Privacy Policy
How we collect, use, and protect your information when you use our platform.
Posted: May 9, 2025
1. Who we are
White Shoe AI, Inc. ("White Shoe AI," "we," "us," or "our") is a Delaware corporation that develops and operates the White Shoe AI software-as-a-service platform and the websites located at white-shoe.ai (collectively, the "Services").
2. Scope of this Policy
This Policy explains how we collect, use, disclose, and safeguard personal information when you visit our websites, create an account, or otherwise interact with the Services. It applies when we act as a "controller" under the EU General Data Protection Regulation ("GDPR") and a "business" under the California Consumer Privacy Act as amended by the CPRA ("CCPA"). It does not apply to content you upload that you expressly instruct us to share publicly.
3. Personal information we collect
Category | Examples in our product | How we obtain it |
---|---|---|
Account & profile data | E-mail address, first and last name, subscription tier, company-profile fields (industry, size, jurisdiction, preferred terms) | Provided by you during sign-up or profile edits |
Payment data | Stripe customer ID, subscription ID, partial card details | Collected by Stripe during checkout and returned to us via secure token |
User-generated content | Files uploaded to your contract repository, chat prompts, LLM outputs, handbook-analysis results | Provided by you when you use platform features |
API credentials (optional) | Slack token, Gmail API key | Provided by you in settings |
Usage & log data | IP address, device/browser type, request timestamps, recent feature interactions | Collected automatically by our servers, Vercel, and Upstash |
Cookies & similar tech | Session cookies (Supabase sb-access-token, sb-refresh-token), preference cookies | Set automatically when you use the Services |
We do not intentionally collect sensitive personal information (SPI) unless you choose to include it in uploaded content.
4. How and why we use personal information
Purpose | Legal basis under GDPR | Typical data |
---|---|---|
Provide, maintain, and secure the Services | Contract performance (Art. 6 (1)(b)); legitimate interests (security) | All categories |
Process payments and manage subscriptions | Contract performance | Account, payment data |
Respond to enquiries and send service e-mails | Legitimate interests; contract performance | Contact data |
Improve features and user experience | Legitimate interests | Usage data, aggregated prompts |
Detect, prevent, and investigate fraud or abuse | Legitimate interests; legal obligation | Log data |
Comply with legal obligations (tax, accounting) | Legal obligation (Art. 6 (1)(c)) | Account, transaction records |
Conduct direct marketing with your opt-in consent | Consent (Art. 6 (1)(a)) | Contact data |
5. How we disclose information
We do not sell personal information. We share it only with:
- Authorised sub-processors that help us run the platform (see Schedule 1).
- Professional advisers (lawyers, accountants) bound by confidentiality.
- Public authorities when required by law or court order.
- Successors in the event of a merger, acquisition, or asset sale.
- Others with your consent or at your direction (e.g., if you enable Slack integration).
6. Cookies and similar technologies
We use strictly-necessary first-party cookies for authentication, load balancing, and user preferences. You can block cookies through your browser, but the Services may not function. If we adopt analytics or advertising cookies in future, we will request consent via a banner.
7. International data transfers
Our primary infrastructure is in the United States. When we transfer personal data from the EEA, UK, or Switzerland, we rely on:
- The EU-U.S., UK, and Swiss-U.S. Data Privacy Framework certifications held by Vercel, Google, Stripe, Slack (Salesforce group), Amazon Web Services, and Upstash.
- The 2021 Standard Contractual Clauses executed with Supabase and any other non-DPF vendor.
- OpenAI's EU data-residency feature, which we enable for EU customers.
We also conduct transfer-impact assessments and implement supplementary safeguards where required.
8. Security
We employ administrative, technical, and organisational measures such as:
- TLS 1.3 encryption in transit and AES-256 encryption at rest
- Envelope encryption of sensitive fields with AWS KMS
- Role-based access control and least-privilege principles
- Continuous monitoring and rate-limiting via Upstash
- Annual penetration tests and vendor due diligence
No internet service is 100% secure; please contact us immediately if you believe your account has been compromised.
9. Data retention
We keep personal data:
- While your account is active and for 30 days after you request deletion (this allows restoration on request).
- Back-ups roll off within 90 days.
- Financial records are retained for up to 7 years to meet tax and audit requirements.
10. Your rights
If you are… | You may… |
---|---|
EEA/UK/Swiss resident | Access, correct, delete, restrict, port, or object to processing; withdraw consent. |
California resident | Know what we collect, correct inaccuracies, delete data, opt out of "sharing," and not be discriminated against for exercising rights. |
Resident of other U.S. states with privacy laws (e.g., CO, VA) | Similar rights as above, as applicable under local law. |
How to exercise your rights:
Send an e-mail to privacy@white-shoe.ai with the subject "Privacy Rights Request" or use the in-app form. We will respond within one month (GDPR) or 45 days (CCPA). We may ask for information to verify your identity.
11. Children
The Services are not directed to children under 18. We do not knowingly collect personal information from children. If you believe we have done so, contact us and we will delete the data.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced in-app or by e-mail at least 30 days before they take effect. The "Effective Date" above shows when the Policy was last revised.
13. Contact us
White Shoe AI, Inc.
Attn: Privacy Officer
E-mail: privacy@white-shoe.ai
If you live in the EEA or UK, you may also lodge a complaint with your local supervisory authority.