Skip to main content

Privacy Policy

We provide a service that allows you and your team to be more productive in your product management processes.

Our privacy policy is reviewed at regular intervals to ensure it meets the current statutory requirements.

This policy covers ProdPad and CreateShift websites, interaction with the company and use of the Services where CreateShift is acting as the Data Controller. By using CreateShift websites, interacting with the company and using the Services, you are agreeing to this privacy policy.

For details on the data protection and privacy while using the Services where CreateShift is acting as the Data Processor, see the Terms and Conditions.

For the purposes of this Privacy Policy, CreateShift Ltd (a UK registered company (8092272) with the registered office 11 Kingsley Court, 142 Kings Road, Brighton, BN1 2LP) is the data controller “CreateShift”.

Our cookie policy is detailed here.

General Policy

Customer Data

Content and information submitted by users to the Services is referred to in this policy as “Customer Data”. As further explained below, Customer Data is controlled by the organization or other third party that created the account (the “Customer”). Where ProdPad collects or processes Customer Data, it does so on behalf of the Customer.

If you join an account and create a user profile, you are a “user,” as further described in the Terms of Service. If you are using the Services by invitation of a Customer, whether that Customer is your employer, another organization, or an individual, that Customer determines its own policies regarding storage, access, modification, deletion, sharing, and retention of Customer Data which may apply to your use of the Services. Please check with the Customer about the policies and settings it has in place.

CreateShift employees or contractors only access Customer Data at the request of Customer in order to provide support.

Customer Data is retained until a Hard Delete is requested by the Customer.

Customer Feedback

As part of providing Services to the Customer, CreateShift collects customer feedback and customer details (name, email, social media, telephone and avatar images) on behalf of the Customer and serves as a processor of that data for the Customer.

For the purposes of GDPR, we are a data processor of customer feedback on behalf of our clients. If you wish to exercise your data subject rights, you’ll need to contact the client who is the data controller. If you make a request of us in relation to this, we will redirect your request to the client and let you know we have done so.

Billing Information

Billing information is collected in order to fulfill the contract of providing Services to the Customer. The collected billing information includes credit card details, billing address and billing contact. According to UK law, we are obliged to retain these details for a period of 6 years.

The billing information is processed by Recurly Inc. and Stripe Inc., both of which process the data in the US. The data is transferred to the US under the Standard Contractual Clauses.

Personal Information


When creating a user account with the Services, you’ll be asked to provide your email and name. These are required in order to set up a unique account and for the transactional emails within the Services. Your email will also be used to help onboard you to the Services and provide you information about the Services. All of the emails can be opted out of by clicking on the link in the email or going to the notifications control center in the Services.

You can optionally add an avatar image if you choose. During registration, we check Gravatar to see if you have made an avatar available and, if so, use that. At any time you can delete your avatar image from your profile.

Your email and name is also used with our in-application tracking for the legitimate interest of improving the Service. This tracking is used to identify issues, bugs and help us improve the product. We retain the information until you delete your account.

We also use your email and name for providing the legitimate interest of technical and sales support. We retain this information indefinitely. You can object to the processing of this information by contacting

Appendix A and Appendix B have more details about usage, lawful basis, processors, processing location, and retention period.


If you sign up to our newsletter, you are consenting to receiving newsletter and marketing communications about the Services from us. You can withdraw consent at any time by clicking “unsubscribe” in the emails.

If you request a physical resource (such as a physical copy of The Handy Guide for Product People), we require your name, email address and mailing address in order to fulfill the sending of the resource to you. When you request the resource, you can opt-in to joining our newsletter as well. We only use the entered details to fulfill the request.

If you join one of our e-courses or webinars, we’ll ask for your name and email address in order to fulfill your request to receive the course materials or attend the webinar. When you sign up for the course or webinar, you can opt-in to joining our newsletter as well. We only use the details provided to deliver the course or webinar to you. You can opt-out of continuing to receive the course by clicking on the “unsubscribe” link in the email. You can unsubscribe from the webinar with the link provided in the email.

We use data processors to manage the delivery of resources, newsletters, and e-courses. Those processors are based in the US, and are covered by Standard Contract Clauses and Swiss-US Privacy Shield.

Further details are available in Appendix A and Appendix B.

Other Information

Pseudo-anonymised usage data

We use analytics services to produce aggregate and pseudo-anonymised usage data on the usage of the application and websites. This data is used to help us resolve issues and improve the website and Services to provide you with the best experience possible. As part of this tracking, we capture details on your device (device type, OS type & version, browser type & version) and location (city, country).

See Appendix B for ways of opting out of the tracking.

3rd party information

We use data enrichers to enrich the data about you to help us provide better sales and support. The enriched data includes job title, information about your company. You can opt-out of the enrichment by going here.

Children’s information

Our Services are not directed to children under 16. Our clients can use our Services to collect customer feedback from children on their products or services which can include children’s personal information. It is up to our clients to ensure they have the appropriate lawful basis for collecting and processing that data.

If you feel that a child’s data is being processed without an appropriate lawful basis, you should contact the company or organization that collected the data in the first place with your concerns. You may contact us and we will redirect your enquiry to the company or organization concerned as required by the GDPR.

Data Security

We care about the trust you place in us in providing us with your company and personal information. While no one can guarantee 100% security, we have in place various methods of securing your data including:

  • Encryption-in-rest and in-transit
  • Minimization of personal data collected to what is required to deliver the Services and websites
  • Usage of firewalls, regular vulnerability scans, and intrusion detection

You can get more information about our security here.

Your Individual Data Rights

You have various rights over your personal information. Those rights are:

  1. Being informed about data collected and how it is processed
  2. Access to the data we have on you
  3. Being able to correct and update the data we have on you
  4. Erasure of the data we have on you
  5. Restricting of the processing of the data we have on you
  6. Being able to move the data we have on you to another service
  7. Knowledge of what automated decision-making and/or profiling we do with your personal information

There are circumstances when your data rights can be overridden, such as in the case of billing information which is required to be maintained for 6 years under UK law.

We don’t do any automated decision-making or profiling.

We provide you with information about the data collected and how it is processed via this privacy policy and the privacy notices displayed when we collect the data.

You can access and update (rectify) the Personal Information we have on you by logging into the Service. If you wish to rectify information in other services please email

You can erase the data we have on you by closing and deleting your Service account. This will also anonymize the tracking data we have collected in the process of using the Service.

You can restrict various processing of your Personal Information by opting out of various services (see Appendix B).

Your Company Data Rights

You own the copyrights, IP, and other similar rights to the Company Data entered into the Service.

If you wish to close your company account with us you can request to cancel the subscription within the app. At that time you can export the data from your company account using the various export tools provided within the Service.

Tracking and Targeted Advertising

We may allow service providers and other third parties to use cookies and other tracking technologies to track your browsing activity over time and across our Site and third party websites. We may also partner with a third party ad network to either display advertising on our Site, to manage our advertising on other sites, or to provide you targeted advertisements based upon your interests on our Site or on third party sites.

We will update our cookie policy of details on advertising/targeting cookies if they are implemented.

You may opt out of having your personal information used for targeted ads by clicking here or if you are in the European Union, here, but you may still receive untargeted ads.

Other companies’ use of their tracking technologies is subject to their own privacy policies. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to do not track or similar signals. To find out more about “Do Not Track,” please visit

In some of our communications, we use tracking means, such as a “click-through URL” linked to content on the Site. We track this data to help us measure the effectiveness of our customer communications.


We will not disclose Customer Data or Personal Information to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order).

If a law enforcement agency sends us a demand for Customer Data or Personal Information, we will attempt to redirect the law enforcement agency to request that data directly from Customer or Individual. As part of this effort, we may provide Customer or Individual’s basic contact information to the law enforcement agency.

If compelled to disclose Customer Data or Personal Information to a law enforcement agency, then we will give Customer or Individual reasonable Notice of the demand to allow the Customer or Individual to seek a protective order or other appropriate remedy unless we are legally prohibited from doing so.

Change of Ownership or other Business Transaction

In the event that CreateShift enters into a business transition, such as a merger, acquisition, or the sale of all or part of its assets (a “Business Transition”), users’ data (including personally identifiable information and non-personally identifiable information associated with the ProdPad services) will likely be part of the assets transferred.

In this event, we will notify you of any Business Transition. We will also notify you of any subsequent material changes to this Privacy Policy as a result of a Business Transaction and give you the opportunity to opt-out for information that we have collected before, or may collect after, a new Privacy Policy containing material changes takes effect.

Supervisory Authority

For the purposes of the GDPR legislation our Supervisory Authority is the UK’s Information Commissioner’s Office. If you wish to lodge a complaint about your data subject rights or the lawfulness of processing, you can do so by contacting the ICO.

Changes to this Privacy Policy

CreateShift may change this Privacy Policy from time to time. Laws, regulations and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We will post the changes to this page and encourage you to review our Privacy Policy to stay informed.

If we make changes that materially alter your privacy rights, CreateShift will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Policy, you should deactivate your Services account. Contact the Customer if you wish to request the removal of Personal Data under their control.

You understand and agree that if you use the CreateShift services after the effective date of the updated Privacy Policy, CreateShift will consider your use as acceptance of the updated Privacy Policy.

Learn more

Access to your information. If you wish to see the personal information we hold about you, please log in to the Settings section. If you have any further queries or concerns, please contact us at

Last Updated: November 2020.

Appendix A – Personal Information Collected

Personal InformationProcessingLawful Basis of ProcessingRetention Period
EmailStored and used to provide a unique account. Used to send transactional emails and product related updatesContractual, Various Legitimate InterestsUntil you request the deletion of your account
Used to send product newsletter, e-courses and provision of other resources to you (including webinars)Consent for the product newsletter and Contractual for the provision of resources and e-coursesUntil you unsubscribe from the newsletter, 6 months after completion of a course or 6 months after a resource is delivered
Used to provide support, sales/customer success and marketingContractual to provide support to trialists and subscribes and legitimate interest to ensure customer success with the product3 years after subscription or trial end for support & customer success.Sales/marketing on unsubscribe from campaigns
NameStorage and display in the application and transactional emails sent to you and other account usersContractual, Various Legitimate InterestsUntil you request the deletion of your account
Used to send product newsletter, e-courses and provision of other digital resources to you (including webinars)Consent for the product newsletter and Contractual for the provision of resources and e-coursesUntil you unsubscribe from the newsletter, 6 months after completion of a course or 6 months after a resource is delivered
Used to provide support, sales/customer success and marketingContractual to provide support to trialists and subscribes and legitimate interest to ensure customer success with the product3 years after subscription or trial end for support & customer success.Sales/marketing on unsubscribe from campaigns
Profile ImageStorage and display in the applicationConsent based on your upload of an image either via Gravatar or manual uploadUntil you request the deletion of your account or you change your profile image
IP addressStorage and usage in application trackingLegitimate interest of securityIndefinite
Website trackingLegitimate interest in improving the website for your benefit2 years after collection
Analytics CookiesPseudo-anonymous id cookie used to aggregate session statisticsLegitimate interest of improving the application for your benefitUp to 2 years
Mailing AddressUsed to send physical resources to youConsent6 months after delivery of the resource

Appendix B – Personal Information Processors

ProcessorInformation ProcessedLocation of ProcessingPrivacy ProtectionsOpt-out
Amazon Web Services, Inc.Email, Name, IP address, Profile Image, IP addressEUGDPR, Standard Contract Clauses, Data Processing AddendumDelete your account
Help Scout PBCEmail, Name to provide customer supportUSStandard Contract Clauses, Data Processing AddendumN/A
FullStory, IncEmail, Name, IP, analytics cookie for customer support and analyticsUSStandard Contract Clauses, Data Processing AddendumOpt-out
The Rocket Science Group, LLC d/b/a MailChimpEmail, Name for product newsletterUSStandard Contract Clauses, Data Processing AddendumUnsubscribe, Inc.

Email, Name for product analytics

USStandard Contract Clauses, Data Processing Addendum
Delete your account
HubSpot, IncEmail, Name, and other contact information for sales, marketing, and support purposesUS/EUStandard Contract Clauses, Data Processing AddendumEmail sales to have your profile removed, unsubscribe from campaigns
Recurly, IncName, Email for billing purposesUSStandard Contract Clauses, Data Processing AddendumN/A
Stripe, IncName, Email for billing and fraud purposesUSStandard Contract Clauses, Data Processing AddendumN/A
Google, Inc (G Suite)Email, name when contact usUS/EUStandard Contract Clauses, Data Processing Addendum 
Google LLCAnalytics Cookie for anonymous trackingUSStandard Contract Clauses, Data Processing AddendumOpt-out with browser add-on
APIHub, Inc d/b/a ClearbitEnrichment with non personal information (job title, company details)USStandard Contract Clauses, Data Processing AddendumOpt-out
Zoom IncEmail, Name for signup to the webinar and also to receive notifications about the webinarUSStandard Contract Clauses, Data Processing AddendumClick on emails sent by service