Privacy policy.

Last Updated: June 18th, 2025

1. INTRODUCTION

SHIFTLINE AI LTD ("we," "us," "our," or "the Company") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we handle personal data in our capacity as a Data Processor under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.

Key Principle: Our customers own and control all personal data transmitted, stored, and processed on our systems. We act solely as a Data Processor, processing personal data only according to our customers' instructions.

2. OUR ROLE AS DATA PROCESSOR

2.1 Data Processing Relationship

  • SHIFTLINE AI LTD acts as a Data Processor under GDPR and UK data protection law

  • Our customers act as Data Controllers who determine the purposes and means of processing personal data

  • We process personal data solely on behalf of and according to the documented instructions of our customers

  • We do not determine the purposes for which personal data is processed

2.2 Customer Data Ownership

  • Customers retain full ownership and control of all personal data submitted to our systems

  • Customers are responsible for ensuring lawful basis for processing and compliance with applicable data protection laws

  • We do not claim any ownership rights over customer personal data

3. DATA PROCESSING PRINCIPLES

3.1 Processing Limitations

We process personal data only:

  • As explicitly instructed by our customers through our services

  • To provide the contracted services to our customers

  • To comply with legal obligations where required by law

  • For the establishment, exercise, or defense of legal claims

3.2 Prohibited Uses

We DO NOT:

  • Use personal data for advertising purposes

  • Sell personal data to third parties

  • Process personal data for our own commercial purposes beyond service provision

  • Share personal data with third parties except as instructed by customers or required by law

  • Use personal data for profiling, marketing, or analytics beyond what is necessary for service delivery

4. DATA SECURITY AND PROTECTION

4.1 Technical and Organizational Measures

We implement appropriate technical and organizational security measures including:

  • Encryption of personal data in transit and at rest

  • Access controls and authentication systems

  • Regular security assessments and monitoring

  • Staff training on data protection requirements

  • Incident response procedures

4.2 Data Breach Notification

In the event of a personal data breach:

  • We will notify affected customers without undue delay

  • We will provide all relevant information to enable customers to fulfill their breach notification obligations

  • We will cooperate with customers' breach response efforts

5. SUBPROCESSORS AND THIRD PARTIES

5.1 Subprocessor Engagement

  • We may engage subprocessors to assist in providing our services

  • All subprocessors are bound by data protection obligations equivalent to those in this policy

  • Customers will be notified of any changes to subprocessors

  • Current subprocessors are listed here

5.2 Third Party Disclosures

Personal data may only be disclosed to third parties:

  • With explicit customer instruction or authorization

  • When required by applicable law or legal process

  • To protect our legitimate interests, rights, or property (limited to what is necessary and proportionate)

6. INTERNATIONAL DATA TRANSFERS

6.1 Transfer Safeguards

When personal data is transferred outside the UK/EEA:

  • We implement appropriate safeguards such as Controller to Processor Standard Contractual Clauses

  • We ensure adequate level of protection as required by applicable law

  • Customers are informed of transfer mechanisms and destinations

7. DATA SUBJECT RIGHTS

7.1 Facilitating Rights Requests

Since we act as a Data Processor:

  • Data subjects should direct rights requests to the relevant Data Controller (our customer)

  • We will assist customers in responding to data subject rights requests

  • We will provide necessary information and cooperation to enable customers to fulfill their obligations

7.2 Supported Rights

We support customers in facilitating:

  • Right of access and data portability

  • Right to rectification and erasure

  • Right to restrict processing

  • Right to object to processing

8. DATA RETENTION AND DELETION

8.1 Retention Periods

  • Personal data is retained only as long as instructed by customers

  • We do not retain personal data for our own purposes beyond service provision

  • Customers control retention periods through their account settings and instructions

8.2 Data Deletion

  • We will delete personal data upon customer instruction

  • We will return or delete personal data upon termination of services (as instructed by customer)

  • Secure deletion procedures ensure data cannot be recovered

9. COMPLIANCE AND COOPERATION

9.1 Regulatory Cooperation

  • We cooperate with data protection authorities as required

  • We assist customers with data protection impact assessments when applicable

  • We maintain records of processing activities as required by law

9.2 Audit Rights

  • Customers have the right to audit our data processing activities

  • We provide necessary information to demonstrate compliance with data protection obligations

  • Third-party audits may be conducted subject to confidentiality agreements

10. CONTACT INFORMATION

10.1 Data Protection Officer

For data protection inquiries, contact our Data Protection Officer:

  • Email: dpo@shiftlineai.com

  • Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

10.2 Customer Support

For service-related data processing questions:

11. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated to customers with reasonable advance notice.

12. GOVERNING LAW

This Privacy Policy is governed by the laws of the United Kingdom and is designed to comply with GDPR and UK Data Protection Act 2018 requirements.

Shiftline AI LTD is registered with the UK ICO for UK GDPR Compliance

SHIFTLINE AI LTD
 Company Number: 15046282
Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

This Privacy Policy forms part of our Data Processing Agreement with customers and should be read in conjunction with our Terms of Service.