Privacy policy

Data Controller

Shadow SAS, a simplified joint stock company (société par actions simplifiée) registered in the Paris Trade and Companies Register under number 891 586 299 ("Shadow" or the "Company"), is responsible for the processing of personal information collected and processed via the Company's websites (the "Websites"), the Shadow devices, products, services, online stores and applications referring to this privacy policy (hereinafter together the "Shadow Services"). All relevant information concerning the Company, including its address, is indicated on the legal notices page.

Scope and purpose

This privacy policy (the “Privacy Policy”) applies to all Shadow Services and their users (the “Users”). Its purpose is to inform Users about the way Shadow processes Personal Data.

Personal data

Personal data is any information that directly or indirectly identifies a User (“Personal Data”).

Anonymised information, which is understood as Personal Data that has been processed appropriately to make it irreversibly non-identifiable, is excluded from the definition of Personal Data.

Source of Personal Data

The Personal Data processed by Shadow comes from three sources:

  • Personal Data provided by the User: this is the data that the User sends us himself/herself, in particular when registering with the Shadow Services (whether or not the User completed the subscription to any of the Shadow Services), in the context of communication that he/she sends to Shadow (for example, a request for assistance), or when he/she agrees to respond to a survey;
  • Personal Data collected via the use of the Shadow Services: this data is generated by or collected on the occasion of the use of the Shadow Services (for example, the identification and characteristics of the terminals used to access the Shadow Services, the generation of logs, etc.);
  • Input data collected through the use of the Shadow conversational tool (“Shadow Chatbot”): this is the data resulting from the conversation, which you have agreed to communicate to us. This data is anonymized.
  • Personal Data collected via other sources: this is data that is transmitted to us via third parties with whom we contract, in particular subcontractors and partners (for example, the terminal delivery data that is provided to us by our logistics partner).

Personal Data collected

Shadow does not collect any Personal Data relating to the use made by Users of their Shadow, unless the processing is necessary for the proper functioning of the Shadow Services or their optimization or if the User has explicitly given his or her consent.

Shadow may collect Personal Data when a User uses the Shadow Services, and in particular the following data (each category of data includes non-exhaustive examples enabling a better understanding of the type of data collected):

  • personal details and identification data (marital status, surname, first name, date of birth, address, telephone, email, pseudonym, Apple ID, Discord ID). This is the data that the User completes when he/she registers for the Shadow Services or that he/she completes on his/her customer space;
  • data concerning personal life (country of residence, language, habits, preferences). This data includes, notably, the country of residence, the language spoken by the User, responses to surveys, or the period of the day that the User prefers to use the Shadow Services;
  • economic and financial data (invoicing, bank data, payment status, subscription type). This is data relating to the invoicing and payment of Shadow Services when they are paid-for (amount due, amount paid, payment dates, etc.), as well as the payment method used (payment method, expiry date of the bank card, etc.);
  • connection data (user names, logs, IP address, identification and characteristics of the terminals used to access the Shadow Services, Internet provider, characteristics and quality of the Internet connection). This data includes, notably, but is not limited to, connections to Shadow Services, terminal identification and characteristics used to connect (e.g., Shadow Ghost, or Windows 10 PC with embedded graphics card), as well as connectivity-related data (e.g., Orange network, fibre, Ethernet connection, transfer speed, packet loss, etc.);
  • Internet data in connection with browsing on the Websites (currently shadow.tech) (browsing data on the Websites, cookies, tracers, audience measurements). For example, a visit to the Community page of the shadow.tech Website, or use of the social aspects (YouTube, Twitter, etc.) of the Website;
  • usage data (use and status of the Shadow Services, type and version of the applications used, version of the services used, degree of use and status of the hardware and connectivity, list, settings and times of use of installed programs and applications, including video games and game launchers). This data is, for example, the fact that a User’s Shadow is in use, the functional status of all services, the use of the macOS application in production v1.0.2 version, the status of the graphics card (in operation, normal temperature), the status of the connectivity (unstable Internet connection at the User’s Internet service provider level, functional Internet connection at the Shadow level), etc.;
  • communication data (satisfaction of Users, messages to the Support Department, messages on social networks or forums, communications sent to the Company). Examples include tickets sent to the Support Department, messages posted on social networks or forums, or responses to satisfaction surveys.

The Personal Data collected varies according to the Shadow Users and the Services they use (for example, some data only concerns Shadow's Websites, others only the Shadow service). Furthermore, some of this data is only processed with the agreement of the User (see the “Legal basis for processing” section).

For the Shadow Chatbot, input data is not linked to any Personal Data. No Personal Data is requested at the beginning, during or at the end of the conversation. Input Data is only linked to a key that allows it to be identified. Shadow and its Partners collect only the Data entered.

Shadow does not process or collect sensitive data.

Purpose of processing

Shadow processes Personal Data for the purpose of operating, providing, improving and informing about Shadow Services. In particular, depending on the Shadow Services used, Personal Data may be processed for the purposes described below.

Firstly, we process part of your data in order to allow the proper functioning and provision of the Shadow Services, including the management of the contractual and commercial relationship (orders, subscriptions, invoicing, accounting, outstanding payments, etc.), the proper technical and administrative functioning of the Shadow Services, the provision of the Shadow Services, assistance with the use of the Shadow Services, the reply to requests and questions from Users as well as the sending of notifications in the event of a technical incident.

For example, Shadow processes your Personal Data to manage your subscription, to respond to support requests from Users, or to notify Users of maintenance or an incident.

Secondly, we process part of your Personal Data in order to improve and optimise the Shadow Services, which includes measuring and improving the quality of the Shadow Services and User satisfaction, following the navigation of the User, producing statistics on the Shadow Services and their use, managing and optimising the operation of the servers, providing Shadow Services in line with the needs of the Users, in particular on the equipment making up the servers, as well as defining User profiles to enable the improvement and optimisation of the Shadow Services.

For example, Shadow processes your Personal Data to measure the impact of an update through user satisfaction or the Shadow usage rate, to manage server cooling, or to determine whether a User is more likely to use Shadow in the morning or in the evening.

We also process part of your Personal Data for the purposes of communication and marketing, including providing information and news, managing the registration of Users for the newsletter and notifications, carrying out surveys, setting up contests and advertising games, by random draw or by any other means, communication relating to new Shadow Services, commercial or promotional offers, whether targeted or not, as well as the setting up of partnerships with third parties.

For example, Shadow processes your Personal Data to send Users a newsletter, to propose surveys or contests, or to offer a new service or an option.

Finally, we also process part of your Personal Data for the purpose of verifying and ensuring the use of the Shadow Services in accordance with the Terms of Use and the applicable laws, to ensure the security and integrity of the systems, to comply with our legal obligations, including the compliance of the contractual and commercial relationship with the obligations in force, as well as the response to requests from administrative authorities or legal requisitions, in accordance with current legislation.

For example, Shadow processes your Personal Data to ensure that you are the holder of a Shadow account, to prevent or stop a breach of the integrity of a server, or to process User requests relating to their Personal Data.

Storage duration

Depending on the processing carried out on Personal Data, retention periods may vary between 1 and 10 years:

  • Personal Data processed as part of the performance of a contract or pursuant to a legal obligation will be retained for a maximum of 10 years from the end of the contractual relationship;
  • Personal Data processed on the basis of consent will be kept for a maximum of 3 years from the date of consent, unless the User requests deletion;
  • Personal Data processed in the context of a legitimate interest will be kept for a maximum of 5 years from the end of the contractual relationship;
  • Typebot and OpenAI keep the Input Data for a maximum of 30 days. Also, Shadow keeps the Input Data for a period of 30 days. This input data is anonymized by means of a key.

    Once the retention periods have expired, Shadow will delete or anonymize the Personal Data concerned.

    Sharing and transferring Personal Data

    In order to carry out the processing necessary for the purposes described in this Privacy Policy, Shadow may transfer Personal Data outside the European Union.

    These transfers are mainly due to the location of the subcontractors we have chosen. When these are established outside the European Union, Shadow ensures that the legal framework of the country in question provides a satisfactory level of security, or implements the procedures required to obtain the necessary guarantees for the security of transfers. Wherever possible, Shadow ensures that the service provider is certified by the Data Privacy Framework when established in the United States.

    You can also connect to your SHADOW account via:

    • When you authenticate with Google, you can use your Google account to log in to your SHADOW account. By logging in with Google, you authorize Google to share certain personal data, including your e-mail address, name and photo. SHADOW will not have access to your Google account data. For more information, please consult Google's privacy policy by following this link.
    • When you authenticate with Apple, you authorize Apple to give SHADOW your e-mail address. SHADOW has no access to your Apple account. Apple will have no access to your SHADOW account. SHADOW does not transmit any data to Apple. For more information, please consult Apple's privacy policy by following this link.
    • When you authenticate with Microsoft, you share with us only the data required for your authentication (e-mail address and name if necessary). For more information, please consult Microsoft's privacy policy by following this link.
    • When you authenticate with Discord, you share with us only the data required for your authentication (e-mail address). To learn more, please consult Discord's privacy policy by following this link.

    Cookies

    Use of the Websites also involves the use of Cookies, web beacons or other mechanisms such as pixels (“Cookies”). For more information about Cookies and their use, please refer to the Cookies Charter.

    Rights of Users

    Right of access, rectification and opposition

    The User has a right to access and correct the Personal Data concerning him/her, which he/she may exercise by going to his/her User Account.

    With regard to the right of opposition, the User may object to the processing of his/her Personal Data, within the limits of applicable law and with the exception of processing for which there are legitimate and compelling reasons for the processing of Personal Data (for example, the User may object to the processing of his/her Personal Data for marketing purposes).

    Right to restriction of processing

    The User may request the restriction of processing of his/her Personal Data in the following cases and according to the following procedures:

    • The User considers that the processing of his/her Personal Data is unlawful: he/she therefore opposes the erasure of the Personal Data and requires instead a restriction of its use (for example, in the event of identity theft);
    • The User disputes the accuracy of the Personal Data: he/she requests the restriction of processing for the period necessary to verify the accuracy of the Personal Data;
    • The User wishes his/her Personal Data to be retained for the establishment, exercise or defence of his/her legal rights: the Personal Data is no longer necessary for the provision of the Shadow Services, but we will store it at the User's request.

    In the event that a processing restriction has been put in place, the Personal Data will only be processed, with the exception of storage, with the User’s consent, except (i) for the protection of the rights of another natural or legal person, or (ii) for important reasons of public interest.

    In the event that the restriction on processing is lifted, the User shall be informed thereof by an appropriate means (email or letter, for example).

    Right to erasure of Personal Data

    Also called the right to be forgotten, the User may request the exercise of his or her right to erasure. By exercising this right, the User requests that his/her Personal Data be erased.

    In accordance with applicable law, this right applies to the following two categories of Personal Data:

    • Personal Data that is no longer necessary for the purposes for which it was collected or processed; and
    • Personal Data whose processing is based on the User’s consent (e.g. the sending of newsletters).

    Right to portability of Personal Data

    The User may request that he/she receive his/her Personal Data in a structured, commonly used and machine-readable format.

    In accordance with applicable law, this right:

    • applies if the data is processed automatically on the basis of consent or the execution of a contract;
    • is limited to the Personal Data provided by the relevant User; and
    • must not infringe the rights and freedoms of third parties.

    Right not to be subject to an automated individual decision

    The User may request not to be the subject of a fully automated decision.

    Exercise of rights

    To exercise any of these rights, the User is invited to send an email to the following address: [email protected].

    A reply will then be sent to the User in response within one (1) month of the request. This deadline may exceptionally be extended to two (2) months, depending on the complexity of the request or the number of requests to be processed. The User will then be informed of the extension of the deadline by email.

    For the purposes of confidentiality and protection of Personal Data, a copy of an identity document signed by the User must be included in the request.

    Any requests that are manifestly unfounded or excessive, in particular because of their repetitive nature, may give rise to a refusal to act on the requests or to subordinate the response to the payment of reasonable costs taking into account the administrative costs incurred to process the request.

    In the event of an unsatisfactory response, you can contact the CNIL.

    Updates

    Shadow reserves the right to modify this Privacy Policy at any time and to notify Users of this by any appropriate means. The last update date visible on this page indicates the date of the last changes.

    Date of last update: May 2024