Effective date: 4 March 2026
Who we are
Shadow AI Watch is an independent publication covering workplace AI governance, based in Perth, Western Australia.
For any privacy-related questions, email privacy@shadowaiwatch.com.
We do not have a Data Protection Officer. Given the minimal data we collect, one is not required under GDPR or the Australian Privacy Act. If you have a concern, email us directly and we will respond within 30 days.
What we collect and why
Website analytics
We use Cloudflare Web Analytics. It does not use cookies, does not collect personal data, and does not track individual visitors. It provides aggregate page view counts and referral sources only. No IP addresses are stored. No fingerprinting occurs.
Legal basis (GDPR): Legitimate interest in understanding aggregate site traffic to improve our content. This processing does not identify individuals.
Newsletter subscribers
If you subscribe to our newsletter, we collect your email address through our subscription form. We use this solely to send you our newsletter. We send using Mailjet (Sinch Group), whose servers are located in the European Union.
Legal basis (GDPR): Your consent, given when you subscribe. You can withdraw consent at any time by clicking the unsubscribe link in any email or by emailing us.
No cookies
This website does not set any cookies. No first-party cookies, no third-party cookies, no tracking pixels, no local storage.
Who we share data with
We share data only with the service providers necessary to run this site:
- Cloudflare (US) provides hosting and privacy-first analytics. Cloudflare processes requests to serve pages but does not store personal data on our behalf. Their privacy policy is at cloudflare.com/privacypolicy.
- Mailjet / Sinch Group (EU) processes newsletter delivery. They store subscriber email addresses on our behalf. Their privacy policy is at mailjet.com/privacy-policy.
We do not sell, rent, or share your data with anyone else. We do not use your data for advertising or profiling.
International data transfers
Cloudflare is a US-based company. They participate in the EU-US Data Privacy Framework and use Standard Contractual Clauses for international transfers. Mailjet stores data within the EU.
If you are based in Australia, your data may be processed overseas by these providers. Under Australian Privacy Principle 8, we take reasonable steps to ensure these providers handle your data consistently with the Australian Privacy Principles.
How long we keep data
Newsletter email addresses are retained for as long as you remain subscribed. When you unsubscribe, your email address is deleted from our mailing list within 30 days.
Cloudflare Web Analytics does not retain any personal data. Aggregate statistics are retained indefinitely.
Your rights
Depending on where you are located, you have the following rights over your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate data.
- Deletion: Ask us to delete your data. For newsletter subscribers, unsubscribing achieves this.
- Withdraw consent: Unsubscribe from the newsletter at any time.
- Portability: Request your data in a portable format (GDPR).
- Restriction: Ask us to limit how we process your data (GDPR).
- Object: Object to processing based on legitimate interest (GDPR).
- Complaint to a regulator: You can lodge a complaint with your local data protection authority. In Australia, that is the Office of the Australian Information Commissioner. In the EU, contact your national supervisory authority.
To exercise any of these rights, email privacy@shadowaiwatch.com. We will respond within 30 days.
Data security
The site is served over HTTPS with TLS encryption. Cloudflare provides DDoS protection and edge security. Newsletter data is stored in Mailjet's EU infrastructure with their enterprise security controls. Access to our Mailjet account is restricted and protected by multi-factor authentication.
Given that we only collect email addresses (and only from people who actively subscribe), our attack surface is minimal by design.
Children
This website is not directed at anyone under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has subscribed to our newsletter, email us and we will delete the data promptly.
Sponsor content
Shadow AI Watch features clearly labelled sponsor content. Sponsor links include UTM parameters so the sponsor can measure referral traffic from our site. These parameters are processed by the sponsor's website, not ours. Each sponsor site has its own privacy policy governing how they handle that data.
External links
Our articles link to external sources for attribution and further reading. Those sites have their own privacy policies. We are not responsible for how they handle your data.
Complaints
If you have a complaint about how we handle your personal data, email privacy@shadowaiwatch.com. We will acknowledge your complaint within 7 days and provide a response within 30 days.
If you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner or your local data protection authority.
Changes to this policy
We will update this page if our data practices change. Given how little data we collect, changes are unlikely to be frequent. The effective date at the top of this page will be updated when changes are made.