Privacy Notice

My Shadow Assistant is operated by Darcy Reid ("My Shadow Assistant", "we", "us"). For the personal data described below, Darcy Reid acts as the data controller.

• Account data — name, email address, login credentials, profile preferences.
• Configuration data — spending rules, caps, watched URLs, trusted vendors, permissions you set.
• Activity data — payment drafts, approval decisions, watch items, chat messages with the agent.
• Support communications — messages you send us when seeking help.
• Technical data — IP address, device identifiers, browser, log/telemetry data.
• Cookies — strictly necessary cookies for authentication and session management.

Payment and billing data (card details, billing address, tax ID) is collected and processed directly by Paddle as the Merchant of Record — we do not store your card numbers.

• Account creation and authentication — necessary to perform our contract with you.
• Providing the service (running the agent, drafting payments, executing approved payments) — performance of contract.
• Security and fraud prevention — legitimate interests in keeping the service safe.
• Customer support — performance of contract and legitimate interests.
• Service improvement and analytics — legitimate interests; we minimize and aggregate where possible.
• Legal compliance — where required by tax, accounting, or other law.

• Paddle — our Merchant of Record. Paddle handles payments, subscription management, tax compliance, invoicing, and refund handling. See Paddle's Privacy Notice.
• Cloud infrastructure & hosting providers — to operate the application and database.
• AI processing providers — to power the My Shadow Assistant agent's reasoning. Conversation context is sent to these providers strictly to generate a response.
• Email and support tooling — for transactional notifications and helping you with issues.
• Professional advisers — legal, accounting, where strictly necessary.
• Authorities — where required by law or valid legal process.

We do not sell your personal data.

We keep account and configuration data for as long as your account is active. Activity logs (drafts, approvals, payment history) are kept for up to 7 years to satisfy financial record-keeping obligations. Support messages are kept for up to 2 years. When data is no longer needed, it is deleted or anonymized.

Some of our service providers may process data outside your country, including in the United States. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions to protect international transfers.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you;
• Request correction of inaccurate data;
• Request deletion ("right to be forgotten");
• Restrict or object to certain processing;
• Data portability — receive your data in a structured format;
• Withdraw consent where processing is based on consent;
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us through your account's support channel. We aim to respond within one month.

We use appropriate technical and organizational measures — including encryption in transit, access controls, and least-privilege roles — to protect your personal data. No system is perfectly secure, but we work to keep yours safe.

We use only strictly necessary cookies required to authenticate you and maintain your session. We do not currently use advertising or third-party tracking cookies. If that changes, we will update this notice and provide a cookie consent mechanism.

We may update this notice from time to time. The "Last updated" date above will reflect any changes. Material changes will be communicated by email or in-app notice.

For privacy questions or to exercise your rights, contact Darcy Reid via the support channel in your account.