Privacy Policy

Last updated: April 14, 2026 · Version 1.0

1. Introduction

ShadowTagAI ("we," "us," or "our") operates the shadowtagai.com and kovelai.com web properties, along with associated APIs, services, and open-source tooling (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you interact with our Services.

We are committed to a Sovereign-First Data Governance posture. This means your data stays under your control, on your infrastructure, processed by models you select.

2. Information We Collect

2.1 Information You Provide Directly

  • Contact Forms: Name, email address, and message content submitted through our website contact forms.
  • Account Information: If you create an account, we collect your email, display name, and authentication credentials (managed via Firebase Authentication).
  • Legal Intake (KovelAI): If you use KovelAI's intake system, we collect the information you voluntarily provide regarding your legal matter. This data is treated with the highest sensitivity.

2.2 Information Collected Automatically

  • Server Logs: Standard HTTP request logs including IP address, User-Agent, request path, and response status code. Retained for 30 days, then purged.
  • Firebase Analytics (Limited): IP anonymization enabled, advertising features disabled. Aggregate page view counts and performance metrics only. No individual tracking profiles.

2.3 Information We Do NOT Collect

  • Biometric Data — Never.
  • Location Data — No GPS or fine-grained location tracking.
  • Third-Party Tracking — No Facebook Pixel, Google Ads, or advertising trackers.
  • Session Replay — No Hotjar, FullStory, or keystroke recording.

3. Telemetry Disclosure

3.1 Open-Source Telemetry Posture

All ShadowTagAI open-source repositories enforce a strict telemetry-disabled posture:

DISABLE_TELEMETRY=1
DISABLE_ERROR_REPORTING=1

No telemetry data is transmitted to any external service from our open-source tooling.

3.2 Runtime Model Telemetry

AI-powered features use Google Gemini models via the Vertex AI API. Google's data processing terms apply to model inference. We do not store prompts or completions beyond the active session unless you explicitly opt in.

4. How We Use Your Information

  • Service Delivery: Processing your requests, rendering pages, and executing AI inference.
  • Security: Detecting and preventing abuse, unauthorized access, and DDoS attacks.
  • Operational Monitoring: Cloud Monitoring alerting policies for uptime and error rate tracking.
  • Legal Compliance: Responding to lawful requests from governmental authorities.

We never sell, rent, or trade your personal information to third parties.

5. Data Storage & Security

  • Primary Cloud: Google Cloud Platform (GCP), project shadowtag-omega-v4.
  • Database: Google Firestore with zero-trust security rules (default deny-all).
  • Hosting: Firebase Hosting with automatic SSL/TLS encryption.
  • Encryption: TLS 1.3 in transit, AES-256 at rest (Google-managed keys).
  • Access Controls: Workload Identity Federation (WIF) — no persistent service account keys.

6. Data Retention

Data Type                   | Retention            | Deletion
Server Logs                 | 30 days              | Automatic rotation
Contact Form Submissions    | 1 year               | Manual purge on request
Firebase Analytics          | 14 months            | Automatic expiration
Legal Intake Data (KovelAI) | Engagement + 7 years | Secure deletion per legal requirements
Session Data                | Duration of session  | Automatic on session end

7. Your Rights

Regardless of your jurisdiction, we honor the following rights:

  • Access: Request a copy of all personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Deletion: Request deletion of your data ("Right to be Forgotten").
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing for specific purposes.

7.1 GDPR (European Economic Area)

Our lawful basis for processing is legitimate interest (service delivery and security) and consent (for optional features).

7.2 CCPA (California)

California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.

8. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

9. Third-Party Services

  • Google Cloud Platform / Firebase: Infrastructure and authentication.
  • Stripe: Payment processing (PCI DSS Level 1 compliant). We never store credit card numbers.
  • GitHub: Source code hosting and CI/CD (no user data is shared with GitHub).
  • Google Fonts: Typography delivery.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last Updated" date. Continued use of our Services after changes constitutes acceptance of the revised policy.

11. Contact Us

For privacy inquiries, data requests, or concerns:

privacy@shadowtagai.com

shadowtagai.com/contact

12. Open-Source Privacy Policy

ShadowTagAI maintains open-source repositories under the ShadowTag-v2 GitHub organization. This section governs data handling within those repositories and any forks or derivatives.

12.1 Contributor Data

  • Git Metadata: Contributor names and email addresses are captured in Git commit history. This data is publicly visible and governed by GitHub's Privacy Statement.
  • Issue & PR Content: Information in GitHub Issues and Pull Requests is public. Do not submit personal, client, or privileged information in public issues.
  • CLA: We do not currently require a Contributor License Agreement. All contributions are accepted under the repository's stated license.

12.2 Telemetry Kill-Switch Doctrine

All ShadowTagAI open-source software ships with telemetry disabled by default:

DISABLE_TELEMETRY=1
DISABLE_ERROR_REPORTING=1

  • Set in all CI/CD pipelines, development environments, and production runtimes.
  • Forks and derivatives are strongly encouraged to maintain this posture.
  • No open-source package will ever phone home without explicit, opt-in user consent.

12.3 License Obligations

Repository                                           | License           | Privacy Scope
Core infrastructure (apps/shadowtagai, apps/kovelai) | Proprietary       | Sections 1–11
Open-source tooling (tools/*, labs/*)                | Apache 2.0 / MIT  | Section 12
Third-party vendored code (external_repos/*)         | Original upstream | Upstream policy

12.4 Sovereign Execution Guarantee

When you deploy ShadowTagAI open-source tooling on your own infrastructure:

  • Zero data egress: No data leaves your execution environment to ShadowTagAI servers.
  • Zero phone-home: No license validation, update checks, or analytics callbacks.
  • Full auditability: All source code is available for inspection.

12.5 Vulnerability Disclosure

If you discover a privacy or security vulnerability:

  • Email: security@shadowtagai.com
  • Response SLA: Acknowledgment within 48 hours, patch within 7 days for critical issues.
  • No retaliation: We will never pursue legal action against good-faith security researchers.