Privacy Notice

This Privacy Notice for Shift("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

• Visit our website at keepshifting.org or any website of ours that links to this Privacy Notice
• Engage with us in other related ways, including any marketing or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services.

Table of Contents

1. What information do we collect?
2. How do we process your information?
3. Automated decision-making and AI
4. When and with whom do we share your personal information?
5. Service providers and sub-processors
6. Do we use cookies and other tracking technologies?
7. Is your information transferred internationally?
8. How long do we keep your information?
9. Do we collect information from minors?
10. What are your privacy rights?
11. California privacy rights (CCPA / CPRA)
12. Controls for Do-Not-Track features
13. Do we make updates to this notice?
14. How can you contact us about this notice?
15. How can you review, update, or delete the data we collect from you?

1. What Information Do We Collect?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information we collect may include the following:

• Names
• Email addresses
• Job titles
• Résumé / CV content
• LinkedIn profile URL
• Google Docs link
• Career intake answers

Sensitive Information

When necessary, with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information:

• User-submitted free-text content (resumes, Google Docs, career intake answers) may incidentally contain sensitive personal information voluntarily disclosed by the user. We do not request, infer, or use such information for targeting, profiling, or decision-making; it is processed solely as context for generating career path recommendations.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies. The information we collect includes:

• Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services. This may include your IP address, device information, browser type and settings, and information about your activity in the Services (such as pages viewed, time on page, features used, and timestamps).
• Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. This may include device and application identification numbers, browser type, hardware model, operating system, and system configuration.
• Location Data. We collect approximate geolocation derived from your IP address (country or region level). We do not collect precise GPS location.
• Session replay recordings. Recordings of user interactions on the site. Input values (form text, textarea content) are automatically masked before recording. Used for debugging and understanding user experience.
• Ad conversion and attribution data. Events recorded by LinkedIn Insight Tag and Impact.com tags indicating which advertisement or referral source brought a user to the site and which actions they completed afterward.

Information collected from other sources

In Short: We collect limited data from third-party services that enrich the information you provide.

When you paste a LinkedIn profile URL during onboarding, we call a third-party service (Fresh LinkedIn Profile Data, accessed via RapidAPI) that retrieves the publicly available information from that LinkedIn profile and returns it to us. This may include your name, headline, employment history, education, skills, location region, and profile photo URL.

When you paste a Google Docs link, we fetch the document’s plain-text contents from its public export endpoint.

We use this information solely to generate your personalized career recommendations. Under GDPR Article 14, you have the right to know when your personal data is collected from sources other than yourself — this section discloses that practice.

2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To generate personalized career path recommendations based on your profile and answers
• To deliver transactional email (for example, magic links that let you return to your saved paths)
• To send marketing and promotional communications, where you have opted in
• To protect our Services from abuse, fraud, and unauthorized access (including rate limiting)
• To maintain the technical operation of our Services
• For internal analytics, product improvement, and reporting
• To comply with applicable law

3. Automated Decision-Making and AI

In Short: Your career path recommendations are generated by an AI model. They are guidance, not professional advice, and may contain errors.

SHIFT uses a large language model provided by Anthropic PBC (the Claude family of models) to analyze your uploaded résumé, LinkedIn profile data, Google Docs content (if provided), and free-text intake answers, and to generate your three personalized career path recommendations.

This processing constitutes automated decision-making under GDPR Article 22 and similar laws. You have the right to:

• Obtain human review of the output by contacting us at support@keepshifting.org
• Request that your inputs not be processed by an AI model — in which case we are unable to generate paths for you
• Be informed of the general logic involved: the model takes your signals (skills, experience, stated goals, constraints) and produces structured recommendations from a curated course catalog plus its training knowledge of role clusters and market conditions

Important limits. AI-generated recommendations may contain errors or omissions. They are not professional career, legal, financial, or medical advice. The model is instructed not to fabricate credentials, certifications, or claims you have not actually earned — but you remain responsible for verifying any factual claim before acting on it.

Your inputs are sent to Anthropic’s API for inference. Anthropic’s processing terms are available at anthropic.com/legal/commercial-terms.

4. When and With Whom Do We Share Your Personal Information?

In Short: We may share information in specific situations described in this section and with the service providers listed in the next section.

We may share your personal information in the following situations:

• Service providers and sub-processors. We share information with the third-party vendors listed in Section 5 so they can perform services on our behalf.
• Business transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• Affiliate and referral partners. When you click a course link from your recommendations, you may be redirected to a third-party platform (e.g., Coursera, Udemy) through an affiliate network (e.g., Impact.com). That platform’s privacy policy then governs their collection of your information.
• Legal obligations. We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.

5. Service Providers and Sub-Processors

In Short: These are the third-party services that process your personal information on our behalf.

We rely on the following service providers to deliver our Services. Each processes personal information only under contractual terms that require confidentiality, security, and purpose limitation.

We update this list as our infrastructure changes. Material changes trigger an update to this Privacy Notice and, where required by law, notification to affected users.

6. Do We Use Cookies and Other Tracking Technologies?

In Short: We use cookies and tracking technologies for session management, analytics, and ad attribution.

We use the following categories of tracking technologies on our Services:

• Strictly necessary. A session cookie (shift_session) identifies your anonymous session so we can associate your intake answers with your generated paths. A resume-token cookie restores your session when you click the magic link emailed to you.
• Analytics. PostHog sets cookies to record pageviews, events, and session replays (with form inputs masked). These help us understand how people use the Services.
• Advertising and attribution. LinkedIn Insight Tag and Impact.com set cookies to measure which advertisements and referral sources bring people to the site. We use this data to evaluate ad performance.

If you are in the European Economic Area, United Kingdom, or Switzerland, the non-essential trackers above load only after you provide consent.

7. Is Your Information Transferred Internationally?

In Short: Yes — our primary servers are in the United States.

Our primary infrastructure (Supabase database, Vercel hosting) is located in the United States. Depending on your location, your information may be transferred to, stored by, and processed by our service providers in the United States and other countries.

If you are a resident of the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, these countries may not necessarily have data protection laws as comprehensive as those in your country. For transfers of your personal information out of the EEA/UK/Switzerland, we rely on the European Commission’s Standard Contractual Clauses with our sub-processors where applicable, and on other appropriate safeguards. We will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law.

8. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to provide the Services, subject to the specific retention periods below.

We keep your personal information only for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law. Specific retention periods:

• Session cookies + resume tokens: 30 days from last use; renewed automatically each time you visit your saved paths.
• Intake answers, parsed profile signals, generated paths, résumé content, LinkedIn snapshot, Google Docs content: retained for up to 24 months from your last active session, then deleted. You may request earlier deletion at any time (see Section 15).
• Résumé files in storage: deleted after engine processing completes and associated metadata is no longer needed (typically within 24 months).
• Email address (when you save your paths): retained until you unsubscribe or request deletion.
• Analytics (PostHog): retained per PostHog’s default retention (currently 12 months for events, rolling).
• Server logs (Vercel): typically 30 days for operational logs.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

9. Do We Collect Information From Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at support@keepshifting.org.

10. What Are Your Privacy Rights?

In Short: You may review, change, or terminate your use of the Services at any time. You may also request a copy, correction, or deletion of your personal information.

Withdrawing your consent

If we are relying on your consent to process your personal information — which may be express and/or implied consent depending on the applicable law — you have the right to withdraw your consent at any time. You can withdraw your consent by contacting us using the details provided in the "How can you contact us" section below. However, this will not affect the lawfulness of the processing before its withdrawal, nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing and promotional communications

You can unsubscribe from our marketing and promotional communications at any time by clicking the unsubscribe link in the emails that we send, or by contacting us at support@keepshifting.org. You will then be removed from the marketing lists. However, we may still communicate with you for service-related purposes — for example, to deliver magic links to return to your saved paths, or to respond to service requests.

Account information

If you would at any time like to review or change the information we hold about you, or request deletion, you can do so by submitting a data subject access request or by contacting us at support@keepshifting.org.

Upon your request to terminate your account, we will deactivate or delete your data from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms, and/or comply with applicable legal requirements.

11. California Privacy Rights (CCPA / CPRA)

In Short: California residents have specific rights regarding their personal information.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources from which we collected it, the purposes for collection, and the third parties with whom we have shared it.
• Right to delete. You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to correct. You have the right to request that we correct inaccurate personal information.
• Right to limit use of sensitive personal information. You have the right to direct us to limit our use of any sensitive personal information to that which is necessary to perform the services.
• Right to opt out of sale or sharing. We do not sell your personal information for money. However, our use of advertising and attribution trackers (LinkedIn Insight Tag, Impact.com) may qualify as “sharing” for cross-context behavioral advertising under CPRA. You may opt out using the link below.
• Right to non-discrimination. We will not deny, charge different prices for, or provide a different quality of service to you for exercising any of your rights.

Exercising your rights. To submit any of these requests, use our data subject access request form or email support@keepshifting.org. We will respond to verified requests within 45 days.

Do Not Sell or Share My Personal Information — use this link to submit a request to opt out of sharing your personal information for cross-context behavioral advertising.

Global Privacy Control (GPC). We honor GPC signals sent by your browser as a valid opt-out of sharing for cross-context behavioral advertising. Where supported by our infrastructure, non-essential advertising trackers are blocked for sessions where the GPC signal is present.

Authorized agents.You may designate an authorized agent to make requests on your behalf. We may require verification of the agent’s authority and your identity.

12. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals. However, as noted above, we do honor the Global Privacy Control signal. If a uniform standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

13. Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated “Last updated” date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

14. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at support@keepshifting.org.

Shift — a product of The Fair Winds Group LLC, California, United States.

15. How Can You Review, Update, or Delete the Data We Collect From You?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

To request to review, update, or delete your personal information, please fill out and submit a data subject access request or email support@keepshifting.org.