Privacy Policy
Effective date: April 19, 2026 · Last updated: April 19, 2026
This Privacy Policy explains what information Shadow AI Policy collects, how we use it, and the choices you have. Shadow AI Policy (the "Service") is operated by Simcha Fuchs ("we," "us," "our"), an individual operating a sole proprietorship doing business as Shadow AI Policy.
1. Information we collect
Information you provide
When you use the policy generator, you voluntarily provide:
- Your work email address (required for delivery)
- Your company name, industry, company size band, and your role (e.g., HR manager, Legal)
- Categories of AI tools your team uses (e.g., ChatGPT, Microsoft Copilot)
- Categories of sensitive data your company handles (e.g., Customer PII, Protected Health Information)
You choose what to enter. You may use generic or fictional values in any field except your email, which is required to deliver the generated policy kit.
Payment information
When you purchase, payment details (card number, billing address) are collected and processed directly by Stripe. We never see or store your full card number. We receive only: your name, email, country, and the amount paid.
Server logs
Our hosting provider (Netlify) automatically logs basic request information (IP address, user agent, timestamp, requested URL) for security and abuse prevention. These logs are retained by Netlify per their privacy policy.
2. Information we do not collect
The Service does not use any of the following on the main site:
- Google Analytics, Fathom, Plausible, or any other web analytics
- Tracking cookies or cross-site tracking pixels
- Social media tracking (Facebook Pixel, LinkedIn Insight, etc.)
- Session replay or heatmap tools (Hotjar, FullStory, Clarity, etc.)
- Advertising networks or retargeting
Stripe may set its own cookies on its hosted checkout pages; that processing is governed by Stripe's Privacy Policy linked above.
3. How we use your information
- To generate your policy kit. Your inputs are passed to Anthropic's Claude API to produce the tailored policy documents.
- To deliver your policy kit. We send the generated documents to the email address you provided, using Resend as our email provider.
- To process payment. We pass payment instructions to Stripe; Stripe handles the transaction.
- To provide subscription services. If you subscribe to the Monitor plan, we store your company profile so we can generate monthly refreshed policy kits and email them to you.
- To send occasional product updates. One-time buyers may receive an email approximately once per quarter when significant AI-policy changes warrant an update. You can unsubscribe at any time.
- To prevent abuse. We may review server logs to detect fraud, spam, or technical issues.
4. Third-party processors
The Service relies on the processors below. Your data is shared with them only as necessary to provide the Service:
- Anthropic (privacy policy) — receives your policy inputs via the Claude API to generate the policy text. Per Anthropic's commercial terms, inputs submitted via the API are not used to train their models.
- Stripe (privacy policy) — processes payments. Stripe is a PCI-DSS Level 1 certified payment processor.
- Resend (privacy policy) — delivers policy kits and subscription updates to your email.
- Netlify (privacy policy) — hosts the website and stores form session data (Netlify Blobs).
- Cloudflare (privacy policy) — provides email obfuscation on our site to prevent email scraping.
We do not sell your data, share it with advertisers, or use it for marketing purposes outside of the Service.
5. Data retention
- Unpaid form sessions: your inputs are stored for up to 24 hours while you complete checkout, then automatically deleted.
- Monitor plan subscribers: your company profile is retained for the duration of your subscription so we can generate monthly refreshes. It is deleted within 30 days of subscription cancellation.
- One-time buyers: your email, company name, and industry are retained so we can send occasional product updates (approximately quarterly). You can request deletion at any time.
- Payment records: retained by Stripe per their retention policy, which we cannot override.
- Server logs: retained by Netlify per their retention policy (typically 30 to 90 days).
6. Your rights
All users
You can request at any time, by emailing info@shadowaipolicy.com:
- A copy of the data we hold about you (access)
- Correction of any inaccurate data
- Deletion of your data (subject to any records we are legally required to keep)
- Opt-out from any marketing emails
We respond to all requests within 30 days.
California residents (CCPA / CPRA)
If you are a California resident, you have the rights listed above plus the right to know what categories of personal information we collect, sell, or share. We do not sell or share personal information for cross-context behavioral advertising. California residents can contact us at the email above to exercise these rights.
European Union / UK residents (GDPR / UK GDPR)
If you are in the EU or UK, you have the rights listed above plus:
- The right to data portability (receive your data in machine-readable form)
- The right to object to processing based on legitimate interest
- The right to lodge a complaint with your local data protection authority
Our legal basis for processing is (a) performance of a contract (generating and delivering your policy), and (b) legitimate interest (fraud prevention and occasional product updates, which you may opt out of at any time).
7. Security
Data in transit is protected by HTTPS/TLS. Data at rest is encrypted by Netlify and Stripe using industry-standard encryption. Despite reasonable precautions, no internet transmission or storage is 100% secure; we cannot guarantee absolute security.
8. Children
The Service is intended for businesses, not individuals. It is not directed to people under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided data, contact us and we will delete it.
9. International data transfers
Our processors are located in the United States and European Union. If you use the Service from outside these regions, your data will be transferred to and processed in those jurisdictions. By using the Service, you consent to this transfer.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, for users on our mailing list, notify you by email. Continued use of the Service after an update constitutes acceptance.
11. Contact
For any privacy question, concern, or request:
Email: info@shadowaipolicy.com
Response time: typically within 2 business days.