Privacy Policy
Last updated: 2026-04-27
1. What we collect
When you use the service, we collect:
| Category | Examples |
|---|---|
| Account info | Business name, owner email, phone, mailing address, time zone, brand colors, logo |
| Customer-of-customer data | Names, emails, addresses, and invoice data for the people YOU bill through the service |
| Usage data | Login times, pages visited, features used, error logs (server-side only) |
| Payment data | Stripe customer ID and subscription status. Card details are stored by Stripe, not by us |
| Integration data | OAuth tokens for QuickBooks / GoHighLevel / Gmail; data synced from those services on your authorization |
| Communication | Support tickets, replies, and emails you send through the service |
2. How we use it
- To operate the service — render your invoices, send your emails, sync to your QB/GHL accounts
- To bill you and process refunds via Stripe
- To detect abuse and respond to security events
- To improve the service (aggregated, anonymized usage analytics only)
- To send transactional emails (password resets, paid receipts, account notices) — never marketing without consent
3. Who we share it with
We share data only with the third-party providers we depend on, and only as needed to operate the service:
- Vercel — application hosting (your data passes through Vercel's infrastructure)
- Supabase — database + authentication (encrypted at rest, encrypted in transit)
- Stripe — payment processing for SaaS subscriptions and customer invoice payments
- Anthropic — AI features (proposal rewriting, transcript extraction). Inputs are not used to train models.
- Intuit (QuickBooks) — only if you connect QB; we sync invoices and payments you authorize
- GoHighLevel — only if you connect GHL; we sync contacts you authorize
- Google (Gmail API) — to send emails via the kaizenshift.com Gmail account on your behalf
We don't sell your data. We don't use your data to train AI models. We don't share your data with advertisers.
4. How we protect it
- All data encrypted in transit (TLS 1.2+)
- All data encrypted at rest (Supabase + Vercel Blob)
- OAuth tokens stored encrypted; rotated on the integration provider's schedule
- Service-role database access restricted to server functions; tenant data isolated via Row-Level Security policies
- Audit log of every operator-impersonation session (when our team views your account for support)
5. Your rights
You can:
- Export all your data at any time from the admin UI
- Request deletion when you cancel — we begin within 7 days, complete within 30
- Update account info or revoke any integration connection from the admin UI
- Email scott@kaizenshift.com with any privacy questions
6. Data retention
- Active account data: retained for the life of the account
- Cancelled accounts: data retained for 30 days for recovery, then permanently deleted
- Email send records: retained for 2 years for audit + dispute resolution, then archived
- Server logs: retained for 90 days then deleted
- AI rewrite history: retained for 30 days then deleted
7. International transfers
The service runs on infrastructure based in the United States and Canada. By using the service, you consent to your data being processed in these jurisdictions, which may have different data protection rules than your home country.
8. Children
The service is not directed to children under 18. We don't knowingly collect data from children. If you believe we have, contact us and we'll delete it.
9. Changes
We'll notify you of material changes to this policy with at least 30 days' notice via email or in-app banner. Continued use means acceptance of the updated policy.
10. Contact
Privacy questions, deletion requests, or anything else: scott@kaizenshift.com. Mail: Kaizen Shift Inc., 10238 103 St NW, Edmonton AB, Canada.