Privacy Policy
Version 1.0, effective July 12, 2026
This Privacy Policy explains how [ShiftGraph operating entity, to be finalized at incorporation] (“ShiftGraph,” “we”) handles data in connection with the ShiftGraph website and Service. It is written to be accurate about what the Service does and does not process, because that accuracy is itself a commitment we hold ourselves to.
1. Our approach: value-free by design
ShiftGraph’s product only needs the shape of your dependencies’ behavior, not their contents. Our client software and SDK observe the third-party API and SDK traffic of your own software and extract, in your own environment, a structural profile: types, keys, nullability, response-shape signatures, and behavioral statistics such as latency and error rates. Values, request and response bodies, header maps, cookies, query and path values, and secret-like fields are stripped before anything leaves your process, and any payload carrying a value beyond that structural vocabulary is rejected at our ingest edge. We are built so that we cannot leak what we never hold.
2. What we process
We process the following categories of data:
- Structural metadata about your dependencies (as described above). This is not intended to contain personal data, and our value-free ingest gate is designed to keep it that way. To the extent any personal data is nonetheless transmitted, we process it as your processor under our Data Processing Addendum.
- Account and billing data that you provide: names, work email addresses, organization details, authentication data, billing contact and address, tax identifiers, and payment references. Full payment-card details are captured and stored by our payment processor, not by ShiftGraph.
- Product and website usage: first-party, privacy-safe telemetry about how the Service and site are used (for reliability and product improvement), and standard server logs (including IP address) needed to operate and secure the Service.
- Support and communications: the content of messages you send us.
3. What we do not process
We do not collect, store, or transmit the values inside your traffic: not the bodies, headers, cookies, tokens, query strings, or field values of your API calls. We do not sell or share personal data for cross-context behavioral advertising, and we do not use third-party advertising or tracking technologies on our authenticated product or, except for strictly necessary purposes, on our website (see our Cookie Policy).
4. How we use data
- to provide, maintain, secure, and improve the Service;
- to detect and report dependency drift and to operate the CI drift gate;
- to authenticate users, prevent abuse, and enforce our terms and policies;
- to bill you and manage your subscription;
- to respond to support requests and send service and security notices;
- to contribute anonymized, aggregated structural signals to the cross-company early-warning network, subject to Section 5 and your contribution setting; and
- to comply with law and enforce our rights.
5. The cross-company early-warning network
A core benefit of ShiftGraph is that a change confirmed across many teams warns everyone before it reaches them. To do this we derive anonymized structural signatures of contract changes. A signature is published only when our own observatory confirms it independently, or when at least three distinct organizations exhibit the same structural signature; counts are shown as coarse ranges below five to resist re-identification; and a published signal carries no organization’s identity, host aliases, routes beyond a canonical template, or precise timing. This aggregated output is designed to fall outside personal data. You can turn off your organization’s contribution at any time in the Service; doing so excludes you from the aggregation immediately, and you still receive the feed on eligible plans.
6. Legal bases (EEA/UK)
Where the EU or UK GDPR applies to personal data we process as a controller (chiefly account, billing, and website data), we rely on: performance of a contract (to provide the Service and bill you); our legitimate interests (to secure, operate, and improve the Service and to understand usage), balanced against your rights; your consent where required (for example, certain cookies); and compliance with legal obligations. Where we process personal data on a customer’s behalf, the customer is the controller and our DPA governs.
7. How we share data
We share data with vendors who process it on our behalf under contract, our subprocessors, for hosting, database, email, payments, and similar functions, each bound to protect it and to use it only to provide their service to us. We may disclose data to comply with law or valid legal process, to protect rights and safety, or in connection with a merger, acquisition, or sale of assets (with notice where required). We do not sell your personal data, and we do not share it for advertising.
8. International transfers
ShiftGraph operates from the United States, and our subprocessors may process data in the United States. Where we transfer personal data from the EEA, the UK, or Switzerland, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses and the UK Addendum, and, where applicable, an adequacy mechanism. Our DPA contains the transfer terms for customer data.
9. Retention
We keep structural event and evidence data for the retention window of your plan (for example, 30 days on Starter, one year on Growth, or a custom period on Enterprise), keep billing records for as long as required for tax and accounting (generally seven years), and keep account data for the life of your account plus a short wind-down period. Raw uploads used to bootstrap a profile are processed and then deleted promptly (within 24 hours, or immediately where you configure it). We delete or de-identify data when it is no longer needed, subject to legal holds.
10. Security and breach notification
We protect data with technical and organizational measures appropriate to the risk, including least-privilege database roles, row- and column-level access controls, encryption of secrets, mandatory second-factor authentication, and a tamper-evident audit log. No system is perfectly secure. If we become aware of a personal-data breach, we will notify affected customers and, where required, authorities and individuals without undue delay. A summary of our measures is available on request and in our DPA.
11. Your rights and choices
Depending on where you are, you may have rights to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent. Under California and other US state laws, you may have the right to know, delete, and correct personal information, and to opt out of any sale or sharing. We do not sell or share, and we honor Global Privacy Control signals as an opt-out where applicable. To exercise a right, contact privacy@shiftgraph.dev; we will verify and respond within the time the law allows, and we will not discriminate against you for exercising a right. If we act as a processor for a customer, we will refer your request to that customer.
12. Children
The Service is for businesses and is not directed to children under 16, and we do not knowingly collect their personal data.
13. Changes
We may update this Policy; the version and effective date are shown above, and we will give notice of material changes. Continued use after the effective date, following notice, constitutes acceptance where permitted by law.
14. Contact
For privacy questions or requests, contact privacy@shiftgraph.dev. We are based in Virginia, United States.
Questions about this document can be sent to legal@shiftgraph.dev. These documents govern the ShiftGraph service operated by [ShiftGraph operating entity, to be finalized at incorporation], under the laws of the Commonwealth of Virginia, United States (excluding its conflict-of-laws rules).