0. Operator and Regional Application
Except as stated in the Mainland China Privacy Terms section, Grid Heap, Inc., a Delaware corporation, is the data controller / business for operation of the Rshift website, platform, and related online services.
If your billing address or principal residence is outside mainland China (the People's Republic of China, excluding Hong Kong, Macau, and Taiwan), your data is handled primarily under the Grid Heap terms in this Policy and may be processed in the United States and in regions where relevant service providers operate.
If your billing address or principal residence is in mainland China, also review Section 10, Mainland China Privacy Terms. That dedicated section covers local personal information handling, rights requests, cross-border transfers, and compliance assessment requirements.
1. Scope
This Policy applies to rshift.com, accounts.rshift.com (the Clerk-hosted Account Portal), app.rshift.com/admin, tenant workspaces hosted on app.rshift.com/<brand>, Rshift APIs, hosted workspaces, customer support interactions, and online services directly linked to Rshift product functionality. If a feature, integration, order form, data processing addendum, or supplemental notice states additional terms, those materials also apply.
If you access Rshift through your employer, client, agency, or brand organization, that organization may separately determine certain purposes, permissions, and retention periods for workspace data. You may therefore also be subject to your organization's internal privacy policies.
2. Information We Collect
We collect different categories of information depending on how the Services are used, and we aim to limit collection to what is relevant and reasonably necessary for those purposes.
- Account and identity information, such as name, business email address, avatar, user ID, role, brand membership, and identity verification data returned by login or access-control providers.
- Workspace and business data, such as brand profiles, voice rules, projects and project documents, brand knowledge sources, knowledge entries and versions, scenes, characters, storyboards, shots, media-generation jobs, custom skills, prompts, briefs, drafts, approval notes, templates, marketing plans, content versions, notification preferences, and activity history.
- Integration and sync data when you connect services such as OceanEngine, Xiaohongshu Juguang, Xiaohongshu Pugongying, or WeChat Official Accounts, including account identifiers, authorization tokens, ad or content asset identifiers, reporting data, webhook events, comments, publication status, and sync logs.
- Usage and technical information, such as timestamps, request logs, browser and device information, crash and error logs, performance metrics, page interactions, session identifiers, and audit logs created for security and compliance purposes.
- Payment-related information: payments are collected and processed by third-party payment processors such as Stripe. We receive only billing-necessary metadata such as transaction status, the last four digits of a card, and subscription state — we do not store full payment card numbers.
- Communications and support data, such as emails, feedback, commercial discussions, troubleshooting records, screenshots, and files you provide when requesting support or implementation help.
3. How We Use Information
Where GDPR, UK GDPR, or similar requirements apply, our legal bases for processing personal information include performance of a contract or pre-contract steps, compliance with legal obligations, our legitimate interests (such as security, service improvement, abuse prevention, customer support, and business operations), and consent where required.
Personal information usually comes from you, your organization administrators, third-party platforms you connect, service providers, payment processors, and logs or technical data generated when you use the Services. If information is necessary to create an account, deliver the Services, process billing, or maintain security, failure to provide it may make the relevant functionality unavailable.
We do not make decisions based solely on automated processing that produce legal or similarly significant effects concerning you. If we introduce such processing in the future, we will provide required explanations, choices, and human review mechanisms under applicable law.
- To provide, configure, maintain, and deliver Rshift, including authentication, permissions, brand workspace administration, custom skill hosting, approvals, and notifications.
- To run model inference, content generation, review, analytics, reporting, workflow orchestration, and enabled MCP or third-party integrations.
- To process subscriptions, payments, and invoices through Stripe and to manage billing-related state changes (upgrades, downgrades, renewals, refunds).
- To secure the Services and customer workspaces, including access control, abuse prevention, audit logging, troubleshooting, capacity planning, and incident response.
- To improve reliability, usability, and performance through error correction, monitoring, aggregated analytics, and feature refinement.
- To comply with law, respond to regulators or legal process, resolve disputes, and protect the legitimate rights and interests of Rshift, our customers, users, and third parties.
4. AI Processing, Customer Content, and Third-Party Platforms
Rshift includes model-based generation, analysis, and workflow features. To complete tasks you request, we may transmit prompts, brand rules, brand knowledge sources, scene and storyboard content, context materials, drafts, structured settings, and necessary metadata to model providers, review services, or third-party platforms you choose to connect.
You are responsible for ensuring that content uploaded to Rshift, third-party accounts connected to the Services, and instructions given through the platform are lawful and properly authorized, especially where personal information, trade secrets, regulated data, or third-party platform data are involved. Except as needed to deliver the Services, troubleshoot issues, protect security, comply with law, or with your further authorization, we do not disclose customer workspace content to other customers.
If applicable law, platform policy, or industry rules require AI-generated material to be labeled, disclosed, reviewed, or otherwise governed before publication or external use, you remain responsible for completing those steps. If Rshift provides labeling or compliance prompts in-product, you must use them appropriately.
5. Sharing and Disclosure
We do not sell personal information. We share or disclose information only in the limited situations described below and require recipients to handle data with appropriate confidentiality and security protections where applicable.
- With service providers supporting infrastructure, authentication (e.g., Clerk), payment processing (e.g., Stripe), model inference, messaging, logging, storage, monitoring, and customer support on our behalf.
- With third-party platforms or partners when you enable an integration or direct us to send requests, tokens, parameters, assets, or sync results to them.
- Within an organization according to role-based permissions, such as administrators, brand leads, reviewers, or other authorized members.
- With regulators, law enforcement, courts, advisors, counterparties, or other parties where disclosure is required or reasonably necessary for legal compliance, investigations, anti-fraud efforts, or rights protection.
- In connection with a merger, financing, restructuring, acquisition, asset sale, or similar transaction, subject to appropriate protections and continuity of data handling obligations where feasible.
6. Cross-Border Processing and Storage (Grid Heap)
Except as stated in the Mainland China Privacy Terms, some Rshift infrastructure, model functionality, monitoring tools, or third-party platforms may operate in multiple jurisdictions.
Data is primarily processed and stored in the United States (including in Delaware and in Grid Heap-selected cloud regions) and may be transferred to other regions where model and infrastructure providers operate. For personal data originating from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission Standard Contractual Clauses (SCCs) and the UK Addendum, or other recognized transfer mechanisms, where applicable.
7. Retention
We retain personal information for as long as reasonably necessary to fulfill the purposes described in this Policy, taking into account account status, customer instructions, contractual commitments, data type, audit and security requirements, dispute handling, and applicable law.
When content is deleted, integrations are disabled, accounts are closed, or customer relationships end, data is generally deleted, anonymized, or isolated within a reasonable period. Backup copies, security logs, billing records, audit records, and information that must be retained by law may remain stored for a longer period.
8. Security
We use technical and organizational safeguards appropriate to the nature of the Services and the risks presented, including access controls, least-privilege permissions, token and key handling, encrypted transmission, audit logs, vulnerability remediation, monitoring, and internal authorization controls.
No internet service can be guaranteed completely secure. If you believe an account, token, integration, or workspace has been compromised, email legal@gridheap.com immediately so that we can investigate and respond.
9. Your Rights and Choices
Subject to applicable law, you or your organization may have rights to access, copy, correct, supplement, delete, or request an explanation of relevant personal information, withdraw consent where consent is the basis for processing, limit certain processing activities, or request account closure.
If you use Rshift through an enterprise or brand account, we may direct your request to the relevant organization administrator or require you to use the organization's designated process. We may also take reasonable steps to verify identity before fulfilling a request.
- Data Export and Portability: Workspace administrators can request a full export of workspace data through the Data Governance section in workspace settings. This includes brand profiles, brand knowledge sources, knowledge entries, scenes and storyboards, content assets, AI conversation logs, review records, integration configurations (excluding credentials), analytics data, and more. Export files are provided in an open JSON format with accompanying data structure documentation.
- Data Deletion: Workspace administrators can initiate workspace offboarding. The platform supports a secure export-first-then-delete workflow. Once deletion is confirmed, the platform will remove the relevant workspace data (including database records and object storage files) and send a deletion confirmation. Audit logs and compliance records will be retained for the minimum period required by law.
- Processing Restrictions: You may request that we stop processing your personal information for specific purposes (such as marketing analytics) while retaining the minimum processing necessary for basic service delivery.
10. Mainland China Privacy Terms
If your billing address or principal residence is in mainland China (the People's Republic of China, excluding Hong Kong, Macau, and Taiwan), Shanghai Gezihui Technology Co., Ltd. (上海格子汇科技有限公司) ("Shanghai Gezihui") acts as the local compliance operator for mainland China and is your personal information handler for personal information processed in connection with your use of Rshift in that region.
Processing in mainland China is governed by the Personal Information Protection Law of the People's Republic of China (PIPL), the Data Security Law, the Cybersecurity Law, and other applicable PRC laws and regulations. Data is primarily processed and stored within mainland China. Where personal information must be provided across the border (for example, when using overseas model inference), Shanghai Gezihui will assess necessity, restrict downstream use, strengthen security controls, and complete the procedures required by PIPL, including separate consent, security assessment, standard contractual clauses, or personal information protection certification, as applicable.
You have the following rights under PIPL: the right to be informed, the right to decide, the right to access and copy, the right to data portability, the right to correction and supplementation, the right to deletion, the right to explanation of processing rules, and the right to withdraw consent.
Shanghai Gezihui will conduct a Personal Information Protection Impact Assessment (PIPIA) before: processing sensitive personal information, using personal information for automated decision-making, entrusted processing of personal information, providing personal information to third parties, transferring personal information overseas, and other processing activities that have a significant impact on individual rights. The assessment covers whether the processing purpose and methods are lawful, proper, and necessary; the impact on individual rights and associated security risks; and whether protective measures are lawful, effective, and proportionate to the risk.
To exercise PIPL rights or for questions about personal information processing, email legal@gridheap.com.
11. Rights Under GDPR / UK GDPR / CCPA / CPRA (Grid Heap Users)
Where Grid Heap is your data controller and you are located in the EU/EEA or the UK, you have the following rights under the GDPR/UK GDPR: access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection, and the right to withdraw consent for consent-based processing. You also have the right to lodge a complaint with the data protection authority in your country of residence.
If you are a California resident, you have the following rights under the CCPA/CPRA: the right to know, the right to access, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information (note: we do not sell personal information and we do not share personal information for cross-context behavioral advertising), the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising your rights.
For California privacy-law purposes, in the past 12 months we may have collected and disclosed the categories listed in Section 2 for business purposes. Sources include you, your organization, integrations you enable, service providers, payment processors, and automatically generated logs. Recipients include the service providers, third-party platforms, authorized organization members, advisors, regulators, law enforcement, courts, and transaction counterparties described in Section 5.
We do not sell personal information or share personal information for cross-context behavioral advertising, and we do not use sensitive personal information for purposes outside those permitted by CCPA/CPRA. If our practices change, we will update this Policy and provide legally required choices, including honoring Global Privacy Control where applicable.
You may submit privacy requests through legal@gridheap.com or in-product data governance and administrator workflows. We may verify identity and handle authorized-agent requests as permitted by applicable law.
When brand customers use Rshift to manage their workspaces, the brand customer is typically the data controller, and Rshift acts as a data processor processing data on the customer's instructions. For data collected in the course of platform operations (such as account information, usage logs, and security audit records), Rshift is the data controller.
We offer a standard Data Processing Agreement (DPA) to enterprise customers. To request a copy of the DPA or to exercise the rights above, email legal@gridheap.com.
12. Data Retention and Automated Cleanup
The platform provides configurable data retention policies for each workspace. Workspace administrators can adjust retention periods for the following data categories in workspace settings:
- AI conversation logs: 90 days by default
- Monitoring run data: 180 days by default
- AI usage records: 365 days by default
- Audit logs: 730 days by default (minimum 365 days to meet compliance requirements)
- Data export files: automatically expire after 7 days by default
13. Minors
Rshift is designed for brand teams and business organizations and requires all users to be at least 18 years old. We do not knowingly offer account-based commercial services to anyone under 18 or intentionally collect their personal information.
If you believe a minor has provided personal information to us without appropriate authorization, please email legal@gridheap.com and we will take appropriate steps, including deletion, after review.
14. Changes to This Policy
We may update this Privacy Policy as our products, partners, regulatory environment, or business operations change. The latest version will be posted on this page, and material changes may also be communicated through in-product notices, email, or other reasonable means.
Your continued use of Rshift after an updated Policy becomes effective generally means you have reviewed the updated version. Where law requires additional notice, consent, or choice for a specific change, we will provide it.
15. Contact Us
Questions about this Policy, our privacy practices, cross-border data arrangements, deletion requests, or other privacy matters can be sent to legal@gridheap.com. Mainland China local compliance requests will be handled under Section 10; other requests will be handled by Grid Heap under applicable law.