Privacy Policy
Last updated: February 1, 2026
Effective Date: February 1, 2026
Summary: ShadowPhone is a device automation software tool. We collect only the minimum data necessary to provide our services. We do not sell your personal data. You remain in full control of any data processed through your connected devices -- we do not access, monitor, store, or transmit the contents of your device activity.
1. Introduction
ShadowPhone Inc. ("ShadowPhone," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (shadowphone.com), desktop application, and related services (collectively, the "Services").
By using our Services, you consent to the data practices described in this policy. If you do not agree with this policy, please do not access or use our Services.
2. Data Controller
ShadowPhone Inc. is the data controller for the personal data we collect through our Services. For questions regarding data processing, reach our Data Protection contact at privacy@shadowphone.com.
3. Information We Collect
3.1 Information You Provide Directly
- Account registration data: Name, email address, and password (managed via Clerk authentication)
- Billing information: Payment method details are processed and stored exclusively by Stripe, Inc. -- we never store your full credit card number
- Support communications: Messages, attachments, and metadata from support interactions
- User preferences: Application settings, notification preferences, and UI configurations
3.2 Information Collected Automatically
- Device information: Operating system, browser type, screen resolution, and device identifiers
- Log data: IP address, access times, pages viewed, referring URL
- Usage analytics: Features used, session duration, interaction patterns (anonymised and aggregated where possible)
- Error and crash reports: Technical logs for debugging and service improvement
3.3 Information We Do NOT Collect
ShadowPhone does NOT collect, access, monitor, intercept, store, or transmit:
- The content of any actions you perform on connected devices
- Third-party account credentials (Instagram passwords, login tokens, etc.) -- all device-side operations are handled locally on your machine
- Photos, videos, messages, or other media on your connected devices
- Contact lists, call logs, or personal files on connected devices
- Screen captures, keystrokes, or input data from connected devices
- Browsing history or app usage data from connected devices
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contractual necessity: Processing required to provide our Services and fulfil our obligations under the Terms of Service
- Legitimate interests: Improving our Services, fraud prevention, security, and marketing (where not overridden by your rights)
- Consent: Where you have given explicit consent for specific processing (e.g., marketing emails)
- Legal obligation: Processing required to comply with applicable laws
5. How We Use Your Information
- Providing, operating, and maintaining the Services
- Processing transactions and managing your subscription
- Authenticating your identity and managing your account
- Communicating with you about your account, updates, and security alerts
- Responding to support requests and inquiries
- Analysing usage patterns to improve the Services (using aggregated, anonymised data where possible)
- Detecting, preventing, and addressing fraud, abuse, and security issues
- Complying with legal obligations and enforcing our Terms
- Sending marketing communications (only with your opt-in consent; you can unsubscribe at any time)
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share data only in the following circumstances:
- Service providers: Trusted third parties that assist in operating our business (Stripe for payments, Clerk for authentication, Supabase for database hosting, Vercel for hosting). Each is contractually obligated to protect your data.
- Legal requirements: When required by law, subpoena, court order, or governmental regulation
- Safety and rights: To protect the safety, rights, or property of ShadowPhone, our users, or the public
- Business transfers: In connection with a merger, acquisition, or sale of assets (you would be notified in advance)
- With your consent: For any other purpose disclosed to you and with your explicit consent
7. Data Security
We implement commercially reasonable administrative, technical, and physical safeguards to protect your data:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Secure authentication via Clerk with multi-factor authentication support
- Regular security assessments and code reviews
- Access controls limited to personnel who require access for their job functions
- Incident response procedures for data breaches
While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
8. Data Retention
We retain your data as follows:
- Account data: Retained for the duration of your account plus 30 days after deletion
- Billing records: Retained for 7 years as required by tax and financial regulations
- Support communications: Retained for 2 years after resolution
- Usage analytics: Anonymised and aggregated data may be retained indefinitely
- Log data: Retained for up to 90 days for security and debugging purposes
9. International Data Transfers
Your data may be processed in countries other than your country of residence, including the United States. Where we transfer data outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate legal mechanisms, to ensure adequate data protection.
10. Your Privacy Rights
10.1 Rights for All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Opt-out: Unsubscribe from marketing communications at any time
- Account closure: Close your account and request data deletion
10.2 Additional Rights for EEA/UK Residents (GDPR)
- Right to restrict processing
- Right to data portability (receive your data in a machine-readable format)
- Right to object to processing based on legitimate interests
- Right to withdraw consent at any time
- Right to lodge a complaint with your local Data Protection Authority
10.3 Additional Rights for California Residents (CCPA/CPRA)
- Right to know what personal information is collected, used, and shared
- Right to request deletion of personal information
- Right to opt out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your rights
- Right to correct inaccurate personal information
- Right to limit the use and disclosure of sensitive personal information
To exercise any of these rights, email us at privacy@shadowphone.com. We will respond within 30 days (or sooner as required by applicable law).
11. Children's Privacy
ShadowPhone is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 18, we will delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@shadowphone.com.
12. Third-Party Links and Services
Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party service you interact with.
13. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. There is currently no industry standard for how to respond to DNT signals. We do not currently respond to DNT signals, but you can manage cookies and tracking through our Cookie Policy and your browser settings.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice within the Services at least 30 days before taking effect. Your continued use of the Services after the effective date of any changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
ShadowPhone Inc.
Data Protection
privacy@shadowphone.com