ShadowText

Privacy Policy

Effective date: 2026-04-26

This Privacy Policy explains what personal information ShadowText collects, why we collect it, how we share it, and what choices you have. shadowtext.ai is the controller of personal data processed in connection with the Service.

1. Scope of this Policy

This Policy applies to personal data we process when you visit shadowtext.ai, create or use a ShadowText account, contact our support team, or otherwise interact with the Service. It does not apply to third-party websites or services that we do not operate, even if we link to them.

Where we offer the Service in different languages, the English version of this Policy is the controlling version. Translations are provided for convenience.

2. What We Collect

We collect the following categories of personal data:

Account information
Email address, hashed password (where you sign in with email), display name, account preferences, and the OAuth identity claims we receive when you sign in with Google.
Billing information
Plan and billing period, the country and postal code Stripe collects at checkout, the last four digits of the card or the masked Alipay account identifier, transaction amounts, and invoice metadata. We never see or store your full payment-card number; that information is held by Stripe in their PCI-DSS compliant environment.
Submitted text
The text and any documents you submit to the Service for editorial assistance, plus the corresponding output. We treat submitted text as confidential and only use it to deliver the Service to you, to detect and prevent abuse, and to comply with our legal obligations.
Usage and device data
Pages visited, features used, request timestamps, IP address, user-agent, browser language, time zone, and high-level device fingerprint signals (used to detect signup abuse and account sharing). We use this data to operate, secure, and improve the Service.
Communications
Messages you send to us through email, in-app support widgets, and any feedback you submit. We retain these for support and quality purposes.
Cookies and similar technologies
Strictly-necessary cookies for authentication and session management, and a small number of preference cookies (for example, your UI language). We do not use third-party advertising cookies. See Section 8 below.

3. How We Use Your Information

We process the categories of data above for the following purposes and on the following legal bases:

  • To provide the Service you have asked for, including processing the text you submit and returning the output to you (legal basis: performance of our contract with you).
  • To bill you, manage your subscription, send you renewal reminders and receipts, and resolve payment problems (legal basis: performance of our contract; compliance with tax and accounting law).
  • To detect, prevent, and respond to fraud, abuse, account sharing, security incidents, and breaches of our Terms (legal basis: our legitimate interest in protecting users and the Service; compliance with law).
  • To provide customer support, including answering your questions and investigating issues you report (legal basis: performance of our contract; our legitimate interest in delivering quality support).
  • To improve the Service in aggregate, for example by tracking which features are used and where errors occur. We use de-identified or aggregated data for this purpose wherever possible (legal basis: our legitimate interest in improving the Service).
  • To communicate important service updates, security advisories, and changes to our Terms or this Policy (legal basis: performance of our contract; our legitimate interest in keeping you informed).
  • To comply with legal obligations and to enforce our Terms (legal basis: legal obligation; our legitimate interest in protecting our rights).

We do not sell your personal information. We do not use your submitted text to train new public foundation models, and we do not share your submitted text with third parties for their own marketing or model-training purposes.

4. Sub-Processors and How We Share Information

We share personal data with the third-party providers listed below (our sub-processors), each of whom is contractually bound to use the data only to provide their service to us. We may also share data where required by law, in response to a lawful request from a public authority, to protect our rights or the safety of users, or in connection with a corporate transaction such as a merger or sale of assets (subject to appropriate safeguards).

Stripe, Inc. — United States
Payment processing, subscription billing, fraud screening. Email address, billing country, IP address at checkout, transaction amounts. We never see or store full card numbers.
Cloudflare, Inc. — Global edge
Hosting, content delivery network, DDoS and bot mitigation. Standard request metadata (IP, user-agent, request paths) for routing, caching, and abuse prevention.
Resend, Inc. — United States
Transactional email (account verification, password reset, billing receipts, renewal reminders). Email address and the body of the relevant transactional message.
Anthropic, OpenAI, DeepSeek, and similar large-language-model providers — United States and provider-controlled regions
Processing of user-submitted text to generate the editorial output you request. We rotate among providers based on availability and cost. Only the text you submit for processing in a given request, plus minimal routing metadata. We do not send account identifiers, payment information, or your contact details.
Google LLC (Google Sign-In) — United States
Optional sign-in / authentication for users who choose Google as their identity provider. OAuth identity claims (email, name, account ID) for users who sign in with Google.
Fingerprint, Inc. — United States
Device verification for fraud prevention and account security on signup and high-risk events. Browser and device signals (screen, fonts, hardware concurrency, IP). No content is shared.

5. Data Retention

We keep account data for as long as your account is active, and for 12 months after closure, after which the account record is deleted or fully de-identified. You can ask us to delete your account sooner; see Section 7.

Text you submit for processing is retained on a sliding window of up to 30 days and is then automatically and irreversibly deleted from our active systems. We retain only what is necessary to deliver the Service, support you when you ask for help, investigate abuse, and comply with our legal obligations.

Billing and tax records are retained for 7 years to comply with applicable tax and accounting law. Security and audit logs are retained for up to 90 days.

6. International Data Transfers

We are based in the United States and our sub-processors operate primarily in the United States and on global edge networks. Where personal data is transferred from the European Economic Area, the United Kingdom, Switzerland, China, or other jurisdictions to the United States, we rely on the appropriate transfer mechanisms permitted by applicable law (for example, the EU Standard Contractual Clauses and equivalent UK addenda) and we apply additional contractual and technical safeguards with our sub-processors.

If you are located in mainland China, please be aware that the Service is operated from the United States and that your personal data, including text you submit, will be transferred to and processed in the United States and other jurisdictions where our sub-processors operate. By using the Service you acknowledge this transfer.

7. Your Rights

Depending on where you live, you may have the following rights in respect of your personal data:

  • Access — to obtain confirmation of whether we process personal data about you and a copy of that data.
  • Rectification — to ask us to correct personal data that is inaccurate or incomplete.
  • Deletion — to ask us to delete your personal data, subject to limited exceptions where we are required or permitted to keep it.
  • Portability — to receive a machine-readable copy of personal data you have provided to us, where this right applies under your local law.
  • Restriction or objection — to ask us to restrict or to object to certain processing, including processing based on our legitimate interests.
  • Withdrawal of consent — where we rely on consent, to withdraw it at any time without affecting prior processing.
  • Lodging a complaint — to lodge a complaint with your local data-protection authority. We would appreciate the chance to address your concern first.

Residents of the European Economic Area and the United Kingdom may exercise the rights provided by the GDPR and the UK GDPR. Residents of California may exercise the rights provided by the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what personal information is collected and to limit the use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising. Residents of mainland China may exercise the rights provided by the Personal Information Protection Law (PIPL), including the right to access, copy, correct, and delete personal information, and the right to withdraw consent.

To make a request, email support@shadowtext.ai. To protect your data, we will need to verify your identity before we act. You may also use an authorised agent where local law permits.

8. Cookies and Analytics

We use a small number of strictly-necessary cookies and similar storage to run the Service. These keep you signed in, remember your UI language preference, protect against cross-site request forgery, and let us deliver pages from our content-delivery network. Disabling these will break parts of the Service.

We use first-party analytics in aggregate to understand which features are used. We do not use third-party advertising cookies, we do not run cross-site tracking pixels, and we do not load fingerprinting libraries unless we need them to investigate suspected abuse on a particular sign-up or high-risk event.

9. Security

We protect personal data with industry-standard administrative, technical, and physical safeguards. These include TLS in transit, encryption at rest for sensitive fields, principle-of-least-privilege access controls, time-bound credentials for production access, code review for changes that touch authentication or billing, automated dependency scanning, and human review for high-risk changes.

No service is perfectly secure. If you become aware of a vulnerability or a possible incident, please report it to support@shadowtext.ai. We will investigate promptly and notify affected users and regulators as required by law.

10. Children

The Service is not intended for and may not be used by anyone under the age of 13 (under the age of 16 if you are in the European Economic Area or the United Kingdom). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us at support@shadowtext.ai and we will take steps to delete that data and close any related account.

11. Automated Decision-Making

We do not use your personal data to make decisions that produce legal effects on you, or that significantly affect you in a similar way, by purely automated means. Account safety signals are reviewed by humans before suspension or termination of an account, except in obvious automated-attack scenarios where we may temporarily restrict access pending review.

12. Changes to this Policy

We may update this Policy from time to time. We will post the updated Policy at https://shadowtext.ai/privacy and update the effective date at the top. Where the change is material, we will give you advance notice in-product or by email.

13. Contact Us

For privacy questions, requests, or complaints, contact shadowtext.ai at support@shadowtext.ai. For users in the European Economic Area or the United Kingdom, you may also lodge a complaint with your local supervisory authority. For users in mainland China, you may also contact the relevant authority under the PIPL.