AlgorithmShift

Legal

Privacy policy

Last updated: April 20, 2026

This policy explains what we collect, why we collect it, how we use it, and who we share it with. We're an early-access company — this document will tighten as we move through SOC 2 and enterprise review. Questions? Email privacy@algorithmshift.ai.

1. Overview

AlgorithmShift is an enterprise AI software development platform. To deliver the service we process two broad categories of data: information you provide directly (account details, prompts, uploaded documents) and information we generate on your behalf (specs, generated code, migrations, agent run logs). This policy covers both.

If you use AlgorithmShift on behalf of a company or team, that company or team is the “controller” of your usage under most privacy regimes; we act as their “processor”.

2. Who we are

AlgorithmShift Inc. (“AlgorithmShift”, “we”, “us”) is the data controller for data processed under this policy. Our business contact for privacy matters is privacy@algorithmshift.ai.

3. Data we collect

Account & identity

  • Name, work email, avatar, and employer (from sign-up or SSO).
  • Authentication tokens and session metadata. Passwords, when used, are stored only as salted hashes.

Workspace & product input

  • Requirement prompts, uploaded spec documents, schema descriptions, and any other inputs you provide to the agents.
  • Connected-database credentials, environment variables, and API keys you configure — stored encrypted in a secrets manager, not in plain database columns.

Generated artifacts

  • Generated code, migrations, design tokens, release notes, and the agent-run timelines that produced them.
  • Token usage, model, cost, and timing for each run — used for billing, debugging, and observability.

Usage & telemetry

  • Pages viewed, actions taken (e.g. “approved phase”, “exported SQL”), errors encountered.
  • IP address, browser, device type, and coarse geolocation derived from IP (country / region).

4. How we use it

  • Deliver the service. Run the agents you invoke, apply migrations you approve, store the artifacts you own.
  • Operate and secure. Monitor availability, debug failures, detect abuse, enforce rate limits.
  • Improve the product. Aggregate, anonymised usage tells us what agents get stuck, what features get used, and what to build next. Individual prompts are not used for this without explicit opt-in.
  • Bill you. Usage drives the Team and Enterprise pricing tiers.
  • Communicate. Transactional emails (sign-ups, approvals, failed jobs) and — only if you opt in — occasional product updates.

5. AI & model training

We do not train foundation models on your data. The underlying models (Anthropic Claude, others we may add) are operated by their respective vendors; per our agreements, your prompts and outputs are not used to train those models.

We may use aggregated, anonymised patterns (e.g. “the schema agent succeeded N% of the time on tables with more than 10 columns”) to tune our own prompt templates and orchestration. This does not include your actual prompts, code, or data.

6. How we share data

We share data only with the service providers who make the product work (see Sub-processors below), when required by law, or in the course of a corporate transaction that we'll notify you about.

We do not sell your data. We do not share it with advertisers. We do not use it for cross-context behavioural advertising.

7. Sub-processors

A current list of sub-processors is maintained on our Security page. Core processors include:

  • Cloud infrastructure — AWS (primary), tenant-isolated per region.
  • Foundation-model providers — Anthropic, for agent model calls. Zero-retention agreements in place.
  • Identity — your IdP (Okta, Google Workspace, etc.) if you use SSO.
  • Email + analytics — transactional email and product-analytics vendors, both bound by DPAs.

We notify customers of new sub-processors at least 30 days before they process production data.

8. Data retention

  • Account data — retained while your account is active, then 90 days after closure for dispute-resolution purposes, then deleted.
  • Generated artifacts — retained for the life of the workspace. You can export or delete at any time.
  • Agent run logs — 180 days by default. Enterprise customers can configure up to 7 years for audit needs.
  • Audit logs — 1 year by default; exportable to your SIEM for longer retention.

9. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or object to processing of your personal data. You can exercise these rights via the Settings page of your workspace, or by emailing privacy@algorithmshift.ai.

For EEA / UK users, our lawful bases for processing are contract (delivering the service), legitimate interest (product improvement, fraud prevention), and consent (optional marketing). You have the right to lodge a complaint with your local data-protection authority.

For California users, we do not sell or share personal information under CCPA's definitions, and we honour “Do Not Sell” signals as a default.

10. International transfers

Our primary infrastructure is in the United States. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses and — where relevant — the EU-US Data Privacy Framework. Enterprise customers can request a region-pinned deployment.

11. Cookies

We use a small set of cookies: strictly necessary (authentication, session), preferences (theme, locale), and analytics (first-party, anonymised). We do not use third-party advertising cookies. A cookie banner is shown to EU/UK visitors on first load; you can revisit preferences at any time via the footer link.

12. Children

AlgorithmShift is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we'll delete it.

13. Security

We encrypt data in transit (TLS 1.2+) and at rest (AES-256). Details on our tenant isolation, access controls, and compliance roadmap live on the Security page.

14. Changes to this policy

We'll update this page when practices change and bump the “last updated” date at the top. Material changes are announced via email to account owners at least 30 days before they take effect.

15. Contact

Email privacy@algorithmshift.ai for privacy questions, data-subject requests, or to report a concern. For urgent security issues, use security@algorithmshift.ai.

Note — this policy is under active review with counsel as we prepare for SOC 2 Type II and enterprise customer agreements. Enterprise customers receive a full Data Processing Addendum (DPA) as part of contracting.