Introduction

Your privacy is important to us. Shift is committed to protecting the rights of individuals in line with the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (GDPR), the UK General Data Protection Regulation and the UK Data Protection Act 2018 (as updated by the Data (Use and Access) Act 2025) (collectively, the “UK GDPR”), the EU- US Data Privacy Framework (including the UK Extension and the Swiss-US Data Privacy Framework), the U.S. state consumer privacy laws applicable to Shift (including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), and comparable laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island), as well as other applicable data protection laws and regulations.

This privacy notice (Privacy Notice) will explain how Shift uses the personal data we collect from you when you use our website (Website). By using our services or communicating with us about them, you acknowledge that your personal information will be processed in accordance with this Privacy Policy, as revised from time to time.

For certain uses of the Website, you may be asked to provide personal data. When this occurs, we will indicate what types of personal data are required. You may choose not to submit the requested data, but this may limit your access to the Website services.

Please read this Privacy Policy carefully to understand how we will treat your personal data before you share your information with us.

Content

1. Data Controller

2. What data do we collect?

3. How do we collect your data?

4. How will we use your data?

5. What is the basis for processing of your Personal Data?

6. How do we store your data?

7. Who will receive your data?

8. For how long will your Personal Data be stored?

9. Marketing

10. What are your data protection rights?

11. Cookies

12. Privacy policies of other websites

13. Changes to our Privacy Policy

14. How to contact us

15. Contact the appropriate authority

1. Data Controller

For the collection and processing of personal data under this Privacy Notice, the data controller is:  

Shift Technology, a simplified joint stock company, whose registered office is located at 2-14 rue Gerty Archimède – 75012 Paris, registered with the Paris Trade and Companies Register under number 791 862 618 (Shift).

2. What Personal Data do we collect?

When you use the Website, Shift will collect the personal data you provide us, including personal identification information (e.g. name, email address, location, phone number, etc.).

In addition to the personal data you provide to Shift , Shift may collect, record and process additional data, including personal data, generated as a result of using the Website. This may include the following types of data:

  • Data from the used equipment, such as a unique device ID, version of the operating system and settings of the device you use to access a service;
  • Information about the use of a service, such as the time at which you use the service and the type of service that is used;
  • Location details from your device or derived from your IP address that is provided to us when you use a particular service;
  • Data available from external sources. We may receive information about you from public or commercially available sources.

3. How do we collect your data?

You directly provide Shift with most of the data we collect when you use the Website. In particular, we collect data and process data when you:

  • Fill in the “Contact Us” form;
  • Send us an email;
  • Share the webpages of our Website on social media platforms;
  • Request to receive information;
  • Download files on the Website (such as white papers, reports);
  • Register on the Website or request a demo;
  • Voluntarily complete a customer survey or provide feedback on any message board or via email; or
  • Use or view the Website via your browser’s cookies.

Shift Technology may also receive your data indirectly from publicly accessible sources (e.g. Google, LinkedIn) or non-publicly accessible sources (e.g. Greenhouse, Seamless.AI, HubSpot, Wisepops, WordPress).

4. How will we use your data?

Shift will collect and process your Personal Data it collects when you use the Website, in accordance with this Privacy Policy. Your Personal Data may be used for the following purposes:

  • Website Browsers / Administration. We use your Personal Data for administrative purposes, including to help us better understand how visitors access and use our Website and applications; to provide reports to prospective partners, service providers, regulators, and others; to implement and maintain security, anti-piracy, fraud prevention, and other services designed to protect our customers, partners and us; and to enforce our policies, directives and processes.
  • To the extent permitted by law and as described under Section 9 (Marketing) below, we may use your Personal Data for marketing and promotional purposes, including communications through email or equivalent electronic means. For example, we use your Personal Data, such as your email address for news and newsletters, research, event updates, product data, and to otherwise contact you about services or information we think will interest you.
  • Communication. We use your Personal Data to communicate with you, including responding to requests for assistance, information, newsletter, or career information. We may communicate with you in a variety of ways, including email, via your social media accounts if you have agreed, and/or text message.
  • Customer service. We use your Personal Data for customer service purposes, including providing services to you, for technical support or other similar purposes and to establish and maintain customer accounts.
  • Research and development. We use your Personal Data for research and development purposes, including improving our Website, applications, services, and customer experience and for other research and analytical purposes dedicated to improving our products, services, businesses, operations and processes.
  • Legal compliance. We use your Personal Data to comply with applicable legal regulations, including responding to an authority or court order or discovery request.
  • No automated decisions. There is no fully automated decision making (within the meaning of Article 22 of the GDPR) and no profiling that produces legal or similarly significant effects by Shift based on your personal data in connection with your use of the Website. Where Shift uses artificial intelligence systems on the Website, we do so consistent with applicable laws, including Regulation (EU) 2024/1689 (the “EU AI Act”), and we provide transparency information where required.
  • Sale of Personal Information. Our policy is that we do not sell or “share” (as those terms are defined under the California Consumer Privacy Act and comparable U.S. state laws) and will not sell or share your personal information, unless you give us your consent or direct us to do so. In the preceding twelve months we have not sold personal information for monetary consideration. To the extent that the use of advertising or analytics cookies on our Website may be considered a “sale” or “share” under applicable U.S. state law, you may opt out as described in Section 10A and Section 11 (Cookies).
  •  

5. What is the basis for processing your Personal Data?

We process your Personal Data in accordance with the provisions set out in the GDPR and other applicable Data Protection laws and regulations. The legal basis for processing your Personal Data are:

  • To comply with contractual obligations or to take steps at your request before entering into a contract. When you subscribe to a particular service through the Website, the purposes of processing your Personal Data are primarily determined by that service and we will process your information so that we may provide that service to you, assist you and answer your requests, or evaluate if we can offer you a product or service and under which conditions. In this respect, the purpose of the contact form, is to establish a relationship. The legal basis for this processing is the execution of a contract or pre-contractual measures. If you decide not to provide us with the data necessary to establish contact, we shall be unable to contact you for this purpose.
  • As a result of your consent. When you have consented to the processing of your Personal Data by us for certain purposes through the Website, for instance through the Contact Form or the subscription to our newsletter. However, if we need to carry out further processing for purposes other than those for which you provided us with your consent, we will inform you and, where necessary, obtain your consent. You may withdraw your consent at any time. For further information on the right of withdrawal, please see Section 10 (What are your data protection rights?) below.
  • Within the scope of a legitimate interest. On occasion, where we have a legitimate interest to process your data, we may not need your consent to do so, however, we must inform you that we do this; examples of this are for:
    • The analysis and optimisation of the Website;
    • Ensuring IT security and the operation of Shift Technology’s IT;
    • Prevention and investigation of criminal acts.
    • On the basis of Shift Technology’ legal obligations or in the public interest. In some cases the processing of your Personal Data will be necessary for Shift Technology to fulfil legal or public interest obligations.

6. How do we store your data?

Your personal data will be stored by us and our service providers in accordance with applicable data protection laws to the extent necessary for the processing purposes set out in this Privacy Policy. As a global enterprise, our usage of the Internet almost always involves the international transmission of personal data, both within and outside the European Economic Area (EEA). In case of international transfers originating from the EEA, where the European Commission has recognized a non-EEA country as providing an adequate level of data protection, your personal data may be transferred on this basis.

For transfers to non-EEA countries whose level of protection has not been recognized by the European Commission as adequate, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you, such as when making an international payment) or implement the Standard Contractual Clauses implemented by the European Commission. For transfers of personal data to the United States, we may also rely on the EU-US Data Privacy Framework (and its UK Extension and the Swiss-US Data Privacy Framework) where the recipient is self-certified under the relevant framework. For transfers originating in the United Kingdom, we use the UK International Data Transfer Agreement or the UK Addendum to the European Commission’s Standard Contractual Clauses, as applicable. Where required, we also carry out a transfer impact assessment and adopt supplementary measures to ensure an essentially equivalent level of protection.

7. Who will receive your data?

We communicate your Personal Data only to identified and duly authorized recipients. These include:

  • Affiliates and subsidiaries of the Shift Technology group of companies (Shift Group);
  • Financial or judicial authorities, state agencies or public bodies, upon request and to the extent permitted by law;

External providers performing services on Shift Technology’s behalf.

8. For how long will your Personal Data be stored?

Your data will be kept for the duration of our relationship (for example until you unsubscribe to a newsletter) and kept for a maximum of two years after the end of this relationship. For prospects and personal Data sent through online forms, information is kept for two years. For any other data and/or purposes, your personal data are retained only for the time necessary to achieve the purpose for which such personal data were collected and for any required or permitted period under applicable laws. Once the applicable time period has expired, we will delete your data by including it in batches of data to be flagged for deletion after the relevant time period.

9. Marketing – Commercial prospection

For sending commercial solicitations by email on products similar to those ordered by customers: the legal basis of the processing is the legitimate interest of Shift Technology (Cf. article 6.1.f) of the GDPR), namely to promote our products to our customers.

For sending commercial solicitations by e-mail on other products offered by Shift Technology: the legal basis of the processing is the consent (Cf. article 6.1.a) of the GDPR), as required by article L. 34-5 of the French Post and Electronic Communications Code.

If we use electronic prospecting, your consent will be required, except if you are already a customer and the commercial prospecting deals with products similar to those we already provide you with.

If you have agreed to receive marketing communications, you may always opt out at a later date. You have the right at any time to stop Shift from contacting you for marketing purposes or giving your data to other members of the Shift Group. If you no longer wish to be contacted for marketing purposes, please contact us at: marketing@shift-technology.com.

If you are invited to and/ or attend one or our events, we will collect and process your contact information and any other information we may need to manage our invitation and your attendance (including for example dietary or special access requirements) in accordance with this Privacy Policy.

10. What are your data protection rights?

Shift would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

  • The right to access– You have the right to request copies of your personal data that Shift holds.
  • The right to rectification– You have the right to request that Shift correct any information you believe is inaccurate. You also have the right to request Shift to complete any information you believe is incomplete.
  • The right to erasure– You have the right to request that Shift erase your personal data, under certain conditions.
  • The right to restrict processing– You have the right to request that Shift restrict the processing of your personal data, under certain conditions.
  • The right to object to processing– You have the right to object to Shift processing your personal data, under certain conditions.
  • The right to data portability– You have the right to request that Shift transfer the data that we have collected to another organization, or directly to you, under certain conditions.
  • The right to decide what happens to your personal data after your death.You have the right to give instructions regarding the storage, deletion and disclosure of your personal data after your death.

(Collectively a Data Subject Access Request or DSAR)

If you make a DSAR, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at: dpo@shift-technology.com

Or write to us: Shift Technology – Attn. Data Protection Officer. 2-14, rue Gerty Archimède, 75012 Paris, France.

10A. Additional rights for U.S. state residents

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, or Rhode Island, you may have additional rights under the consumer privacy law of your state (including the California Consumer Privacy Act, as amended by the California Privacy Rights Act). Depending on your state of residence and subject to applicable exceptions and verification, these rights may include:

  • The right to know what categories and specific pieces of personal information we collect, use, disclose, and (where applicable) sell or share about you, and to receive a portable copy;
  • The right to correct inaccurate personal information that we maintain about you;
  • The right to delete personal information we have collected from you;
  • The right to opt out of the “sale” of your personal information, of the “sharing” of your personal information for cross-context behavioral advertising, and of targeted advertising, including via a recognized universal opt-out signal such as Global Privacy Control;
  • The right to opt out of certain profiling in furtherance of decisions that produce legal or similarly significant effects concerning you;
  • The right to limit the use and disclosure of “sensitive personal information” (as defined under the CCPA) and, where applicable, comparable restrictions on the processing of sensitive data under other state laws;
  • The right to be free from unlawful discrimination or retaliation for exercising any of these rights; and
  • Where available under your state’s law, the right to appeal our response to your request.

Shift does not sell personal information for monetary consideration. To the extent that any disclosure of personal information for cross-context behavioral advertising would be deemed a “sale” or “share” under the CCPA or a comparable U.S. state law, you may opt out via the cookie controls available on our Website (including by enabling a Global Privacy Control signal in your browser) or by emailing dpo@shift-technology.com. We do not use or disclose “sensitive personal information” (as defined under the CCPA) for purposes other than those permitted without a right to limit.

We do not knowingly “sell” or “share” the personal information of consumers under 16 years of age, and we do not knowingly process the personal information of children under the age of 13 (or, where applicable under state law, under 16 or 18) without legally required consent. Connecticut and Arkansas residents under 18 and California residents under 16 benefit from additional protections under their state’s age-appropriate design and minors’ data laws.

You may submit a request to exercise these rights through the channels described in Section 10. An authorized agent may submit a request on your behalf with appropriate proof of authorization. We will respond to your request within the timeframe required by applicable law (generally 45 days, subject to extension). If you are a California resident, you may also designate an authorized agent in accordance with the California Privacy Rights Act and its implementing regulations.

11. Cookies


12. Third Party Privacy Notices

The Website contains links to other websites. Our privacy policy applies only to our Website, so if you click on a link to another website, you should read their privacy policy.

13. Changes to our Privacy Policy

Shift keeps its Privacy Notice under regular review and places any updates on this Website. This Privacy Notice was last updated on May 13, 2026.

14. How to contact us

If you have any questions about Shift’s Privacy Notice, your personal data that we hold, or you would like to exercise one of your DSAR rights, please contact our Data Protection Officer:

  • By email at: dpo@shift-technology.com, or
  • By mail: Shift Technology – Attn: Data Protection Officer. 2-14, rue Gerty Archimède, 75012 Paris, France.

15. Contact the appropriate authority

Should you wish to report a complaint or if you feel that Shift has not addressed your concern in a satisfactory manner, you may contact the Commission Nationale de l’Informatique et des Libertés (“CNIL”) the French data protection supervisory authority or another competent data protection supervisory authority.   The CNIL may be contacted at the following address:

Commission Nationale de l’Informatique et des Libertés
A l’attention du service des plaintes
3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07

For more details, please visit the CNIL website : www.cnil.fr/en