01Who we are
Growth Forging Limited is the data controller for Shadow AI. We're a company registered in the Republic of Cyprus.
If you have a privacy question or want to exercise any of the rights described below, write to us at support@shadowai.cc.
02What we collect
Information you give us
| Category | Examples | Why we have it |
|---|---|---|
| Account data | Email, name, and the account identifier returned by Apple or Google when you sign in | To create and secure your account, and contact you about your service |
| Journal content | Your reflections, responses to prompts, dreams, notes, and any free-text you write into the Service | To generate reflections and surface patterns to you |
| Onboarding answers | Quiz responses, this-or-that choices, body-map answers, sentence completions | To determine your shadow archetype and personalize your reflections |
| Subscription data | Subscription status, plan, billing period | To give you the right access level. Apple or Google processes payment data, so we don't see your card details. |
A note on what you write: journal entries, dreams, body-map answers, and sentence completions are free-text fields. You may choose to write about mental or physical health, trauma, relationships, sexuality, beliefs, or other sensitive topics. We treat all of this content with the same care described in this policy.
Information we collect automatically
| Category | Examples | Why we have it |
|---|---|---|
| Anonymous app-instance identifier | A random ID assigned to your install by our subscription management tool | To distinguish your subscription state from other users without tying it to a personal identifier |
We do not currently collect crash reports, analytics, or usage telemetry. We do not embed any analytics, ad, attribution, or crash-reporting tools in the Service. If this changes in the future, we will update this policy before any new collection begins.
What gets sent to our AI provider per reflection
When the app generates a reflection on a journal entry, we send the following to OpenAI through our own backend service:
- The full text of the current entry
- Your shadow archetype name and current phase
- Up to the top 10 themes from your prior entries, with how often each appeared
- Short snippets (up to 80 characters each) from your most recent 7 entries
- For multi-turn reflections, the full history of that conversation thread
We send this context so the AI can generate a reflection that builds on your prior pattern, rather than treating each entry in isolation. Your name and email are never included in the prompt.
The AI also generates signals about each entry, including an intensity classification and a safety flag, which help the app respond appropriately to entries that suggest acute distress. These signals are stored alongside your entry.
03How we use what we collect
We use your data to:
- Provide the Service. Generate reflections, save your entries, manage your account, deliver your subscription.
- Personalize your experience. Determine your shadow archetype, recognize patterns in your entries, tailor prompts.
- Maintain the Service. Investigate problems you report to us, fix bugs, and keep the Service running.
- Communicate with you. Respond to support requests, send service announcements such as changes to these terms.
- Meet our legal obligations. Comply with applicable law, respond to lawful requests, enforce our terms.
We do not use your individual journal content to train AI models that serve other users, sell your data to anyone, or share your content with advertisers.
04Legal basis for processing (EEA / UK users)
If you're in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases under the GDPR:
- Performance of a contract (GDPR Article 6(1)(b)), to provide the Service you signed up for;
- Legitimate interests (GDPR Article 6(1)(f)), to maintain and secure the Service, where these interests don't override your rights;
- Consent (GDPR Article 6(1)(a)), for optional things like marketing emails, which you can withdraw at any time;
- Legal obligation (GDPR Article 6(1)(c)), to comply with applicable law.
If you voluntarily share information that falls under special categories of personal data (such as information about your mental or physical health) by writing it into your journal entries or onboarding answers, we process that information only to provide and personalize the Service for you. By choosing to write such content into the Service, you understand that this content is processed by us and by our AI provider as described in this policy. You can delete any entry at any time, and you can delete your account to remove all such content.
05Who we share data with
We share data only with service providers we need to run Shadow AI, and only what they need to do their job. These are:
| Provider | Role | Data shared |
|---|---|---|
| Supabase | Database and authentication hosting | Account data, journal entries, onboarding answers (stored encrypted at rest on Supabase's servers) |
| OpenAI | AI provider for generating reflections | The journal content and context described in Section 02. Processed under OpenAI's API data processing terms. OpenAI retains API request data for up to 30 days for abuse monitoring purposes and then deletes it. Not used to train OpenAI's models. |
| Apple | App distribution, in-app payments, and Sign in with Apple | Your in-app purchase data (handled by Apple's payment system) and, if you sign in with Apple, the identity token and account identifier Apple returns, plus name and email on first sign-in if you choose to share them |
| Sign in with Google | If you sign in with Google, the ID token Google returns to the app, which contains your Google account identifier, email, name, and profile picture URL | |
| Superwall | Paywall and subscription management | Anonymous app-instance identifier, subscription events, paywall interactions |
Each of these providers operates under its own terms and data processing commitments. We don't sell your data to anyone.
We may also disclose data if required to do so by law, court order, or other valid legal process; to protect the rights, safety, or property of Growth Forging Limited, our users, or others; or in connection with a merger, acquisition, or sale of business assets, in which case we will notify you.
06International transfers
Some of our service providers are located outside of your country. When we transfer your data internationally (for example, to OpenAI in the United States), we rely on appropriate safeguards under applicable law, including Standard Contractual Clauses approved by the European Commission, where required.
07Data retention
We keep your data for as long as your account is active. When you delete your account:
- Your journal entries and personal data are removed from our active systems immediately;
- Your data may persist in daily disaster-recovery backups maintained by our database provider for up to 7 days, after which it is overwritten by newer backups that no longer contain your data;
- Content that was sent to OpenAI for reflection generation may persist in OpenAI's abuse-monitoring logs for up to 30 days after the request, after which OpenAI deletes it;
- We may retain limited information longer if required by law (for example, for tax or accounting purposes) or to resolve disputes.
08Your rights
Depending on where you live, you have the following rights over your personal data. You can exercise these by emailing support@shadowai.cc.
Everyone
- Access: request a copy of the personal data we hold about you;
- Correction: ask us to correct inaccurate or incomplete data;
- Deletion: ask us to delete your data (subject to legal retention requirements);
- Portability: receive your data in a structured, machine-readable format.
EEA / UK residents (under GDPR)
- Restrict processing in some circumstances;
- Object to processing based on legitimate interests;
- Withdraw consent at any time, where processing is based on consent;
- Complain to a supervisory authority. In Cyprus, the Office of the Commissioner for Personal Data Protection.
California residents (under CCPA / CPRA)
- Know what personal information we've collected, used, disclosed, or sold;
- Delete personal information we've collected from you;
- Correct inaccurate personal information;
- Opt out of "sale" or "sharing". We don't sell or share personal information for targeted advertising purposes;
- Limit use of sensitive personal information;
- Non-discrimination for exercising your rights.
We aim to respond to all valid requests within 30 days. We may ask you to verify your identity before processing a request.
09Apple App Privacy
The data types we collect, as declared in our Apple Privacy Manifest, are:
- Contact info: name and email (linked to your account, used for app functionality);
- User content: journal entries and reflections (linked to your account, used for app functionality and to personalize your experience);
- Identifiers: user ID (linked to your account, used for app functionality);
- Purchases: subscription history (linked to your account, used to grant feature access).
We do not track you across apps or websites owned by other companies, and we share no data with data brokers or advertisers.
10Security
We protect your data with industry-standard measures, though specific protections vary by where the data lives:
- In transit: all data sent between the app and our servers is encrypted with TLS.
- On our servers (Supabase): journal entries and account data are encrypted at rest. Access is limited to authorized staff on a need-to-know basis.
- On your device: sensitive credentials (such as Apple authorization codes used for account deletion) are stored in iOS's encrypted secure storage (Keychain). Journal entries and onboarding answers cached locally on the device for offline use are protected by the operating system's app sandbox, which prevents other apps from reading them, and by device-level encryption when your device is locked with a passcode. Shadow AI does not additionally encrypt this cached content at the application layer. As with any locally cached app data, someone with privileged access to your device (for example, through forensic tools or a jailbroken device) could potentially extract this information.
No system is 100% secure. If you believe your account has been compromised, contact us immediately at support@shadowai.cc.
11Children
Shadow AI is recommended for adult readers. We do not knowingly collect personal data from children in violation of applicable children's privacy laws (such as COPPA in the United States or GDPR provisions for children in the EEA / UK). If you believe a child has provided us with personal data, contact us at support@shadowai.cc and we will delete it.
12Changes to this policy
By creating an account or using Shadow AI, you agree to this Privacy Policy as it exists at that time.
We may update this Privacy Policy from time to time. When we do, we will update the "last updated" date at the top of this page. For material changes, we will notify you through the app or by email before the changes take effect. Continued use of the Service after the updated policy takes effect means you accept the updated policy. If you don't agree with a material change, you can delete your account before it takes effect.
13Contact us
Questions, requests, or complaints about how we handle your data: