Shadow Privacy Policy

Last updated: May 28, 2026

EthosXYZ Technologies Inc, doing business as “Shadow” (“Shadow,” “we,” “us,” or “our”), provides an always-on AI platform for marketing teams. This Privacy Policy explains what data Shadow collects, how we use and protect it, and the choices and rights you have. It applies to our website at www.shadow.co and to the Shadow application.

By using Shadow, you agree to the practices described here. If you do not agree, please do not use Shadow.

How Shadow works — and why that matters for your data. Shadow is an AI agent that works on your behalf. Much of the data Shadow handles isn’t data we go out and collect — it’s data you already own in tools like Meta Ads, Shopify, or Slack, which Shadow accesses only after you explicitly connect and authorize that tool. For that connected data you stay in control: you choose what to connect, and disconnecting an integration stops Shadow’s access. We act as your agent and processor for that data — not as an independent owner of it.

The short version

  • We collect the account information you give us and the data from the tools you choose to connect.
  • We use it to answer your questions, generate analysis, and power the reports and skills you set up.
  • We send relevant data to AI providers (Anthropic Claude, OpenAI) to generate responses, governed by their data-processing agreements.
  • We do not sell your data, and we do not use it to train AI models unless you explicitly opt in.
  • You can disconnect any integration, delete your data, or close your account at any time.
  • Privacy questions? Email security@shadow.co.

This summary is for convenience only; the full sections below govern.


1. Who we are

  • Company: EthosXYZ Technologies Inc, doing business as “Shadow.” We are a Delaware corporation headquartered in New York, USA.
  • Product: Shadow — the always-on AI platform for marketing teams.
  • Privacy inquiries: security@shadow.co
  • Data security representative: jackson@shadow.co

If you have any question about this policy or how your data is handled, contact us at security@shadow.co.

2. What data Shadow collects

Shadow collects two main categories of data, plus limited technical data needed to run the service.

2.1 Account data (collected directly from you)

  • Name and email address
  • Password (always stored hashed — we never store it in plain text)
  • Workspace name
  • Billing details (processed by our payment processor; we do not store full card numbers)

2.2 Connected source data (accessed via integrations you explicitly authorize)

Shadow accesses the data below only after you connect the relevant tool and authorize access (typically through OAuth). Shadow accesses it on your behalf, uses it only to provide the features you request, and never uses it for its own independent purposes. You remain the owner of this data and can revoke access at any time by disconnecting the integration.

  • Paid social / ad platforms — Meta Ads, Google Ads, TikTok Ads, Amazon Ads: campaign names, spend, impressions, clicks, ROAS. No personally identifiable consumer data.
  • E-commerce — Shopify: orders, revenue, product names, cohort metrics, refunds. No individual customer PII beyond what the brand already owns.
  • Email / SMS — Klaviyo: campaign names, open rates, revenue attribution. No individual subscriber PII.
  • Analytics — Google Analytics: sessions, page views, conversion events. Aggregated only.
  • Workplace — Slack: message content from the channels you connect. You control which channels Shadow can see.
  • Meetings: meeting transcripts and summaries from connected calendar / recording tools.
  • Files — Google Drive: documents you explicitly share with Shadow.
  • Knowledge base: documents you upload or create inside Shadow.

Amazon advertising and Selling Partner data. Where you connect an Amazon account, Shadow accesses Amazon-provided data (including advertising metrics and, where available to your account, Selling Partner / Brand Analytics reports) only for accounts that explicitly authorize Shadow, and only to provide the features you request. We do not aggregate or combine Amazon data across different authorized sellers to create benchmarks or comparative datasets, we do not share insights about Amazon’s business derived from Amazon data, and we do not use Amazon-derived data for our own business purposes outside of providing the service to you.

2.3 Usage and device data (collected automatically)

To keep Shadow reliable and secure, we automatically collect limited technical data such as feature-usage analytics, device and browser information, IP address, and server/error logs. We do not use this data to build profiles for advertising.

3. How Shadow uses your data

We use your data to:

  • Answer your questions and generate analysis using AI (Anthropic Claude and OpenAI models).
  • Store workspace context so Shadow’s responses stay relevant to your business over time.
  • Power scheduled reports and saved skills you configure.
  • Operate, support, and secure the service — including troubleshooting, preventing abuse, and meeting legal obligations.

What we do not do:

  • We do not sell your data to third parties.
  • We do not use your data to train AI models without your explicit opt-in.

4. AI and LLM data processing

This section describes how Shadow works with large language model (LLM) providers.

  • To generate responses, Shadow sends relevant workspace data to large language model APIs — Anthropic (Claude) and OpenAI.
  • Data sent to these APIs is governed by those providers’ data processing agreements. Under Anthropic’s and OpenAI’s commercial/API terms, data submitted through their APIs is not used to train their models.
  • What the AI reads vs. what we store: data sent to an LLM is used to generate your response in the moment and is not retained by our LLM providers beyond that request under their API terms. To operate, debug, and secure Shadow, we retain logs of agent activity — which can include LLM inputs and outputs — in our observability systems for up to 30 days, after which they are automatically deleted. Content you explicitly save (into a workspace, report, or knowledge base) is retained until you delete it. We do not use this data to train AI models.
  • You can request deletion of all stored workspace data at any time (see Your rights).

5. How Shadow shares data

We do not sell your personal information. We share data only in these limited circumstances:

  • Sub-processors / service providers: trusted vendors that help us operate Shadow — including our LLM providers (Anthropic, OpenAI), cloud hosting, and payment processing. They are bound by confidentiality and data-protection obligations and may use data only to provide services to us. A current list of sub-processors is available on request.
  • Acting as your agent: for connected source data (Section 2.2), Shadow accesses and processes data under your authorization and on your behalf — you are the controller of that data, and Shadow acts as your processor/agent. We pass that data only to the sub-processors needed to deliver the features you request.
  • Legal: where required to comply with law, regulation, or a valid legal request, or to protect the rights, safety, or property of Shadow, our users, or the public.
  • Business transfers: if Shadow is involved in a merger, acquisition, financing, or sale of assets, data may be transferred as part of that transaction. We will notify you where required.

6. Data retention

We retain data only as long as needed to provide the service:

  • Account & organization metadata (name, email, workspace configuration, billing records): retained for the life of your account. On account or organization closure, this is purged within 30 days — basic organization and billing metadata may be kept for up to 30 days to allow reinstatement, then deleted.
  • Connected source data (e.g., cached ad metrics and creative assets): retained only while the integration is connected. If you remove an integration, that platform’s data is permanently deleted within 24 hours. If a connection expires but is not removed, cached data is purged after 30 days unless you reconnect.
  • Conversation and prompt history, and saved artifacts (reports, knowledge base): retained per workspace until you delete them or close your account; deletable by you at any time.
  • LLM and observability logs (which may include prompts and model outputs): retained for up to 30 days, then automatically deleted. Never used to train AI models.
  • Backups: deleted data expires from our rolling backups within 35 days.
  • Deletion requests: verified deletion requests are honored within 30 days, consistent with GDPR and CCPA.

We remove deleted data from active systems and from backups on the cycle described above, except where we are required to retain it for legal or security reasons.

7. Your rights and choices (GDPR / CCPA)

Wherever you are located, you can:

  • Access the data Shadow holds about you.
  • Delete your account and all associated data.
  • Disconnect any integration at any time, which stops Shadow from accessing that source going forward.

For users in the EEA / UK (GDPR): our lawful bases for processing are contractual necessity (to provide the service you signed up for) and legitimate interest (to operate, secure, and improve Shadow). You also have rights to rectification, restriction, objection, and data portability, and the right to lodge a complaint with your local supervisory authority.

For California residents (CCPA/CPRA): you have the right to know what personal information we collect, to delete it, to correct it, and to non-discrimination for exercising your rights. We do not sell or “share” your personal information as those terms are defined under California law.

To exercise any of these rights, email security@shadow.co. We respond within the timeframes required by law.

8. Data security

  • Encryption in transit: TLS 1.3.
  • Encryption at rest: AES-256.
  • Credential protection: OAuth access tokens and other integration secrets are encrypted at the application layer, in addition to disk-level encryption, before they are stored.
  • Authentication: sessions are secured with JWT tokens and short-lived OAuth authorization codes.
  • Access controls: access to your workspace data is limited to a small number of authorized personnel, and only for debugging, support, operating, and securing the service. Access is role-based, restricted, logged, and monitored.

No system is perfectly secure, but we use commercially reasonable, industry-standard measures to protect your data.

9. Cookies

Shadow uses session cookies for authentication only — to keep you signed in and secure your session. We do not use advertising or cross-site tracking cookies.

10. International data transfers

Shadow is operated from the United States, and your data is stored and processed in the United States. If you access Shadow from outside the U.S., your data will be transferred to and processed in the U.S. Where required, we rely on appropriate safeguards (such as the EU Standard Contractual Clauses) for international transfers.

11. Children’s privacy

Shadow is not intended for individuals under 18, and we do not knowingly collect data from children. If you believe a child has provided us data, contact security@shadow.co and we will delete it.

12. Changes to this policy

We may update this policy from time to time. For material changes, we will notify users by email. The “Last updated” date at the top reflects the latest version. Continued use of Shadow after notice of a material change constitutes acceptance of the updated policy.

13. Contact us

EthosXYZ Technologies Inc (dba “Shadow”)
767 Broadway, #1098, New York, NY 10003, USA

EthosXYZ Technologies Inc.

Copyright 2026
All Rights Reserved
