This Privacy Policy describes how SHU collects, uses, shares, and protects your personal information when you use our hosted AI knowledge platform. For a plain-English summary of the principles behind it, see our Privacy Promise.
01 Introduction
This Privacy Policy describes how Shu Technologies USA, Inc., doing business as Shu ("Shu," "we," "us," or "our"), collects, uses, shares, and protects personal information when you use our AI knowledge platform and related services (the "Service"). Shu is a Texas corporation with its principal place of business at 3809 Juniper Trace, Ste. 101, Austin, TX 78738. This Privacy Policy applies to all users of the Service, including account holders, authorized users, and visitors to our website. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
02 Information We Collect
Account Information.
When you create an account, we collect information necessary to set up and maintain your account, including your name, email address, organization name, and billing address. If you are an authorized user added by an Account Holder, we collect your name and email address.
Billing Information.
We collect billing details such as your billing address and the name on the payment method. Payment card information (card number, expiration date, and CVC) is collected and processed directly by our payment processor, Stripe, Inc. Shu does not receive, store, or have access to your full payment card numbers. Stripe may collect additional information in connection with payment processing, including device identifiers and transaction metadata, as described in Stripe's privacy policy at https://stripe.com/privacy.
Customer Content.
We collect and process the documents, text, queries, prompts, and other content that you upload to or create within the Service ("Customer Content"). Customer Content is processed solely to provide the Service to you, as described in our Terms of Service.
Usage Data.
We automatically collect information about how you interact with the Service, including features accessed, pages viewed, actions taken within the Platform, query frequency, token consumption, session duration, and timestamps. We also collect technical data such as IP address, browser type, operating system, device identifiers, and referring URLs.
Log Data.
Our servers automatically record information ("Log Data") when you access the Service, including your IP address, request details, system activity, and the date and time of your request. Log Data is used for security monitoring, debugging, and service improvement.
Communications.
If you contact us for support or other inquiries, we collect the content of those communications along with your contact information.
03 How We Use Information
We use the information we collect for the following purposes:
Providing the Service.
We use Account Information, Customer Content, and Usage Data to operate, maintain, and deliver the Service, including processing your queries, generating outputs, and managing your account.
Processing Payments.
We use Billing Information (in conjunction with Stripe) to process subscription fees, overage charges, and other transactions.
Service Communications.
We use your email address to send transactional and account-related communications, including billing confirmations, subscription renewal notices, security alerts, and service updates. These communications are a necessary part of the Service and are not marketing.
Improvement and Analytics.
We use Usage Data and Log Data in aggregate and anonymized form to analyze trends, understand how the Service is used, diagnose technical issues, and improve the Service. We do not use Customer Content to train, fine-tune, or develop general-purpose AI or machine learning models without your separate, explicit written consent.
Security and Fraud Prevention.
We use Log Data, Usage Data, and technical information to detect and prevent fraud, abuse, and security incidents, and to enforce our Terms of Service.
Legal Compliance.
We may process personal information as necessary to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
We do not sell your personal information to third parties. We do not share your personal information with third parties for their own direct marketing purposes.
04 Information Sharing
We share personal information only in the following circumstances:
Service Providers.
We share information with third-party service providers who process data on our behalf to help us operate and deliver the Service. These providers include our payment processor, cloud hosting and infrastructure providers, and AI model API providers. Each service provider is contractually obligated to use personal information only for the purposes of providing services to Shu and in accordance with applicable data protection laws. We use Stripe for payments, analytics, and other business services. Stripe may collect personal data, including via cookies and similar technologies. The personal data Stripe collects may include transactional data and identifying information about devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection, loss prevention, authentication, and analytics related to the performance of its services. You can learn more about Stripe and read its privacy policy at https://stripe.com/privacy.
Legal Requirements.
We may disclose personal information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a lawful request from law enforcement.
Business Transfers.
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred as part of that transaction. We will notify you by email or by prominent notice on the Service before your personal information is transferred and becomes subject to a different privacy policy.
With Your Consent.
We may share your information for purposes other than those described in this Privacy Policy if you provide your explicit consent.
Aggregate and De-Identified Data.
We may share aggregate or de-identified information that cannot reasonably be used to identify you with third parties for analytics, research, or other purposes.
05 Data Retention
Active Accounts.
We retain your personal information for as long as your account is active and as necessary to provide the Service to you.
Canceled Accounts.
Upon cancellation or termination of your account, we retain your Customer Content for thirty (30) days to allow you to export your data. After this export window, we delete Customer Content from our active systems within a commercially reasonable timeframe. Residual copies in encrypted backups are purged in the ordinary course of backup rotation.
Account and Billing Records.
We retain Account Information and Billing Information for a reasonable period following account closure as necessary to comply with our legal and financial obligations, resolve disputes, and enforce our agreements. Typically, this retention period does not exceed seven (7) years following account closure.
Log Data.
We retain Log Data and Usage Data for up to eighteen (18) months for security monitoring, debugging, and service improvement purposes, after which it is deleted or anonymized.
Legal Obligations.
We may retain personal information for longer periods where required by applicable law, regulation, or legal process.
06 Security
We implement technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using Transport Layer Security (TLS)
- Encryption of data at rest using industry-standard encryption algorithms
- Access controls and role-based authentication for internal access to personal information
- Regular security assessments and monitoring of our systems
- Incident response procedures to identify, contain, and remediate security events
While we take the security of your information seriously, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you acknowledge that you provide personal information at your own risk. In the event of a security incident involving your personal information, we will notify you in accordance with applicable law.
07 Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information. Shu is committed to honoring these rights as required by applicable law.
Rights Under the California Consumer Privacy Act (CCPA/CPRA).
If you are a California resident, you have the right to: know what personal information we collect about you and how it is used and shared; request deletion of your personal information; request correction of inaccurate personal information; opt out of the sale or sharing of your personal information (Shu does not sell or share personal information as defined by the CCPA); and be free from discrimination for exercising your privacy rights.
Rights Under the General Data Protection Regulation (GDPR).
If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, you have the right to: access your personal data and receive a copy; rectify inaccurate or incomplete personal data; request erasure of your personal data ("right to be forgotten"); restrict or object to certain processing of your personal data; receive your personal data in a structured, commonly used, machine-readable format (data portability); and withdraw consent at any time, where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority.
Exercising Your Rights.
To exercise any of these rights, please contact us at [email protected]. We will respond to verified requests within thirty (30) days, or within the timeframe required by applicable law. We may request additional information to verify your identity before fulfilling a request. If we need more time to respond, we will inform you of the reason and the extended timeframe.
Opt-Out of Marketing.
You may opt out of promotional communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at [email protected]. Opting out of marketing communications does not affect transactional or service-related communications.
08 International Data Transfers
The Service is hosted and operated in the United States. If you access the Service from outside the United States, you acknowledge that your personal information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
EU/EEA, UK, and Swiss Transfers.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, Shu relies on the following mechanisms as applicable: (a) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, to the extent Shu has self-certified under the applicable framework; and (b) the European Commission's Standard Contractual Clauses (SCCs) for transfers to recipients not covered by an adequacy decision, supplemented by any additional safeguards required by applicable law. You may request a copy of the applicable transfer mechanism by contacting us at [email protected].
We require our service providers and sub-processors that receive personal data from the EEA, UK, or Switzerland to provide equivalent protections through contractual commitments or other lawful transfer mechanisms.
09 Cookies and Tracking Technologies
Shu uses cookies and similar technologies on the Service. During the current MVP phase, we limit our use of cookies to those that are strictly necessary for the operation and security of the Service, including:
- Authentication cookies that maintain your login session and account access
- Security cookies that help detect and prevent fraudulent activity
- Preference cookies that remember your functional settings within the Platform
We do not currently use third-party advertising or tracking cookies. Stripe, our payment processor, may place cookies on your browser in connection with payment processing and fraud detection. You can learn more about Stripe's cookie practices at https://stripe.com/cookie-settings.
If we introduce additional cookies or tracking technologies in the future, we will update this Privacy Policy and, where required by applicable law, obtain your consent before deploying non-essential cookies.
Most web browsers allow you to manage cookie preferences through browser settings. Disabling cookies may affect the functionality of the Service.
10 Children's Privacy
The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe that a child under 18 has provided personal information to us, please contact us at [email protected].
11 Contact Information and Data Protection Officer
If you have questions or concerns about this Privacy Policy or our data practices, you may contact us at:
Shu Technologies USA, Inc.
Attn: Privacy Team
3809 Juniper Trace, Ste. 101
Austin, TX 78738
Email: [email protected]
Shu has not appointed a Data Protection Officer ("DPO") at this time. If Shu's data processing activities expand to the point where a DPO appointment is required under GDPR Article 37 (for example, if Shu establishes an EU presence or engages in large-scale processing of special categories of data), we will appoint a DPO and update this Privacy Policy with their contact information.
12 Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When we make material changes, we will notify you by email to the address associated with your account and by posting a prominent notice on the Platform at least thirty (30) days before the changes take effect. Non-material changes (such as typographical corrections or formatting updates) may be made without prior notice.
Your continued use of the Service after the effective date of any update constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Privacy Policy, you should discontinue your use of the Service before the changes take effect. We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top of this Privacy Policy indicates when it was most recently revised.
↑ Back to top