Privacy Policy
How we collect, use, share, and safeguard personal data across our website, SaaS platform, APIs, and related services.
Last Updated: February 2026
This Privacy Policy (“Policy”) describes how TOTALSHIFT LEFT TECH PRIVATE LIMITED (“Total Shift Left”, “Company”, “we”, “us”, or “our”) collects, uses, shares, and safeguards personal data in connection with our website, SaaS platform, APIs, and related services (collectively, the “Services”).
This Policy applies globally and is intended to comply with:
- The Digital Personal Data Protection Act, 2023 (India)
- The General Data Protection Regulation (EU) 2016/679 (“GDPR”)
- UK GDPR and Data Protection Act 2018
- California Consumer Privacy Act (CCPA), as amended by CPRA
- Other applicable U.S. state privacy laws
- Applicable international data protection standards
These policies are issued by TOTALSHIFT LEFT TECH PRIVATE LIMITED. Our primary website is totalshiftleft.ai. We also operate totalshiftleft.com, which belongs to the same company.
1. SCOPE AND APPLICATION
This Policy applies to personal data collected:
- When you visit our website or product domains
- When you register for, access, or use our SaaS platform
- When you request a demo, trial, or consultation
- When you communicate with us (email, phone, support portal)
- When you enter into a contract with us
- When you subscribe to marketing communications
- When we process personal data on behalf of customers under contractual arrangements
This Policy does not apply to personal data processed by customers within their own environments unless expressly stated in a data processing agreement.
2. ROLE UNDER DATA PROTECTION LAWS
Depending on the context of processing:
- Under the DPDP Act, we act as a Data Fiduciary.
- Under the GDPR / UK GDPR, we act as a Data Controller, unless processing data strictly on behalf of a customer.
- Where we process personal data pursuant to customer instructions, we act as a Data Processor.
- Under the CCPA/CPRA, we act as a Business or Service Provider, depending on context.
3. CATEGORIES OF PERSONAL DATA COLLECTED
We collect personal data that is adequate, relevant, and limited to what is necessary for defined purposes.
3.1 Identity and Contact Information
- Full name
- Business email address
- Telephone number
- Company name
- Job title and role
- Business address
3.2 Account and Authentication Information
- Username
- Encrypted passwords
- Role-based access credentials
- Login timestamps
- Multi-factor authentication data
3.3 Commercial and Transaction Information
- Billing address
- VAT/GST details
- Payment information (processed via secure third-party processors)
- Subscription details
- Contractual information
3.4 Technical and Usage Data
- IP address
- Device identifiers
- Browser type and version
- Operating system
- Log files
- Session duration
- Feature usage metrics
- API usage logs
- Error diagnostics
3.5 Support and Communication Data
- Customer service requests
- Email correspondence
- Support ticket metadata
- Call recordings (where applicable and permitted)
3.6 Customer Data Processed on Behalf of Clients
Where customers upload or process data through our platform, such data may include personal data of their employees, contractors, or end users. In such cases:
- We act as a data processor.
- Processing occurs solely under documented customer instructions.
- Processing is governed by a separate Data Processing Agreement (DPA).
- We do not intentionally collect sensitive personal data unless expressly agreed in writing.
4. PURPOSES OF PROCESSING
We process personal data for clearly defined business and legal purposes, including:
4.1 Service Provision
To provide, operate, maintain, and improve our SaaS platform and related services.
4.2 Contractual Performance
To fulfill obligations under subscription agreements, licensing arrangements, and enterprise contracts.
4.3 Account Management
To manage user accounts, authentication, permissions, and access controls.
4.4 Billing and Financial Compliance
To process payments, issue invoices, maintain financial records, and comply with tax regulations.
4.5 Security and Fraud Prevention
To detect unauthorized access, prevent misuse, protect infrastructure, and ensure system integrity.
4.6 Regulatory Compliance
To comply with statutory obligations, including accounting, data protection, and law enforcement requirements.
4.7 Product Improvement
To analyze platform performance, monitor system reliability, and enhance user experience.
4.8 Marketing Communications
To send newsletters, product updates, and promotional materials, subject to applicable consent requirements.
We do not process personal data for automated decision-making that produces legal or similarly significant effects without human oversight.
5. LEGAL BASIS FOR PROCESSING
5.1 Under GDPR / UK GDPR
Processing is based on:
- Article 6(1)(b) – Performance of a contract
- Article 6(1)(c) – Compliance with legal obligations
- Article 6(1)(f) – Legitimate interests
- Article 6(1)(a) – Consent
Where legitimate interests are relied upon, we ensure such interests are balanced against individual rights.
5.2 Under the DPDP Act, 2023
Processing is based on:
- Valid consent
- Legitimate uses permitted by law
- Contractual necessity
- Compliance with statutory obligations
5.3 Under CCPA/CPRA
We collect and process personal information for business purposes and do not sell personal information.
6. DISCLOSURE AND SHARING
We may disclose personal data to:
- Cloud infrastructure providers
- Payment processors
- CRM platforms
- IT and hosting vendors
- Professional advisors
- Regulatory and governmental authorities
All third parties are contractually bound by confidentiality and data protection obligations.
We do not sell or rent personal data.
7. INTERNATIONAL TRANSFERS
Given our global operations, personal data may be transferred outside India, the EU, or your country of residence.
Where required, we implement:
- EU Standard Contractual Clauses
- UK International Data Transfer Addendum
- Adequacy-based transfers
- Contractual safeguards
8. DATA RETENTION
Personal data is retained only for as long as necessary for legitimate business or legal purposes.
Retention periods include:
- Duration of contractual relationship
- Up to 7 years for financial records
- Up to 5 years for support records
- 12–24 months for security logs
After expiration, data is securely deleted or anonymized.
9. DATA SECURITY
We implement appropriate technical and organizational measures, including:
- Encryption in transit
- Role-based access controls
- Network security monitoring
- Logging and audit trails
- Secure cloud hosting
- Separation of development, testing, and production environments
Security controls are aligned with industry best practices and enterprise SaaS standards.
10. DATA SUBJECT RIGHTS
Depending on jurisdiction, individuals may have rights including:
- Access
- Rectification
- Erasure
- Restriction
- Objection
- Data portability
- Withdrawal of consent
- Grievance redressal
Requests may be submitted to: privacy@totalshiftleft.ai
11. CALIFORNIA PRIVACY NOTICE
California residents may request:
- Categories of personal information collected
- Categories of sources
- Categories of third parties disclosed to
- Deletion
- Correction
- Opt-out of sale or sharing
We do not sell personal information.
12. CHILDREN’S DATA
Our Services are not directed to minors. We do not knowingly collect personal data from individuals under 18 years of age.
13. GOVERNING LAW AND JURISDICTION
This Privacy Policy shall be governed by the laws of India.
Any disputes shall be subject to the exclusive jurisdiction of the courts of Delhi, India.
14. CONTACT AND GRIEVANCE OFFICER
TOTALSHIFT LEFT TECH PRIVATE LIMITED
H NO 2974 SECOND FLOOR, SECTOR 23
HUDA MARKET, Palam Vihar (Gurgaon)
Gurgaon – 122017, Haryana, India
Email: privacy@totalshiftleft.ai