1. Introduction
Shiftline AI Ltd ("we", "us", "our", or "the Company") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we handle personal data across Shiftline websites, products, services, and customer-controlled data-processing arrangements.
This policy is intended to provide clear public information. It does not replace a signed customer agreement, order form, statement of work, or data processing addendum, which will control if there is any conflict.
2. Our role
For customer-controlled workflow data, Shiftline AI Ltd usually acts as a processor under UK GDPR and EU GDPR. The customer determines the purposes and means of processing and is responsible for ensuring that it has a lawful basis, notices, consents, and internal authority for the data and systems it connects to Shiftline.
For limited business operations, such as website enquiries, supplier administration, contracting, billing, account management, security, and legal compliance, Shiftline may act as an independent controller. We limit this processing to what is necessary for those business purposes.
3. Processing principles
We process customer personal data only to provide, secure, support, monitor, and improve the contracted services; to follow documented customer instructions; to comply with law; and to establish, exercise, or defend legal claims. We do not sell customer personal data, use it for advertising, or use customer workflow content for unrelated commercial profiling.
4. AI model processing and Google Cloud Vertex AI
Shiftline uses Google Cloud Platform, including Vertex AI, for managed model inference and related cloud services where appropriate for a customer deployment. Customer content submitted to managed model services is processed to provide the requested service output, subject to the customer’s configuration, the applicable agreement, and Google Cloud’s data-processing terms.
We do not permit customer content submitted through Shiftline-managed Vertex AI model calls to be used to train or fine-tune foundation models unless the relevant customer expressly instructs or agrees to that use in writing. Optional request-and-response logging is not enabled by default for customer deployments unless required by the agreed solution, security investigation, support need, or customer-approved configuration.
Some transient processing, abuse-prevention logging, service-performance caching, or feature-specific retention may occur under Google Cloud terms and service configuration. Where a customer requires specific residency, retention, or zero-retention controls, those requirements should be agreed in the order form, statement of work, DPA, or security schedule before production use.
5. Security measures
We implement appropriate technical and organisational measures designed to protect personal data. These include access controls, least-privilege permissions, authentication controls, encryption in transit, environment segregation where appropriate, vendor review, staff confidentiality obligations, incident-response procedures, and security monitoring appropriate to the nature of the service.
No online service can guarantee absolute security. Customers remain responsible for configuring their own systems, user permissions, connected applications, data minimisation, endpoint security, and internal approval processes.
6. Sub-processors
We may use vetted sub-processors to provide cloud hosting, model inference, storage, monitoring, support, communications, and operational services. We require sub-processors to protect personal data under appropriate contractual, security, and confidentiality obligations. Our current public sub-processor summary is available on the Legal & Compliance page.
| Provider | Typical location / scope | Purpose |
|---|---|---|
| Google Cloud Platform, including Vertex AI | Region depends on customer configuration, service availability, and agreed deployment requirements | Cloud infrastructure, managed model inference, storage, logging, security, and related platform services |
| Amazon Web Services | Region depends on configuration | Cloud infrastructure and related services where used for a customer deployment |
| Operational service providers | UK, EEA, United States, or other locations depending on service | Email, support, monitoring, analytics, contracting, and business operations, limited to the relevant service need |
7. International data transfers
Where personal data is transferred outside the UK or EEA, we use appropriate safeguards such as adequacy regulations, the UK International Data Transfer Addendum, Standard Contractual Clauses, or another lawful transfer mechanism. Specific transfer commitments can be documented in the customer DPA or order form.
8. Data subject rights
Because Shiftline usually acts as a processor for customer workflow data, data subjects should direct rights requests to the relevant customer. We will provide reasonable assistance to customers for access, correction, deletion, portability, objection, and restriction requests where required by applicable law and our agreement.
9. Retention and deletion
Customer personal data is retained for the period required to provide the contracted services, comply with documented customer instructions, meet legal obligations, resolve disputes, secure the service, and maintain business records. On termination or customer instruction, we will delete or return customer personal data in accordance with the relevant agreement, technical feasibility, backup cycles, and applicable law.
10. Compliance, audits, and assistance
We assist customers with reasonable security, DPIA, transfer, and procurement reviews. Any audit rights are subject to reasonable notice, confidentiality, scope limitations, security requirements, and measures designed to protect other customers, systems, trade secrets, and commercially sensitive information.
11. Changes to this policy
We may update this Privacy Policy to reflect changes in our services, vendors, security practices, or applicable law. Material changes will be communicated to affected customers where required by contract or law.
12. Contact
Shiftline AI Ltd
Company No. 15046282 · ICO Registration: ZB916195
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Privacy and DPA enquiries: privacy@shiftline.ai
Commercial and procurement enquiries: hello@shiftline.ai
ICO: ico.org.uk
This Privacy Policy is governed by the laws of England and Wales and is designed to support compliance with UK GDPR, EU GDPR, and the UK Data Protection Act 2018.