Effective Date: May 9, 2026
Shadow Span Technologies Inc. ("Shadow Span", "we", "us", or "our") operates the Shadow Span intelligence platform (the "Service"). This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it. By accessing or using the Service, you agree to the terms of this Policy.
Shadow Span Technologies Inc. is a corporation incorporated in Ontario, Canada, and is the data controller for personal data collected through the Service. Our registered address is [REGISTERED ADDRESS].
As a Canadian-controlled organisation processing personal information of residents of Canada and the United States, we operate in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, in addition to applicable U.S. state privacy laws.
If you have questions about this Policy or wish to exercise your rights, contact us at privacy@shadowspan.com.
2.1 Account and Organisation Data. When you register for an account or invite team members, we collect: full name, work email address, organisation name, job title, and billing contact details.
2.2 Payment Data. Payments are processed by Stripe, Inc. We do not store full card numbers or CVV codes. We receive and store a Stripe customer ID, subscription tier, billing cycle, and the last four digits of your payment method for reference.
2.3 Usage and Technical Data. We automatically collect: IP address, browser type and version, operating system, referring URLs, pages visited, session duration, and feature interaction events. This data is used to operate, secure, and improve the Service.
2.4 Monitored Asset Data. To deliver intelligence services, we process information about the digital assets you instruct us to monitor — including domain names, IP ranges, executive identities, and vendor names. This data belongs to you; we act as a data processor on your behalf for this category.
2.5 Intelligence Feed Data. The Service aggregates publicly available threat intelligence from sources including NVD, CISA KEV, MITRE ATT&CK, VCDB, SEC EDGAR, and various open feeds. This data does not directly relate to identified individuals and is used solely to populate the intelligence database.
2.6 Communications. If you contact us via email or our support channels, we retain those communications to resolve your query and improve our services.
We use the information we collect to:
(a) Provide, operate, and maintain the Service and your account;
(b) Process payments and manage your subscription;
(c) Deliver threat intelligence reports, alerts, and notifications relevant to your configured assets;
(d) Monitor for security incidents, prevent fraud, and ensure platform integrity;
(e) Respond to support requests and communicate service updates;
(f) Comply with legal obligations, including applicable data protection and cybersecurity regulations;
(g) Analyse aggregate, anonymised usage patterns to improve the Service.
We do not sell your personal data to third parties. We do not use your data for targeted advertising.
Canada (PIPEDA and provincial privacy laws). For Canadian residents, we process personal information based on the consent principles of PIPEDA and applicable provincial laws (including Quebec's Law 25, BC PIPA, and Alberta PIPA where applicable). Consent is obtained at the time of account creation and may be withdrawn subject to contractual and legal limitations.
United States. For U.S. residents, we process personal information based on the contract you enter into with us, our legitimate business interests, and our legal obligations. Where required (notably under California and Colorado law), we honour rights to access, delete, and opt out of sale or sharing — Shadow Span does not sell or share personal information for cross-context behavioural advertising.
European Economic Area and United Kingdom. For users in the EEA and UK, we process personal data under the following lawful bases:
Contract performance — processing necessary to provide the Service you have subscribed to (Art. 6(1)(b) GDPR).
Legitimate interests — security monitoring, fraud prevention, product analytics, and service communications, where these interests are not overridden by your rights (Art. 6(1)(f) GDPR).
Legal obligation — compliance with applicable laws and regulatory requirements (Art. 6(1)(c) GDPR).
Consent — where we have obtained your explicit consent, such as for optional marketing communications (Art. 6(1)(a) GDPR). You may withdraw consent at any time.
We share data with the following categories of sub-processors to operate the Service. All sub-processors are bound by data processing agreements and provide appropriate safeguards:
Supabase, Inc. (database hosting and authentication) — United States, with Standard Contractual Clauses for EEA transfers.
Google Cloud Platform (compute infrastructure, Cloud Run, Cloud Storage) — United States, with Standard Contractual Clauses for EEA transfers.
Cloudflare, Inc. (CDN, WAF, DDoS protection) — United States, with Standard Contractual Clauses for EEA transfers.
Stripe, Inc. (payment processing) — United States, certified under the EU-US Data Privacy Framework.
Upstash, Inc. (rate-limiting cache) — United States, with Standard Contractual Clauses for EEA transfers.
We may disclose information to law enforcement or regulatory authorities where required by law or where we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of Shadow Span, our customers, or the public.
Our infrastructure is primarily located in the United States. When we transfer personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision, we rely on Standard Contractual Clauses adopted by the European Commission (or the UK equivalent) to ensure an adequate level of protection.
You may request a copy of the applicable transfer mechanism by contacting us at privacy@shadowspan.com.
Account and organisation data is retained for the duration of your subscription and for six years thereafter to comply with financial record-keeping obligations.
Usage logs and technical data are retained for 90 days in active storage and up to 12 months in cold archive.
Monitored asset intelligence (threat reports, scan results) is retained for the duration of your subscription. Upon termination, you may request an export within 30 days; after this period the data is deleted from our systems.
Communications with our support team are retained for three years.
Anonymised, aggregated analytics data is retained indefinitely.
Depending on your location, you may have the following rights regarding your personal data:
Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate or incomplete data.
Erasure — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Restriction — request that we restrict processing of your data in certain circumstances.
Data Portability — receive your personal data in a structured, machine-readable format.
Objection — object to processing based on legitimate interests or for direct marketing.
Withdraw Consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact us at privacy@shadowspan.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection supervisory authority.
California Residents: For CCPA purposes, Shadow Span does not sell or share your personal information. You have the right to know what personal information we collect, to delete it, and to opt out of any sale (which we do not conduct). Contact us at privacy@shadowspan.com to submit a CCPA request.
We use strictly necessary session cookies for authentication. We do not use third-party advertising cookies or cross-site tracking pixels.
Cloudflare may set security-related cookies (__cf_bm, cf_clearance) to distinguish legitimate users from automated bots. These are necessary for service delivery and cannot be disabled without affecting functionality.
Our platform analytics use anonymised, aggregated data; we do not fingerprint individual users.
We implement industry-standard technical and organisational measures to protect your data, including:
Encryption in transit (TLS 1.2 minimum, enforced HTTPS) and at rest (AES-256 on all storage volumes).
Multi-layer access controls: Cloudflare WAF, network-level firewall rules, per-IP rate limiting, and row-level security in the database.
Supabase CA certificate pinning to prevent man-in-the-middle attacks on database connections.
Least-privilege service accounts with scoped IAM roles.
While we take significant measures to protect your data, no method of electronic storage or transmission is 100% secure. We will notify affected users and relevant authorities of any breach as required by applicable law.
The Service is intended for use by businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us immediately at privacy@shadowspan.com.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Policy on this page and, where required by law, by sending an email notification to your registered address at least 30 days before the change takes effect.
Your continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
Data Controller: Shadow Span Technologies Inc.
Address: [REGISTERED ADDRESS]
Email: privacy@shadowspan.com
For general legal enquiries: legal@shadowspan.com