Privacy Policy

1. Who we are

AI Shift Digital Ltd is a company registered in England and Wales (Company No. 17191528). Our registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

We operate ShiftID — a professional self-reflection platform that helps individuals understand their identity in the context of agentic AI disruption. Our services include the ShiftID Identity Mirror Quiz, the AI Role Exposure Report, and related digital products.

For the purposes of UK GDPR and the Data Protection Act 2018, AI Shift Digital Ltd is the data controller for personal data collected through our services.

To contact us about data protection matters: [email protected]

2. What data we collect

2.1 Data you provide directly

When you use our services, you may provide the following personal data:

• First name — collected on the quiz name screen and report gate form, used to personalise your results and communications
• Email address — collected when you unlock the full AI Role Exposure Report, used to deliver your report and send relevant communications you have consented to receive
• Country — collected to personalise your AI exposure score and quiz results to your local market context
• Department and job role/title — collected to personalise your quiz results, identity pattern and AI prompts to your specific professional context
• Quiz responses (Questions 1–4 and 6–10) — your multiple-choice answers to the 10 Identity Mirror Quiz questions, used to calculate your identity pattern and generate your personalised result. These responses are stored individually linked to your submission record and retained for pattern research purposes as described in Section 3 below
• Mirror Question response (Question 5) — your open-text answer to the qualitative Mirror Question ("What would you lose if your job title disappeared tomorrow?"). This response is used to inform your identity pattern analysis and is stored as part of your individual submission record. It may contain personal reflections about your career, sense of identity or employment circumstances. You provide this voluntarily. See Section 2.4 for specific information about how this data is handled
• Identity pattern result — the derived pattern assigned to you (Expert Under Pressure, Quiet Doubter, Conscious Shifter, or Identity-First Leader) based on your quiz responses. This is stored alongside your submission record
• AI exposure score — if you use the AI Role Exposure Report, your selected role's AI exposure score is stored as part of your lead record
• Consent record — when you consent to receive communications, we store a timestamped record of that consent including the date, time and version of the Privacy Policy in force at that time

2.4 The Mirror Question — additional information

2.5 Structured research dataset

We maintain a structured dataset of quiz submissions for the purpose of improving our identity pattern model and understanding professional identity trends in the context of AI disruption. This dataset includes all 11 quiz responses (multiple choice and open text), your derived pattern, role, country and department. It does not include your name or email address in the research dataset — these are stored separately in our CRM (GoHighLevel) and are not linked to the research dataset after initial processing.

After reaching 500 submissions, we conduct pattern distribution analysis to calibrate our model and improve result accuracy. This analysis is conducted on anonymised data only. No individual submission is identifiable in any analysis, report or publication we produce.

2.2 Data collected automatically

When you visit our website we may collect limited technical data through our privacy-friendly analytics tool (Plausible Analytics):

• Page views and navigation path
• Referring website or UTM campaign source
• Country and device type (derived from IP address — IP address itself is not stored)
• Browser type and screen size

2.3 Data we do not collect

We do not collect, store or process: payment card details (handled directly by Stripe), sensitive personal data as defined by UK GDPR (such as health, ethnicity, religion or political views), or data from children under 18.

3. How we use your data

We use your personal data for the following purposes:

• Delivering your quiz results and report — your name, role, country and all quiz responses (including your Mirror Question answer) are used to generate and personalise your Identity Mirror Report and AI Role Exposure Report
• Email communications — where you have given explicit consent, we send you emails relating to your results, follow-up insights and ShiftID products and services. You can unsubscribe at any time using the link in any email we send
• Pattern research and model improvement — we store all 11 quiz responses per submission (multiple choice answers and your Mirror Question open-text response) in a structured research dataset. After a minimum of 500 submissions, this dataset is analysed in anonymised, aggregated form to calibrate our identity pattern model and understand trends in professional identity across roles, departments and countries. Your name and email are not included in this research dataset. Individual responses are never published or attributed to any individual
• Product development — aggregated insights from our dataset inform the development of new ShiftID products, features and content. No individual data is used for this purpose in identified form
• Analytics — cookieless, anonymised usage data helps us understand how people navigate our site and identify where we can improve the user experience
• Legal compliance — we may process your data where required to comply with a legal obligation

We will never sell your personal data to third parties. We will never use your data for purposes incompatible with those described in this policy without first obtaining your explicit consent. We will never use your Mirror Question response in any marketing, advertising or published content in identified form.

4. Legal basis for processing

Under UK GDPR, we rely on the following legal bases to process your personal data:

• Consent (Article 6(1)(a)) — for sending you marketing emails and for processing your open-text Mirror Question response. You can withdraw consent at any time by unsubscribing from emails or contacting us at [email protected]
• Legitimate interests (Article 6(1)(f)) — for delivering the quiz results and report you have requested, and for improving our services through anonymised analytics. Our legitimate interests do not override your rights and freedoms
• Legal obligation (Article 6(1)(c)) — where we are required to process data to comply with applicable law

5. Who we share your data with

We share your personal data only with trusted third-party service providers who assist us in operating our services. All third parties are contractually required to handle your data securely and in accordance with applicable data protection law.

5.1 Our current third-party processors

• GoHighLevel (HighLevel Inc.) — our CRM and email marketing platform. Stores your name, email, role, country and identity pattern for the purpose of delivering communications you have consented to receive. Based in the United States. Covered by Standard Contractual Clauses for UK/EU data transfers.
• Pabbly Connect — our automation platform that transfers data between our website forms and GoHighLevel. Processes your submission data in transit only. Based in India. Subject to appropriate transfer safeguards.
• Cloudflare Inc. — our website hosting and delivery network. May process limited technical data as part of serving our web pages. Based in the United States. Covered by Standard Contractual Clauses.
• Plausible Analytics — our cookieless website analytics tool. Processes only anonymised, aggregated data. No personal data is transferred. Based in the European Union.
• Stripe Inc. — our payment processor for paid products. Handles payment card data directly — we never see or store your card details. Based in the United States. Covered by Standard Contractual Clauses. Subject to Stripe's own Privacy Policy.

5.2 Other disclosures

We may disclose your personal data to law enforcement or regulatory authorities where required by law, or where necessary to protect the rights, property or safety of ShiftID, our users or others.

6. How long we keep your data

• Contact and lead data (name, email, role, country) — retained in our CRM for up to 3 years from your last interaction with ShiftID, or until you request deletion, whichever comes first
• Quiz responses — multiple choice (Questions 1–4, 6–10) — retained in our research dataset in anonymised form indefinitely for pattern model calibration. Individual responses linked to your identity are deleted within 12 months of collection, or immediately upon a valid deletion request
• Mirror Question response (Question 5 — open text) — retained in identified form for up to 6 months from the date of submission, after which it is anonymised and retained only as part of the aggregated research dataset. You may request immediate deletion at any time by contacting [email protected]
• Identity pattern result and AI exposure score — retained as part of your CRM record for up to 3 years, and in anonymised research dataset indefinitely
• Consent records — retained for the duration of your relationship with ShiftID and for 3 years thereafter, as required to demonstrate lawful processing
• Email communications — retained for the duration of your email subscription. Deleted within 30 days of unsubscribe or deletion request
• Analytics data — cookieless, anonymised aggregates retained for 24 months. No personal data is retained in analytics
• Financial records — transaction data retained for 7 years to comply with UK financial regulations

7. Cookies and tracking

Our website does not use cookies for analytics or tracking purposes. We use Plausible Analytics which is a cookieless solution — it does not set any cookies in your browser and does not track you across websites.

The only cookies that may be set on our site are:

• Strictly necessary cookies — set by Cloudflare for security and performance purposes (e.g. bot protection). These do not require consent under PECR as they are essential for the website to function.
• Payment cookies — if you make a purchase, Stripe may set cookies on the payment page. These are covered by Stripe's own cookie policy and are necessary to process your payment securely.

We do not use advertising cookies, social media tracking pixels, or any third-party cookies for marketing purposes. You will not see a cookie consent banner on our site because we do not set non-essential cookies.

8. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

• Right of access — you can request a copy of the personal data we hold about you
• Right to rectification — you can ask us to correct inaccurate or incomplete data
• Right to erasure — you can ask us to delete your personal data. We will action this within 30 days
• Right to restriction — you can ask us to restrict how we use your data in certain circumstances
• Right to data portability — you can request your data in a structured, commonly used format
• Right to object — you can object to processing based on legitimate interests or for direct marketing purposes
• Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or damage. These include:

• HTTPS encryption on all pages via Cloudflare SSL
• Access controls limiting who within our organisation can access personal data
• Use of reputable, security-certified third-party processors
• Regular review of our data handling practices

While we take security seriously, no method of internet transmission or electronic storage is 100% secure. If you become aware of any security issue relating to our services please contact us immediately at [email protected].

10. Children's privacy

ShiftID is designed for working professionals and is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at [email protected] and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services or legal requirements. When we make material changes we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of our services after changes constitutes acceptance of the updated policy.

12. Contact us