We collect the minimum personal data needed to run the website and service customer relationships, and we never use Customer Data to train our models. This policy explains the details.
Scope
This Privacy Policy describes how ShadowIQ Inc. (“ShadowIQ”, “we”) handles personal data collected through shadow-iq.com, related marketing properties, and the ShadowIQ product when it processes personal data on our own behalf (as a controller).
When we process personal data contained in Customer Data on behalf of a business customer, we act as a processor and our obligations are set out in the Data Processing Addendum.
What we collect
We collect the following categories of personal data:
- Contact details: name, business email address, job title, organization.
- Communications: messages you send us by email or via our website.
- Product and account data: account credentials, audit logs, and product usage metrics.
- Website telemetry: IP address, device and browser metadata, referrer, pages visited — used to operate and secure the site.
We do not collect special categories of data, government identifiers, or children's data through our website.
How we use personal data
We process personal data for the following purposes and lawful bases:
- Responding to enquiries (legitimate interests / performance of a contract);
- Administering the product and delivering support (performance of a contract);
- Protecting the security and integrity of our Services (legitimate interests);
- Sending relevant product and compliance updates (legitimate interests, with easy opt-out);
- Meeting legal obligations (legal obligation).
We do not sell personal data, and we do not use Customer Data to train our AI models.
How long we keep it
We retain personal data only for as long as is necessary for the purposes described above, after which we delete or anonymize it. Typical retention windows:
- Contact-form messages: up to 24 months
- Customer account data: duration of the contract + 90 days
- Web telemetry: up to 13 months
- Billing records: 7 years (tax / accounting obligations)
Security
We maintain administrative, technical, and physical safeguards aligned to SOC 2 Type II and ISO 27001 practices — including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access control, signed container builds, and regular third-party penetration testing. No system is perfectly secure; if an incident affects your data we will notify you without undue delay.
International transfers
Personal data may be processed in the United States and the European Union. We rely on Standard Contractual Clauses, the UK International Data Transfer Agreement, and equivalent mechanisms where required, and we conduct transfer impact assessments for sensitive transfers.
Your rights
Depending on your location you may have rights to access, correct, delete, port, restrict, or object to our processing of your personal data, and to withdraw consent where processing is based on consent. To exercise these rights, email Info@shadow-iq.com — we respond within 30 days. You also have the right to lodge a complaint with a supervisory authority.
Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email or an in-product notice. The current version will always be published at this URL, with the “last updated” date at the top.
Contact
Questions about this policy or our privacy practices? Email Info@shadow-iq.com. Data subjects in the EU may reach our Data Protection Officer at the same address.