Privacy Policy

Last Updated: 23 February 2026

Version: 1.0

1. Introduction

Shadow Intelligence Pty Ltd ("ShadowIQ", "we", "us", or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our threat intelligence platform and services.

This policy complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the European Union's General Data Protection Regulation (GDPR).

2. Information We Collect

2.1 Personal Information

We collect the following types of personal information:

  • Account Information: Name, email address, organization name, Microsoft Azure AD tenant ID
  • Contact Information: Email addresses and phone numbers for security alerts
  • Location Data: Real-time GPS coordinates, altitude, speed, heading, accuracy (only with explicit consent)
  • Usage Data: IP addresses, browser type, device information, pages visited, time spent on platform
  • Payment Information: Processed securely by Stripe (we do not store full credit card details)
  • Emergency Information: Emergency contact details, medical information (voluntary)
  • Communication Data: Messages sent through our platform, support requests

2.2 Automatically Collected Information

  • Cookies and similar tracking technologies
  • Log files (IP address, timestamp, pages accessed)
  • Device information (operating system, browser version)

3. How We Use Your Information

We use your information for the following purposes:

  • Service Delivery: Provide threat intelligence, security alerts, and monitoring services
  • Safety & Security: Track traveler locations during operations, send emergency alerts
  • AI Analysis: Process alerts and data using OpenAI for risk assessment (with your consent)
  • Communication: Send service updates, security notifications, and marketing (opt-in only)
  • Payment Processing: Process subscriptions and payments via Stripe
  • Platform Improvement: Analyze usage patterns, fix bugs, develop new features
  • Legal Compliance: Comply with legal obligations, prevent fraud, protect our rights

Legal Basis for Processing (GDPR)

  • Consent: Location tracking, marketing communications, AI processing
  • Contract: Service delivery, account management, payment processing
  • Legitimate Interest: Security monitoring, fraud prevention, platform improvement
  • Legal Obligation: Compliance with laws, responding to legal requests

4. Data Sharing and Third Parties

We share your data with the following third parties:

| Service Provider    | Purpose                  | Data Shared              | Location      |
|---------------------|--------------------------|--------------------------|---------------|
| Microsoft Azure     | Authentication, hosting  | Email, name, tenant ID   | Australia/USA |
| OpenAI              | AI-powered risk analysis | Alert content, queries   | USA           |
| Stripe              | Payment processing       | Email, payment info      | USA/EU        |
| Twilio              | SMS notifications        | Phone numbers, messages  | USA           |
| Azure Communication | Email notifications      | Email addresses, content | Australia/USA |

International Transfers: We use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to countries outside the EU/EEA. All third parties are contractually obligated to protect your data.

5. Your Privacy Rights

5.1 GDPR Rights (EU/EEA Users)

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Delete your account and data ("right to be forgotten")
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Restrict Processing: Limit how we use your data
  • Right to Withdraw Consent: Revoke consent for location tracking, marketing, etc.

5.2 Australian Privacy Rights

  • Access your personal information held by us
  • Request correction of inaccurate information
  • Complain to the Office of the Australian Information Commissioner (OAIC)

5.3 How to Exercise Your Rights

To exercise any of these rights:

  • Email: privacy@shadowiq.io
  • In-App: Visit Settings → Privacy & Data
  • Data Export: Settings → Privacy & Data → Export My Data
  • Account Deletion: Settings → Privacy & Data → Delete My Account

We will respond to your request within 30 days (GDPR) or 30 days (Australian Privacy Act).

6. Data Retention

We retain your data for the following periods:

  • Account Data: Duration of account + 3 years after deletion
  • Alerts & Intelligence: 2 years from creation
  • Location Data: 30 days for active users, 7 days after inactivity
  • Audit Logs: 7 years (legal requirement)
  • Payment Records: 7 years (tax compliance)
  • Emergency Events: 5 years
  • Marketing Consents: Until withdrawn or 2 years of inactivity

After retention periods expire, data is either permanently deleted or anonymized.

7. Data Security

We implement industry-standard security measures:

  • Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access, Azure AD authentication with MFA
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Audit Logging: All data access logged and monitored
  • Incident Response: Documented breach notification procedures
  • Vendor Security: All processors meet SOC 2 Type II or equivalent standards

Despite our security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

8. Cookies and Tracking

We use the following types of cookies:

  • Essential Cookies: Required for authentication and security (CSRF protection)
  • Analytical Cookies: Understand how you use our platform (requires consent)
  • Preference Cookies: Remember your settings (theme, language)

You can manage cookie preferences in our Cookie Consent banner or in your browser settings. Disabling essential cookies may affect platform functionality.

9. Children's Privacy

Our services are not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe we have collected data from a minor, please contact us immediately at privacy@shadowiq.io.

10. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you within:

  • GDPR: 72 hours of becoming aware of the breach
  • Australian Privacy Act: 30 days as required by the Notifiable Data Breaches scheme

Notifications will include the nature of the breach, data affected, potential consequences, and mitigation steps.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be notified via email or platform notification.

Continued use of our services after changes constitutes acceptance of the updated policy.

12. Contact Information

Shadow Intelligence Pty Ltd

Email: privacy@shadowiq.io

Data Protection Officer: dpo@shadowiq.io

Address: [Insert Australian Business Address]

ABN: [Insert ABN]

Complaints and Disputes

If you have concerns about how we handle your personal information:

  • Internal Complaint: privacy@shadowiq.io (we will respond within 30 days)
  • OAIC (Australia): www.oaic.gov.au
  • EU Data Protection Authority: Contact your local supervisory authority

Acknowledgment: By using ShadowIQ, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

© 2026 Shadow Intelligence Pty Ltd. All rights reserved.