Privacy Policy
Last Updated: January 4, 2026
Shadow AI Labs LLC ("Shadow AI Labs," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website shadowailabs.com (the "Site"), use our assessment tools, purchase our products, or engage our consulting services.
Please read this Privacy Policy carefully. By using our Site or services, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide to Us
We collect information you voluntarily provide when you:
Contact Information:
- Name
- Email address
- Company name
- Job title
- Phone number (optional)
Assessment Responses:
- Answers to our AI risk assessment questionnaire
- Information about your organization's AI usage, data practices, and security posture
- Industry and company size information
Payment Information:
- When you make a purchase, payment is processed by Stripe. We do not store your credit card number, CVV, or full card details. We receive only:
  - Last four digits of your card
  - Card type and expiration date
  - Billing address
  - Transaction confirmation
Communications:
- Content of emails, chat messages, or other communications with us
- Feedback and survey responses
Account Information:
- Username and password (if you create an account)
- Account preferences and settings
1.2 Information Collected Automatically
When you visit our Site, we automatically collect certain information:
Device and Browser Information:
- IP address
- Browser type and version
- Operating system
- Device type (desktop, mobile, tablet)
- Screen resolution
Usage Information:
- Pages visited and time spent on pages
- Referring website or source
- Click patterns and navigation paths
- Date and time of visits
Cookies and Similar Technologies:
- Essential cookies for Site functionality
- Analytics cookies (with your consent)
- See Section 8 for our Cookie Policy
1.3 Information from Third Parties
We may receive information about you from:
- Payment processors (Stripe) regarding transaction status
- Analytics providers regarding Site usage patterns
- Marketing platforms if you interact with our advertisements
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 To Provide Our Services
- Deliver your AI risk assessment results and reports
- Process purchases and deliver digital products
- Provide consulting services you've engaged
- Send transactional emails (purchase confirmations, product delivery)
- Respond to your inquiries and support requests
2.2 To Improve Our Services
- Analyze assessment data in aggregate to improve our assessment methodology
- Understand how users interact with our Site to improve user experience
- Develop new products and features based on user needs
- Conduct research and analysis (using anonymized data only)
2.3 To Communicate With You
- Send product updates and new feature announcements (if you've opted in)
- Share educational content, guides, and resources (if you've opted in)
- Notify you of changes to our policies or services
- Respond to your questions and requests
2.4 To Protect Our Business
- Prevent fraud and unauthorized access
- Enforce our Terms of Service
- Comply with legal obligations
- Protect the rights, property, and safety of Shadow AI Labs and our users
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
Contract Performance: Processing necessary to fulfill our contract with you, including delivering assessment results, products, and services you've purchased.
Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
Consent: Processing based on your explicit consent, such as receiving marketing communications. You may withdraw consent at any time.
Legal Obligation: Processing necessary to comply with legal requirements, such as tax reporting or responding to lawful requests from authorities.
4. How We Share Your Information
We do not sell your personal data. We share your information only in the following circumstances:
4.1 Service Providers
We share information with third-party vendors who perform services on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Payment and billing information |
| Vercel | Website hosting | IP address, usage data |
| Supabase | Database hosting | Account and assessment data |
| Resend | Email delivery | Email address, name |
| Google Analytics | Site analytics | Anonymized usage data |
All service providers are contractually obligated to protect your data and use it only for the purposes we specify.
4.2 Legal Requirements
We may disclose your information if required to do so by law, or:
- In response to court orders, subpoenas, or legal process
- In response to requests from government authorities
- To protect the rights, property, or safety of Shadow AI Labs, our users, or others
- To investigate potential violations of our Terms of Service
4.3 Business Transfers
If Shadow AI Labs is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
4.4 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
5. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period | Reason |
|---|---|---|
| Assessment responses | 2 years from completion | Service delivery, improvement |
| Purchase records | 7 years | Legal and tax requirements |
| Account information | Until account deletion | Service provision |
| Marketing preferences | Until you unsubscribe | Consent-based communication |
| Support communications | 3 years | Quality assurance, dispute resolution |
| Analytics data | 26 months | Service improvement |
After the retention period, data is securely deleted or anonymized for aggregate analysis.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
6.1 All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Opt-Out: Unsubscribe from marketing communications at any time
6.2 EEA, UK, and Swiss Residents (GDPR)
In addition to the above, you have the right to:
- Data Portability: Receive your data in a structured, machine-readable format
- Restriction: Request restriction of processing in certain circumstances
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time (without affecting lawfulness of prior processing)
- Lodge a Complaint: File a complaint with your local data protection authority
6.3 California Residents (CCPA/CPRA)
California residents have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of personal information
- Opt out of the "sale" of personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
- Correct inaccurate personal information
- Limit use of sensitive personal information
To exercise these rights, contact us at privacy@shadowailabs.com.
We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
Technical Measures:
- Encryption in transit (TLS/SSL) and at rest
- Secure cloud infrastructure with SOC 2 compliant providers
- Regular security assessments and vulnerability testing
- Access controls and authentication requirements
- Automated threat detection and monitoring
Organizational Measures:
- Limited employee access on a need-to-know basis
- Employee security training
- Vendor security assessments
- Incident response procedures
- Regular policy reviews and updates
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8. Cookie Policy
8.1 What Are Cookies?
Cookies are small text files placed on your device when you visit our Site. They help us provide a better experience and understand how you use our Site.
8.2 Types of Cookies We Use
Essential Cookies:
- Required for Site functionality
- Cannot be disabled
- Examples: Session management, security features
Analytics Cookies:
- Help us understand how visitors use our Site
- Used only with your consent
- Provider: Google Analytics (anonymized)
Preference Cookies:
- Remember your settings and preferences
- Used only with your consent
- Examples: Language preference, display settings
8.3 Managing Cookies
You can manage cookies through:
- Our cookie consent banner (shown on first visit)
- Your browser settings (block or delete cookies)
- Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout
Note: Disabling certain cookies may affect Site functionality.
9. International Data Transfers
Shadow AI Labs is based in the United States. If you are located outside the United States, your information will be transferred to, stored, and processed in the United States.
For EEA, UK, and Swiss residents, we ensure appropriate safeguards for international transfers through:
- Standard Contractual Clauses approved by the European Commission
- Data processing agreements with our service providers
- Compliance with applicable data protection laws
10. Children's Privacy
Our Site and services are not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately at privacy@shadowailabs.com, and we will delete such information.
11. Third-Party Links
Our Site may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by:
- Posting the updated policy on our Site with a new "Last Updated" date
- Sending an email notification (for registered users)
Your continued use of our Site or services after changes become effective constitutes acceptance of the revised policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
Shadow AI Labs LLC
Email: privacy@shadowailabs.com
For EEA residents, you may also contact your local data protection authority if you have concerns about our data practices.
14. Additional Disclosures
14.1 Do Not Track
Some browsers have a "Do Not Track" feature. Our Site does not currently respond to Do Not Track signals.
14.2 Nevada Residents
Nevada residents may opt out of the sale of personal information. We do not currently sell personal information as defined under Nevada law.
14.3 Virginia Residents (VCDPA)
Virginia residents have similar rights to California residents under the VCDPA, including the right to access, correct, delete, and opt out of targeted advertising. Contact privacy@shadowailabs.com to exercise these rights.