Last updated: June 19, 2026

ShiFt — Privacy Policy (shiftnow.io)

Effective Date: June 1, 2026 · Last updated: June 19, 2026 · Version: 1.0 · Governing Law: State of Georgia Controller: eWorkForce Technologies, Inc. (brand "ShiFt"), 12460 Crabapple Road, Ste 202-522, Alpharetta, GA 30004. Privacy contact: Reply@ShiFtNow.io.

Read before submitting. This Policy explains your rights under federal and state law (Sections 16-17), discloses our use of an AI voice agent and call recording (Section 10), and how we share data with service providers (Section 8). It is incorporated by reference into the ShiFt Terms of Service.

Quick Reference

What we collect: contact & business details, communications content, AI voice (VoiceOS™) recordings & transcripts, device/usage data, inferences for lead scoring. How we use it: deliver the Services, qualify and book audits, send marketing/service communications (with consent), improve the platform, comply with law, prevent fraud. Who we share with: our service providers (GoHighLevel, VoiceOS™ vendor, Supabase, Vercel, Google, Microsoft Clarity, WhatConverts) acting on our behalf; and as required by law. We do not sell your information. Your rights: access, delete, correct, port, opt out of sale/sharing/targeted advertising, limit sensitive PI; we honor Global Privacy Control. AI voice & recording: we use an AI voice agent (VoiceOS™) and may record calls for QA, training, dispute resolution, and compliance; we do not use voice for biometric identification. Contact: Reply@ShiFtNow.io · TCPA opt-out Reply@ShiFtNow.io.

01 Overview & Scope · 02 Who We Are & Roles · 03 Information We Collect · 04 How We Collect · 05 How We Use · 06 Legal Bases · 07 How We Share · 08 Service Providers · 09 Marketing & TCPA · 10 AI Voice, Recordings & Transcripts · 11 Cookies · 12 Advertising & Conversion Tracking · 13 Security · 14 Retention · 15 Children · 16 Your Rights (Universal) · 17 State-Specific Rights · 18 Sensitive PI · 19 Biometric · 20 International · 21 Do Not Track & GPC · 22 Third-Party Links · 23 Changes · 24 Exercising Rights · 25 Contact

1. Overview & Scope

This Policy describes how eWorkForce Technologies, Inc., operating under the brand "ShiFt" ("ShiFt," "we," "us"), collects, uses, shares, retains, and protects personal information in connection with the shiftnow.io websites, landing pages, dashboards, and digital properties (the "Sites"); the ShiFt platform, the AI voice agent (VoiceOS™), CRM integrations, and related services (the "Services"); and marketing, sales, and operational communications. ShiFt is the controller ("business" under California law) for personal information collected through the Sites and Services. (Where ShiFt processes data on behalf of a client under a services agreement, ShiFt acts as a processor under that client's notice and our DPA, not this Policy.)

2. Who We Are & Roles

2.1 The Entity. The Services are operated by eWorkForce Technologies, Inc. (the "Controller"/"Business"). 2.2 Controller/Business. Under the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, and other state comprehensive privacy laws in Section 17, ShiFt determines the purposes and means of processing personal information collected through the Services. 2.3 Service Providers/Processors. We engage providers — GoHighLevel, VoiceOS™ (our custom-built AI voice system), Twilio, Stripe, Supabase, Vercel, Google, Microsoft Clarity, WhatConverts, and others in Section 8 — that act as service providers/processors under contracts restricting use to our authorized purposes.

3. Information We Collect

Using the CCPA twelve-category framework (Cal. Civ. Code Section 1798.140). We collect only what is necessary for the purposes in Sections 5-6.

A. Identifiers — name, business name, email, phone, website, IP, online identifiers, account ID. Source: you; forms.
B. Customer Records — billing details for paid engagements (payment processed by a PCI-compliant processor; we do not store card numbers). Source: you.
C. Protected Classifications — none intentionally collected.
D. Commercial Information — subscription/engagement details, audit requests, transactional records. Source: you; the Platform.
F. Internet/Network Activity — pages viewed, clicks, session duration, referrer, device/browser, campaign params (gclid, gbraid, wbraid, utm_*, msclkid, fbclid). Source: cookies, logs, analytics tags.
G. Geolocation — general location from IP (city/region). No precise GPS unless you provide it.
H. Sensory/Audio — voice call audio (incl. with VoiceOS™), voicemail, chat transcripts, SMS/email contents. Source: interactions; VoiceOS™ (our custom-built AI voice system); Twilio (SMS).
I. Professional/Employment — business role, industry, service area. Source: you.
K. Inferences — lead-fit/ICP scoring, conversion-likelihood scoring. Source: derived by us.
L. Sensitive PI — account credentials with access; contents of voice/SMS/email communications (treated as "contents of mail, email, and text messages" under CCPA). See Section 18.

4. How We Collect

4.1 Directly from you — forms, demo/audit requests, account signup, communications, uploads. 4.2 Automatically — device/usage data via cookies, pixels, tags, logs (Sections 11-12). 4.3 From third parties — advertising/lead platforms (Google Ads, Meta Lead Ads), verification/fraud-prevention vendors, and our service providers. 4.4 Through AI voice & conversational interfaces — VoiceOS™ calls and chatbots are recorded/transcribed/processed (Section 10).

5. How We Use Information

Service delivery: operate the Services; manage your account; deliver and schedule the GrowthBlueprint™ Audit; process payments (paid engagements); provide support/onboarding. Communications: send marketing/sales/appointment/operational messages consistent with the consent in Section 9 and Section 6 of the Terms; conduct VoiceOS™ and SMS conversations; confirm/remind/follow up. Analytics & AI: analyze usage to improve performance; train/test/improve our AI and VoiceOS™ agent (using aggregated/de-identified data where feasible); QA on AI and human interactions. Marketing & conversion tracking: advertise the Services; measure ad performance and attribution (Google Ads, and Meta CAPI if used); personalize content (subject to opt-out in Section 12/Section 17). Trust & safety: verify identity/authority; detect/prevent fraud and security incidents; enforce the Terms. Legal: comply with law; retain TCPA consent and financial records; establish/defend legal claims.

Performance of a contract; legitimate interests (running/securing/improving the business, fraud prevention, analytics, AI improvement on de-identified data, B2B marketing of comparable services); consent (marketing/TCPA communications, non-essential cookies); legal obligations (record retention, legal process); vital/public interest (narrow).

We do not sell personal information for money, and do not share it for cross-context behavioral advertising except as in Section 12 (opt-out in Section 17). We share: with service providers (Section 8) under contract limiting use to authorized purposes; with advertising/analytics partners (limited identifiers/conversion events — Section 12); for legal reasons (law, subpoena, enforcement, safety, fraud); in business transactions (merger/acquisition/asset sale, with notice); with your consent; and de-identified/aggregated data that does not identify any individual.

8. Service Providers & Processors

Provider	Category	Purpose & data shared
GoHighLevel	CRM / automation / messaging	Activation layer: outbound calls, SMS, email execution; lead identifiers, communications history, usage data
VoiceOS™ (ShiFt — custom-built)	AI voice infrastructure	Operating the VoiceOS™ agent; voice audio, call metadata, transcripts, dispositions
Twilio	SMS & voice delivery	Phone numbers, message contents, delivery metadata
Supabase (Postgres)	Database — system of record	Lead and consent data, incl. the ConsentVault™ consent-proof record
Vercel	Hosting / CDN	Hosting the Sites/Platform; operational data
Google (Ads, Analytics, Tag Manager)	Analytics & ad measurement	Device, browser, IP, page-view, event data
Microsoft Clarity	Product analytics	Session/heatmap analytics
WhatConverts	Call/lead attribution	Phone numbers, lead-source/call metadata
Stripe	Payments (paid engagements)	Name, billing details; processor is merchant of record for card/ACH; we do not store card numbers
Professional advisors (legal/audit/tax)	Professional services	Only what is necessary for the engagement
Each provider is bound by a data-processing agreement. International transfers rely on Standard Contractual Clauses or equivalent. To request a current subprocessor list, email Reply@ShiFtNow.io.

Our practices for marketing voice/SMS/AI-voice/email — including the express written consent under the TCPA, the FCC AI Voice Ruling (Feb. 8, 2024), and state mini-TCPA laws — are governed by Section 6 of the Terms (incorporated here). For each consent we retain: date/time, IP, the URL/form, the exact disclosure shown, the method of acceptance, the Terms version, and the contact identifiers consented — stored in our ConsentVault™ record (Supabase). We retain consent records for not less than four (4) years after consent is revoked or last used. Revoke per Section 6.9 of the Terms (STOP, oral revocation on a call, unsubscribe, dashboard, or Reply@ShiFtNow.io). We do not append or purchase phone numbers for marketing; numbers come directly from the subject.

10. AI Voice, Recordings & Transcripts

ShiFt operates an AI voice agent (VoiceOS™) for inbound/outbound calls that qualifies prospects, schedules audits, and conducts service conversations. Calls — with VoiceOS™, a human agent, or hybrid — may be recorded, transcribed, retained, and analyzed. Under the FCC AI Voice Ruling, AI-generated voices are an "artificial voice" under the TCPA; the prior express written consent in Section 6 of the Terms covers VoiceOS™ communications. 10.1 What we collect: call audio, AI transcript, call metadata, AI sentiment/intent scoring, structured qualification data, downstream events. 10.2 Purposes: deliver the Services; qualification/routing; scheduling/confirmation; QA/training/improvement of VoiceOS™; dispute resolution; fraud/security; legal compliance. 10.3 Two-party-consent states: VoiceOS™ provides a recording disclosure at/near the start of each call; continuing the call after the disclosure provides consent. 10.4 Retention: raw call audio default twelve (12) months, subject to legal hold; transcripts/derived data may be retained longer in de-identified form. 10.5 Storage: within the VoiceOS™ vendor, Supabase, and GoHighLevel as needed to deliver the Services; access restricted to authorized personnel/providers. 10.6 No biometric identifiers: we do not generate or store voiceprints or other biometric identifiers from voice audio (see Section 19). 10.7 Opt out of recording: decline at the disclosure or state "stop recording"; we may then be unable to deliver certain Services. 10.8 AI output disclaimer: AI transcripts/scoring may contain errors; the underlying audio is the source of truth.

11. Cookies & Online Tracking

We use Strictly Necessary, Functional, Analytics, and Advertising/Cross-Context cookies. Manage non-essential cookies via our banner/preferences and your browser; disabling Strictly Necessary cookies breaks parts of the Site. We honor Global Privacy Control (GPC) as a valid opt-out of sale/sharing (Section 21).

12. Advertising & Conversion Tracking

We advertise the Services via Google Ads (and Meta, if used) and send conversion events (lead submitted, appointment booked, etc.) to those platforms. Where Meta CAPI is used, identifiers are one-way hashed before transmission. Under CCPA/CPRA this may be "sharing" for "cross-context behavioral advertising"; under VCDPA/CPA/CTDPA/UCPA/TDPSA/OCPA the equivalent is "targeted advertising." Opt out via GPC, the "Do Not Sell or Share" link in our footer, the request form at shiftnow.io/privacy, or Reply@ShiFtNow.io. We perform automated lead-fit scoring but do not make decisions producing legal/significant effects without human involvement. We do not sell personal information for money.

13. Data Security

Reasonable administrative, technical, and physical safeguards: access controls, role-based permissions, encryption in transit (TLS 1.2+), encryption at rest where applicable, logging/monitoring, vendor due diligence, training, incident response. No system is 100% secure. Breach notification per applicable law (incl. Ga. Code Section 10-1-912, Cal. Civ. Code Section 1798.82).

14. Data Retention

Account/customer data: term + 7 years (tax/audit/contract). Payment records: 7 years. TCPA consent records: 4 years from revocation or last use. Voice call recordings: 12 months (extendable for legal hold). AI transcripts/derived data: lifetime of related account; longer de-identified. Marketing data: 2 years after last meaningful interaction. Cookies/tracking IDs: per expiration (up to 13 months typical). Server logs: 90 days rolling. Deletion-on-request honored subject to legal-retention exceptions (TCPA consent, financial, legal hold).

15. Children's Privacy

The Services are B2B and not directed to children; we do not knowingly collect data from anyone under 18, or under 13 within the meaning of COPPA. If we learn we collected such data, we delete it (Reply@ShiFtNow.io).

16. Your Privacy Rights — Universal

Subject to verification and exceptions: Right to Know/Access; Delete; Correct; Portability; Opt Out of Sale/Sharing/Targeted Advertising (we do not sell for money); Limit Use of Sensitive PI (Section 18); Opt Out of Profiling (state-dependent); Withdraw Consent; Appeal (state-dependent); Non-Discrimination.

17. State-Specific Privacy Rights

California (CCPA/CPRA): Notice at Collection (Section 3, Section 5, Section 6); rights to know/delete/correct/opt-out of sale & sharing/limit sensitive PI/portability/non-discrimination; authorized agents; GPC honored; Shine the Light (we make no such disclosures); no financial incentives. Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA): access, correct (where provided), delete, portability, opt out of targeted advertising/sale/profiling; sensitive data opt-in or opt-out per statute; appeal rights; we honor universal opt-out mechanisms incl. GPC. Nevada (SB 220): verified do-not-sell requests honored (we do not sell). Georgia (governing law): no comprehensive state privacy statute yet; Georgia residents are protected by federal law, Ga. Code Section 10-1-912 (breach), TCPA, and FTC Act Section 5. As policy, we extend the Universal Rights in Section 16 to Georgia residents. Other states: rights per each state's statute as it becomes effective; we honor the most consumer-protective applicable rights.

18. Sensitive Personal Information

Categories we may collect (CCPA Section 1798.140(ae)): account log-in credentials with access; contents of consumer communications (voice/voicemail/SMS/email). Purposes limited to: delivering the requested Service; security/fraud prevention; safety; short-term transient use; quality/maintenance; legal compliance (CCPA Section 1798.121(d)). California residents may limit use of sensitive PI (Section 24 or the footer link). We do not use sensitive PI to infer characteristics.

19. Biometric Information & Voice Data

We collect voice audio via VoiceOS™ but do not extract, generate, store, or compare voiceprints or other biometric identifiers for identification/authentication (relevant to IL BIPA, TX CUBI, WA RCW 19.375). If our practice changes, we will update this Policy, obtain consent where required (incl. IL BIPA), publish a retention/destruction schedule, and provide an opt-out. Retaining voice audio is not, by itself, biometric collection — voice audio is treated as audio data (Section 10).

20. International Users

ShiFt is operated from and intended for use in the United States. If you access from outside the US, your information is transferred to and processed in the US. To the extent we incidentally process EEA/UK personal data, we rely on the legal bases in Section 6 and provide the rights in Sections 16-17; EEA/UK to US transfers use appropriate mechanisms (EU-US Data Privacy Framework / Standard Contractual Clauses).

21. Do Not Track & Global Privacy Control

We honor GPC as a valid opt-out of "sale"/"sharing" under CCPA/CPRA and as a universal opt-out mechanism under CO/CT/OR and similar laws. There is no DNT standard; GPC is the recognized successor and we honor it.

22. Third-Party Links & Embedded Content

Our Sites may link to or embed third-party content (e.g., the booking calendar). We are not responsible for third-party privacy practices; review their policies.

23. Changes to This Policy

We may update this Policy. For material changes we give at least thirty (30) days' notice (email/in-platform/site notice). The "Last updated" date reflects the current version. Updates do not retroactively alter consent records (Section 9).

24. How to Exercise Your Rights

Submit via Reply@ShiFtNow.io (subject "Privacy Request"), the request form at shiftnow.io/privacy, the "Do Not Sell or Share" / "Limit Sensitive PI" footer links, or your account dashboard. We verify identity before responding. Authorized agents permitted (California). Timelines: acknowledge within 10 business days; substantive response within 45 calendar days (extendable 45 with notice); opt-outs promptly (up to 15 business days); appeals within 45 days of denial, response within 60. We may deny unverifiable/excessive/legally-exempt requests with reasons. No fee except for manifestly unfounded/excessive/repetitive requests. No discrimination for exercising rights.

25. Contact

eWorkForce Technologies, Inc. (brand "ShiFt"), 12460 Crabapple Road, Ste 202-522, Alpharetta, GA 30004. Privacy: Reply@ShiFtNow.io · TCPA opt-out: Reply@ShiFtNow.io · Security: Reply@ShiFtNow.io · Data request form: shiftnow.io/privacy · SMS Help: reply HELP or Reply@ShiFtNow.io. Website: shiftnow.io · Terms: shiftnow.io/terms. Governed by the laws of the State of Georgia.