ShadowCMO Legal Documentation
Effective Date: November 13, 2025
Last Updated: November 13, 2025
ShadowCMO ("we", "us", "our") is committed to protecting your personal data and respecting your privacy.
This Privacy & Cookie Policy explains how we collect, use, and safeguard personal information when acting as:
- A Data Controller for our own business operations (marketing, account administration, analytics, support)
- A Data Processor when processing Customer Data on behalf of Customers using our Services, as governed by our Data Processing Agreement (DPA)
By using our website or Services, you consent to the practices described in this Policy.
ShadowCMO is owned and operated by ISW AI Venture, a sole proprietorship registered in the Netherlands.
We provide SaaS tools, AI-enabled features, analytics, and digital automation services globally (excluding embargoed countries).
Company Registration: Chamber of Commerce (KvK) number 98769723
VAT ID: NL005352781B94
Registered Address: Roosbergsweg 12A, 4854PM Bavel, Netherlands
Contact Information:
- Email: dpo@shadowcmo.com
- Website: www.shadowcmo.com
Data Protection Officer: dpo@shadowcmo.com
This Policy applies to:
- Visitors to www.shadowcmo.com
- Users who create accounts or use our Services
- Customers who subscribe to paid plans
- Prospects who contact us or request information

This Policy does NOT cover:
- Customer Data processed on behalf of our customers (see Data Processing Agreement)
- Third-party websites or services linked from our Platform
We process personal data under the following legal bases (GDPR Article 6):
| Purpose | Legal Basis |
|---|---|
| Account creation and service delivery | Contract performance (GDPR Art. 6(1)(b)) |
| Payment processing and billing | Contract performance (GDPR Art. 6(1)(b)) |
| Marketing communications (with consent) | Consent (GDPR Art. 6(1)(a)) |
| Analytics and service improvement | Legitimate interests (GDPR Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interests (GDPR Art. 6(1)(f)) |
| Legal compliance (tax, accounting) | Legal obligation (GDPR Art. 6(1)(c)) |
You have the right to object to processing based on legitimate interests.
Account Registration:
- Name, email address
- Password (stored as bcrypt hash only)
- Company name, role/title (optional)
- Profile photo (optional)

Payment Information:
- Billing address, VAT number (if applicable)
- Payment method details (processed securely by our payment provider)

Communications:
- Support inquiries, feedback, survey responses
- Chat messages with customer support

Content You Create:
- Campaign names, brand guidelines, creative briefs
- Images, logos, product photos uploaded to Asset Library
- AI-generated outputs (images, videos, copy)

Technical Data:
- IP address, browser type, device identifiers
- Operating system, screen resolution
- Cookies and similar tracking technologies (see Section 15)

Usage Data:
- Pages visited, features used, time spent
- Campaign creation history, export activity
- Error logs and diagnostic information

Performance Data:
- API response times, system performance metrics
- Anonymised usage patterns for service optimization

OAuth Authentication (if enabled):
- Name, email, profile picture from Google/Microsoft/LinkedIn

Payment Providers:
- Transaction confirmations, payment status updates
We use personal data for the following purposes:
We do NOT sell, rent, or trade your personal data.
We share personal data only in the following circumstances:
We engage trusted third-party service providers to help deliver the Services. These providers process personal data on our behalf under strict contractual obligations.
Current Sub-Processors (full list at www.shadowcmo.com/subprocessors):
| Category | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Hosting, compute, networking | USA |
| Managed database provider | PostgreSQL database services | USA |
| Object storage provider | File and media storage | USA |
| AI model providers | Natural language processing, image/video generation | USA |
| Media transformation provider | Image and video processing | Ireland/USA |
| Email service provider | Transactional email delivery | USA |
| Data enrichment provider | Web scraping for competitor analysis | USA |
All Sub-Processors are required to:
- Implement GDPR-compliant security measures
- Process data only as instructed by ShadowCMO
- Enter into Data Processing Agreements (Article 28 GDPR)
- Notify us of any data breaches within 72 hours

We may disclose personal data if required by law, including:
- Court orders, subpoenas, or legal process
- Requests from law enforcement or government authorities
- To protect our rights, property, or safety
- To enforce our Terms & Conditions
We will notify you of such requests unless legally prohibited.
If ShadowCMO is acquired, merged, or sells assets, personal data may be transferred to the acquiring entity. We will notify you and ensure equivalent privacy protections.
We may share personal data with third parties if you explicitly consent (e.g., integrating with third-party marketing tools).
Personal data may be transferred outside the European Economic Area (EEA) and United Kingdom to countries that do not provide an adequate level of data protection.
We safeguard international transfers using:
Details available in our Data Processing Agreement.
We retain personal data only as long as necessary for the purposes outlined in this Policy or as required by law.
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account data | Duration of subscription + 30 days | Contract performance |
| Customer Data | Duration of subscription + 90 days (backups) | Contract performance |
| Billing records | 7 years after last transaction | Legal obligation (tax laws) |
| Support communications | 2 years after case closure | Legitimate interests |
| Marketing consent | Until consent withdrawn + 30 days | Consent |
| Anonymised analytics | Indefinitely (no personal data) | N/A |
After retention periods expire, we permanently delete or anonymise personal data.
We implement industry-standard technical and organisational security measures to protect personal data, including:
Full security details in our Data Processing Agreement – Annex III.
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:
You can request a copy of the personal data we hold about you.
You can request correction of inaccurate or incomplete personal data.
You can request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
You can request that we limit processing of your personal data in certain circumstances.
You can request your personal data in a machine-readable format (JSON, CSV).
You can object to processing based on legitimate interests or for direct marketing purposes.
Where processing is based on consent, you can withdraw consent at any time without affecting prior processing.
You can file a complaint with your local Data Protection Authority.
For the Netherlands:
Autoriteit Persoonsgegevens (Dutch DPA)
Bezuidenhoutseweg 30
2594 AV, The Hague, The Netherlands
Website: https://autoriteitpersoonsgegevens.nl
To exercise any of the rights above, contact us at:
Email: dpo@shadowcmo.com
Subject Line: "Data Subject Access Request - [Your Name]"
Include in your request:
- Full name and email address associated with your account
- Specific right you wish to exercise (e.g., access, deletion, rectification)
- Description of the data or action requested
To protect your privacy and prevent unauthorized access, we follow a documented three-step identity verification workflow before fulfilling data subject requests:
Step 1: Email Confirmation
- You must submit the request from the email address registered to your account
- We send a verification link to confirm email ownership
- The verification link expires after 24 hours
- Audit log entry created: "Data Subject Request Initiated - Email Verification Sent"

Step 2: Account Verification
- You must provide at least two of the following:
  - Your account username
  - Date of last login (approximate within 7 days)
  - Name of your most recent campaign or enriched asset
  - Subscription plan level
- We verify these details match our system records
- Audit log entry created: "Identity Verification - Account Details Matched"

Step 3: Enhanced Verification (for High-Risk Requests)
- For account deletion, bulk data export, or administrative changes, we require:
  - Government-issued photo ID (passport, driver's license, national ID card)
  - ID must match the name on the account
- ID documents are securely stored for 30 days, then permanently deleted
- Alternative: Video verification call with our Data Protection Officer
- Audit log entry created: "Enhanced Verification Completed - Government ID Validated" OR "Enhanced Verification Completed - Video Call"
Audit Trail: All identity verification steps are logged with timestamps and stored securely for 2 years to demonstrate GDPR Article 12 compliance.
Response Timeline:
- Standard requests: 30 days from successful identity verification
- Complex requests: Up to 90 days (we will notify you of the extension and reasons within the first 30 days)
- Rejected requests: We will explain the reasons and your right to lodge a complaint with a supervisory authority
The Services are not intended for children under 16 (or applicable local minimum age).
We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided personal data, we will:
- Delete the data immediately
- Notify the account holder
- Terminate the account
Parents/Guardians: If you believe your child has provided personal data, contact us at dpo@shadowcmo.com immediately.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
You can request disclosure of:
- Categories of personal information collected
- Sources of personal information
- Business purposes for collection
- Categories of third parties with whom we share data
You can request deletion of personal information we collected from you, subject to legal exceptions.
We do NOT sell personal information. We do not share personal information for cross-context behavioral advertising.
You have the right to non-discriminatory treatment for exercising your CCPA rights.
To exercise CCPA rights, contact: dpo@shadowcmo.com
Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including access, correction, and complaint rights.
Brazilian residents have rights under the Lei Geral de Proteção de Dados (LGPD), including access, rectification, deletion, and portability.
Residents outside the EU/EEA: You may have additional privacy rights under laws such as CCPA (California), PIPEDA (Canada), LGPD (Brazil), or other local privacy regulations.
We respect all applicable privacy laws. To exercise your rights or learn more about how your local laws apply, contact us at dpo@shadowcmo.com or consult your local data protection authority.
Cookies are small text files stored on your device when you visit a website. They help us provide a better user experience.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security | Session / 30 days |
| Functional | Remember user preferences (language, timezone) | 1 year |
| Analytics | Understand usage patterns, improve performance | 2 years |
| Marketing (if applicable) | Personalized marketing, retargeting ads | 1 year |
We do NOT use third-party advertising cookies without explicit consent.
You can control cookies through your browser settings:
- Google Chrome: Settings > Privacy and Security > Cookies
- Firefox: Options > Privacy & Security > Cookies and Site Data
- Safari: Preferences > Privacy > Manage Website Data
Note: Disabling strictly necessary cookies may affect Platform functionality.
We respect "Do Not Track" browser signals where technically feasible. However, there is no industry standard for DNT compliance.
We may update this Privacy & Cookie Policy to reflect changes in:
- Our data practices
- Legal or regulatory requirements
- New features or services

We will notify you of material changes by:
- Posting the updated Policy at www.shadowcmo.com/privacy
- Updating the "Last Updated" date at the top of this Policy
- Sending email notification for significant changes (if you have an account)
Your continued use of the Services after changes constitutes acceptance of the updated Policy.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Officer
Email: dpo@shadowcmo.com
Website: www.shadowcmo.com
Registered Address: Roosbergsweg 12A, 4854PM Bavel, Netherlands
Postal Mail:
ISW AI Venture (ShadowCMO)
Roosbergsweg 12A
4854PM Bavel
Netherlands
For GDPR-related complaints:
You may also contact your local Data Protection Authority. For the Netherlands:
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
2594 AV, The Hague, The Netherlands
Phone: +31 (0)70 888 8500
Website: https://autoriteitpersoonsgegevens.nl
END OF PRIVACY & COOKIE POLICY