Privacy Policy
Last Updated: march 2026
ShifterLabs S.A.S. (“ShifterLabs,” “we,” “our,” or “us”) respects your privacy and is committed to protecting personal data in a transparent, responsible, and secure manner.
This Privacy Policy explains how we collect, use, store, disclose, and protect personal data when you visit our website, interact with our services, or use our learning solutions, including ShiftLoop, our digital learning delivery platform.
1. Who We Are
ShifterLabs is an education and technology company that designs and delivers digital learning experiences, training programs, and innovation solutions for educators, professionals, institutions, and organizations.
Where applicable, ShiftLoop may be used as a structured learning and reporting environment, while familiar channels such as WhatsApp may be used only as a conversational interface for learning delivery.
2. Scope of This Policy
This Privacy Policy applies to:
• visitors to our website;
• individuals who contact us or request information;
• learners using our training services or digital learning solutions;
• representatives of client organizations and institutional partners;
• users interacting with ShiftLoop or related services.
This Policy does not override separate contractual data protection terms that may apply between ShifterLabs and a client organization.
3. Personal Data We May Collect
Depending on the nature of the interaction, we may collect the following categories of personal data:
• identity information, such as name;
• contact information, such as email address, phone number, and organization;
• account and access information, such as login credentials or user identifiers;
• learning-related information, such as enrollment data, participation, module progress, quiz responses, completion status, badges, or certificates;
• communications data, such as messages sent to us through forms, email, or supported learning interfaces;
• technical data, such as device type, browser type, IP address, usage logs, and platform diagnostics;
• payment or billing information, where relevant to a paid service.
We aim to collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes described in this Policy. That reflects GDPR’s data minimization principle.
4. How We Collect Personal Data
We may collect personal data:
• directly from you when you contact us, register, enroll, or use our services;
• from client organizations that invite or enroll learners into a program;
• through website forms, cookies, analytics tools, and other standard web technologies;
• through learning delivery tools and service integrations used to operate our services;
• from supported messaging channels where learners have been properly enrolled or opted in.
Where messaging channels such as WhatsApp are used, they are used as a communication and learning interface, not as the sole governance layer of the service.
5. Why We Process Personal Data
We may process personal data for the following purposes:
• to provide and operate our website, services, and learning solutions;
• to onboard learners and manage access to courses or learning experiences;
• to deliver lessons, quizzes, reminders, certificates, badges, and related educational features;
• to monitor participation, progression, completion, and reporting;
• to communicate with users, clients, institutions, and partners;
• to provide support and respond to inquiries;
• to maintain service security, integrity, and performance;
• to comply with legal, contractual, and regulatory obligations;
• to improve our services, provided that we do so in a lawful and proportionate manner.
Where required by law, we will identify and rely on an appropriate lawful basis for processing, such as consent, contract performance, legitimate interests, or legal obligation. GDPR requires that processing be lawful and tied to a recognized basis.
6. Client Data Ownership and Institutional Control
For services delivered to or on behalf of client organizations, institutions, or partners:
• the client organization may act as the controller of learner personal data;
• ShifterLabs may act as a processor or service provider operating under documented client instructions;
• learner data and course-related data remain under the ownership or control of the relevant client organization, subject to applicable contracts and law;
• where enabled, client organizations may be provided with their own administrative environment, login credentials, dashboards, and tools to manage lessons, modules, user progress, badges, and reporting.
This reflects the GDPR distinction between controllers and processors and the need for clear contractual governance.
7. Our Core Privacy Commitments
ShifterLabs is committed to the following principles:
• we do not sell personal data;
• we do not share personal data with unrelated third parties for advertising or data brokerage purposes;
• we do not use client data or learner personal data to train generalized AI models;
• we aim to process personal data only for specified, legitimate, and transparent purposes;
• we apply data minimization and controlled access principles;
• we support client governance, accountability, and appropriate reporting structures.
8. Use of WhatsApp and Similar Interfaces
In some learning contexts, WhatsApp or comparable tools may be used to deliver messages, prompts, reminders, or learning interactions.
Where this occurs:
• WhatsApp is used only as a conversational learning interface;
• the underlying service logic, reporting, and administrative controls are managed through ShifterLabs systems and processes;
• messaging is used only where the relevant user or organization has provided the necessary authorization or opt-in;
• users may stop engaging or request support through the contact channels provided.
WhatsApp Business policies require businesses to maintain a privacy policy, obtain appropriate permissions, and respect opt-out requests. WhatsApp Business terms also contemplate processor-style obligations in certain enterprise processing contexts.
9. How We Share Personal Data
We may share personal data only when necessary and appropriate, including:
• with service providers and subprocessors who help us operate our services;
• with client organizations that sponsor, administer, or receive reporting for their own learners;
• with payment, hosting, analytics, communication, or infrastructure providers where relevant;
• where required by law, regulation, legal process, or legitimate authority.
When we use service providers, we seek to ensure that appropriate contractual and security safeguards are in place. Under GDPR, processor relationships must be governed by binding terms.
10. International Data Transfers
Because some technology providers or infrastructure services may operate internationally, personal data may be processed outside the country where it was collected.
Where personal data is transferred internationally, we aim to use appropriate safeguards, which may include:
• contractual data protection clauses;
• transfer mechanisms recognized by applicable law;
• vendor commitments and documented security measures;
• supplementary safeguards where appropriate.
International transfers involving EU personal data require lawful safeguards and accountability.
11. Data Retentio
We retain personal data only for as long as necessary for the purposes described in this Policy, including service delivery, reporting, contractual compliance, legal obligations, dispute resolution, and security.
Retention periods may vary depending on:
• the type of service being provided;
• whether the data belongs to an individual user or a client organization’s program;
• contractual obligations;
• legal or regulatory requirements.
Where data is no longer needed, we aim to delete, anonymize, or securely dispose of it in an appropriate manner. Storage limitation is a core GDPR principle.
12. Data Security
We implement reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.
These measures may include:
• access controls and role-based permissions;
• secure credentials and authentication practices;
• encryption in transit where supported;
• logging, monitoring, and system administration controls;
• secure hosting and infrastructure practices;
• backup and recovery procedures;
• incident response processes.
GDPR requires security measures appropriate to the level of risk.
13. Your Rights
Depending on your jurisdiction, you may have rights regarding your personal data, including the right to:
• access your personal data;
• correct inaccurate data;
• request deletion;
• restrict or object to certain processing;
• request portability, where applicable;
• withdraw consent where processing is based on consent;
• lodge a complaint with a competent supervisory authority.
Where ShifterLabs processes personal data on behalf of a client organization, requests may need to be directed first to that organization as the relevant controller.
14. Children’s Privacy
Our services are intended to be used in lawful educational and professional contexts. Where children’s data may be involved, we expect client institutions, parents, guardians, schools, or authorized organizations to ensure appropriate permissions, notices, and lawful participation.
We do not knowingly collect personal data from children in a manner inconsistent with applicable law.
15. Cookies and Website Technologies
Our website may use cookies, analytics tools, or similar technologies to improve functionality, understand website usage, and support performance and security.
Where required, we will provide notice and obtain consent for non-essential cookies.
16. Third-Party Services and Links
Our website or services may contain links to third-party sites or rely on third-party services. We are not responsible for the privacy practices of third-party websites or services outside our direct control.
Users should review the applicable privacy notices of those third parties where relevant.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or operational practices.
When we do, we will update the “Last Updated” date and, where appropriate, provide additional notice.
18. Contact Us
If you have questions about this Privacy Policy or about how personal data is handled, you may contact us at:
ShifterLabs S.A.S.
Important: This Privacy Policy is a high-level statement of ShifterLabs’ privacy commitments and practices. Certain services may also be governed by separate contractual data protection terms, notices, or client-specific agreements.
Terms of Service
Last Updated: march 2026
Welcome to ShifterLabs and ShiftLoop. These Terms of Service (“Terms”) govern your access to and use of the websites, platforms, digital learning solutions, services, content, and related offerings provided by ShifterLabs S.A.S.(“ShifterLabs,” “we,” “our,” or “us”).
By accessing or using our website, services, or platforms, you agree to be bound by these Terms. If you do not agree to these Terms, you should not use our services.
1. Who We Are
ShifterLabs is an education and technology company that designs and delivers digital learning experiences, training solutions, instructional systems, and innovation services for educators, institutions, organizations, professionals, and learners.
Our services may include, without limitation:
digital training programs;
online and hybrid learning experiences;
learning delivery through ShiftLoop;
instructional design and learning system services;
digital certification, reporting, and learner progress tools;
institutional and enterprise education solutions.
2. Scope of Services
These Terms apply to your use of:
the ShifterLabs website;
ShiftLoop and related learning platforms;
digital content, courses, modules, lessons, assessments, and certifications;
institutional, educational, and commercial services offered by ShifterLabs.
Some services may also be governed by separate agreements, proposals, statements of work, data processing agreements, pilot agreements, or client contracts. In the event of conflict, those specific agreements will govern the relevant service relationship.
3. Eligibility and Authority
By using our services, you represent and warrant that:
you are legally capable of entering into a binding agreement; or
if you are using the services on behalf of an organization, institution, school, company, or other legal entity, you have authority to bind that entity to these Terms.
If you do not have such authority, you must not use the services on behalf of that entity.
4. Accounts and Access
Some services may require account registration, login credentials, access codes, or administrative authorization.
You are responsible for:
providing accurate and current information;
maintaining the confidentiality of your credentials;
restricting unauthorized access to your account or administrative environment;
notifying us promptly of any suspected unauthorized use or security issue.
We reserve the right to suspend or restrict access where necessary to protect the security, integrity, or lawful operation of the service.
5. ShiftLoop and Learning Delivery
ShiftLoop is a structured digital learning environment developed and operated by ShifterLabs. Depending on the specific service configuration, ShiftLoop may include:
course, lesson, and module delivery;
learner onboarding and enrollment;
quizzes, prompts, and interaction checkpoints;
completion tracking and reporting;
badges, certificates, or recognition tools;
organization-level admin access and dashboards.
Where messaging tools such as WhatsApp are used in connection with ShiftLoop, they are used only as a conversational learning interface. The instructional logic, reporting structure, and administrative controls of the service are governed by ShifterLabs systems and related contractual arrangements.
6. Acceptable Use
You agree to use our services lawfully, responsibly, and in good faith.
You must not:
use the services for unlawful, fraudulent, deceptive, or harmful purposes;
interfere with or disrupt the services, infrastructure, or security;
attempt unauthorized access to systems, accounts, or data;
upload, transmit, or distribute malicious code or harmful material;
misuse learning interfaces for spam, harassment, abuse, or unrelated communications;
copy, scrape, reverse engineer, or exploit the services except as permitted by law or by written agreement;
use the services in a manner that infringes intellectual property, privacy, or other rights.
We may suspend or terminate access for violations of these Terms or where reasonably necessary to protect users, clients, or the platform.
7. Client Organizations and Institutional Use
Where services are provided to a client organization, institution, or enterprise:
the client may administer learner access, content structure, reporting, and participation rules;
the client may act as the primary controller of learner data for its program;
ShifterLabs may act as the technical service provider and processor, where applicable;
organization-specific administrative access may be provided, including dashboards, modules, lessons, learner progress, badges, and reporting tools.
Client organizations are responsible for ensuring that they have the lawful authority to provide learner information, enroll participants, and instruct ShifterLabs to process relevant data for the agreed educational purposes.
8. Data Ownership and Platform Governance
Unless otherwise agreed in writing:
client organizations retain ownership or control over their course content, learner data, and related organizational information;
ShifterLabs does not acquire ownership rights over client personal data or client educational records;
ShifterLabs may process such data solely as necessary to operate, maintain, secure, support, and improve the agreed services in accordance with applicable law and contract.
We do not sell personal data.
We do not use client data or learner personal data to train generalized AI models.
We do not share client data with unrelated third parties for advertising or data brokerage purposes.
9. Privacy and Data Protection
Your use of the services is also subject to our Privacy Policy, which explains how personal data is collected, used, stored, and protected.
Where required, additional data protection terms, including data processing addenda, may apply to institutional or enterprise services.
You agree that:
we may process personal data as described in our Privacy Policy and applicable agreements;
client organizations may provide us with participant data necessary to operate agreed learning services;
messaging-based delivery may require user opt-in, authorization, or institutionally valid enrollment processes, depending on the use case and jurisdiction.
10. Intellectual Property
All rights, title, and interest in and to the ShifterLabs website, ShiftLoop platform, software, branding, visual identity, proprietary systems, documentation, workflows, and underlying technology remain the property of ShifterLabs or its licensors, except for client-owned content and third-party materials.
You may not:
reproduce, modify, distribute, sublicense, or commercially exploit our proprietary materials without prior written permission;
remove branding, notices, or proprietary markings;
present our materials as your own.
Client content uploaded or provided to the service remains subject to the client’s ownership rights, subject to the limited rights necessary for us to provide the services.
11. Content and Learning Materials
We may provide educational materials, lessons, prompts, templates, frameworks, videos, quizzes, and related instructional content.
Unless otherwise agreed in writing:
such materials are licensed, not sold;
they may be used only for the intended educational or contractual purpose;
redistribution, resale, republication, or unauthorized reuse is prohibited.
Users remain responsible for how they apply educational content in their own professional, academic, or institutional environments.
12. Fees, Billing, and Payment
Certain services may be paid, subscription-based, pilot-based, or offered under a separate proposal or contract.
Where fees apply:
pricing, invoicing, billing terms, taxes, and payment schedules will be defined in the relevant offer, contract, or checkout process;
failure to pay may result in suspension, restricted access, or termination of service;
unless otherwise stated, fees are non-refundable once services have been rendered or access has been provisioned.
Institutional pilots, enterprise programs, and custom services may be subject to separate commercial terms.
13. Availability and Service Changes
We aim to provide reliable services, but we do not guarantee uninterrupted or error-free availability.
We may:
update, improve, modify, suspend, or discontinue parts of the services;
change features, interfaces, or functionalities;
perform maintenance, patches, or security-related interventions.
Where reasonably possible, we will seek to avoid unnecessary disruption.
14. Third-Party Services and Integrations
Our services may rely on or integrate with third-party providers, including messaging services, hosting providers, analytics services, payment processors, and infrastructure tools.
We are not responsible for the independent acts, terms, outages, or policies of third-party services beyond our reasonable control. Use of such services may also be subject to third-party terms and privacy notices.
15. Disclaimers
The services are provided on an “as is” and “as available” basis, except as otherwise expressly agreed in writing.
To the maximum extent permitted by law, ShifterLabs disclaims warranties of any kind, whether express, implied, statutory, or otherwise, including implied warranties of merchantability, fitness for a particular purpose, non-infringement, or uninterrupted availability.
Educational content and training services are intended to support learning and professional development, but we do not guarantee any specific academic, institutional, business, regulatory, or commercial outcome unless expressly agreed in writing.
16. Limitation of Liability
To the maximum extent permitted by applicable law, ShifterLabs shall not be liable for any indirect, incidental, consequential, special, exemplary, or punitive damages, including loss of profits, revenue, goodwill, data, opportunities, or business interruption, arising out of or related to the use of the services.
Our total aggregate liability arising out of or related to the services shall not exceed the amount actually paid by the relevant customer to ShifterLabs for the service giving rise to the claim during the [12] months preceding the event, unless otherwise required by law or expressly agreed in writing.
Nothing in these Terms excludes liability that cannot legally be excluded.
17. Indemnification
You agree to indemnify, defend, and hold harmless ShifterLabs, its officers, directors, affiliates, employees, contractors, and agents from and against claims, liabilities, losses, damages, judgments, costs, and expenses arising out of or related to:
your misuse of the services;
your violation of these Terms;
your infringement of third-party rights;
content, data, or instructions you provide unlawfully or without proper authorization.
18. Suspension and Termination
We may suspend, restrict, or terminate access to the services if:
you violate these Terms;
payment obligations are not met;
continued access would create legal, security, or operational risk;
required cooperation, authorization, or lawful basis for service delivery no longer exists.
You may stop using the services at any time, subject to any contractual obligations already agreed.
Upon termination, access rights may end, and data handling will proceed in accordance with applicable law, the Privacy Policy, and any contractual retention/deletion obligations.
19. Confidentiality
Where confidential information is exchanged in the context of institutional, enterprise, pilot, or commercial discussions, both parties are expected to use such information only for legitimate evaluation, delivery, administration, or contractual purposes, and not to disclose it improperly.
Additional confidentiality provisions may apply in separate written agreements.
20. Governing Law and Dispute Resolution
These Terms shall be governed by the laws of [Insert Jurisdiction], without regard to conflict of law principles, unless a separate signed agreement provides otherwise.
Any dispute arising under or in connection with these Terms shall be resolved in the competent courts of [Insert Jurisdiction], unless otherwise agreed in writing.
For international institutional or enterprise agreements, the parties may agree to an alternative governing law or dispute resolution framework in a separate contract.
21. Changes to These Terms
We may update these Terms from time to time.
When we do, we will revise the “Last Updated” date. Continued use of the services after updated Terms become effective constitutes acceptance of the updated Terms, unless applicable law requires a different notice or consent process.
22. Contact Information
If you have questions regarding these Terms, please contact us at:
ShifterLabs S.A.S.
quito, pichincha, ecuador
info@shifterlabs.com
www.shifterlabs.com
Data Processing Addendum (DPA)
Last Updated: march 2026
Important: This Data Processing Addendum is a general template for ShifterLabs services. Specific customer engagements may be governed by a customized DPA, SCC package, or negotiated contractual schedule.
This Data Processing Addendum (“DPA”) forms part of and supplements the applicable agreement, proposal, statement of work, pilot agreement, subscription agreement, or Terms of Service (the “Agreement”) between:
ShifterLabs S.A.S. (“Processor” or “ShifterLabs”), and
the customer, institution, organization, school, company, partner, or other legal entity receiving the services (“Controller” or “Customer”).
This DPA applies where ShifterLabs processes Personal Data on behalf of the Customer in connection with the provision of services, including but not limited to ShiftLoop, digital learning delivery, course administration, reporting, certification, onboarding, and related support services.
1. Purpose and Scope
The purpose of this DPA is to define the terms under which ShifterLabs processes Personal Data on behalf of the Customer and to ensure that such processing is carried out in accordance with applicable data protection law.
This DPA applies where:
the Customer acts as a controller of Personal Data; and
ShifterLabs acts as a processor processing Personal Data on the Customer’s behalf.
Where the parties’ relationship differs in a specific use case, the parties may define the applicable roles in a separate written agreement.
2. Definitions
For the purposes of this DPA:
“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, Regulation (EU) 2016/679 (“GDPR”).
“Personal Data” means any information relating to an identified or identifiable natural person processed by ShifterLabs on behalf of the Customer.
“Processing” means any operation performed on Personal Data, whether or not by automated means.
“Controller” means the entity that determines the purposes and means of the processing of Personal Data.
“Processor” means the entity that processes Personal Data on behalf of the Controller.
“Subprocessor” means any third party engaged by Processor to process Personal Data on behalf of the Controller.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
“Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
These concepts reflect GDPR and EDPB role guidance.
3. Subject Matter and Duration of Processing
ShifterLabs shall process Personal Data solely for the purpose of providing the services described in the Agreement, including platform operation, learner onboarding, learning delivery, reporting, support, and related administrative functions.
Processing shall continue only for the duration necessary to provide the services, unless otherwise required by applicable law or agreed in writing.
4. Nature and Purpose of Processing
The nature and purpose of the processing may include:
course and program enrollment;
learner onboarding and access management;
lesson, module, and assessment delivery;
participation, progression, and completion tracking;
reporting and analytics for Customer-authorized educational or organizational purposes;
badges, certifications, and completion records;
technical support, security, maintenance, and service administration.
Where supported messaging tools such as WhatsApp are used, they are used only as a conversational learning interface, while the underlying service governance, reporting, and administrative controls are managed through ShifterLabs systems and processes.
5. Categories of Data Subjects
Depending on the service, Data Subjects may include:
learners;
trainees;
teachers or educators;
employees or staff members;
administrators;
client representatives;
institutional or organizational users;
website or platform users.
6. Categories of Personal Data
Depending on the service configuration, Personal Data may include:
identification data, such as name;
contact data, such as email address and phone number;
account and access data, such as user identifiers or login credentials;
course participation and learning data, such as module progression, quiz responses, completion records, and badges;
communications data relevant to the service;
technical and usage data relevant to platform administration, security, and support;
limited billing or transaction information, where applicable.
Processor shall aim to process only Personal Data that is adequate, relevant, and limited to what is necessary for the purposes defined by the Customer. GDPR’s data minimization and purpose limitation principles require that.
7. Controller Obligations
The Customer represents and warrants that:
it has a valid legal basis for the processing of Personal Data;
it has provided all required notices to Data Subjects;
it has obtained any necessary consents, permissions, or authorizations;
it has the right to disclose Personal Data to ShifterLabs for processing under the Agreement;
its instructions to ShifterLabs comply with Applicable Data Protection Law.
The Customer remains responsible for determining the purposes and essential means of processing, and for responding to Data Subject rights requests where it acts as Controller.
8. Processor Obligations
ShifterLabs shall:
process Personal Data only on documented instructions from the Customer, unless otherwise required by law;
ensure that persons authorized to process Personal Data are subject to confidentiality obligations;
implement appropriate technical and organizational measures to protect Personal Data;
assist the Customer, where reasonably possible, in responding to Data Subject requests and meeting its legal obligations;
inform the Customer if, in Processor’s opinion, an instruction infringes Applicable Data Protection Law, unless prohibited by law from doing so.
These are core GDPR Article 28-type processor duties.
9. Confidentiality
Processor shall ensure that employees, contractors, and authorized personnel who access Personal Data are bound by confidentiality obligations and receive appropriate training or instructions regarding data protection and information security.
10. Security Measures
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to Data Subjects, Processor shall implement appropriate technical and organizational measures designed to protect Personal Data.
Such measures may include, where appropriate:
access control and role-based permissions;
password protection and authentication controls;
encryption in transit where supported;
secure infrastructure and hosting practices;
backup and recovery procedures;
logging, monitoring, and administrative controls;
vulnerability management and security maintenance;
secure deletion or disposal practices;
incident response procedures.
GDPR Article 32 requires security measures appropriate to the risk.
11. Subprocessors
The Customer authorizes ShifterLabs to engage Subprocessors where reasonably necessary to provide the services.
Processor shall:
impose data protection obligations on Subprocessors that are no less protective than those set out in this DPA;
remain responsible for the performance of its Subprocessors to the extent required by law;
maintain and provide, upon request or through a public notice, a list of relevant Subprocessors used in connection with the services;
use reasonable efforts to notify Customer of material changes to Subprocessors where legally or contractually required.
If the Customer reasonably objects to a new Subprocessor on documented data protection grounds, the parties shall discuss the concern in good faith.
12. International Data Transfers
To the extent Processor transfers Personal Data outside the jurisdiction in which it was collected, including outside the European Economic Area where applicable, Processor shall use appropriate safeguards as required by Applicable Data Protection Law.
Such safeguards may include:
adequacy decisions;
Standard Contractual Clauses (“SCCs”);
supplementary measures where appropriate;
other lawful transfer mechanisms recognized under applicable law.
The European Commission’s SCC framework remains the standard contractual mechanism for many restricted transfers.
13. Data Subject Rights Assistance
Taking into account the nature of the processing, Processor shall provide reasonable assistance to the Customer, insofar as possible, to enable the Customer to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Law.
Where Processor receives a Data Subject request directly and the Customer is the Controller, Processor shall, unless prohibited by law, direct the requester to the Customer or promptly notify the Customer.
14. Assistance with Compliance
Processor shall provide reasonable assistance to the Customer, taking into account the nature of the processing and the information available to Processor, in relation to:
security of processing;
breach notification obligations;
data protection impact assessments, where relevant;
prior consultation with supervisory authorities, where required.
15. Personal Data Breach Notification
In the event of a Security Incident involving Personal Data processed under this DPA, Processor shall notify the Customer without undue delay after becoming aware of the incident.
Such notification shall include, to the extent reasonably available:
the nature of the incident;
the categories of data affected;
the likely consequences;
the measures taken or proposed to address the incident;
relevant contact information for follow-up.
Processor shall cooperate reasonably with the Customer in investigating and responding to the incident.
16. Deletion and Return of Data
Upon termination or expiry of the Agreement, and at the Customer’s choice where feasible and unless otherwise required by law, Processor shall:
delete Personal Data; or
return Personal Data to the Customer and then delete remaining copies.
Processor may retain Personal Data only to the extent required by applicable law, regulatory obligation, or legitimate archival and security requirements, and in such case shall continue to protect the retained data in accordance with this DPA.
17. Audit and Information Rights
Processor shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.
Where appropriate and proportionate, and subject to confidentiality, security, and operational safeguards, Processor shall allow for audits, inspections, or equivalent review mechanisms by the Customer or an independent auditor mandated by the Customer, provided that:
reasonable advance notice is given;
audits occur during normal business hours;
the audit scope is limited to matters relevant to the services and this DPA;
the Customer bears its own costs unless otherwise agreed.
GDPR expects processors to make compliance information available and support appropriate review.
18. No Sale of Personal Data
Processor shall not sell Personal Data.
Processor shall not disclose Personal Data to unrelated third parties for advertising, behavioral targeting, or data brokerage purposes.
19. No AI Training on Client Data
Processor shall not use Customer Personal Data, learner Personal Data, or client content processed under the Agreement to train generalized machine learning or artificial intelligence models.
This restriction does not prevent Processor from:
using aggregated or anonymized operational metrics where lawful and not identifiable to a person or client; or
using narrowly scoped service-improvement data where expressly agreed in writing and lawful.
20. Client Data Ownership
As between the parties, the Customer retains ownership or control of its client content, learner records, and Personal Data processed under this DPA, subject to applicable law and the Agreement.
Nothing in this DPA transfers ownership of Customer Personal Data to Processor.
21. Admin Access and Organizational Segregation
Where enabled as part of the service, Processor may provide Customer with organization-level administrative access, including access to dashboards, lessons, modules, learner progress, badges, reports, and related functions.
Processor shall use reasonable efforts to structure such access in a manner that supports organizational segregation, controlled permissions, and limited access to only the data relevant to the Customer’s own users and learners.
22. WhatsApp and Messaging Interfaces
Where messaging tools such as WhatsApp are used as part of the service:
they are used as a communication or learning interface only;
the broader governance, reporting, and service administration functions remain subject to the Agreement and this DPA;
Customer is responsible for ensuring lawful enrollment, notice, and opt-in where required;
Processor shall use such channels only in connection with authorized service delivery.
23. Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions set out in the Agreement, except to the extent prohibited by Applicable Data Protection Law.
24. Priority
If there is a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA shall prevail to the extent of that conflict.
25. Governing Law
This DPA shall be governed by the governing law specified in the Agreement, unless otherwise required by Applicable Data Protection Law or agreed in writing.
26. Annexes
The following annexes may be attached to this DPA, where applicable:
Annex I – Description of Processing Activities
Annex II – Technical and Organizational Measures
Annex III – List of Subprocessors
Annex IV – International Transfer Mechanisms / SCC Module Selection
Optional Annex I – Description of Processing Activities
Subject Matter: provision of digital learning, reporting, administration, and support services.
Duration: for the term of the Agreement and any agreed retention period.
Nature and Purpose: onboarding, course delivery, progress tracking, support, reporting, certification.
Categories of Data Subjects: learners, administrators, client representatives, institutional users.
Categories of Personal Data: names, contact information, identifiers, learning records, usage/support data.
Optional Annex II – Technical and Organizational Measures
Processor maintains measures appropriate to risk, including, where relevant:
access controls;
authentication measures;
secure hosting;
encryption in transit where supported;
monitoring and logging;
backup and recovery;
restricted personnel access;
incident response procedures;
secure deletion practices.
Optional Annex III – Subprocessors
Processor may use subprocessors for:
cloud hosting and infrastructure;
analytics and diagnostics;
communications and messaging integrations;
payment processing;
support and service administration.
A current list may be provided upon request or maintained through a public-facing notice.
Optional Annex IV – International Transfers
Where required, the parties may incorporate:
European Commission Standard Contractual Clauses;
UK or Swiss transfer addenda where relevant;
supplementary measures, if appropriate;
transfer risk documentation as reasonably required.
Subprocessors / Infrastructure Notice
Last Updated: march 2026
ShifterLabs S.A.S. (“ShifterLabs,” “we,” “our,” or “us”) may use carefully selected third-party service providers to support the delivery, operation, security, hosting, maintenance, and administration of our services, including ShiftLoopand related digital learning solutions.
This Subprocessors / Infrastructure Notice explains the categories of third-party providers we may use, the nature of their services, and our approach to governance and data protection.
1. Purpose of This Notice
We are committed to transparency regarding the infrastructure and external service providers that may support our services.
This notice is intended to help customers, institutions, partners, and users understand:
the categories of subprocessors and infrastructure providers we may rely on;
the functions they perform;
the types of data they may process in connection with those functions;
the safeguards we seek to apply when engaging such providers.
2. What Is a Subprocessor?
A subprocessor is a third-party service provider engaged by ShifterLabs to process personal data on behalf of a customer in connection with the services we provide.
Not every infrastructure or technology provider necessarily acts as a subprocessor in every context. The role of a provider depends on the specific service configuration, the type of data involved, and the nature of the processing activity.
3. How We Select Providers
ShifterLabs seeks to use service providers that are appropriate to the nature, scale, and risk profile of the services being delivered.
When selecting providers, we may consider factors such as:
security and operational reliability;
functionality and technical suitability;
privacy and data protection posture;
contractual commitments;
availability of data protection terms;
ability to support lawful and secure service delivery.
4. Categories of Providers We May Use
Depending on the service configuration, we may use providers in one or more of the following categories:
a. Cloud Hosting and Infrastructure Providers
These providers may host application environments, databases, storage, backups, or related infrastructure necessary for the operation of our services.
b. Communication and Messaging Providers
These providers may support communication workflows, including messaging interfaces used for learning delivery, onboarding, notifications, or support.
Where messaging tools such as WhatsApp are used, they are used as communication or conversational learning interfaces, while ShifterLabs remains responsible for the broader service logic, reporting, and governance layer.
c. Email and Notification Providers
These providers may support transactional email, service notifications, onboarding messages, password resets, or account-related communications.
d. Analytics and Diagnostic Providers
These providers may support service monitoring, error diagnostics, platform stability, and lawful analytics related to performance, usage, or technical improvement.
e. Authentication and Access Management Providers
These providers may support login systems, identity verification, credential management, or secure access functions.
f. Payment and Billing Providers
For paid services, these providers may support payment processing, invoicing, billing operations, or related financial transactions.
g. File Storage and Document Management Providers
These providers may support secure storage, retrieval, or management of documents, reports, certificates, or service-related materials.
h. Customer Support and Service Administration Providers
These providers may support helpdesk systems, ticketing, account support, or other service administration functions.
5. Types of Data That May Be Processed
Depending on the category of provider and the service being delivered, subprocessors or infrastructure providers may process limited categories of data such as:
names;
email addresses;
phone numbers;
organization or institution names;
user identifiers;
course participation or completion records;
technical or device-related metadata;
service logs;
limited billing or payment information;
support communications.
We aim to limit data sharing with providers to what is reasonably necessary for the relevant service function.
6. Our Core Commitments Regarding Providers
ShifterLabs seeks to apply the following principles when engaging subprocessors or infrastructure providers:
we do not use providers for the purpose of selling customer data;
we do not authorize providers to use customer data for unrelated advertising purposes on our behalf;
we do not use customer data or learner personal data processed under client services to train generalized AI models;
we seek to ensure that providers are engaged only for legitimate operational, technical, security, communication, or support purposes;
we aim to maintain reasonable contractual and operational safeguards appropriate to the service context.
7. Customer Data Ownership
Use of subprocessors does not change the ownership or control structure of customer data.
As between ShifterLabs and the customer:
customer organizations retain ownership or control of their own content, learner data, and related records, subject to applicable law and contract;
ShifterLabs uses subprocessors only to support the delivery and operation of the agreed services;
subprocessors do not obtain independent ownership rights over customer data through their involvement in the service chain.
8. International Processing and Transfers
Some subprocessors or infrastructure providers may operate in jurisdictions outside the country in which data is originally collected.
Where this occurs, ShifterLabs seeks to apply appropriate safeguards in accordance with applicable law and contractual requirements. These may include:
provider data protection terms;
data processing agreements;
standard contractual clauses or similar transfer mechanisms;
supplementary measures where appropriate;
commercially reasonable diligence regarding provider privacy and security posture.
9. Security and Access Controls
We seek to use providers that support appropriate technical and organizational measures, taking into account the nature and sensitivity of the service.
These measures may include:
access controls;
secure hosting practices;
authentication protections;
encryption in transit where supported;
audit or logging capabilities;
backup and recovery processes;
service reliability and monitoring controls.
10. Provider Changes
Our provider stack may change over time as our services evolve.
We may add, replace, or remove subprocessors or infrastructure providers for operational, legal, technical, or commercial reasons. Where required by contract or law, we may provide notice of material subprocessor changes.
11. Current Provider List
A current list of subprocessors and infrastructure providers may be made available:
upon request;
through a customer-specific agreement or annex;
through a separate subprocessor list maintained by ShifterLabs.
Where a specific customer engagement requires greater detail, ShifterLabs may provide a more specific subprocessor schedule identifying:
provider name;
processing activity;
location or region;
service category.
12. Customer Questions and Requests
Customers who require more detailed information regarding subprocessors, infrastructure, or data processing governance in connection with a specific service may contact us using the details below.
Where appropriate, and subject to confidentiality, security, and contractual limitations, we may provide additional information regarding the provider categories relevant to that customer’s service configuration.
13. Contact
If you have questions regarding this Subprocessors / Infrastructure Notice, please contact:
ShifterLabs S.A.S.
ShifterLabs may use providers in categories such as cloud hosting, communications and messaging, transactional email, analytics, authentication, billing, file storage, and service administration. Specific providers may vary depending on the customer engagement and technical configuration.
Cookie Notice
Last Updated: March 2026
This Cookie Notice explains how ShifterLabs S.A.S. (“ShifterLabs,” “we,” “our,” or “us”) uses cookies and similar technologies on our website and related digital services.
It should be read together with our Privacy Policy.
1. What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help websites function properly, remember preferences, improve performance, and provide information about how a website is used. The European Commission describes cookies this same way in its own policy.
Cookies may be:
first-party cookies, set directly by our website;
third-party cookies, set by external services integrated into our website;
session cookies, which expire when you close your browser;
persistent cookies, which remain on your device for a defined period.
2. Why We Use Cookies
We may use cookies and similar technologies for the following purposes:
to make our website function properly;
to remember user preferences;
to improve website security and performance;
to understand how visitors use our website;
to support analytics, diagnostics, and service administration;
to improve user experience and website usability.
3. Types of Cookies We May Use
a. Strictly Necessary Cookies
These cookies are necessary for the operation, security, and core functionality of the website. They may include cookies used to:
maintain session integrity;
support login or authentication;
remember privacy or cookie preferences;
enable basic website features;
protect against abuse or security threats.
These cookies are generally not optional because the website cannot function properly without them. The European Commission and CNIL both distinguish necessary cookies from those that require consent.
b. Preference Cookies
These cookies remember choices you make, such as:
language settings;
cookie preferences;
user interface preferences;
region or display settings.
These help provide a more consistent and personalized browsing experience.
c. Analytics or Audience Measurement Cookies
These cookies help us understand how visitors use our website, such as:
which pages are visited;
how long users stay on the site;
whether users encounter performance or navigation issues;
overall site usage trends.
Where required by law, these cookies will only be used with your consent. In some jurisdictions, certain audience-measurement cookies may be exempt from consent only under specific conditions, such as being strictly limited to audience measurement on behalf of the site operator. CNIL makes this distinction explicitly.
d. Functional Cookies
These cookies support additional website functionality, such as embedded tools, forms, media content, or other service features.
e. Third-Party Cookies
Some cookies may be set by third-party providers whose services we use for analytics, embedded content, communication tools, or infrastructure support.
We do not control third-party cookies in the same way as our own first-party cookies, and their use may be subject to the privacy and cookie policies of the relevant third parties.
4. Legal Basis for Cookie Use
Where required by applicable law, we rely on:
necessity for strictly necessary cookies; and
consent for non-essential cookies, including certain analytics, functional, or third-party cookies.
Visitors should be able to accept or refuse non-essential cookies. The European Commission’s own cookie policy uses this accept/refuse model.
5. How You Can Manage Cookies
You can manage your cookie preferences in several ways:
through our cookie banner or preference center, where available;
through your browser settings;
by deleting existing cookies from your device;
by blocking future cookies through your browser configuration.
Please note that disabling certain cookies may affect website functionality or limit your experience.
6. Consent and Withdrawal
Where consent is required, we will request it before placing non-essential cookies on your device.
You may withdraw or update your consent at any time through the cookie settings mechanism made available on our website.
CNIL also emphasizes that users must have a real ability to refuse or oppose certain tracking technologies, including in some audience-measurement contexts.
7. Cookie Retention
Cookies may remain on your device for different periods depending on their purpose.
Some cookies are deleted when you close your browser, while others remain until they expire or are manually deleted.
Where possible, we aim to keep cookie retention periods proportionate to their purpose.
8. Third-Party Services
Our website may rely on external providers for certain services, such as:
analytics;
embedded media;
communication tools;
infrastructure support;
website performance monitoring.
These providers may place cookies or similar technologies on your device when their services are loaded through our website.
For more information, please review the relevant third-party privacy and cookie notices where applicable.
9. Changes to This Cookie Notice
We may update this Cookie Notice from time to time to reflect changes in our website, legal requirements, or operational practices.
When we do, we will update the “Last Updated” date above.
10. Contact Us
If you have questions about this Cookie Notice or our use of cookies, you may contact us at:
ShifterLabs S.A.S.
