Privacy Policy

1. Who we are

ShiftMod AI (“ShiftMod AI,” “we,” “us,” or “our”) operates from Ontario, Canada. We operate the website at www.shiftmodai.comand the AI Legal Receptionist platform that law firms (each a “Firm Customer”) deploy to handle inbound intake calls. For data we collect directly from website visitors, prospects, and Firm Customer administrators, we act as an organization accountable under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, as a data controller. For audio recordings, transcripts, and caller-supplied information that flow through the Service on behalf of a Firm Customer, we act as a service provider or data processor acting at the Firm Customer's direction.

2. Information we collect

2.1 Information you provide directly

• Account & identity information. When a Firm Customer signs up or an administrator is provisioned, we collect name, email, firm name, role, and authentication identifiers (Google or Microsoft account subject IDs, magic-link sign-in tokens).
• Configuration data. Firm Customers supply intake scripts, booking URLs, attorney contact information, notification preferences, and other settings used to operate the receptionist.
• Payment and billing information. Billing addresses and tax IDs (if applicable). Payment card data is handled by our payment processor and never stored on our servers.
• Communications. When you email, chat, or message us, we keep that correspondence for support and quality-assurance purposes.

2.2 Information collected during inbound calls

When a member of the public calls a phone number that has been forwarded to our voice infrastructure by a Firm Customer, we — on behalf of the Firm Customer — process:

• Audio recordings of the inbound conversation and an AI-generated transcript of that audio.
• Caller-provided informationsuch as name, callback phone number, email address, descriptions of injuries, charge codes, custody status, statute-clock timing, opposing party / adverse driver names, and the caller's preferred consultation time.
• Call metadata — the dialed number, the inbound caller ID, call start and end timestamps, duration, AI-assigned booking outcome, and a short AI-generated summary of the call.

Where applicable law requires disclosure that a call is being recorded or monitored, the ShiftMod AI receptionist can provide that disclosure at the start of the call when configured to do so. In Canada, recording laws vary by context; federally, one-party consent generally applies to private recordings, but Firm Customers remain responsible for ensuring their use of the Service complies with federal, provincial, and local recording, monitoring, and disclosure requirements (including two-party consent rules in certain U.S. states).

2.3 Information collected automatically

• Device & technical data. IP address, browser type and version, operating system, referring URL, time of access, and pages viewed.
• Cookies and similar technologies. Strictly necessary cookies for authentication and session management. We do not use cross-site advertising cookies on the marketing site.
• Audit logs. Sign-ins, configuration changes, recording deletions, and other administrative actions are recorded against the actor for security and compliance.

3. How we use information

We use the categories of information above to:

• Provide, operate, and secure the Service, including answering inbound calls, transcribing audio, extracting structured intake fields, surfacing conflict-screen prompts for manual review by the Firm Customer's team, generating call summaries, and sending alerts or exports configured by the Firm Customer.
• Authenticate users, enforce role-based access (super-admin, tenant administrator, tenant user), and detect or prevent fraud, abuse, or unauthorized access.
• Send service announcements, security notifications, and — where you have consented — product updates.
• Improve and develop the Service. Voice synthesis, transcription, and analytical improvements that incorporate Firm Customer audio are subject to the Firm Customer's contract; we do not use Firm Customer recordings to train general third-party AI models without express written consent.
• Comply with legal obligations, including responses to lawful requests.

4. Legal bases for processing

4.1 Canada (PIPEDA)

For personal information collected in Canada, we collect, use, and disclose information only for purposes that a reasonable person would consider appropriate in the circumstances, and we rely on one or more of the following as applicable: your consent; performance of a contract with you or your firm; compliance with a legal obligation; or our legitimate interests in operating, securing, and improving the Service where those interests are not overridden by your rights.

4.2 Visitors in the EU/UK

If you access the Service or website from the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases for processing your personal information under the General Data Protection Regulation (GDPR) or UK GDPR:

• Performance of a contract with you or your firm (provisioning the Service, processing payments, providing support).
• Legitimate interests in operating, securing, and improving the Service, where those interests are not overridden by your rights and freedoms.
• Legal obligation (responding to lawful requests, retaining records as required by tax law).
• Consent, where required for optional marketing communications or for cookies that are not strictly necessary.

5. How we share information

We share information only as described below, and never sell personal information.

5.1 Sub-processors and service providers

We use a small number of vetted infrastructure providers to deliver the Service. Each is bound by contract to confidentiality, security, and processing-on-instructions obligations:

• Voice infrastructure provider — handles inbound telephony, AI voice synthesis, audio recording storage, and call transcription.
• Cloud database provider — hosts authentication, tenant configuration, audit logs, and call metadata (PostgreSQL with row-level security).
• Hosting provider — runs the marketing site and application servers.
• Email delivery provider — sends transactional and magic-link emails.
• Payment processor — collects and processes subscription fees.

A current list of named sub-processors is available to Firm Customers under their Data Processing Addendum (DPA). Material changes to that list will be communicated in advance per the DPA.

5.2 Firm Customers

When a caller dials a phone number that forwards to a specific Firm Customer's ShiftMod AI receptionist, the audio recording, transcript, and structured intake fields are made available to administrators of that Firm Customer only. Row-level security on our database enforces this isolation; no Firm Customer can see another Firm Customer's calls.

5.3 Legal and protective disclosures

We may disclose information when we have a good-faith belief that disclosure is necessary to comply with a subpoena, court order, or other legal process; to protect the rights, property, or safety of ShiftMod AI, our Firm Customers, or the public; or to investigate fraud, security, or technical issues.

5.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections and continued application of this Privacy Policy (or a successor with equivalent protections).

6. Data retention

We retain personal information only for as long as needed to fulfill the purposes described above, comply with our legal obligations, resolve disputes, and enforce our agreements.

While a Firm Customer's account is active, call recordings, transcripts, and related intake data remain available to authorized users of that tenant. Firm Customers may delete records through the Service; deleted information may remain recoverable for a limited period before permanent removal. Records subject to legal hold, archival arrangements, or legal requirements may be kept longer and are not deleted until those restrictions end.

When a Firm Customer account ends, Customer Data remains available for export for a limited period stated in the contract or Order Form. After that period, it may be deleted in line with these practices.

Removed records are deleted from active ShiftMod systems promptly. Residual copies may persist in infrastructure-provider backups until those backups cycle out per the provider's schedule — not instant total erasure.

7. Security

We use commercially reasonable administrative, physical, and technical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit and at rest where supported by our infrastructure providers, isolated multi-tenant database row-level security, role-based access control, time-limited access to recordings where applicable, verification of inbound webhooks, audit logging of administrative and lifecycle actions, and monitoring for abuse. No method of electronic transmission or storage is perfectly secure, however, and we cannot guarantee absolute security.

8. Your rights

You may have the rights described below depending on where you live. To exercise any of these rights, contact us at privacy@shiftmodai.com. We will respond within the timeframe required by applicable law.

8.1 Rights for all users

• Request access to the personal information we hold about you.
• Request correction of inaccurate or incomplete information.
• Request deletion of personal information, subject to legal retention obligations.
• Object to or restrict certain processing.
• Request a portable copy of certain information.

8.2 Additional rights for residents of Canada

Under PIPEDA and applicable provincial privacy laws, you may have the right to access personal information we hold about you, request correction of inaccurate information, withdraw consent where processing is based on consent (subject to legal or contractual restrictions), and challenge our compliance with applicable privacy law. Ontario residents may contact the Information and Privacy Commissioner of Ontario with concerns about our handling of personal information, after giving us a reasonable opportunity to address your concern.

8.3 Additional rights for California residents (CCPA / CPRA)

California residents have the right to: know what categories of personal information we collect and the purposes; access the specific pieces of information; request deletion; request correction; opt out of any sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising); limit the use of sensitive personal information; and not be discriminated against for exercising these rights.

8.4 Additional rights for EU/UK residents

You also have the right to lodge a complaint with your local data protection authority. Where we rely on consent, you may withdraw it at any time without affecting prior lawful processing.

8.5 Caller information held on behalf of a Firm Customer

If you are an individual whose information was captured during a call to one of our Firm Customers, your primary point of contact is that Firm Customer. We will forward rights-related requests to the Firm Customer and assist with response under our Data Processing Addendum.

9. International data transfers

ShiftMod AI is headquartered in Ontario, Canada. Personal information may be processed and stored in Canada, the United States, or other countries where our sub-processors operate. Where required, we rely on contractual safeguards such as Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms to protect cross-border transfers.

10. Children's privacy

The Service is not directed to children under thirteen (13). We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, please contact us and we will delete it.

11. Special notice: client confidentiality and the practice of law

ShiftMod AI is a triage and intake tool, not a law firm. The AI receptionist is designed to collect intake facts and support consult scheduling; it does not give legal advice, evaluate liability, or form an attorney–client relationship. Where a caller's communication would be protected by solicitor–client privilege or work-product doctrine, that protection arises (if at all) between the caller and the Firm Customer, not between the caller and ShiftMod AI.

Firm Customers are responsible for assessing privilege, running formal conflict checks, and complying with their regulator's rules, including Law Society of Ontario rules on confidentiality and conflicts (and analogous provincial, state, or ABA Model Rules where applicable).

12. Third-party links

The Service and marketing site may contain links to third-party websites and services. We are not responsible for the privacy practices of those third parties; review their privacy policies directly.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make a material change, we will provide reasonable advance notice, including by email to account administrators or a prominent notice on the Service. The “Effective date” at the top reflects the date of the most recent revision.

14. Contact us

Questions or requests under this Privacy Policy can be sent to privacy@shiftmodai.com. For contract-related or general inquiries, write to hello@shiftmodai.com.