Privacy Policy
How we collect, use, and protect your information when you use our platform.
Posted: May 9, 2025
1. Who we are
White Shoe AI, Inc. ("White Shoe AI," "we," "us," or "our") is a Delaware corporation that develops and operates the White Shoe AI software-as-a-service platform and the websites located at whiteshoe.ai (collectively, the "Services").
2. Scope of this Policy
This Policy explains how we collect, use, disclose, and safeguard personal information when you visit our websites, create an account, or otherwise interact with the Services. It applies when we act as a "controller" under the EU General Data Protection Regulation ("GDPR") and a "business" under the California Consumer Privacy Act as amended by the CPRA ("CCPA"). It does not apply to content you upload that you expressly instruct us to share publicly.
3. Personal information we collect
| Category | Examples in our product | How we obtain it |
|---|---|---|
Account & profile data | E-mail address, first and last name, subscription tier, company-profile fields (industry, size, jurisdiction, preferred terms) | Provided by you during sign-up or profile edits |
Payment data | Stripe customer ID, subscription ID, partial card details | Collected by Stripe during checkout and returned to us via secure token |
User-generated content | Files uploaded to your contract repository, chat prompts, LLM outputs, handbook-analysis results | Provided by you when you use platform features |
API credentials (optional) | Slack token, Gmail API key | Provided by you in settings |
Usage & log data | IP address, device/browser type, request timestamps, recent feature interactions | Collected automatically by our servers, Vercel, and Upstash |
Cookies & similar tech | Strictly-necessary cookies (Supabase sb-access-token, sb-refresh-token); functional, analytics, and marketing cookies loaded only after your consent. See our Cookie Policy for the full list. | Set automatically (necessary) or after your consent (functional, analytics, marketing) |
Consent record | A short server-side audit entry recording each cookie-consent choice you make: consent ID, categories accepted, hashed IP, approximate country, user-agent, and timestamp. | Created when you interact with the cookie banner. Required to demonstrate consent under GDPR/CCPA. |
We do not intentionally collect sensitive personal information (SPI) unless you choose to include it in uploaded content.
4. How and why we use personal information
| Purpose | Legal basis under GDPR | Typical data |
|---|---|---|
| Provide, maintain, and secure the Services | Contract performance (Art. 6 (1)(b)); legitimate interests (security) | All categories |
| Process payments and manage subscriptions | Contract performance | Account, payment data |
| Respond to enquiries and send service e-mails | Legitimate interests; contract performance | Contact data |
| Improve features and user experience | Legitimate interests | Anonymized and aggregated usage data |
| Detect, prevent, and investigate fraud or abuse | Legitimate interests; legal obligation | Log data |
| Comply with legal obligations (tax, accounting) | Legal obligation (Art. 6 (1)(c)) | Account, transaction records |
| Conduct direct marketing with your opt-in consent | Consent (Art. 6 (1)(a)) | Contact data |
5. How we disclose information
We do not sell personal information. We share it only with:
- Authorised sub-processors that help us run the platform (see Schedule 1).
- Marketing partners we engage with your consent: Google Ads (to measure ad-campaign conversions) and Apollo.io (which uses reverse-IP lookup to identify the company associated with a visit so our team can prioritize B2B outreach). These tools only receive data after you accept marketing cookies in our consent banner.
- Professional advisers (lawyers, accountants) bound by confidentiality.
- Public authorities when required by law or court order.
- Successors in the event of a merger, acquisition, or asset sale.
- Others with your consent or at your direction (e.g., if you enable Slack integration).
6. Cookies and similar technologies
We use strictly-necessary first-party cookies for authentication, load balancing, and core functionality. With your consent, we also load functional cookies (your preferences), analytics cookies (Sentry Session Replay for product debugging), and marketing cookies (Google Ads, Apollo.io). You can review and change your choices at any time via the “Cookie preferences” link in our footer. We record your consent decision in a short server-side audit log (consent ID, categories, hashed IP, country, user-agent, timestamp) so we can demonstrate compliance if asked.
We honor the Global Privacy Control (GPC) browser signal as a default opt-out of analytics and marketing cookies under the CCPA/CPRA. If your browser sends GPC, we treat it as a rejection of non-essential cookies by default; you can still opt in later via our Cookie preferences panel.
Full details on each cookie, its provider, duration, and purpose are in our Cookie Policy.
7. International data transfers
Our primary infrastructure is in the United States. When we transfer personal data from the EEA, UK, or Switzerland, we rely on:
- The EU-U.S., UK, and Swiss-U.S. Data Privacy Framework certifications held by Vercel, Google, Stripe, Slack (Salesforce group), Amazon Web Services, and Upstash. (aws.amazon.com)
- The 2021 Standard Contractual Clauses executed with Supabase and any other non-DPF vendor.
- OpenAI's EU data-residency feature, which we enable for EU customers.
We also conduct transfer-impact assessments and implement supplementary safeguards where required.
8. Security
We employ administrative, technical, and organisational measures such as:
- TLS 1.3 encryption in transit and AES-256 encryption at rest
- Envelope encryption of sensitive fields with AWS KMS
- Role-based access control and least-privilege principles
- Continuous monitoring and rate-limiting via Upstash
- Annual penetration tests and vendor due-diligence
No internet service is 100% secure; please contact us immediately if you believe your account has been compromised.
9. Data retention
We keep personal data:
- While your account is active and for 30 days after you request deletion (allows restoration on request).
- Back-ups roll off within 90 days.
- Financial records are retained for up to 7 years to meet tax and audit requirements.
10. Your rights
| If you are… | You may… |
|---|---|
EEA/UK/Swiss resident | Access, correct, delete, restrict, port, or object to processing; withdraw consent. |
California resident | Know what we collect, correct inaccuracies, delete data, opt-out of "sharing," and not be discriminated against for exercising rights. |
Resident of other U.S. states with privacy laws (e.g., CO, VA) | Similar rights as above, as applicable under local law. |
How to exercise your rights:
Send an e-mail to [email protected] with the subject "Privacy Rights Request" or use the in-app form. We will respond within one month (GDPR) or 45 days (CCPA). We may ask for information to verify your identity.
11. Children
The Services are not directed to children under 18. We do not knowingly collect personal information from children. If you believe we have done so, contact us and we will delete the data.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced in-app or by e-mail at least 30 days before they take effect. The "Effective Date" above shows when the Policy was last revised.
13. Contact us
White Shoe AI, Inc.
Attn: Privacy Officer
E-mail: [email protected]
If you live in the EEA or UK, you may also lodge a complaint with your local supervisory authority.