Privacy Policy

We provide a service that allows you and your team to be more productive in your product management processes.

Our privacy policy is reviewed at regular intervals to ensure it meets the current statutory requirements.

This policy covers ProdPad and CreateShift websites (including, as well as the software and services made available through the ProdPad APIs. By using CreateShift services you are agreeing to this privacy policy.

For the purposes of this Privacy Policy CreateShift Ltd (a UK registered company with the registered office Kemp House, 152 City Road, London EC1V 2NX) is the data controller “CreateShift”.

Our cookie policy is detailed here.

General Policy

Data TypeProcessing LocationProcessorGDPR Legal BasisRetention Period
Customer DataEUCreateShift Ltd, AWS IncN/AUntil Hard Delete is requested
Personal InformationEU, USCreateShift Ltd, AWS Inc, Zendesk Inc, Mailchimp Inc, Intercom Inc, HubSpot IncLegitimate Interest, ContractualVaries (see Appendix A)
Billing InformationEU, USRecurly Inc, Stripe Inc
6 years as required by UK statutory obligations

Customer Data

Content and information submitted by users to the Services is referred to in this policy as “Customer Data”. As further explained below, Customer Data is controlled by the organization or other third party that created the account (the “Customer”). Where ProdPad collects or processes Customer Data, it does so on behalf of the Customer.

If you join an account and create a user profile, you are a “user,” as further described in the Terms of Service. If you are using the Services by invitation of a Customer, whether that Customer is your employer, another organization, or an individual, that Customer determines its own policies regarding storage, access, modification, deletion, sharing, and retention of Customer Data which may apply to your use of the Services. Please check with the Customer about the policies and settings it has in place.

CreateShift employees or contractors only access Customer Data at the request of Customer in order to provide support.

Customer Data is retained until a Hard Delete is requested by the Customer.

Customer Feedback

As part of providing Services to the Customer, CreateShift collects customer feedback and customer details (name, email, social media, telephone and avatar images) on behalf of the Customer and serves as a processor of that data for the Customer.

For the purposes of GDPR, we are a data processor of customer feedback on behalf of our clients. If you wish to exercise your data subject rights, you’ll need to contact the client who is the data controller. If you make a request of us in relation to this, we will redirect your request to the client and let you know we have done so.

Billing Information

Billing information is collected in order to fulfill the contract of providing Services to the Customer. The collected billing information includes credit card details, billing address and billing contact. According to UK law, we are obliged to retain these details for a period of 6 years.

The billing information is processed by Recurly Inc. and Stripe Inc. both of which process the data in the US. The data is transferred to the US under the US-EU Privacy Shield and US-Swiss Privacy Shield.

Personal Information


When creating a user account with the Services, you’ll be asked to provide your email and name. These are required in order to set up a unique account and for the transactional emails within the Services. Your email will also be used to help onboard you to the Services and provide you information about the Services. All of the emails can be opted out of by clicking on the link in the email or going to the notifications control center in the Services.

You can optional add an avatar image if you choose. During registration we check Gravatar to see if you have made an avatar available and if so, use that. At any time you can delete your avatar image from your profile.

Your email and name is also used with our in-application tracking for the legitimate interest of improving the Service. This tracking is used to identify issues, bugs and help us improve the product. We retain the information until you delete your account.

We also use your email and name for providing the legitimate interest of technical and sales support. We retain this information indefinitely. You can object to the processing of this information by contacting

Appendix A and Appendix B has more details about usage, lawful basis, processors and retention period.


If you sign up to our newsletter you are consenting to receiving newsletter and marketing communications about the Services from us. You can withdraw consent at any time by clicking unsubscribe in the emails.

If you request a resource (such as our handy guide) we require your name, email address and mailing address in order to fulfill the sending of the resource to you. When you request the resource you can opt-in to joining our newsletter as well. We only use the entered details to fulfill the request.

If you join one of our e-courses or webinars, we’ll ask for your name and email address in order to fulfill your request to receive the course materials or attend the webinar. When you sign up for the course or webinar, you can opt-in to joining our newsletter as well. We only use the details provided to deliver the course or webinar to you. You can opt-out of continuing to receive the course by clicking on the unsubscribe link in the email. You can unsubscribe from the webinar with the link provided in the email.

We use data processors to manage the delivery of resources, newsletters and e-courses. Those processors are based in the US and are covered by EU-US Privacy Shield, Swiss-US Privacy Shield along with Model Contract Clauses to regulate the transfer of data outside of the EU.

Further details are available in Appendix A and Appendix B.

Other Information

Pseudo-anonymised usage data

We use analytics services to produce aggregate and pseudo-anonymised usage data on the usage of the application and websites. This data is used to help us resolve issues and improve the website and Services to provide you with the best experience possible. As part of this tracking we capture details on your device (device type, os type & version, browser type & version) and location (city, country).

See Appendix B for ways of opting out of the tracking.

3rd party information

We use data enrichers to enrich the data about you to help us provide better sales and support. The enriched data includes job title, information about your company. You can opt-out of the enrichment by going here.

Children’s information

Our Services are not directed to children under 16. Our clients can use our Services to collect customer feedback from children on their products or services which can include children’s personal information. It is up to our clients to ensure they have appropriate lawful basis for collecting and processing that data.

If you feel that a child’s data is being processed without an appropriate lawful basis, you should contact the company or organization that collected the data in the first place with your concerns. You may contact us and we will redirect your enquiry to the company or organization concerned as required by the GDPR.

Data Security

We care about the trust you place in us in providing us with your company and personal information. While no one can guarantee 100% security, we have in place various methods of securing your data including:

  • Encryption-in-rest and in-transit
  • Minimization of personal data collected to what is required to deliver the Services and websites
  • Usage of firewalls, regular vulnerability scans and intrusion detection

You can get more information about our security here.

Your Individual Data Rights

You have various rights over your personal information. Those rights are:

  1. Being informed about data collected and how it is processed
  2. Access to the data we have on you
  3. Being able to correct and update the data we have on you
  4. Erasure of the data we have on you
  5. Restricting of the processing of the data we have on you
  6. Being able to move the data we have on you to another service
  7. Knowledge of what automated decision-making and/or profiling we do with your personal information

There are circumstances when your data rights can be overridden, such as in the case of billing information which is required to be maintained for 6 years under UK law.

We don’t do any automated decision-making or profiling.

We provide you with information about the data collected and how it is processed via this privacy policy and the privacy notices displayed when we collect the data.

You can access and update (rectify) the Personal Information we have on you by logging into the Service and Zendesk Inc. If you wish to rectify information in other services please email

You can erase the data we have on you by closing and deleting your Service account. This will also anonymize the tracking data we have collected in the process of using the Service.

You can restrict various processing of your Personal Information by opting out of various services (see Appendix B).

Your Company Data Rights

You own the copyrights, IP and other similar rights to the Company Data entered into the Service.

If you wish to close your company account with us you can request to cancel the subscription within the app. At that time you can export the data from your company account using the various export tools provided within the Service.

Tracking and Targeted Advertising

We may allow service providers and other third parties to use cookies and other tracking technologies to track your browsing activity over time and across our Site and third party websites. We may also partner with a third party ad network to either display advertising on our Site, to manage our advertising on other sites, or to provide you targeted advertisements based upon your interests on our Site or on third party sites.

We will update our cookie policy of details on advertising/targeting cookies if they are implemented.

You may opt out of having your personal information used for targeted ads by clicking here or if you are in the European Union, here, but you may still receive untargeted ads.

Other companies’ use of their tracking technologies is subject to their own privacy policies. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to do not track or similar signals. To find out more about “Do Not Track,” please visit

In some of our communications, we use tracking means, such as a “click-through URL” linked to content on the Site. We track this data to help us measure the effectiveness of our customer communications.


We will not disclose Customer Data or Personal Information to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order).

If a law enforcement agency sends us a demand for Customer Data or Personal Information, we will attempt to redirect the law enforcement agency to request that data directly from Customer or Individual. As part of this effort, we may provide Customer or Individual’s basic contact information to the law enforcement agency.

If compelled to disclose Customer Data or Personal Information to a law enforcement agency, then we will give Customer or Individual reasonable Notice of the demand to allow the Customer or Individual to seek a protective order or other appropriate remedy unless we are legally prohibited from doing so.

Change of Ownership or other Business Transaction

In the event that CreateShift enters into a business transition, such as a merger, acquisition, or the sale of all or part of its assets (a “Business Transition”), users’ data (including personally identifiable information and non-personally identifiable information associated with the ProdPad services) will likely be part of the assets transferred.

In this event, we will notify you of any Business Transition. We will also notify you of any subsequent material changes to this Privacy Policy as a result of a Business Transaction and give you the opportunity to opt-out for information that we have collected before, or may collect after, a new Privacy Policy containing material changes takes effect.

Supervisory Authority

For the purposes of the GDPR legislation our Supervisory Authority is the UK’s Information Commissioner’s Office. If you wish to lodge a complaint about your data subject rights or the lawfulness of processing about the you can do so by contacting the ICO.

Changes to this Privacy Policy

CreateShift may change this Privacy Policy from time to time. Laws, regulations and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We will post the changes to this page and encourage you to review our Privacy Policy to stay informed.

If we make changes that materially alter your privacy rights, CreateShift will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Policy, you should deactivate your Services account. Contact the Customer if you wish to request the removal of Personal Data under their control.

You understand and agree that if you use the CreateShift services after the effective date of the updated Privacy Policy, CreateShift will consider your use as acceptance of the updated Privacy Policy.

Learn more

Access to your information. If you wish to see the personal information we hold about you, please log in to the Settings section. If you have any further queries or concerns, please contact us at

Last Updated: April 24, 2018.

Appendix A – Personal Information Collected


Personal InformationProcessingLawful Basis of ProcessingRetention Period
EmailStored and used to provide a unique account. Used to send transactional emails and product related updatesContractual, Various Legitimate InterestsUntil you request the deletion of your account
NameStorage and display in the application and transactional emails sent to you and other account usersContractual, Various Legitimate InterestsUntil you request the deletion of your account
Profile ImageStorage and display in the application6.1(a) Consent based on your upload of an image either via Gravatar or manual uploadUntil you request the deletion of your account or you change your profile image
IP addressStorage and usage in application trackingLegitimate interest of securityIndefinite
Analytics CookiesPseudo-anonymous id cookie used to aggregate session statisticsLegitimate interest of improving the application for your benefitUp to 2 years


Personal InformationProcessingLawful basis of processingRetention Period
EmailUsed to send product newsletter, e-courses and provision of other resources to you (including webinars)Consent for the product newsletter and Contractual for the provision of resources and e-coursesUntil you unsubscribe from the newsletter, 6 months after completion of a course or 6 months after a resource is delivered
NameUsed to send product newsletter, e-courses and provision of other resources to you (including webinars)Consent for the product newsletter and Contractual for the provision of resources and e-coursesUntil you unsubscribe from the newsletter, 6 months after completion of a course or 6 months after a resource is delivered
Mailing AddressUsed to send resources to youConsent6 months after delivery of the resource
IP addressWebsite trackingLegitimate interest in improving the website for your benefit2 years after collection
Analytics CookiesPseudo-anonymous id cookie used to aggregate session statisticsLegitimate interest in improving the website for your benefitUp to 2 years

Appendix B – Personal Information Processors


ProcessorInformation ProcessedLocation of ProcessingPrivacy ProtectionsOpt-out
Amazon Web Services, Inc.Email, Name, IP address, Profile Image, IP addressEUGDPR, Privacy Shield, Data Processing AddendumDelete your account
Zendesk, IncEmail, Name to provide customer supportUSPrivacy Shield, Data Processing AddendumN/A
FullStory, IncEmail, Name, IP, analytics cookie for customer support and analyticsUSPrivacy Shield, Data Processing AddendumOpt-out
The Rocket Science Group, LLC d/b/a MailChimpEmail, Name for product newsletterUSPrivacy Shield, Data Processing AddendumUnsubscribe
Avenue 81, Inc. d/b/a LeadpagesEmail, Name for product operationsUSPrivacy Shield, Data Processing AddendumClick on unsubscribe link in emails
Salesmachine, IncEmail, Name for customer successEUGDPR, Data Processing AddendumClick on unsubscribe link in emails, Inc.Email, Name for product analyticsUSPrivacy Shield, Data Processing AddendumDelete your account
Recurly, IncName, Email for billing purposesUSPrivacy Shield, Data Processing AddendumN/A
Stripe, IncName, Email for billing and fraud purposesUSPrivacy Shield, Data Processing AddendumN/A
Google LLCAnalytics Cookie for anonymous trackingUSPrivacy Shield, Data Processing AddendumOpt-out with browser add-on
APIHub, Inc d/b/a ClearbitEnrichment with non personal information (job title, company details)USPrivacy Shield, Data Processing AddendumOpt-out


ProcessorInformation ProcessedLocation of ProcessingPrivacy ProtectionsOpt-out
Google, Inc (G Suite)Email, name when contact usUS/EUPrivacy Shield, Data Processing Addendum 
Google, Inc (Google Analytics)Google analytics tracking cookieUSPrivacy Shield, Data Processing AddendumOpt-out with browser add-on
Pipedrive, IncEmail, Name for sales purposesUSPrivacy Shield, Data Processing AddendumEmail sales to have your profile removed
HubSpot, IncEmail, Name, and other contact information for sales, marketing, and support purposesUS/EUPrivacy Shield, Data Processing AddendumEmail sales to have your profile removed
FullStory, IncAnalytics Cookie for website operationsUSPrivacy Shield, Data Processing AddendumOpt-out
Webinar serviceEmail, Name for signup to the webinar and also to receive notifications about the webinarUSPrivacy Shield, Data Processing AddendumClick on emails sent by service
Sent Well LLCName and mailing address in order to send resources to youUSPrivacy Shield, Data Processing AddendumEmail to have your details removed. If you email before we have sent your the resource you’ve requested we won’t be able to send it to you
Zendesk, IncName and email when you email our support emailsUSPrivacy Shield, Data Processing AddendumEmail us requesting your profile to be deleted