Privacy Policy

We, the operators of Shadow, strive to be upfront and transparent with any data we process. We encourage you to read this Privacy Policy to ensure you use Shadow in a way that's right for you.

In this document, we will use "we", "us", and "our" to refer to the owners and operators of Shadow. We will use "Shadow" or "the service" to refer to this site and related services like our Discord bot. We will use "you" or "your" to refer to you, the reader.

This privacy policy explains how we use the personal data we collect about you from your usage of Shadow.

  1. Changes to our privacy policy
  2. What data do we collect?
  3. How will we use and collect your data?
  4. How do we store your data?
  5. (EU Users) What are your data protection rights?
  6. (California Users) What are your data protection rights?
  7. Cookies
  8. How do we use cookies?
  9. Privacy policies of other websites
  10. How to contact us

Changes to our privacy policy

We keep Shadow's privacy policy under regular review and place any updates on this web page. This is v1.0 of this privacy policy and was last updated on 21 May 2025.

When changes are made, we will publish a separate web page that details the specific changes to the policy and rationales for they were made.

What data do we collect?

The information we collect depends in part on how you use Shadow. We collect different information if you're simply browsing the site and viewing art, interacting with artists by leaving comments or reacting to pictures, or are an artist yourself and are choosing to host and share your artwork on Shadow.

Discord

We use Discord as our authentication service provider. Additionally, we integrate with certain Discord features such as servers and roles. Information is provided directly from Discord when you connect your account.

We collect, depending on your usage of Shadow, the following information from Discord

Account ID
[Everyone] Your user account ID. Stored. Never displayed publicly.
Access Token
[Everyone] A token to let us retrieve info about you, such as your role in a sever. Retrieved from Discord, used for its intended purpose, and then immediately discarded; never stored.
Servers in which you are a member
[Everyone] We need to know the server's you're in to see if any of them are on Shadow. That lets us add you to the server on here (or remove you if you leave).
Roles granted to you in any member servers
[Everyone] We need to know the roles you have in a server to also grant you those roles on Shadow. This lets you see art the artist has chosen to gate behind those roles.
Username
[Optional] If you choose to show your username on comments you leave.
Display name
[Optional] If instead you choose to show your display name on comments.
Nicknames used in any member servers
[Optional] If instead you choose to show your server-specific nickname on comments.
Servers you own
[Artists] When you onboard a Discord server to Shadow, we need to know which servers you own (to let you pick which one(s) to onboard) and, once chosen, we store some info about the server, such as its id, name, and icon.
The full list of roles in servers you own
[Artists] When you import a role from Discord to use on Shadow for gating artwork, we need to see the full list (to let you pick which one(s) to onboard) and, once chosen, we store some info about the roles, such as its id, name, and color.
The full list of channels in servers you own
[Artists] If you would like Shadow to announce when posts are created/updated in your server, we need to see the full list of channels in the server (to let you pick which one to use) and, once chosen, we store some info about it like the ID and name.

The information we collect may change over time as we add or adjust features on Shadow. We will ask for new consent before collecting new info or using existing info for a new purpose. We will update this Privacy Policy–before we start collecting new information–to describe the new information, how and when we will collect it, and how we will use it.

Site data

Shadow has a variety of features you may choose to use. These features collect additional information, but the exact information collected depends on whether and how you use them.

We collect and store the following information from your usage of Shadow

Web request information
Headers, IP address, etc.
Login times and session information
Number of logins, time of last activity, and cookies to keep you logged in
Reactions
Reactions you add to art and related metadata (such as the time the reaction was added).
Comments
Contents of any comments you create, time the comment was created or edited, and the attribution information (whether it was left anonymously or not).
Favorites
Artwork you've favorited (bookmarked) and metadata such as the time you favorited it.
Artwork
[Artists] Artwork you upload, variants we create (such as thumbnails), alt-text provided, and related metadata (such as MIME type, file name and extension, and dimensions).
Posts
[Artists] Contents of posts you make, the artwork in those posts (even if not published) and related metadata (such as time created, published, or edited).
Tags
[Artists] Tags you create or apply to your artwork and related metadata (such as time created and tags used for each piece of art).
Emotes
[Artists] Emotes you create, their contents, and related metadata (such as time created, MIME type, file name and extension).

How will we use and collect your data?

You directly provide Shadow with all of the data we collect and it should be readily apparent when that data is being collected (such as when you are using a feature of the site). We do not receive any data indirectly from third parties.

Our lawful bases for processing personal data under the GDPR include user consent (for account creation), contract performance (providing the service), and our legitimate interest (site security, fraud prevention, and improving functionality).

Discord

The information collected from Discord powers your identity on the site (account, display name, etc.) and core functionality like determining the visibility of content (posts, artwork, etc.).

We collect and use information from Discord to

  • Create and log in your account
  • Determine which servers on Shadow you are a member of
  • Determine which art you're able to see (based on your roles)
  • (Artists) Onboard your Discord server to Shadow and manage its settings
  • (Artists) Display your server information like name and picture
  • (Artists) Manage the visibility of art (such as limiting it to users with certain roles)
  • (Artists) Send activity notifications to specific channels in your Discord server
  • (Shadow Admins) Perform content moderation such as banning accounts

Site data

The information collected on the site is to enable features and functionality.

We collect and use information on the site to

  • Display artwork and relevant content warnings
  • Add reactions (emotes) to artwork
  • Favorite (bookmark) artwork
  • Leave and reply to comments on posts
  • (Artists) Create and edit posts
  • (Artists) Upload and manage artwork (add content warnings, add tags, and control visibility)
  • (Artists) Create and add tags to artwork
  • (Artists) Create or import emotes for reactions
  • (Shadow Admins) Perform content moderation such as removing violating posts, comments, and artwork, or suspending and terminating accounts

In addition to site functionality, we use your information to monitor the site, improve site features and performance, and identify and issues and bugs.

Third parties

Shadow uses third party service providers to help power the site. These third parties have access to some of the information we collect.

Hetnzer

Hetzner is a data center operator and cloud services provider. Shadow's site code, databases, and file storage are all hosted on a server provided by Hetzner.

As our webhost, Hetzner has access to all collected data by virtue of their physical access to the computers that power the site.

We trust Hetzner: they are a popular, well-known name in the space and take precautions to protect your data and prevent unauthorized or malicious access.

Discord

Discord is a social communication platform. Shadow uses Discord extensively for account registration, login (authentication), sever creation (by artists), role-based access control (to manage who can see artwork), and social features like reaction emotes.

Shadow does not share information you provide to use with Discord. However, since we use their API for certain features, they are able to determine some information about your usage of Shadow such as when you log in or when you onboard a server to the site.

Cloudflare

Cloudflare is an internet infrastructure and service provider. They can manage DNS for a site, help speed up sites by caching site data closer to users, and secure sites from attacks like DDoS. Shadow uses Cloudflare for DNS record management, caching of static assets (such as JavaScript and CSS), aggregate analytics, and security (DDoS protection).

Shadow uses Cloudflare's CDN to cache some static assets such as JavaScript and CSS files. We do not cache artwork and so that is not stored or collected by Cloudflare. Cloudflare does collect your network information (such as your IP address) for operational logging.

We trust Cloudflare: they are a popular, well-known name in the space and take precautions to limit the amount of data they collect and protect what data they do.

How will we not use your data?

We have no interest in selling your data. We do not supplement or acquire information about you from third parties other than our service providers. We do not share your data with third parties other than our service providers. We do not attempt to deanonymize or determine your identity beyond the data we receive from you directly or via Discord.

How do we store your data?

Shadow securely stores your data in a Hetzner data center in Ashburn, Virginia, United States.

If you are located outside the United States, this would constitute an international data transfer. We have Standard Contractual Clauses (SCCs) in place with Hetzner to enable this transfer in the form of a signed Data Protection Agreement (DPA).

We take security very seriously and want to protect your data to the best of our abilities. We encrypt our database (and backups) at rest using AES with a key rotated at least annually. Connections to-and-from Shadow are secured with TLS using version 1.2 or greater. Our accounts with our third party service providers have strong passwords of 20 characters at minimum and require multi-factor authentication or passkeys. Access to Shadow's webserver is protected with a strong password of at least 20 characters and requires multi-factor authentication.

We retain your data so long as you have an account with us. You can delete your account at any time by visiting your account settings. Accounts that have not been logged in to for two years will be automatically deleted. Lastly, banned accounts will be deleted once the appeal window has lapsed. We keep a hashed version of the banned account's Discord ID to prevent evasion. We do not intend to keep your data any longer than necessary.

Data that has been deleted either directly or as a consequence of account deletion may still be stored by us temporarily in caches and backups for up to 90 days. After that, the data will be fully gone and cannot be recovered. This retention is necessary for data integrity and disaster recovery purposes. These backups are taken frequently such that in the unlikely event we must restore data using one of them, the amount of previously-deleted data should be minimal, but we will do whatever we can prior to restoration to avoid returning any permanently deleted data. We will notify all users of Shadow in the event we must restore from a backup, to ensure they can take the necessary actions and re-delete any data, if needed.

In the unlikely event of a data breach that may impact your data, we will notify you as soon as possible via notice on the Shadow website or via a message to your Discord account. This notification will include a summary of the breach, the data affected, potential consequences of the breach, and steps we are taking to mitigate the issue. We will take prompt and appropriate measures to secure any affected systems and address any deficiencies that led to the breach, to ensure it will never happen again.

To summarize our data retention practices,

User-generated content
Retained until you delete your account or content (may be present in backups)
Account data
Deleted after two years of inactivity (may be present in backups)
Backups
Retained for a maximum of 90 days
Banned user identifiers
Retained indefinitely as a hash of your Discord ID

(EU Users) What are your data protection rights?

For EU users subject to GDPR, the following rights are guaranteed to you. Users in other jurisdictions may not have these rights explicitly granted or protected by your local laws and regulations, but Shadow will nonetheless do our best to uphold these rights globally.

The right to access
You have the right to request us for copies of your personal data. We do not charge any fee for this service.
The right to rectification
You have the right to request that we correct any information you believe is inaccurate. You also have the right to request Shadow to complete the information you believe is incomplete.
The right to erasure
You have the right to request that Shadow erase your personal data, under certain conditions.
The right to restrict processing
You have the right to request that Shadow restrict the processing of your personal data, under certain conditions.
The right to object to processing
You have the right to object to Shadow's processing of your personal data, under certain conditions.
The right to data portability
You have the right to request that Shadow transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email: contact#@example.shadow.comspace.

Should you wish to report a complaint or if you feel that we have not addressed your concerns in a satisfactory manner, you may contact your relevant data protection authority, if applicable to your jurisdiction.

Shadow does not currently require an EU representative under GDPR Article 27. Should this change, we will update our policy accordingly.

(California Users) What are your data protection rights?

If you are a resident of California in the United States, you have rights under the California Consumer Privacy Act and the California Privacy Rights Act.

Right to know
You have the right to know what information we have collected about you, including the categories, specific pieces of information, and how it's used and shared.
Right to delete
You have the right to request that we delete any personal information we've collected about you.
Right to opt-out
You have the right to opt-out of the sale or sharing of personal information. We do not sell or share your personal information.
Right to non-discrimination
You cannot be discriminated against for choosing to exercise any of these rights.
Right to correct
You have the right to request we correct inaccurate or incomplete personal information.
Right to limit the use of sensitive information
You have the right to limit the use sensitive personal information. We do not currently collect any information considered sensitive by the CCPA/CPRA.
Right to portability
You have the right to request a copy of your personal information in a readily usable format to transfer it to another entity.

To exercise your rights, please email us at contact#@example.shadow.comspace.

Cookies

Cookies are small text files that websites place on your device as you are browsing. They are processed and stored by your web browser. In and of themselves, cookies are harmless and serve crucial functions for websites. Cookies can also generally be easily viewed and deleted.

For further information, visit allaboutcookies.org.

You can tell your web browser to not accept cookies, but the site will not function. The below section outlines how we use cookies and why they are necessary.

How do we use cookies?

Shadow only uses cookies that are strictly-necessary for the site to function.

We use cookies for two reasons

  1. Keeping you signed in
  2. Powering sign-in with Discord

We do not use any third party cookies, tracking cookies, or ad pixels.

Privacy policies of other websites

Shadow's website contains links to other websites. Our privacy policy only applies to our site, so if you click a link to another website, you should read their privacy policy.

How to contact us

If you have any questions about our privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Email us at contact#@example.shadow.comspace