SHOR INC. — PRIVACY POLICY
Effective Date: April 7, 2026
Last Updated: April 7, 2026
1. INTRODUCTION
Shor Inc. ("Shor," "we," "us," or "our") operates the Shor platform at app.shorpay.com (the "Platform"). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our Platform and Services.
This Policy applies to all users of the Platform, including Employers (businesses) and Contractors (individuals), as defined in our Terms of Service.
By using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.
2. INFORMATION WE COLLECT
2.1 Information You Provide Directly
Employer Account Information:
- Business legal name, trade name, and entity type
- Business address, phone number, and email
- Tax identification numbers (EIN, VAT, etc.)
- Authorized representative names, titles, and contact information
- KYB (Know Your Business) verification documents (certificates of incorporation, articles of organization, proof of address)
- Ultimate Beneficial Owner (UBO) information as required by applicable law
- Banking and payment information (bank account details, routing numbers)
Contractor Account Information:
- Full legal name, date of birth, and nationality
- Residential address, phone number, and email
- Government-issued identification documents (passport, national ID, driver's license)
- Tax identification numbers (SSN, TIN, or local equivalents)
- Banking and payment information (bank account details for direct deposit)
- Work authorization and visa documentation where applicable
- Professional qualifications and resume/CV where relevant to compliance
Engagement and Payroll Data:
- Employment or contractor agreements
- Compensation details (salary, rates, bonuses, benefits)
- Work hours, leave records, and time-off balances
- Tax withholding elections and forms (W-8, W-9, or local equivalents)
- Expense reports and reimbursement requests
2.2 Information Collected Automatically
When you access the Platform, we automatically collect:
- Device and Browser Information: IP address, browser type and version, operating system, device identifiers, screen resolution
- Usage Data: Pages visited, features used, click patterns, session duration, timestamps
- Log Data: Server logs, error reports, API call records
- Cookies and Similar Technologies: See Section 8 below
2.3 Information from Third Parties
We receive information from third-party services integrated into our Platform:
| Provider | Data Received | Purpose |
|---|---|---|
| WorkOS | Authentication tokens, session data, organization metadata, SSO/directory sync | User authentication, access management, and enterprise SSO |
| AiPrise | KYB/KYC verification results, identity verification scores, document validation status | Employer and contractor identity verification |
| Cadana | Payroll processing data, compliance verification, employment records, tax filings | EOR services, payroll administration, and regulatory compliance |
| Stripe | Payment method details, billing history, transaction records | Billing and payment processing |
| PostHog | Anonymized usage analytics, feature interaction data | Product analytics and improvement |
3. HOW WE USE YOUR INFORMATION
We use personal information for the following purposes:
3.1 Providing Services
- Processing payroll and contractor payments
- Administering EOR employment relationships
- Generating and managing employment/contractor agreements
- Managing onboarding workflows
- Facilitating tax withholding, reporting, and filings
3.2 Identity Verification and Compliance
- Conducting KYB and KYC verification
- Complying with anti-money laundering (AML) regulations
- Performing sanctions screening
- Meeting tax reporting obligations (e.g., 1099, W-2, or local equivalents)
- Complying with employment law requirements in applicable jurisdictions
3.3 Billing and Payments
- Processing subscription fees and service charges
- Managing payment methods via Stripe
- Generating invoices and financial records
3.4 Platform Operations
- Maintaining and improving the Platform
- Monitoring for security threats and fraud
- Debugging and resolving technical issues
- Analyzing usage patterns to improve features (via PostHog)
3.5 Communications
- Sending transactional notifications (payroll confirmations, payment receipts, verification status updates)
- Providing customer support
- Sending service-related announcements
- With your consent, sending product updates and marketing communications
3.6 Legal and Regulatory
- Complying with applicable laws, regulations, and legal processes
- Responding to lawful requests from public authorities
- Enforcing our Terms of Service
- Protecting the rights, property, or safety of Shor, our users, or the public
4. LEGAL BASES FOR PROCESSING (GDPR / INTERNATIONAL USERS)
Where applicable data protection laws require a legal basis for processing, we rely on the following:
| Legal Basis | Examples |
|---|---|
| Performance of Contract | Processing payroll, managing contractor payments, providing EOR services |
| Legal Obligation | Tax reporting, AML compliance, sanctions screening, employment law obligations |
| Legitimate Interest | Platform security, fraud prevention, product improvement, customer support |
| Consent | Marketing communications, optional analytics, non-essential cookies |
Where we rely on consent, you may withdraw it at any time by contacting privacy@shorpay.com. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
5. HOW WE SHARE YOUR INFORMATION
5.1 Service Providers and Partners
We share personal information with third-party service providers who assist in delivering our Services:
| Category | Providers (Current) | Data Shared |
|---|---|---|
| Payroll & EOR Infrastructure | Cadana | Employer info, worker details, compensation data, tax info, banking details |
| Identity Verification | AiPrise | Business documents, personal ID documents, UBO information |
| Payment Processing | Stripe | Billing details, payment method info, transaction records |
| Authentication | WorkOS | Email, name, organization membership, SSO identifiers |
| Cloud Infrastructure | Google Cloud Platform (GCP) | All Platform data (encrypted at rest and in transit) |
| Product Analytics | PostHog | Anonymized usage data, feature interaction events |
| Secrets Management | Doppler | Environment configuration (no user data) |
All service providers are bound by data processing agreements that restrict their use of personal information to providing services to Shor and require them to maintain appropriate security measures.
5.2 Employer-Contractor Data Sharing
- Employers can view Contractor profile information, payment status, and engagement details as necessary to manage the working relationship.
- Contractors can view relevant Employer information (company name, engagement terms, payment status).
- Neither party has access to the other's full account data, banking details, or identity documents.
5.3 Legal Disclosures
We may disclose personal information when required by law, regulation, legal process, or governmental request, including:
- Tax authorities (IRS, HMRC, or local equivalents)
- Employment regulatory bodies
- Law enforcement, when legally compelled
- Courts, in response to valid subpoenas or court orders
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred to the successor entity. We will provide notice before personal information becomes subject to a different privacy policy.
5.5 No Sale of Personal Information
Shor does not sell personal information. We do not share personal information with third parties for their own marketing purposes.
6. DATA RETENTION
6.1 Active Accounts. We retain personal information for as long as your account is active and as needed to provide Services.
6.2 Post-Termination. Following account termination:
- Account data is available for export for thirty (30) days
- We retain certain data as required by law, including:
  - Tax records: Minimum 7 years (IRS requirements) or longer per local law
  - Employment records: Per applicable employment law retention requirements (varies by jurisdiction, typically 3-7 years)
  - KYB/KYC records: Minimum 5 years after the business relationship ends (AML requirements)
  - Financial transaction records: Minimum 5 years (financial regulations)
  - Billing records: 7 years (tax/accounting requirements)
6.3 Anonymized Data. We may retain anonymized, aggregated data indefinitely for analytics, benchmarking, and service improvement purposes. This data cannot be used to identify any individual.
7. DATA SECURITY
7.1 We implement commercially reasonable technical and organizational measures to protect personal information, including:
- Encryption: Sensitive data (banking information, identity documents, access tokens) is encrypted at rest and in transit using industry-standard encryption (AES-256, TLS 1.2+)
- Access Controls: Role-based access control and principle of least privilege; multi-factor authentication is supported for internal systems where appropriate
- Infrastructure Security: Hosted on Google Cloud Platform with SOC 2 Type II certified infrastructure
- Application Security: Regular security assessments, dependency scanning, and code review practices
- Secrets Management: Centralized secrets management via Doppler; no credentials stored in code
- Monitoring: Continuous logging and monitoring for unauthorized access and anomalous activity
7.2 Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will promptly notify affected users and relevant authorities of any data breach in accordance with applicable law.
7.3 Breach Notification. In the event of a security breach involving personal information, we will:
- Notify affected users within seventy-two (72) hours of confirmed discovery
- Notify relevant supervisory authorities as required by law
- Provide details of the breach, potential impact, and remediation steps
8. COOKIES AND TRACKING TECHNOLOGIES
8.1 Types of Cookies We Use:
| Category | Purpose | Duration | Can You Opt Out? |
|---|---|---|---|
| Strictly Necessary | Authentication, security, core functionality (WorkOS sessions) | Session | No (required for Platform to function) |
| Functional | User preferences, language settings | Persistent (up to 1 year) | Yes |
| Analytics | Usage patterns, feature interaction (PostHog) | Persistent (up to 1 year) | Yes |
8.2 We do not use advertising or cross-site tracking cookies.
8.3 Managing Cookies. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent the Platform from functioning properly.
9. YOUR RIGHTS
9.1 All Users
Regardless of your location, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Export your data in a standard, machine-readable format
- Delete your account (subject to legal retention requirements)
- Opt out of marketing communications
9.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: Categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information (subject to exceptions)
- Right to Opt-Out of Sale: We do not sell personal information; this right is not applicable
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use of Sensitive Information: You can limit our use of sensitive personal information to what is necessary to provide the Services
Categories of Personal Information Collected (CCPA Disclosure):
- Identifiers (name, email, address, SSN/TIN, government ID)
- Financial information (bank account details, payment records)
- Professional/employment information (work history, compensation)
- Internet/electronic network activity (usage data, IP address)
- Geolocation data (approximate location from IP)
9.3 EEA/UK Residents (GDPR/UK GDPR)
If you are located in the European Economic Area or United Kingdom, you have additional rights:
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Request we limit processing of your data
- Right to Object: Object to processing based on legitimate interests
- Right to Data Portability: Receive your data in a structured, commonly used format
- Right to Withdraw Consent: Where processing is based on consent
- Right to Lodge a Complaint: With your local data protection authority
9.4 Exercising Your Rights
To exercise any of these rights, contact us at:
- Email: privacy@shorpay.com
- Response Time: We will respond within thirty (30) days (or sooner as required by applicable law)
- Verification: We may need to verify your identity before processing your request
We will not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive.
10. INTERNATIONAL DATA TRANSFERS
10.1 Shor is based in the United States. If you are located outside the US, your personal information will be transferred to and processed in the United States.
10.2 For transfers from the EEA/UK, where required by applicable law we will rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, executed as part of an Order Form or DPA where applicable
- Data processing agreements with sub-processors
- Technical safeguards including encryption and access controls
10.3 Our infrastructure provider (Google Cloud Platform) maintains certifications for international data transfer mechanisms including the EU-US Data Privacy Framework.
11. CHILDREN'S PRIVACY
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, contact us at privacy@shorpay.com.
12. THIRD-PARTY LINKS
The Platform may contain links to third-party websites or services (e.g., Stripe's payment portal, our payroll partner's portal). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing personal information.
13. CHANGES TO THIS POLICY
13.1 We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated Policy on the Platform with a revised "Last Updated" date
- Sending an email notification to the address associated with your account at least thirty (30) days before material changes take effect
13.2 Your continued use of the Platform after the effective date of a revised Privacy Policy constitutes acceptance of the changes.
14. DATA PROTECTION OFFICER / CONTACT
For questions, concerns, or requests related to this Privacy Policy or your personal data, contact:
Shor Inc. Privacy Team
Email: privacy@shorpay.com
General: legal@shorpay.com