Privacy Policy
Last updated: April 10, 2026
1. Introduction
Shot ("we", "us", "our") operates a GTM intelligence platform that unifies revenue tools and deploys AI agents for revenue teams. This Privacy Policy explains how we collect, use, and protect your personal data when you use our website, dashboard, AI agents, MCP server, and OAuth integrations.
This policy applies to all users, including those who access Shot through third-party AI assistants via the Model Context Protocol (MCP), including but not limited to ChatGPT.
2. Data We Collect
We collect only the minimum data necessary to provide the service. We do not collect data beyond what is required for the purposes described below.
Account Data
When you sign up we collect your name, email address, and profile picture (from Google or GitHub OAuth).
Memory Data
Memories you create via the dashboard, AI agents, or through connected AI assistants are stored in our database. Each memory includes its content, type (decision, fact, procedure, insight, context, or log), tags, the project it belongs to, and the user who created it.
Agent Data
When you use Shot's AI agents, we store agent conversation history, proposed plans, approval decisions, and execution results within your organization's scope.
Data Processed Through AI Assistants (ChatGPT, Claude, etc.)
When you use Shot through a connected AI assistant:
- Queries you send (e.g., "what's the status of the Acme deal?") are processed to search your memories. The query text is sent to OpenAI's API for embedding generation and, when the LLM Query Rewriter is used, for query optimization. This processing is ephemeral — OpenAI does not store or train on API data.
- Memories you save are stored in our EU database. The content is sent to OpenAI's API for embedding generation only.
- We do not receive or store your full conversation with the AI assistant. We only process the specific tool calls (search, save, update) that the assistant sends to our MCP server.
- We do not return diagnostic data, telemetry, internal identifiers, session IDs, or trace IDs in tool responses.
Data from Connected Revenue Tools
When you connect third-party tools (HubSpot, Salesforce, Gmail, Slack, etc.) via Composio, Shot accesses data from these tools to provide context to AI agents. This data is processed in real-time and stored as memories within your organization's projects.
OAuth & Integration Data
When you connect a third-party AI assistant via our OAuth 2.1 flow, we store:
- A dynamically registered OAuth client record (client ID, redirect URIs).
- Authorization codes (short-lived, single-use, 10-minute expiry).
- Refresh tokens (rotated on each use, 30-day expiry).
- Access tokens are JWTs signed by our server and are not stored in our database.
Usage & Audit Data
We log tool invocations, agent actions, and administrative actions for security auditing. Audit logs include user IDs, action types, project IDs, and timestamps. We do not log memory content or search query text in audit logs.
Embeddings
When you store or search memories, we generate vector embeddings of the text content using the OpenAI Embeddings API. The text is sent to OpenAI for embedding generation only. OpenAI does not use API data for training (zero-retention). The resulting embedding vectors are stored alongside memories in our EU database.
3. Data Returned to AI Assistants (Tool Response Disclosure)
When you use Shot through a connected AI assistant (such as ChatGPT), our tools return specific data categories to the assistant. This section discloses exactly what data each tool returns.
Tool-by-Tool Data Disclosure
| Tool | Data Returned | User Data Included |
|------|--------------|-------------------|
| list_projects | Project ID, name, slug, description, memory count, member count | None |
| search_memories | Memory ID, title, content, type, similarity score, tags, creation date, project name | None |
| add_memory | Memory ID, title, content, type, tags, creation date, classification info, project name | None |
| get_memory | Memory ID, title, content, type, tags, metadata, source, archive status, creation/update dates | None |
| update_memory | Memory ID, title, content, type, tags, update date, project name | None |
| delete_memory | Success confirmation, project name | None |
| get_project_context | Project name, description, memory statistics (counts by type), recent memory titles, team size (aggregate count only) | None — team member names and identities are not returned |
| check_contradictions | Contradiction ID, the two conflicting memories (content and titles), confidence score, explanation, project name | None |
| export_project_context | Project name, memory content, titles, types, and tags in bulk export format | None |
| import_context_file | Import count (imported/skipped/total), project name | None |
Data Not Returned
The following data categories are never returned in tool responses to AI assistants:
- User email addresses
- User account IDs or internal identifiers
- Team member names, roles, or profile information
- Authentication tokens or API keys
- IP addresses or session data
- Audit log entries
- Embedding vectors
4. How We Use Your Data
- Provide the service: store, search, and retrieve memories; run AI agents; authenticate users; authorize third-party integrations.
- Improve the service: analyze aggregate usage patterns (never individual memory content).
- Security: detect abuse, enforce rate limits, maintain audit logs.
We do not sell your data. We do not use your memory content for training AI models. We do not share your data with advertisers.
5. Data Minimization
We follow data minimization principles:
- We collect only the data necessary to provide the service described above.
- Tool responses to AI assistants contain only the data directly relevant to the user's request.
- We do not collect or process sensitive health information (HIPAA) or payment card data (PCI-DSS).
- Search queries are processed ephemerally for embedding generation and are not retained by our AI sub-processors beyond the API call.
6. Data Storage & Security
- Location: All persistent data (memories, user accounts, OAuth tokens, audit logs) is stored in the European Union (Supabase, Frankfurt, Germany).
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Access control: Row-level security (RLS) ensures users only access data within their organization and projects.
- Token security: OAuth refresh tokens are rotated on each use. Authorization codes are single-use and expire after 10 minutes. PKCE (S256) is required for all OAuth flows.
- Rate limiting: API endpoints are protected by IP-based and per-key rate limits.
7. Third-Party Services (Sub-Processors)
| Service | Purpose | Data Shared | Location |
|---------|---------|------------|----------|
| Supabase | Database hosting | All persistent data | Frankfurt, EU |
| OpenAI | Embedding generation, query rewriting | Memory text, search queries (ephemeral, zero-retention) | US (API) |
| Composio | Revenue tool integrations | Tool access tokens, action payloads (ephemeral) | US (API) |
| Google OAuth | Authentication | Email, name, avatar | US |
| GitHub OAuth | Authentication | Email, name, avatar | US |
| Railway | Application hosting | Application runtime | EU |
For OpenAI, we use their API under zero-retention terms: text sent for embedding generation and query rewriting is not stored or used for model training by OpenAI. OpenAI's data processing is governed by their API Data Usage Policy.
8. Data Retention
- Memories: retained until you delete them. Deleted memories are soft-deleted (archived) and can be restored. Permanently purged after 30 days.
- Agent data: conversation history and plans are retained while the organization is active.
- OAuth tokens: refresh tokens expire after 30 days. Revoked tokens are retained for 90 days for audit purposes, then purged.
- Audit logs: retained for 1 year.
- Account data: retained while your account is active. Deleted within 30 days of account deletion request.
- Embeddings: deleted when the associated memory is permanently purged.
9. Your Rights & User Controls (GDPR)
If you are in the EU/EEA, you have the right to:
- Access: request a copy of your personal data.
- Rectification: correct inaccurate personal data.
- Erasure: request deletion of your data ("right to be forgotten").
- Portability: receive your data in a structured, machine-readable format (JSON export via the dashboard or the export_project_context tool).
- Restriction: restrict processing of your data.
- Object: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent.
User Controls
- Delete memories: You can delete individual memories from the dashboard or via the delete_memory tool. Deleted memories are archived (soft-deleted) and permanently purged after 30 days.
- Export data: You can export all your project memories in JSON, Markdown, or CLAUDE.md format via the dashboard or the export_project_context tool.
- Revoke AI assistant access: You can revoke OAuth connections to third-party AI assistants from the dashboard at any time. Revoking access immediately invalidates all access tokens.
- Revoke tool connections: You can disconnect revenue tools (HubSpot, Gmail, etc.) from the Integrations page at any time.
- Delete account: You can request full account deletion by contacting us at the email address below. All data is deleted within 30 days.
- API key management: You can create, view, and revoke API keys from the dashboard. Revoked keys are immediately invalidated.
To exercise these rights, contact us at the email address below. We will respond within 30 days.
10. International Data Transfers
Your persistent data is stored in the EU (Frankfurt, Germany). Some data is processed ephemerally by OpenAI and Composio in the United States for embedding generation and tool integrations, under the EU-US Data Privacy Framework and zero-retention API terms where applicable.
11. Cookies
We use essential cookies for session management and authentication. We do not use tracking cookies or third-party advertising cookies.
12. Children
Our service is not directed at children under 16. We do not knowingly collect data from children under 16.
13. Changes
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or in-app notification. The "Last updated" date at the top indicates when the policy was last revised.
14. Contact
For privacy questions or GDPR requests, contact:
Shot
Email: privacy@memorize-ai.com