Privacy Policy
Effective Date: May 13, 2026

1. Who We Are

ShiftLoom ("ShiftLoom," "we," or "us") owns and operates an early-stage AI platform for startup execution, currently operating as a closed pilot. This policy reflects how we handle data during the pilot phase and will be updated as the product evolves. Access is by invitation only. shiftloom.io is informational only; the platform is accessible through a separate link provided on request. Contact: shiftloomhub@gmail.com

2. Who This Applies To

This policy applies to testers granted access to the ShiftLoom platform. Access is by invitation only and requires prior consent. shiftloom.io is informational only; the platform is accessible through a separate link provided on request.

3. What Data We Collect and Access

Account data: we store your email address, encrypted password, and organization name, used solely to authenticate you and scope your data to your organization. Integration data: when you connect your tools, ShiftLoom reads data from your connected integrations via OAuth. This covers project management tools, messaging platforms, and documents. The specific fields accessed depend on which tools you connect and are described within the platform at the time of connection. OAuth credentials are managed entirely by Nango, a credential proxy. Integration tokens never reach or are stored in ShiftLoom's application code.

4. What We Do With Your Data

Integration data is converted into vector embeddings using Voyage AI and stored in a private, organization-scoped vector store. This powers the AI insights feature. Insights are generated by Claude (Anthropic) based on retrieved chunks of your data. Storage is enforced with row-level security per organization in Supabase. No account can access another organization's data. We do not use your data to train AI models, share it with other customers, or use it for any purpose outside of generating your insights. ShiftLoom uses the Anthropic API under Anthropic's data processing terms; Anthropic does not use API-submitted data to train its models by default.

5. Data Retention and Deletion

When you log out, ShiftLoom stops reading your integration data and stops generating insights. Your data remains stored and is fully restored when you log back in. If you delete your account, all integration data, derived content, and account data are permanently deleted as soon as reasonably practicable, and in any event within 30 days. Raw integration data is not retained in its original form; it is converted to vector embeddings and the raw source data is discarded upon ingestion. You can request full deletion at any time by emailing shiftloomhub@gmail.com.

6. Subprocessors

Supabase: primary database with row-level security per organization. Nango: OAuth credential management; integration tokens never reach ShiftLoom application code. Voyage AI: converts integration data into vector embeddings. Redis: short-term caching of generated insights. Inngest: orchestrates background sync jobs. Anthropic (Claude): generates AI insights from your data; does not use API-submitted data to train its models by default. Vercel: hosts and serves the ShiftLoom application. Sentry: error monitoring and performance tracking.

7. Security

Data is isolated per organization using row-level security. OAuth credentials never touch application code. All data in transit and at rest is encrypted. Background sync jobs run in isolated functions with no shared state between organizations. Account passwords are stored encrypted and never exposed.

8. Your Rights

You may request access to, correction of, or deletion of your data at any time by emailing shiftloomhub@gmail.com. We will respond within one calendar month.

9. International Users

The platform is currently available to users in the United States and United Kingdom only. UK users acknowledge that ShiftLoom processes personal data as a data controller and will handle it in accordance with applicable UK data protection law. The lawful basis for processing personal data of UK users is performance of a contract (providing the platform) and, where applicable, legitimate interests. UK users may exercise data subject rights (access, correction, deletion, portability) by contacting shiftloomhub@gmail.com. UK users also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If ShiftLoom extends access to users in the European Economic Area or Switzerland, a Data Processing Agreement and related GDPR compliance documentation will be provided before such access is granted.

10. Changes to This Policy

For material changes, we will notify you by email at least 7 days before they take effect. Changes will also be posted at shiftloom.io with an updated effective date. Continued use after that date constitutes acceptance.

11. Contact

shiftloomhub@gmail.com shiftloom.io