Privacy Policy

Last updated: 2025-10-XX

This Privacy Policy explains how Shiftlify ("we", "us", "our") collects, uses, discloses and protects personal data when you use our website and services (the "Service"). Shiftlify is committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR).

1. Data Controller

The data controller for personal data collected via this website is:

Shiftlify
Address: {Your Company Address}
Email: privacy@shiftlify.app
Register / Tax ID: {optional}

2. Which personal data we collect

We collect personal data you provide directly and data we process automatically:

Waitlist / Contact data: name, company, email, job title (if provided) — when you join the waitlist or request a demo.
Account data: if you sign up for the product later: user credentials, role, related organization unit assignments.
Scheduling data: shift records, presence/absence, role assignment — collected when you use the product and necessary to provide the service.
Usage & technical data: IP address, browser, device, and analytics (if enabled).
Support data: messages, attachments, logs when you contact support.

3. Legal basis & Purposes

We process personal data for the following purposes and legal bases:

Providing the service: necessary to perform the contract with you (Art. 6(1)(b) GDPR).
Communications & marketing: where you consent (Art. 6(1)(a)) — we use opt-in and double opt-in for email marketing.
Compliance & legal obligations: to comply with employment and tax laws where applicable (Art. 6(1)(c)).
Legitimate interests: detection of fraud, improving product and service quality (Art. 6(1)(f)), balanced with your rights and expectations.

4. Waitlist / Double opt-in

When you join our waitlist on the landing page we will ask for your email and optional company data. We implement a double opt-in process: after your sign-up, we send a confirmation email. We will only store and process your contact data after you have confirmed.

5. Cookies & tracking

Our coming-soon site uses minimal cookies. If we enable analytics or marketing cookies in future, we will request consent via a cookie banner. You may withdraw consent at any time.

6. Data sharing & third parties

We may share personal data with:

Service providers: providers that host data or provide services (e.g. PocketBase, email sending providers). We use processors under written Data Processing Agreements (DPAs).
Legal & compliance: where required by law or to enforce our Terms.
Acquirers: in the event of a corporate transaction (we would notify users).

Hosting & EU data residency: We endeavour to host customer data in the EU. We will confirm hosting locations per customer and sign a DPA. If data is transferred outside the EEA we will use appropriate safeguards (Standard Contractual Clauses or equivalent).

7. Data retention

We retain personal data only as long as necessary for the purposes described:

Waitlist & marketing contacts: until you unsubscribe or after 3 years of inactivity (configurable).
Account & scheduling data: retention depends on customer contract and legal requirements (typically 3–7 years for payroll/reporting purposes).
Support logs & backups: retained up to 1 year unless longer retention is required.

8. Your rights

You have the right to:

Request access to your personal data (Article 15 GDPR).
Request correction of inaccurate data (Article 16).
Request erasure ('right to be forgotten') where legal grounds permit (Article 17).
Request restriction of processing (Article 18).
Object to processing based on legitimate interests (Article 21).
Request data portability (Article 20) for structured machine-readable data.
Lodge a complaint with a supervisory authority (e.g. your national DPA).

To exercise your rights, contact: privacy@shiftlify.app.

9. Security

We implement technical and organizational measures to protect personal data: TLS encryption in transit, encrypted storage where applicable, role-based access controls, periodic security reviews and backups. Access to production data is restricted to authorized personnel only.

10. Data processing agreements & subprocessors

We sign DPAs with all subprocessors. Current key subprocessors include: {PocketBase host / provider}, {email provider e.g. SendGrid or Mailgun}, and cloud hosting (e.g. Azure / Hetzner) — details available on request.

11. Children

Our services are not directed at children under the age of 16 and we do not knowingly collect personal data from minors.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will publish the updated policy here and update the “Last updated” date. For material changes we will inform registered users by email.

13. Contact

If you have questions about this Privacy Policy or want to exercise your rights, please contact:

Data Protection Contact:
privacy@shiftlify.app
Address: {Your Company Address}