Privacy Policy

1. Introduction

Shadow Mountain AI ("Company," "we," "us," or "our") is committed to protecting your privacy and the security of your personal data. This Privacy Policy explains how we collect, use, disclose, transfer, and safeguard your information when you use our technology solutions.

Effective Date: January 2026

This Privacy Policy applies to all individuals whose personal data we process, including residents of the European Economic Area (EEA), United Kingdom, Switzerland, California, New York, and other jurisdictions with data protection laws. We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the New York SHIELD Act, and other applicable data protection laws.

If you are a California resident, please see the California Privacy Rights section below for additional disclosures about your privacy rights.

If you are a New York resident, please see the New York Privacy Rights section below for additional information about your privacy rights under the SHIELD Act.

2. Information We Collect

We collect several types of information to provide our services:

2.1 Information You Provide Directly

• Contact Information: Name, job title, company name, email address, phone number, mailing address
• Account Information: Username, password, security questions, and other authentication credentials
• Payment Information: Credit card details, billing address, and transaction history (processed through third-party payment processors)
• Business Information: Company details, project requirements, technical specifications, and organizational data
• Communications: Emails, messages, support tickets, and other correspondence with us
• Marketing Preferences: Your preferences for receiving promotional communications

2.2 Information Automatically Collected

• Log Data: IP address, browser type, device information, operating system, referring/exit pages, and timestamps
• Usage Data: Features used, actions taken, pages viewed, and time spent on our services
• Device Information: Device type, unique device identifiers, browser type, and mobile network information
• Location Data: General location based on IP address (we do not collect precise geolocation without your consent)

2.3 Information from Third Parties

• Technology Platform Data: When you use our services integrated with third-party technology platforms (OpenAI, Anthropic, Google, etc.), we may receive usage data and metadata from these platforms
• Public Sources: Professional information publicly available on business networking sites, company websites, or other public sources
• Identity Verification: Information from third-party verification services to prevent fraud and verify your identity

3. How We Use Your Information

We use your information for the following purposes, based on legal grounds including contract performance, legitimate interests, legal compliance, and your consent where required:

• Service Provision: To provide, maintain, and improve our technology solutions and technical services
• Communication: To respond to your inquiries, provide support, and send important service notices
• Marketing: To send promotional communications (with your consent where required) about our services, events, and updates
• Security: To detect, prevent, and address technical issues, fraud, abuse, and security threats
• Analytics: To analyze usage patterns, improve our services, and develop new features
• Legal Compliance: To comply with legal obligations, court orders, and government requests
• Business Operations: For accounting, auditing, and other internal business operations

Legal Bases for Processing (GDPR): We rely on the following legal bases to process your personal data under GDPR: (a) contract performance, (b) legitimate interests, (c) legal obligations, (d) vital interests, and (e) consent where required.

4. Third-Party Services and Subprocessors

4.1 Technology Platform Integrations

Our services integrate with leading technology platforms. When you use these integrations, your data may be processed by these third parties according to their own privacy policies:

• OpenAI - Privacy Policy
• Anthropic - Privacy Policy
• Google - Privacy Policy
• Amazon Web Services - Privacy Policy
• Microsoft Azure - Privacy Policy

Important: Some technology platforms may use data to improve their models by default. We configure these services to minimize data retention where technically feasible. For sensitive data, we recommend using enterprise versions of these services that offer stronger data protection guarantees.

4.2 Payment Processors

We use third-party payment processors to handle payments. Your payment information is processed by these services:

• Stripe - Privacy Policy
• Polar.sh - For certain subscription and payment services
• PayPal - Privacy Policy

These payment processors have access to your payment information only as necessary to process transactions. We do not store your complete credit card information on our servers.

4.3 Cloud Infrastructure and Hosting

Our services are hosted on and operated through cloud infrastructure providers:

• Amazon Web Services (AWS)
• Google Cloud Platform
• Microsoft Azure

4.4 Additional Subprocessors

We engage other third-party subprocessors to operate our business, including analytics, monitoring, communication, and development tools. We require these subprocessors to protect your personal data and limit their use to performing services on our behalf. We maintain appropriate safeguards for data processing and transfers.

For a complete and current list of our subprocessors, please contact us at hello@shadowmountain.ai.

Data Processing Agreement: We offer a Data Processing Agreement (DPA) to all customers whose use of our services involves processing personal data on our behalf. To request a DPA, please contact hello@shadowmountain.ai.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

• Service Providers: With trusted third-party vendors who perform services on our behalf under strict confidentiality obligations
• Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business
• Legal Requirements: When we believe disclosure is necessary to comply with law, legal process, or government requests
• Rights and Safety: To protect our rights, property, or safety, or that of our users or the public
• With Your Consent: When you explicitly consent to the disclosure for a specific purpose
• Affiliates: With our corporate affiliates, with whom we share data under unified privacy standards

6. International Data Transfers

International Data Transfers from the EEA/UK/Switzerland. Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws than your jurisdiction.

When we transfer personal data from the EEA, UK, or Switzerland to other countries, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses for transfers of personal data from the EEA
• UK Addendum: We use the UK International Data Transfer Agreement (IDTA) and addendum for UK data transfers
• Swiss Safeguards: We rely on appropriate safeguards for Swiss data transfers
• Adequacy Decisions: Where applicable, we rely on Commission adequacy decisions

To obtain more information about the appropriate safeguards we use for international data transfers, or to obtain a copy of these safeguards, please contact hello@shadowmountain.ai.

7. Data Security and Retention

7.1 Security Measures

We implement appropriate technical and organizational measures designed to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

• Encryption of data in transit (TLS/HTTPS) and at rest (AES-256)
• Secure authentication and access controls
• Regular security assessments and vulnerability scanning
• Employee training on data protection and security practices
• Incident response procedures and breach notification processes

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

7.2 Data Retention

We retain your personal data for different periods of time depending on the purpose for which it was collected and applicable legal requirements:

• Active Customer Data: While you are our customer or maintain an account with us
• Business Communications: Up to 3 years after your last interaction with us
• Transaction Records: As required by tax and commercial laws (typically 7 years)
• Marketing Data: Until you withdraw consent or request deletion
• Legal Requirements: As required by applicable law (e.g., to defend against legal claims)

Upon your request to delete your account, we will delete or anonymize your personal data unless retention is necessary for legal or legitimate business purposes.

8. Your Privacy Rights

Depending on your location and applicable law, you may have certain rights regarding your personal information:

8.1 GDPR Rights (EEA, UK, Switzerland)

• Right to Access: You have the right to request a copy of the personal data we hold about you and information about how we process it
• Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data
• Right to Erasure: You have the right to request deletion of your personal data in certain circumstances
• Right to Restrict Processing: You have the right to request that we limit how we use your personal data
• Right to Data Portability: You have the right to receive your personal data in a structured, machine-readable format
• Right to Object: You have the right to object to certain processing activities based on legitimate interests
• Rights Related to Automated Decision-Making: You have the right not to be subject to solely automated decisions that produce legal or similarly significant effects
• Right to Withdraw Consent: Where we rely on consent, you have the right to withdraw that consent at any time
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction

8.2 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights regarding your personal information under the CCPA and CPRA:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
• Right to Correct: You have the right to request accurate personal information
• Right to Opt-Out: You have the right to direct us not to sell or share your personal information (note: we do not sell personal information)
• Right to Limit Use: You have the right to limit our use of your sensitive personal information
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights
• Right to Authorize an Agent: You have the right to designate an authorized agent to make requests on your behalf

To exercise your California privacy rights, please contact us at hello@shadowmountain.ai. We will verify your identity before processing your request and respond within 45 days (extendable by an additional 45 days when reasonably necessary).

8.3 New York Privacy Rights (SHIELD Act)

If you are a New York resident, the New York SHIELD Act requires us to implement reasonable safeguards to protect your private information and to notify you in the event of a data breach. Your rights under New York law include:

• Right to Know: You have the right to know what private information we collect about you
• Right to Access: You have the right to access your private information we maintain
• Right to Correction: You have the right to request correction of inaccurate private information
• Breach Notification: You have the right to be notified in the event of a breach of your private information

We maintain reasonable administrative, technical, and physical safeguards to protect your private information from unauthorized access. To exercise your New York privacy rights, please contact us at hello@shadowmountain.ai.

8.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: hello@shadowmountain.ai
Address: Shadow Mountain AI, 73101 CA-111 Unit 5, Palm Desert, CA 92260, USA

We will respond to your request within the timeframe required by applicable law (typically 30 days for GDPR requests, 45 days for CCPA requests). We may need additional information to verify your identity before processing your request.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities and improve our services:

• Essential Cookies: Required for the operation of our services (authentication, security)
• Analytics Cookies: Help us understand how users interact with our services
• Functional Cookies: Remember your preferences and settings
• Marketing Cookies: Track engagement with our marketing campaigns

You can control cookie settings through your browser preferences. However, disabling cookies may affect the functionality of our services. For more information, please see our Cookie Policy.

10. Children's Privacy

Our services are not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@shadowmountain.ai. We will delete such information promptly upon verification.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay in accordance with applicable law. For EU residents, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR. For California residents, we will notify you in accordance with CCPA requirements. For New York residents, we will notify you in accordance with the SHIELD Act requirements.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a revised "Last Updated" date and the new version will be effective as soon as it is accessible. We will provide notice of material changes through email or prominent notice on our website.

Your continued use of our services after the effective date of the revised Privacy Policy constitutes acceptance of the changes. If you do not agree to the updated policy, you must discontinue use of our services.

For California residents, under California law, you may be entitled to notice of material changes in a manner reasonably designed to provide actual notice. We will provide notice by email (if provided) or through other reasonable means.

13. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law principles. Any legal action or proceeding arising under this Privacy Policy shall be brought exclusively in the federal or state courts located in Palm Springs, California, or Riverside County, California.

For individuals in the European Economic Area, United Kingdom, or Switzerland, you also have the right to lodge a complaint with your local data protection supervisory authority.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Shadow Mountain AI
73101 CA-111 Unit 5
Palm Desert, CA 92260
United States
Email: hello@shadowmountain.ai

For data protection inquiries, GDPR requests, CCPA requests, or New York SHIELD Act inquiries, please contact us at hello@shadowmountain.ai.