Legal

GDPR Compliance

Last updated: February 1, 2026

Effective Date: February 1, 2026

Summary: ShadowPhone is committed to compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). This page explains our role as a data controller, the legal bases on which we process personal data, your rights as a data subject, and how to exercise those rights. For full detail on what data we collect and how, see our Privacy Policy.

1. Data Controller

ShadowPhone Inc. is the data controller for personal data processed through the ShadowPhone platform, website, and associated services. As the controller, we determine the purposes and means of processing personal data.

Where customers use ShadowPhone to process data on behalf of their own users or clients, ShadowPhone acts as a data processor for that data. This relationship is governed by our Data Processing Agreement (DPA).

2. Legal Bases for Processing

Under GDPR Article 6, we must have a lawful basis for each category of personal data we process. The following table maps our primary processing activities to their legal basis.

Contract performanceArt. 6(1)(b)

Account registration, billing, service delivery, license management

Legitimate interestsArt. 6(1)(f)

Service security, fraud prevention, product improvement, system monitoring

Legal obligationArt. 6(1)(c)

Tax records, regulatory compliance, law enforcement requests where legally required

ConsentArt. 6(1)(a)

Marketing emails, optional analytics, cookies beyond functional necessity

3. Your Rights as a Data Subject

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under GDPR. To exercise any of these rights, contact us at privacy@shadowphone.io. We will respond within 30 days.

Right of accessArt. 15

You may request a copy of the personal data we hold about you, along with information about how we process it.

Right to rectificationArt. 16

You may request correction of inaccurate personal data or completion of incomplete data we hold about you.

Right to erasureArt. 17

You may request deletion of your personal data where there is no legitimate reason for us to continue processing it.

Right to restriction of processingArt. 18

You may request that we restrict processing of your personal data in certain circumstances, for example while accuracy is contested.

Right to data portabilityArt. 20

You may request a copy of your personal data in a structured, machine-readable format to transfer to another controller.

Right to objectArt. 21

You may object to processing of your personal data where we rely on legitimate interests as the legal basis.

4. International Data Transfers

ShadowPhone uses third-party infrastructure providers that may process personal data outside the European Economic Area. Where this occurs, we rely on appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We enter into EU SCCs (Commission Implementing Decision 2021/914) with processors handling EEA personal data in third countries.
  • Adequacy decisions: Where the receiving country has a European Commission adequacy decision, we rely on that as the transfer mechanism.

Our primary sub-processors include Vercel (web hosting), Railway (cloud orchestration), Supabase (database), Clerk (authentication), and Stripe and PayPal (payments). Each has applicable data processing agreements in place.

5. Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected or as required by law.

  • Account data: retained for the duration of the account and deleted within 30 days of account closure on request
  • Billing records: retained for 7 years as required by applicable tax and accounting law
  • Usage logs: retained for 90 days for security and troubleshooting purposes
  • Support correspondence: retained for 2 years after the last interaction

6. Complaints

If you believe we have not processed your personal data in compliance with GDPR, you have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for ShadowPhone is determined by our place of establishment.

We ask that you contact us first at privacy@shadowphone.io so we can address your concern directly. We take all privacy complaints seriously and aim to resolve them promptly.

7. Contact

ShadowPhone Inc.

Data Protection Enquiries

privacy@shadowphone.io