Privacy policy.

In this policy, “ShiftCTRL,” “we,” “us” means ShiftCTRL, an engineering firm based in New York City. “You” means a visitor to shiftctrl.net or a person engaging us for network engineering services. “Personal data” means information that identifies you or could reasonably be linked to you.

By using the site or our services you accept this policy. If you do not, do not use the site and do not engage us. This document is not a substitute for a contract; project engagements are governed by a separate Terms of Service and any statement of work signed for the engagement.

We use personal data to do the work you have asked us to do and to run the firm. The legal bases are contract (delivering the engagement), legitimate interest (running the firm), consent (where you have given it), and legal obligation (where the law requires it).

• Plan, quote, install, and maintain network engagements.
• Communicate about scope, schedules, deliverables, and invoices.
• Operate, secure, and improve the site and the services we deliver.
• Comply with legal, tax, and regulatory obligations.
• Defend the firm against fraud, abuse, or security threats.

We do not sell personal data and we do not disclose it for cross-context behavioral advertising under California law.

Engagement records, network designs, and supporting documents are kept for the duration of the engagement and a defined retention window after it. Financial records are retained for the period required by tax and accounting rules.

• Encryption in transit (TLS) and at rest where the storage layer supports it.
• Access on a need-to-know basis; engagement materials scoped to the engineers on the project.
• MFA on the firm's primary identity provider and on credential-vault access.
• Periodic review of access logs and third-party processor configurations.

No system is unbreakable. If a breach affecting your personal data occurs we will notify you and the relevant authorities within the timeframes required by law.

We share personal data only where it is necessary to deliver the work or where we are legally required to. The categories of recipient are:

Service providers

Vendors that host, secure, or support the site and our internal systems — e.g. cloud hosting, email delivery, error monitoring, analytics. Each is bound by a data-processing agreement that limits use to the purpose for which we engaged them.

Subcontractors

Engineers we engage for specific scopes, bound by the same confidentiality and data-handling obligations that we accept under the engagement.

Equipment vendors

Where required to register a serial number, raise a warranty claim, or coordinate an RMA on your behalf.

Legal and regulatory

Where disclosure is required by court order, subpoena, or applicable law, and limited to what is required.

We do not sell or rent personal data and we do not transfer it for marketing by third parties.

Depending on where you live you may have rights under the GDPR, the UK GDPR, the California Consumer Privacy Act, or similar laws. We honor the following requests regardless of jurisdiction:

Access

A copy of the personal data we hold about you.

Correction

Fixes to data that is inaccurate or out of date.

Deletion

Removal of data that is no longer required for the engagement or by law.

Portability

An export of your data in a structured, machine-readable form.

Objection / restriction

Limits on certain processing on the basis of your particular situation.

Withdraw consent

Where the legal basis is consent, you can withdraw it at any time without affecting prior processing.

Email your request to hello@shiftctrl.net. We respond within 30 days. We may need to verify your identity before disclosing personal data. There is no fee for a reasonable request; an unjustified or repetitive request may incur a reasonable fee or be refused, with reasons.

The site uses a small number of cookies and similar storage. Categories, retention, and browser-level opt-out steps are documented in full in the Cookie Policy.

The site and our services are intended for engineers, building owners, and operators. They are not directed at children under 18 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

We are based in the United States and our service providers may process data in the United States or in other countries where they operate. Where personal data is transferred out of the European Economic Area or the United Kingdom we rely on Standard Contractual Clauses or another lawful transfer mechanism, and we apply the same protections regardless of where the data is processed.

We update this policy when our practices change. The effective date at the top of this page is the date of the current version. Material changes will be summarized in a brief change log on first publication. Continued use of the site after a change is acceptance of the updated policy.

For privacy-related questions or to exercise the rights described in § 6, contact us at hello@shiftctrl.net. Mark the subject line with Privacy request so the message is routed to the right inbox.

We do not maintain a separate Data Protection Officer. A senior engineer at the firm is the responsible decision-maker for data-protection matters and can be reached at the same address.