance with GDPR, you have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for ShadowPhone is determined by our place of establishment.
We ask that you contact us first at privacy@shadowphone.io so we can address your concern directly. We take all privacy complaints seriously and aim to resolve them promptly.