1. Introduction
Shiftline AI Ltd ("we", "us", "our", or "the Company") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we handle personal data in our capacity as a Data Processor under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
This policy applies to all products, websites, and services operated by Shiftline AI Ltd. One company. One privacy policy.
2. Our role as Data Processor
Shiftline AI Ltd acts as a Data Processor under GDPR and UK data protection law. Our customers act as Data Controllers who determine the purposes and means of processing personal data. We process personal data solely on behalf of and according to the documented instructions of our customers, and we do not determine the purposes for which personal data is processed.
Customers retain full ownership and control of all personal data submitted to our systems. We do not claim any ownership rights over customer personal data.
3. Data processing principles
We process personal data only:
- As explicitly instructed by our customers through our services.
- To provide the contracted services to our customers.
- To comply with legal obligations where required by law.
- For the establishment, exercise, or defence of legal claims.
We do not:
- Use personal data for advertising purposes.
- Sell personal data to third parties.
- Process personal data for our own commercial purposes beyond service provision.
- Share personal data with third parties except as instructed by customers or required by law.
- Use personal data for profiling, marketing, or analytics beyond what is necessary for service delivery.
4. Data security
We implement appropriate technical and organisational security measures, including encryption of personal data in transit and at rest, access controls and authentication systems, regular security assessments, staff training on data protection requirements, and incident response procedures.
In the event of a personal data breach, we will notify affected customers without undue delay and provide all relevant information to enable customers to fulfil their breach notification obligations.
5. Sub-processors
We may engage sub-processors to assist in providing our services. All sub-processors are bound by data protection obligations equivalent to those in this policy. Customers will be notified of any changes to sub-processors. The current sub-processor list is available at files.shiftline.ai/Shiftline_Sub-processors.pdf.
| Provider | Location | Activity |
|---|---|---|
| Amazon Web Services | Region depends on configuration | Infrastructure (IaaS) |
| OpenAI | USA | LLM API processing |
6. International data transfers
When personal data is transferred outside the UK/EEA, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs). Copies of our SCCs are available on the Legal & Compliance page.
7. Data subject rights
Since we act as a Data Processor, data subjects should direct rights requests to the relevant Data Controller (our customer). We will assist customers in responding to data subject rights requests, including the right of access and data portability, right to rectification and erasure, right to restrict processing, and right to object to processing.
8. Data retention and deletion
Personal data is retained only as long as instructed by customers. We do not retain personal data for our own purposes beyond service provision. We will delete or return personal data upon customer instruction or termination of services, using secure deletion procedures.
9. Compliance and audit rights
We cooperate with data protection authorities as required and assist customers with data protection impact assessments when applicable. Customers have the right to audit our data processing activities subject to confidentiality agreements.
10. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated to customers with reasonable advance notice.
11. Contact
Shiftline AI Ltd
Company No. 15046282 · ICO Registration: ZB916195
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Data Protection Officer: [email protected]
Privacy enquiries: [email protected]
ICO: ico.org.uk
This Privacy Policy is governed by the laws of the United Kingdom and is designed to comply with GDPR and the UK Data Protection Act 2018.