This Privacy Policy describes how Shape AI Ltd. (“Shape AI”, “we”, “our” or “us”) collects, stores, uses and discloses the following categories of personal data:
(i) Customer Data: personal data that we collect, process and manage on behalf of our business customers (“Customers”), submitted to the ShapeAI API (collectively, the “API”). We process such Customer Data on behalf and under the instruction of the respective Customer in our capacity as a “data processor” in accordance with our Data Processing Addendum with them. For more information, please refer to Section 9 below. Accordingly, this Privacy Policy – which describes ShapeAI’s independent privacy and data processing practices as a “data controller” – does not apply to the processing of Customer Data. If you have any questions or requests regarding Customer Data, please contact the relevant Customer directly.
(ii) User Data: personal data concerning individuals engaging with ShapeAI on behalf of our Customers who are authorized users of the API (collectively, “Users”);
(iii) Prospect Data: data relating to visitors of our websites (including https://shape-ai.com), participants at our events, and any other prospective customer, user or partner (collectively, “Prospects”) who visits or otherwise interacts with our websites,
Specifically, this Privacy Policy describes our practices regarding:
1. Data Collection
2. Data Uses
3. Data Location
4. Data Retention
5. Data Disclosure
6. Cookies and Tracking Technologies
7. Communications
8. Data Security
9. Data Subject Rights
10. Data Controller/Processor
11. Additional Information and Contact Details
If you are a Customer, User or Prospect, please read this Privacy Policy carefully and make sure that you fully understand and agree to it.
You are not legally required to provide us with any personal data and may do so (or avoid doing so) at your own free will. If you do not wish to provide us with your personal data or to have it processed by us or any of our Service Providers
(per Section 5 below), please avoid any interaction with us or any use of our Services.
1. Data Collection
When we use the term “personal data” or “personal information” in this Privacy Policy, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual. It does not include aggregated or deidentified information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual. Sometimes we collect personal data automatically when an individual interacts with our Services and sometimes we collect personal data directly from an individual. We may also collect personal data about an individual from other sources and third parties (such as our business customers, partners and Service Providers), even before our first direct interaction with you. We may collect or generate the following types of personal data about individuals in relation to the Services:
- Contact data: contact and business details of Users such as name, e-mail, phone number, position, workplace and related business insights; as well as any needs, preferences, attributes and insights relevant to our relationship;
- Account data: e-mail address, nickname, user ID, hashed password or other information used for authentication and access control.
- Customer data: our API allows Customers to submit queries to be run by us through large language models (such as OpenAI’s ChatGPT) and receive responses back. In addition, our Customers (in their sole discretion) may allow their customers (“End-Users”) to submit queries via our API (either directly or indirectly via the Customer). To the extent that the query and/or response contain personal data, this will be collected and processed by us.
- Interactions and communications data: correspondence with us (e.g., for user experience, support and training purposes) via the Services or our social media pages (such as Twitter, Facebook), as well as chats, surveys, feedback, calls and video recordings, transcriptions, and analyses thereof.
- Usage and analytics data: connectivity, technical and behavioral usage data, user agent, IP addresses, device data (such as type, OS, device ID, browser version, locale and language settings used), activity, communication and performance logs, session
recordings, issues and bugs, and the cookies and pixels installed or utilized on your device as you access or otherwise use the Services. - Prospect Data: data relating to visitors of our website (https://shape-ai.com), participants at our events, and any other prospective customer, user or partner who visits or otherwise interacts with our website, online ads and content, emails, sales and
marketing channels, and integrations or communications under our control.
For the purposes of the California Consumer Privacy Act (“CCPA”), specifically, in the last twelve (12) months, we have collected the following categories of Personal Information: Identifiers; Professional or Employment-Related Information; Internet or other Electronic Network Activity Information. We do not use or disclose sensitive personal information as defined in the CCPA.
ShapeAI processes the personal data described in Section 1 as necessary for the provision of our Services (“Performance of Contract”); to comply with our legal and contractual obligations (“Legal Obligation”); and to support our legitimate interests in maintaining, improving and advertising our Services, e.g. in understanding how our Services are used and how our
campaigns are performing, and gaining insights which help us dedicate our resources and efforts more efficiently; in marketing, advertising and selling our Services; providing customer service and technical support; and protecting and securing our Customers, Users, Prospects, ourselves and our Services (“Legitimate Interest”).
ShapeAI operates in various countries around the world. If you reside or are using the Services in a territory governed by privacy laws under which “consent” is the only or most appropriate legal basis for the processing of personal data in the manner described in this Policy (in general, or specifically with respect to the types of personal data you expect or elect to be or have processed by or via the Services), your use of the Service will be deemed as your consent to the processing of your personal data for the purposes detailed
Specifically, we use your personal data for the following business and commercial purposes:
ShapeAI processes the personal data described in Section 1 as necessary for the provision of our Services (“Performance of Contract”); to comply with our legal and contractual obligations (“Legal Obligation”); and to support our legitimate interests in maintaining, improving and advertising our Services, e.g. in understanding how our Services are used and how our
Users and Prospects
| Purpose | Legal basis for processing |
|---|---|
| To facilitate, operate, enhance, and provide our Services | Performance of Contract Legitimate Interest |
| To authenticate the identity of our Users, and to allow them to access our Services | Performance of Contract, Legitimate Interest |
| To provide our Users and Prospects assistance and support | Performance of Contract Legitimate Interest |
| To perform, facilitate and optimize our marketing campaigns, ad management and sales operations, as well as promotional messages and to manage and deliver advertisements for our products and services more effectively | Legitimate Interest Consent |
| To perform, facilitate and optimize our marketing campaigns, ad management and sales operations, as well as promotional messages and to manage and deliver advertisements for our products and services more effectively | Legitimate Interest Consent |
We do not sell or share your personal information for the intents and purposes of the California Consumer Privacy Act (CCPA).
3.Data Location
We and our authorized Service Providers (per Section 5 below) maintain, store and process personal data in the United States and other locations, as reasonably necessary for the proper performance and delivery of our Services, or as may be required by law.
While privacy laws may vary between jurisdictions, ShapeAI and its Service Providers are each committed to protect personal data in accordance with this Privacy Policy, customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in the jurisdiction where the data may be processed.
To the extent we transfer personal data from the European Economic Area (EEA), UK, or Switzerland to countries which that are not considered to offer an adequate level of data protection, we rely on appropriate data transfer mechanisms as established under applicable law, such as the standard contractual clauses (SCCs) adopted by the EU (available here) and the
UK (available here). You can request a copy of these SCCs by contacting us as indicated in Section 11.
4.Data Retention
We may disclose your data for a business purpose with certain third parties, including law enforcement agencies, our Service Providers and our affiliates, in accordance with this Policy and as described below:
Service Providers: we engage selected third-party entities or individuals as “Service Providers” to perform services complementary to our own. Such Service Providers may include hosting and server co-location services, communications and content delivery networks (CDNs), data analytics services, marketing and advertising services, data and cyber security services, fraud detection, investigation and prevention services, e-mail, video conferencing and communication services, session or activity recording services, social and advertising networks, support and customer relation management systems, third-party customer support providers, and our legal, compliance and financial advisors and auditors. These Service Providers may have access to your personal data, depending on each of their specific roles and purposes in facilitating, supporting and enhancing our Services, and may only use it for such purposes.
Customers and End-Users: If you are an End-Users, using the services of one of our Customers, your personal data may be shared with the Customer owning the account to which you are subscribed as a user. Your personal data and activity within the Services may also be monitored, processed and analyzed by the Customer. This includes instances where you contact us for help in resolving an issue specific to a team of which you are a member (and which is managed by the same Customer).
Legal Compliance: in exceptional circumstances, we may disclose or allow government and law enforcement officials access to your personal data, in response to a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations, with or without notice to you. Such disclosure or access may occur if we believe in good faith that: (a) we are legally compelled to do so; (b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (c) such disclosure is required to protect our legitimate business interests, including the security or integrity our Users, Prospects and our Services.
Protecting Rights and Safety: we may disclose personal data with others if we believe in good
faith that this will help protect the rights, property or personal safety of ShapeAI, our Customers,
Users, Prospects, or any members of the general public.
Change of control or ownership: If ShapeAI undergoes any change in control, including by means of merger, acquisition or purchase of any of its assets, your personal data may be shared with the parties involved in such an event. If we believe that such an event might materially affect your personal data then stored with us, we will notify you of this and the choices you may have via e-mail or prominent notice on our Services.
Additional sharing: For the avoidance of doubt, we may disclose personal data in additional manners, pursuant to your explicit approval, or if we are legally obligated to do so, or if we have successfully rendered such data non-personal, non-identifiable and anonymous. For the purposes of the CCPA, in the past twelve (12) months, we have disclosed Identifiers, Internet or other Electronic Network Activity Information, Professional or Employment-Related Information, and Commercial Information to government and law enforcement officials, Service Providers, subsidiaries and affiliates, and in the context of a change of control.
5. Data Disclosure
We may disclose your data for a business purpose with certain third parties, including law enforcement agencies, our Service Providers and our affiliates, in accordance with this Policy and as described below:
Service Providers: we engage selected third-party entities or individuals as “Service Providers” to perform services complementary to our own. Such Service Providers may include hosting and server co-location services, communications and content delivery networks (CDNs), data analytics services, marketing and advertising services, data and cyber security services, fraud detection, investigation and prevention services, e-mail, video conferencing and communication services, session or activity recording services, social and advertising networks, support and customer relation management systems, third-party customer support providers, and our legal,
compliance and financial advisors and auditors. These Service Providers may have access to your personal data, depending on each of their specific roles and purposes in facilitating, supporting and enhancing our Services, and may only use it for such purposes.
Customers and End-Users: If you are an End-Users, using the services of one of our Customers, your personal data may be shared with the Customer owning the account to which you are subscribed as a user. Your personal data and activity within the Services may also be monitored, processed and analyzed by the Customer. This includes instances where you contact us for help
in resolving an issue specific to a team of which you are a member (and which is managed by the
same Customer).
Legal Compliance: in exceptional circumstances, we may disclose or allow government and law enforcement officials access to your personal data, in response to a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations, with or without notice to you. Such disclosure or access may occur if we believe in good faith that: (a) we are legally compelled to do so; (b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (c) such disclosure is required to protect our legitimate business interests, including the security or integrity our Users, Prospects and our Services.
Protecting Rights and Safety: we may disclose personal data with others if we believe in good faith that this will help protect the rights, property or personal safety of ShapeAI, our Customers, Users, Prospects, or any members of the general public.
Change of control or ownership: If ShapeAI undergoes any change in control, including by means of merger, acquisition or purchase of any of its assets, your personal data may be shared with the parties involved in such an event. If we believe that such an event might materially affect your personal data then stored with us, we will notify you of this and the choices you may have via e-mail or prominent notice on our Services.
Additional sharing: For the avoidance of doubt, we may disclose personal data in additional manners, pursuant to your explicit approval, or if we are legally obligated to do so, or if we have successfully rendered such data non-personal, non-identifiable and anonymous.
For the purposes of the CCPA, in the past twelve (12) months, we have disclosed Identifiers, Internet or other Electronic Network Activity Information, Professional or Employment-Related Information, and Commercial Information to government and law enforcement officials, Service Providers, subsidiaries and affiliates, and in the context of a change of control.
6. COOKIES AND TRACKING TECHNOLOGIES
We and our Service Providers use cookies and other technologies for performance, tracking, analytics and personalization purposes. We may share non-identifiable / aggregated extracts of such information with our partners for our legitimate business purposes.
Cookies are small text files that are stored through the browser on your computer or mobile device (for example, Google Chrome or Safari) when you visit a website. Some cookies are removed when you close your browser session – these are the “session cookies”. Some last for longer periods and are called “persistent cookies”. We use both types of cookies to facilitate the use of the Services’ features and tools. While we do not change our practices in response to a “Do Not Track” signal in the HTTP header from a browser or mobile application, you can manage your cookies preferences, including whether or not to accept them and how to remove them, through your browser settings. Please bear in mind that disabling cookies may complicate or even prevent you from using the Site. For more information regarding cookies, you may find the following websites useful: www.allaboutcookies.org, www.youronlinechoices.co.uk.
To learn more about our cookie practices, please visit our Cookie Policy.
We also use web analytics tools, including Google Analytics. These tools help us understand User and Prospect behavior on our Services, including by tracking page content, and click/touch, movements, scrolls and keystroke activities. Further information about the privacy practices of our analytics service provider is available at: www.google.com/policies/privacy/partners/. Further information about your option to opt-out of these analytics services is available at: https://tools.google.com/dlpage/gaoptout.
Please note that if you get a new computer, install a new browser, erase or otherwise alter your browser’s cookie file (including upgrading certain browsers), you may also clear the opt-out cookies installed once you opt-out, so an additional opt-out will be necessary to prevent additional tracking.
7. COMMUNICATIONS
We may engage in service and promotional communications through any of the means available to us (e.g., e-mails, text messages and notifications).
Service Communications: we may contact you with important information regarding our Services. For example, we may send you notifications (through any of the means available to us) of changes or updates to our Services (such as login attempts or password reset instructions, alerts and notifications concerning anomalies detected by our Services, surveys, etc.). You can control your communications and notifications in accordance with the instructions included in the communications sent to you. Please note that you will not be able to opt-out of receiving certain service communications which are integral to your use.
Notifications and Promotional Communications: we may also notify you about new features, additional offerings, events, webinars, special opportunities or any other information we think you may find valuable. We may provide such notices through any of the contact means available to us (e.g., e-mail), through the Services, or through our marketing campaigns on any other sites or platforms. Furthermore, if you contact us with an inquiry, we may respond with promotional e-mails related to your inquiry. For example, if you contact us with an inquiry about a feature you would like to see on one of our Services, we will use your contact information to later inform you once our Services have been updated to include features similar to those you inquired about or other features you may be interested in. To control your notifications settings, please follow the instructions included in the promotional communications sent to you. If you do not wish to receive such communication, you may also notify us by sending an e-mail to privacy@shapeai1stg.wpenginepowered.com or opt-out of these e-mail updates by following the “unsubscribe”, “stop”, “opt-out” or “change e-mail preferences” link located at the bottom of the e-mail.
8. DATA SECURITY
In order to protect your personal data held with us, we use industry-standard physical, procedural and technical security measures to secure your personal data, in to minimize the risks of theft, damage, loss of information, or unauthorized access or use of personal data.
However, please be aware that regardless of any security measures used, we cannot and do not guarantee the absolute protection and security of any personal data stored with us or with any third parties as described in Section 5 above.
9. DATA SUBJECT RIGHTS
If you wish to exercise your privacy rights under any applicable law, including the EU or UK General Data Protection Regulation (GDPR), the CCPA or any similar US state law, please contact us by email at privacy@shapeai1stg.wpenginepowered.com. Such rights may include (to the extent available to you under the laws which apply to you), the right to know / request access to (specific pieces of personal information collected; categories of personal information collected; categories of sources from whom the personal information was collected; purpose of collecting personal information; categories of third parties with whom we have shared personal information), to request rectification or erasure of, your personal data held with ShapeAI; to restrict the processing of such data and to object to its processing (including, for California residents, the right to direct us not to sell or share your personal information to third parties now or in the future, as indicated below); to port such data; or the right to equal services and prices (each to the extent available to you under the laws that apply to you).
If you would like to opt out of the “sale” or “sharing” (as such terms are defined under the CCPA) of your personal information for cross-context behavioral advertising, please contact us at privacy@shapeai1stg.wpenginepowered.com.
Please note that we may require additional information, including certain personal data, in order to authenticate and process your request. Such additional information may be then retained by us for legal purposes (e.g., as proof of the identity of the person submitting the request), in accordance with Section 4 above. We may redact from the data which we make available to you, any personal data related to other individuals.
If your request relates to personal data that may be processed on our Customer’s behalf, as their “data processor” or “service provider” (as further explained in Section 10 below), note that such Customer exclusively determines how such data is processed, as well as if and how your request should be handled – so we advise you to submit your request directly to them. We will not fulfill your request unless you have provided sufficient information that enables us to reasonably verify that you are the individual about whom we collected the personal data, and that such data is processed on behalf of any of our Customers, so that we may forward it to such Customer for their further handling. Such additional information will be then retained by us for legal purposes (e.g. as proof of the identity of the person submitting the request, and of how each request was handled), in accordance with Section 4 above.
Additionally, you have a right to lodge a complaint with a competent authority, such as the
supervisory authority in the EU Member State of your habitual residence, place of work, or of the
alleged GDPR infringement, the UK’s Information Commissioner’s Office, or your State’s Attorney
General (as applicable).
10.DATA CONTROLLER/PROCESSOR
Certain data protection laws and regulations, such as the GDPR or the CCPA, typically distinguish between two main roles for parties processing personal data: the “data controller” (or under the CCPA, “Business”), who determines the purposes and means of processing; and the “data processor” (or under the CCPA, “Service Provider”), who processes such data on behalf of the data controller (or Business). Below we explain how these roles apply to our Services, to the extent that such laws and regulations apply.
ShapeAI is the “data controller” of its Prospects’ personal data, as detailed in Section 1 above. Accordingly, we assume the responsibilities of a data controller (solely to the extent applicable under law), as set forth in this Privacy Policy.
ShapeAI is the “data processor” of its Users’ personal data, as well as personal data contained in Customer Data, as submitted by our Customers and their End-Users via the Services. We process such data on behalf of our Customer (who is the “data controller” of such data) and in accordance with its reasonable instructions, subject to our terms and conditions, our Data Processing Addendum (to the extent applicable) and other commercial agreements with such Customer.
Our Customers are solely responsible for determining whether and how they wish to use our Services, and for ensuring that all individuals using the Services on the Customer’s behalf or at their request, as well as all individuals whose personal data may be included in Customer Data processed through the Services, have been provided with adequate notice and given informed consent to the processing of their personal data, where such consent is necessary or advised, and that all legal requirements applicable to the collection, use or other processing of data through our Services are fully met by the Customer. Our Customers are also responsible for handling data subject rights requests under applicable law, by their Users and other individuals whose data they process through the Services.
If you would like to make any requests or queries regarding personal data we process as a data processor on our Customer’s behalf, including accessing, correcting or deleting your data, please contact the Customer directly.
11.ADDITIONAL INFORMATION AND CONTACT DETAILS
Updates and Amendments: we may update and amend this Privacy Policy from time to time by posting an updated version on our Services. The amended version will be effective as of the date it is published. We will provide prior notice if we believe any substantial changes are involved via any of the communication means available to us or via the Services. Your continued use of the Services after the changes have been implemented will constitute your acceptance of the changes.
External Links: While our Services may contain links to other websites or services, we are not responsible for their privacy practices. We encourage you to pay attention when you leave our Services for the website or application of such third parties, and to read the privacy policies of each and every website and service you visit. This Privacy Policy applies only to our Services.
Requirements under US State Privacy Laws: This Privacy Policy describes the categories of personal information we may collect and the sources of such information (in Section 1 above), and our retention and deletion (Section 4) practices. We also included information about how we may process your information (in Sections 1 through 7), which includes “business purposes” under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) and similar US state laws, as applicable. We do not “sell” or “share” your personal information for the intentions and purposes of the CCPA or CPRA, nor disclose personal information that we “control” to any third party for their direct marketing purposes. We may disclose personal data to third parties or allow them to collect personal data from our Services as described in Sections 5 and 6 above, if those third parties are our Customers (in respect of Customer Data processed on their behalf), or our authorized Service Providers or business partners who have agreed to our contractual limitations as to their retention, use, and disclosure of such personal data, or if you integrate the Services of third parties with our Services, or direct us to disclose your personal data to third parties, or as otherwise described in Section 5 above. You may also designate an authorized agent, in writing or through a power of attorney, to request to exercise your privacy rights on your behalf. The authorized agent may submit a request to exercise these rights by emailing us. We will not discriminate against you by withholding our Services from you or providing a lower quality of service to you for requesting to exercise your rights under the law.
If you have any questions or would like to exercise your rights under any applicable US State privacy laws, you can contact privacy@shapeai1stg.wpenginepowered.com.
Children: Our Services are not directed to children under the age of 16. We do not knowingly collect personal data from children and do not wish to do so. If we learn that a child under this age is using the Services, we will attempt to prohibit and block such use and will make our best efforts to promptly delete any personal data stored with us with regard to such child. If you believe that we might have any such data, please contact us by e-mail at privacy@shapeai1stg.wpenginepowered.com.
Questions, concerns or complaints: if you have any comments or questions regarding our Privacy Policy, or if you have any concerns regarding your personal data held with us, or if you wish to make a complaint about how your personal data is being processed by ShapeAI, you can contact us at privacy@shapeai1stg.wpenginepowered.com.
Last updated: 2 September, 2023.
