Privacy Policy
Applied AI Inc. · Delaware C-Corporation
Effective date: May 12, 2026
Last updated: May 12, 2026
Status: Draft pending final US-counsel review. GDPR-aligned where applicable.
This Privacy Policy describes how Applied AI Inc. ("we", "us", "Applied AI") collects, uses, and protects information when you interact with ShiftKit Services at exautomatica.com and related sub-paths. It applies to all visitors, audit participants, customers, and email subscribers.
1. What we collect
We collect only what we need to operate the Services. Specifically:
- Contact information you provide. Email address, name (optional), company name (optional), country, and any free-text comments you submit through the audit widget, contact form, or paid engagement onboarding.
- Audit responses. Your answers to the eight audit questions, the computed verdict, and the timestamp. Free-text "pain point" responses (Q7) are stored verbatim.
- Engagement data. Information you share during a paid engagement: technical architecture descriptions, sample webhook payloads, CRM schema diagrams, code excerpts. We treat all of this as confidential.
- Payment metadata. Order reference, amount, currency, and payment status. We do not store credit card numbers; that data lives only with Stripe.
- Email engagement metrics. Whether you opened or clicked emails we sent you. We do not use cross-site tracking pixels.
- Server logs. Standard web-server data including IP address, user agent, timestamp, requested URL, and referrer. Logs are retained for 30 days.
2. What we do not collect
We do not knowingly collect:
- Sensitive categories of personal data (health, biometric, religious, political, sexual orientation) — these are not relevant to the Services.
- Data from end-consumers of your business — the audit and engagement only collect information about your business operations, not your individual customers' personal data, unless you explicitly share it for engagement purposes.
- Information about children under 16.
3. How we use it
We use the information we collect to:
- Deliver the audit verdict, full audit report (PDF), and any follow-up reports you request.
- Operate paid engagements and deliver contracted services.
- Send transactional emails (booking confirmations, scope-of-work documents, invoices, monitoring alerts).
- Send occasional marketing emails about new ShiftKit products or significant Meta WhatsApp platform changes. You can opt out of marketing at any time.
- Improve the audit's scoring accuracy and our scope-of-work templates (using aggregated, de-identified patterns).
- Comply with legal obligations.
4. Legal bases (for EEA/UK residents under GDPR)
Where GDPR applies, we rely on the following bases:
- Performance of a contract for engagement delivery, audit fulfillment, and account management.
- Legitimate interests for marketing emails to existing customers and prospects who explicitly opted in, fraud prevention, and service improvement. You can object to processing based on legitimate interests at any time.
- Consent for any other marketing communications, withdrawn by replying STOP or emailing us.
- Legal obligation for tax records, accounting, and responses to lawful government requests.
5. Who we share with
We do not sell your personal data. Ever. We share limited data with the following categories of processors, each under contract with confidentiality and security obligations:
| Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | USA |
| Instantly.ai | Email delivery (marketing + transactional) | USA |
| Postmark (ActiveCampaign) | Email delivery (transactional fallback) | USA |
| Cloudflare, Inc. | Web hosting, CDN, DDoS protection, server logs | Global |
| Google Workspace | Internal communications (only metadata if you email us at an @exautomatica.com address) | USA |
We may also disclose information when required by law, in response to a valid subpoena or court order, or to protect the rights or safety of our users.
6. International transfers
Applied AI Inc. is based in Delaware, USA. If you are based outside the USA (including in MENA, the UK, or the EEA), your data may be transferred to and processed in the USA. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
7. Retention
- Email subscribers: until you unsubscribe, then we retain a record of your email address on a suppression list to honor your opt-out (legitimate interest).
- Audit responses: indefinitely, in aggregated form. Identified responses retained for 2 years from your last interaction.
- Engagement data: for the duration of the engagement plus 7 years (US tax record requirements for service businesses).
- Server logs: 30 days.
8. Your rights
Subject to your jurisdiction, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data, subject to our legal retention obligations.
- Restrict or object to processing in certain circumstances.
- Port your data to another service in a machine-readable format.
- Withdraw consent for marketing at any time.
- Lodge a complaint with a data protection authority (for EEA/UK residents, your local supervisory authority).
To exercise any right, email mercury@exautomatica.com with your request. We respond within 30 days. For deletion requests, we may need to retain limited data to fulfill ongoing obligations (e.g., tax records, suppression lists).
9. Cookies and tracking
We use minimal cookies:
- Strictly necessary cookies for site functionality (e.g., remembering your audit progress mid-flow). No consent banner required.
- Analytics via Cloudflare Web Analytics (privacy-preserving, no cross-site tracking, no fingerprinting). If we add third-party analytics, we will display a consent banner first.
- No third-party advertising cookies. We do not run retargeting or behavioral advertising.
10. Security
We follow industry-standard security practices: TLS for data in transit, encrypted storage for data at rest, principle of least privilege for internal access, and incident response procedures aligned with industry frameworks. No system is perfectly secure; if we become aware of a breach affecting your data, we will notify you in accordance with applicable law (typically within 72 hours for GDPR-covered data).
11. Children
The Services are not intended for individuals under 16. We do not knowingly collect data from children. If you believe a child has provided us data, email us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy. Material changes will be communicated by email to active customers and posted on this page at least thirty (30) days before they take effect.
13. Contact
Applied AI Inc.
Attn: Privacy
131 Continental Drive, Suite 305
Newark, DE 19713
Wilmington, Delaware, USA
Email: mercury@exautomatica.com