Privacy Policy

This Privacy Policy explains how ShortGigs LLC ("ShortGigs," "we," "us," or "our"), a Delaware limited liability company located at 8 The Green, #20630, Dover, DE 19901, collects, uses, shares, and protects personal information when you use our platform at shortgigs.ai.

By creating an account or using ShortGigs, you agree to this Privacy Policy. If you do not agree, please do not use our services. ShortGigs is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18.

1. Information We Collect

A. Information you provide directly

• Account information: name, email address, password
• Profile information: bio, profile photo, portfolio links (Instagram, TikTok, YouTube, Behance)
• Payment and payout information (processed through Stripe; we do not store full card numbers)
• Identity verification data collected by Stripe Connect (for creators receiving payouts)
• Gig listings, applications, messages, deliverables, and reviews
• Communications with our support team
• Invite codes and referral codes

B. Information collected automatically

• IP address and approximate location (country/region level)
• Browser type, operating system, and user agent
• Pages visited and actions taken on our platform
• Session and authentication tokens (stored in cookies)
• Usage metrics (via Vercel Analytics — anonymized)

C. Information from third parties

• Google account information (if you sign in with Google OAuth)
• Stripe Connect identity verification data
• Bot detection signals (via Cloudflare Turnstile)

2. How We Use Your Information

We use your personal information for the following purposes:

Performance of Contract / Provision of Services

• To create and manage your account
• To deliver and facilitate the delivery of gig services between Buyers and Creators
• To enable user-to-user communications (messaging)
• To process payments and route payouts to creators
• To fulfill and manage orders, contracts, and deliverables
• To respond to your support inquiries
• To send transactional notifications (payment receipts, delivery updates, dispute notices)

Legitimate Interests

• To protect our platform against fraud, abuse, and security threats
• To enforce our Terms of Service and community standards
• To improve the ShortGigs platform through analytics and user feedback
• To comply with sanctions screening and financial regulatory requirements
• To maintain audit logs for dispute resolution and platform integrity

Consent (where required)

• To send marketing or promotional communications (only with your opt-in)
• To use non-essential cookies or tracking technologies for analytics

3. How We Share Your Information

We do not sell your personal information. We share it only as follows:

With other users

When you post a gig or apply to one, certain profile information (name, bio, portfolio links, ratings, and reviews) is visible to other users of the platform, as necessary to operate the marketplace.

With service providers (sub-processors)

• Stripe — Payment processing, creator identity verification (KYC/AML), and international payouts
• Supabase — Database hosting, authentication services (PostgreSQL on AWS)
• OpenAI — Large-language-model and embedding APIs for platform AI features (gig drafts, coaching, semantic search, delivery quality scan) and as the fallback provider for in-product Guardian advisory features when xAI is not configured. Relevant content you provide (briefs, gig text, profile fields, delivery notes, dispute context) is transmitted to OpenAI's API under our Data Processing Agreement. We do not use the data-training opt-in — your data is not used to train OpenAI models.
• xAI (Grok) — When our platform is configured with xAI API access, Guardian advisory features route to xAI's Grok models (currently grok-4.3) instead of OpenAI. Guardian receives contextual excerpts you would already see on the platform (gig briefs, profiles, applications, deliveries, dispute records) to generate suggestions and summaries. xAI acts as a data processor under our agreement with xAI; see xAI's Data Processing Addendum. xAI does not process payments on our behalf.
• Resend — Transactional email delivery
• Vercel — Platform hosting and anonymized analytics
• Cloudflare — CDN, DDoS protection, and bot detection (Turnstile)
• Google — OAuth sign-in provider; subject to Google's privacy policy
• Sentry — Error monitoring, and with your consent, client-side session replay and user-behaviour performance tracing. Error events may include browser metadata, anonymized page URLs (query parameters containing OAuth tokens or invite codes are stripped before transmission), and JavaScript stack traces. Client-side session replay and user-behaviour tracing are only activated when you accept analytics cookies (legal basis: consent). Server-side and edge error sampling (tracesSampleRate <= 5%) operates on the basis of legitimate interests in platform reliability and does not involve session replay or user-behaviour analytics. Sentry operates under a Data Processing Agreement and SCCs for EU/UK data transfers.

All service providers are contractually bound to process your data only as instructed and in compliance with applicable privacy law.

For legal and compliance reasons

We may disclose your information if required by law, court order, regulatory authority, or to protect the rights, property, or safety of ShortGigs, our users, or the public. This includes cooperation with OFAC/sanctions screening and financial crime prevention.

Business transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity, subject to this Privacy Policy.

4. Cookies and Tracking Technologies

We use the following types of cookies and tracking technologies:

• Essential cookies: Required for authentication, session management, and platform security. These cannot be disabled without breaking core functionality.
• Analytics (cookieless, consent-required): Vercel Analytics collects anonymized page-view data server-side. Vercel Analytics does not set browser cookies or use localStorage. We nonetheless treat it as requiring your consent under the ePrivacy Directive because it collects page-view data. It is only activated when you accept analytics.
• Security cookies: Cloudflare Turnstile uses browser signals to distinguish humans from bots during authentication flows.

We do not currently use advertising cookies or cross-site tracking cookies. If this changes, we will update this policy and request your consent.

You can control cookie settings through your browser settings. Disabling essential cookies may impair your ability to use ShortGigs.

5. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations:

• Active accounts: Retained for the duration of your account
• Deleted accounts: Profile data is anonymized immediately upon deletion; transaction records required for financial/legal compliance are retained for 7 years; AI matching event records and experiment assignment records are permanently deleted
• Messages and communications: Retained for 3 years to support dispute resolution
• Audit logs and security events: Retained for 1 year
• Payment records: Retained for 7 years as required by US financial regulations
• AI matching events and experiment data: Retained for up to 1 year from creation and permanently deleted upon account deletion. Profile embedding vectors stored in our vector database are also deleted upon account deletion.
• AI coaching reports: Not stored — generated transiently per session and returned only to you.

6. International Data Transfers

ShortGigs is based in the United States. If you are located in the European Union, United Kingdom, or another jurisdiction outside the US, your personal information will be transferred to and processed in the United States, which may have different data protection laws than your country.

We and our sub-processors rely on Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c) as the lawful mechanism for transfers of EU/UK personal data to the United States. Our key sub-processors and their transfer mechanisms include:

• Supabase — DPA with SCCs; data hosted on AWS EU-West-1 by default
• Stripe — DPA with SCCs and Privacy Shield successor commitments
• Vercel — DPA with SCCs; edge network nodes within the EEA available
• OpenAI — DPA with SCCs; API data not used for model training
• xAI (Grok) — DPA with SCCs; Guardian routing when xAI API access is configured
• Resend — DPA with SCCs for transactional email
• Sentry — DPA with SCCs; error events include anonymized browser metadata and (with consent) session replay; data processed in the US

You may request a copy of the relevant SCCs by contacting us at privacy@shortgigs.ai.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

• Right to access: Request a copy of the personal data we hold about you
• Right to correction: Update inaccurate or incomplete information through your account settings
• Right to deletion: Request deletion of your account and personal data (subject to legal retention requirements)
• Right to portability: Download your data directly from your account settings, or request it via privacy@shortgigs.ai. Machine-readable JSON export available at /api/user/export (authentication required)
• Right to restrict processing: Request that we limit how we process your data in certain circumstances
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent (e.g., marketing emails), you may withdraw at any time
• Right to lodge a complaint: If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority. EU residents may contact the DPA of their member state — a full list is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).

To exercise any of these rights, submit a request via our Contact page or email privacy@shortgigs.ai. We will respond within 30 days (or as required by applicable law).

You can also delete your account directly from your account settings. Upon deletion, your profile data is immediately anonymized, and a full data purge occurs within 30 days, except for data we are legally required to retain.

8. Email Communications

We send transactional emails related to your account activity (payments, deliveries, disputes, messages). These are essential to platform operations and may not be fully disabled while your account is active.

You can manage your email notification preferences through Settings → Notifications. You can also unsubscribe from non-essential emails by clicking the unsubscribe link at the bottom of any email we send.

In compliance with the CAN-SPAM Act, all commercial emails from ShortGigs include our physical mailing address and a clear unsubscribe mechanism.

9. Security

We implement technical and organizational security measures to protect your personal information, including:

• Encryption in transit (TLS/HTTPS) and at rest
• Row-level security (RLS) on all database tables
• Rate limiting and brute-force protection on authentication endpoints
• Bot detection (Cloudflare Turnstile) on signup and login
• Audit logging of sensitive operations
• Principle of least privilege for system access

No system is perfectly secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by law (within 72 hours under GDPR).

10. US State Privacy Rights (CCPA / CPRA)

If you are a resident of California, Virginia, Colorado, Connecticut, Texas, Florida, or another US state with a comprehensive privacy law, you may have additional rights under those laws, including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale or sharing of personal information.

We do not sell or share personal information as defined under the California Consumer Privacy Act (CCPA / CPRA) or similar state laws. We may share anonymized or aggregated analytics data with analytics providers, which does not constitute a "sale" or "sharing" under applicable law.

California residents additionally have the right to:

• Know the categories and specific pieces of personal information collected about you
• Request deletion of your personal information (subject to legal exceptions)
• Correct inaccurate personal information we maintain about you
• Opt out of the sale or sharing of your personal information (we do not sell or share)
• Non-discrimination for exercising your privacy rights

To submit a verifiable consumer request or any privacy inquiry, contact us at privacy@shortgigs.ai or through our Contact page. We will respond within 45 days as required by CCPA.

11. Children's Privacy

ShortGigs is not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we discover that we have collected information from a minor, we will delete it promptly. If you believe we have inadvertently collected data from a minor, please contact us at support@shortgigs.ai.

12. AI and Automated Processing

Guardian advisory features

Guardian is ShortGigs' in-product advisory layer. It helps brands and creators understand fit, risk, and quality before they act — but does not hire, pay, approve delivery, or resolve disputes on its own. When you interact with a Guardian surface, relevant context is sent to our configured large-language-model provider (see Provider routing below). Guardian features include:

• Delivery review — Summarizes a submitted delivery against the gig brief for brand review before approval.
• Payment assessment — Summarizes creator–gig fit and reliability signals before you confirm payment (advisory only; payment is processed by Stripe, not by any AI provider).
• Fit explanations — Explains why a creator, application, invite, or smart-match result may be a good fit for a gig.
• Brief risk scan — Flags clarity or scope risks when a brand drafts a gig.
• Revision guidance — Suggests revision messaging when a brand requests changes.
• Dispute support summary — Produces a neutral evidence summary during an open dispute.
• Profile optimization suggestions — Suggests profile improvements on your creator profile.

Other AI features

Additional platform AI features call OpenAI's API directly (not through Guardian routing). Each transmits specific data as described below:

• AI Creator Matching — Your public profile (name, bio, role, country, portfolio) is converted into a numerical embedding vector and stored in our database for similarity scoring. This processing happens at profile creation/update.
• AI Campaign Assistant & Gig Assistant — Your free-text campaign brief or gig description (up to 2,000 characters) is sent to OpenAI to generate a structured gig draft.
• AI Creator Coaching — Profile fields, reliability metrics, and payment statistics are assembled into a coaching prompt and sent to OpenAI. The report is processed transiently and not stored permanently.
• AI Team Assembly — Your project brief (up to 2,000 characters) is sent to OpenAI to generate a multi-role team plan.
• Semantic Search — Your search query is converted to an embedding vector for similarity-based creator and gig discovery.
• Delivery quality scan — When a creator submits a delivery, the delivery note and gig brief are sent to OpenAI for a pre-submission quality scan. Scan outputs may be stored; source inputs are not persisted.

Provider routing

Guardian routes each request to a single large-language-model provider chosen by platform configuration — not by individual users. When xAI API access is configured for our deployment, Guardian uses xAI Grok (grok-4.3). When xAI is not configured (for example in some development or test environments), Guardian falls back to OpenAI models (gpt-4o for higher-stakes summaries and gpt-4o-mini for lighter advisory calls). The other AI features listed above always use OpenAI (and, for embeddings, may use an additional embedding provider when configured). We do not sell your data to AI providers, and AI providers do not process card payments or execute payouts — those operations are handled exclusively by Stripe.

Assistive — not determinative

All AI and Guardian outputs on ShortGigs are advisory tools to help Buyers discover Creators, draft gigs, and understand contract context. Buyers and creators always make the final hiring, payment, delivery, and dispute decisions. No automated decision with legal or similarly significant effects is made solely by AI without human review.

AI event data and retention

Platform AI activity (such as which creators were shown in a search, which invites were sent, and which campaigns were generated) is logged in our ai_matching_events database table for operational analytics, A/B experimentation, and service improvement. This table stores profile identifiers and event metadata. These records are retained for the lifetime of your account and are permanently deleted when you delete your account.

Your rights regarding AI processing

You have the right to object to processing based on legitimate interests, including AI-based profiling (GDPR Article 21; Colorado CPA; Connecticut CTDPA). If you do not wish your profile data to be used for AI matching or coaching, you may:

• Delete your account (which permanently erases your AI event records and profile embeddings), or
• Contact us at privacy@shortgigs.ai to request that your profile embedding be removed from our vector index.

Note that opting out of AI matching will significantly reduce your discoverability to Buyers who use AI-powered search on the platform.

AI provider data processing

We transmit your data to our AI sub-processors under Data Processing Agreements:

• OpenAI — configured not to use API-submitted data to train its models. See OpenAI API Data Usage Policies.
• xAI (Grok) — used for Guardian when configured; xAI does not use business API inputs or outputs to train models without explicit permission. See xAI Data Processing Addendum and xAI API security FAQ.

13. Updates to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by posting a notice on the platform or by email. The "Last updated" date at the top of this page reflects the most recent revision.

For processing based on our contract with you or our legitimate interests, your continued use of ShortGigs after any changes constitutes acceptance of the updated terms. For processing that relies on your consent (such as analytics cookies or marketing communications), we will request fresh consent where required by applicable law — continued use alone does not constitute consent for such processing.

14. GDPR Art. 27 — EU & UK Representative

ShortGigs LLC is established in the United States. Under GDPR Article 27 and UK GDPR Article 27, a controller not established in the EU/EEA (or UK) that processes personal data of EU/EEA and UK data subjects on a non-occasional basis must designate a representative in those jurisdictions.

15. Contact Us

For privacy-related questions, data requests, or to exercise your rights, please contact us:

We aim to respond to all privacy inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (for EU/UK residents, this is your national Data Protection Authority or the ICO).