Privacy Policy

1. Who we are

Ares Online S.R.L. is the controller of personal information processed in connection with the Services, except where we act as a processor on behalf of a business customer (see our Data Processing Addendum).

• Legal entity: Ares Online S.R.L. (Romania), trading as Shadow Pages.
• Registered address: [ROMANIAN REGISTERED ADDRESS]
• Trade Register / CUI: [CUI / TRADE REGISTER NO.]
• Privacy contact: legal@shadowpages.ai
• UK representative (Art. 27 UK GDPR): [UK REPRESENTATIVE NAME AND ADDRESS]. We have appointed a UK representative because we may target offerings to data subjects in the United Kingdom.

As our controller is established within the European Union, an Article 27 EU GDPR representative is not required.

2. Scope & controller / processor roles

This Policy covers personal information we process as a controller: data of website visitors, prospects, applicants, customers, billing contacts, and call participants.

Where a business customer uses the Services to process the personal information of its own end-users, audience members, or leads, the business customer is the controller and Ares Online S.R.L. acts as processor under our Data Processing Addendum, which forms part of the contract.

3. Comprehensive privacy laws that apply

This Policy is drafted to comply with the following frameworks, to the extent each applies to a given data subject and processing activity:

• EU GDPR— Regulation (EU) 2016/679, and the Romanian implementing Law no. 190/2018.
• Romanian Law no. 506/2004— on the processing of personal data and the protection of privacy in the electronic-communications sector (ePrivacy).
• UK GDPR and the Data Protection Act 2018.
• Swiss revFADP— Federal Act on Data Protection.
• California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
• The Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and the Virginia Consumer Data Protection Act (VCDPA), to the extent we direct the Services at residents of those states and meet the applicable thresholds.

Where local law grants stronger rights than this Policy describes, those local rights prevail.

4. Sources of personal information we collect

We collect personal information from three categories of sources:

4.1 Voluntary submissions

Information you provide directly to us when you fill out our intake or application form, book a discovery call, register an account, attend onboarding, send us a support ticket, comment on our content, reply to a marketing email, or otherwise voluntarily share information through the Services.

4.2 Automatic collection

Information collected automatically when you interact with the Site or the Services, including IP address, user-agent string, device and browser identifiers, referring URL, pages viewed, timestamps, click and scroll events, and cookie identifiers (see our Cookie Policy).

4.3 External sources

Information we receive from third parties such as our payment processor ([PAYMENT_PROCESSOR]), our scheduling tool (Calendly), our analytics providers (Google Analytics 4, Vercel Analytics), our CRM/email tooling, our LLM inference vendors (OpenAI, Anthropic), publicly available sources, and partners who refer customers to us under lawful arrangements. Where you sign in with a social account or interact with our social-media presence, we receive limited profile information governed by that platform’s own privacy policy.

5. Categories of personal information

We collect or have collected, in the past twelve months, the following categories of personal information, mapped to the CCPA/CPRA taxonomy:

5.1 General Identifiers

Name, email address, postal address, phone number (if provided), social handles, country, time zone, and similar identifiers.

5.2 Business & Commercial Information

Job title, employer, niche/industry, products or services you sell, billing entity, billing country, last four digits of card, transaction history, invoice status, applicable VAT data, and other purchase-related information.

5.3 Internet & Network Activity

IP address, device identifiers, browser type, operating system, referring URL, pages viewed, clicks, scroll depth, session duration, and interactions with our emails, ads, and Site.

5.4 Application Information

If you apply to join the Shadow Pages team or to be considered for a partnership programme, we may collect resume content, work history, references, and other application information you submit.

5.5 Audio & Visual Information

If you opt in to a recorded discovery, onboarding, or coaching call, we may collect audio and video recordings and the transcripts and notes derived from them.

5.6 Analytics & Inference Data

Aggregated and inferred data about your engagement with the Services, including segment membership, content preferences, lifecycle stage, and product-usage patterns. We use this data to improve and personalise the Services.

5.7 Sensitive Personal Information

We do not request and do not knowingly collect sensitive personal information as defined by the CPRA (e.g., government identifiers, account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, health, sex life or sexual orientation, biometric data) or special categories of personal data under Article 9 GDPR. You must not submit such data through the Services without our prior written agreement.

5.8 De-identified Information

We may de-identify or aggregate personal information so that it no longer reasonably identifies, relates to, or could be linked to a particular consumer or household. We maintain de-identified information without attempting to re-identify it and require any recipient to do the same.

6. Affinity actions & social media

Shadow Pages maintains a presence on third-party social-media platforms (such as Instagram, TikTok, YouTube, X, LinkedIn, and Facebook). When you follow, like, comment on, share, message, or otherwise engage with our profiles or posts (“affinity actions”), the relevant platform may share with us limited information such as your handle, public profile data, and engagement metrics.

Those platforms are independent controllers of any personal information you provide to them. Their use of your data is governed by their own privacy policies, not by this Policy. We are not responsible for the practices of third-party platforms. We recommend reviewing the privacy policy of each platform before engaging with our content there.

7. Purposes of processing

• To create and administer your account.
• To deliver and operate the Services you purchased.
• To process payments, produce invoices, and meet tax obligations under Romanian and EU law.
• To respond to support requests and client communications.
• To send service messages (billing, security, product updates) and, with consent, marketing emails and SMS.
• To monitor, secure, and improve the Services, including fraud detection and abuse prevention.
• To produce aggregated, de-identified analytics about how the Services are used.
• To comply with legal obligations, enforce our Terms of Service, Website Terms of Use, and Acceptable Use Policy, and to defend our legal rights.

8. Legal bases (GDPR Article 6)

• Contract (Art. 6(1)(b)): to provide the Services you purchased and to take pre-contractual steps such as processing applications and discovery calls at your request.
• Legitimate interests (Art. 6(1)(f)): to secure the Services, prevent fraud, conduct internal analytics, and promote our business to existing customers. We balance these interests against your fundamental rights and freedoms, and you may object at any time (see Section 15).
• Consent (Art. 6(1)(a)): for non-essential cookies, marketing emails or SMS to prospects, and call recordings where required by law. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Legal obligation (Art. 6(1)(c)): for tax, accounting, anti-money-laundering, and other statutory record-keeping required under Romanian and EU law.

9. Retention periods

We keep personal information only as long as we need it for the purposes we have told you about, plus any period required to meet legal obligations or to defend legal claims.

10. Disclosure to third parties & sub-processors

We share personal information only with vetted vendors who help us run the Services. Each is bound by a written agreement with confidentiality and security obligations, and where the vendor processes personal information on our behalf, by Article 28 GDPR terms.

• Vercel Inc.— hosting and edge delivery (United States). Transfers governed by Standard Contractual Clauses (SCCs).
• Calendly LLC— call scheduling (United States). Transfers governed by SCCs.
• Google LLC— Google Analytics 4 and business email (United States / EU). Transfers governed by SCCs.
• [PAYMENT_PROCESSOR]— payment processing, billing, fraud screening, and tax compliance. Transfers governed by SCCs where applicable.
• OpenAI, OpenAI Ireland Ltd., and Anthropic PBC — large-language-model inference for in-product AI features (United States / EU). Used under no-training contractual terms; transfers governed by SCCs.
• Customer support & CRM tooling— ticket handling and lifecycle communications.

We do not sell personal information for monetary consideration. We may “share” limited identifiers with advertising partners for cross-context behavioural advertising as defined under the CPRA; you can opt out via /do-not-sell (see Section 12). We may also disclose personal information to comply with law, respond to lawful requests from competent authorities, or protect the rights, property, and safety of Ares Online S.R.L., our customers, or others. In the event of a merger, acquisition, or asset sale, data may be transferred, subject to the protections of this Policy.

11. International data transfers

Personal information may be transferred to and processed in the United States and other countries outside the European Economic Area (EEA), the United Kingdom, and Switzerland. Where required, we rely on the following safeguards:

• The European Commission’s Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum issued by the ICO.
• Adequacy decisions, where they apply (including the EU-U.S. Data Privacy Framework for certified U.S. importers).
• Supplementary safeguards such as encryption in transit and at rest, pseudonymisation where feasible, and contractual access controls.

A copy of the relevant transfer mechanism is available on request at legal@shadowpages.ai.

12. Sale, sharing & targeted advertising

We do not “sell” personal information in exchange for monetary consideration. In the past twelve months, we may have “shared” (as that term is defined by the CPRA) limited identifiers and device data with advertising partners for the purpose of cross-context behavioural advertising on third-party platforms.

You have the right to opt out of any such sharing or sale at any time. To do so:

• Use our dedicated form at /do-not-sell.
• Email legal@shadowpages.ai with subject “Do Not Sell or Share My Personal Information request.”
• Manage non-essential cookies via the cookie banner trigger in the footer (see our Cookie Policy).

We will honour valid requests within 15 business days for California consumers and 45 days for residents of other U.S. states that grant a right to opt out of targeted advertising, sale, or profiling.

13. Global Privacy Control & Do Not Track

Global Privacy Control (GPC).We treat a valid GPC browser signal as a legally enforceable opt-out of the “sale” and “sharing” of personal information and, where applicable, as an opt-out of targeted advertising for the device or browser sending the signal. You do not need to be logged in for the GPC signal to be honoured for the relevant device/browser.

Do Not Track (DNT). Browser DNT signals are not yet a uniform industry standard. We therefore do not respond to DNT signals as a primary opt-out signal; consent recorded via our cookie banner and any GPC signal take precedence.

14. Promotional messages & SMS consent

If you opt in to receive promotional emails or SMS/MMS from Shadow Pages, you consent to receive recurring messages at the address or number you provided. Frequency varies. Standard message and data rates may apply based on your carrier plan. We are not responsible for delays or failed deliveries caused by your wireless or email carrier; carriers are not liable for delayed or undelivered messages.

• Reply STOP to any SMS to unsubscribe from future messages on that programme. You will receive a final confirmation message.
• Reply HELP for help, or contact legal@shadowpages.ai.
• For email, click UNSUBSCRIBEin the footer of any marketing email or email us with subject “Unsubscribe.”

Withdrawal of consent does not affect transactional or service-related communications, which we may continue to send for account, billing, security, and legal-notice purposes.

15. Your rights (GDPR & CCPA/CPRA matrix)

Subject to applicable law, you have the following rights. The table below maps each right to its primary legal source.

How to exercise your rights. Email legal@shadowpages.ai with your request, or use /do-not-sell for U.S. opt-out requests. We respond within 30 days under GDPR and within the timeframes required by applicable U.S. statutes (typically 45 days, with one 45-day extension where permitted). We may ask you to verify your identity before acting on a request. You may use an authorised agent where applicable law permits.

Right to appeal. If we decline your request, our response will explain the basis and how to appeal to us internally. After appeal, you may also contact the relevant supervisory authority (Section 21) or the state attorney general.

16. Security

We use appropriate technical and organisational measures to protect personal information: TLS 1.2+ in transit, AES-256 encryption at rest for production data stores, role-based access control, multi-factor authentication for staff, audit logging, secrets management, and least-privilege access reviews. The full list of measures is set out in Annex II of our Data Processing Addendum. No system is perfectly secure; you are responsible for keeping your credentials confidential.

17. Breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Romanian supervisory authority (ANSPDCP) without undue delay and, where feasible, within 72 hours of becoming aware, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals directly, in clear and plain language, as required by Article 34. We maintain an internal incident-response plan and an on-call rotation to support this commitment.

18. Children & minors

The Services are intended for users aged 18 and over. Under the Romanian Civil Code, full contractual capacity arises at the age of 18; you must be 18 or older to purchase, subscribe to, or contract for the Services.

We do not direct the Services to and do not knowingly process the personal information of anyone under the age of 16— the threshold for valid consent of a child under Article 8(1) GDPR as implemented in Romania. If you believe a person under 16 has provided us with personal information, contact legal@shadowpages.ai and we will delete it without undue delay.

For U.S. residents, we comply with the Children’s Online Privacy Protection Act (COPPA), which restricts collection of personal information from children under 13.

19. Automated decision-making & AI

We do not make solely automated decisions that produce legal or similarly significant effects about you (Art. 22 GDPR). Where AI features inform our internal operations (e.g., spam filtering, lead scoring), human review is available on request. The AI features within the Services are intended for content generation and do not constitute profiling for high-risk purposes under the EU AI Act. You may opt out of profiling under the CPRA and other state laws by emailing legal@shadowpages.ai.

20. Cookies

We honour the ePrivacy Directive (2002/58/EC) and Romanian Law no. 506/2004. Non-essential cookies fire only after you provide explicit opt-in consent via the cookie banner. See our Cookie Policy for the full inventory, durations, and management instructions.

21. Supervisory authority, complaints & appeals

Our lead supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal — “ANSPDCP”).

• Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
• Email: anspdcp@dataprotection.ro
• Phone: +40.318.059.211 / +40.318.059.212
• Website: www.dataprotection.ro

You may also lodge a complaint with the supervisory authority of the EU/EEA Member State of your habitual residence, your place of work, or the place of the alleged infringement (Art. 77 GDPR), or with the UK Information Commissioner’s Office where the UK GDPR applies. For U.S. residents, you may also contact your state Attorney General or the California Privacy Protection Agency (CPPA) for California consumers.

22. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by email or a prominent notice on the Site at least 30 days before they take effect for active customers. The “Last updated” date at the top of this page indicates the latest revision.

23. Contact

For any privacy question, request, or complaint, email legal@shadowpages.ai or write to Ares Online S.R.L., [ROMANIAN REGISTERED ADDRESS].