ShiftFlow Privacy Policy

Last updated: October 6, 2025

This Privacy Policy explains how ShiftFlow Inc. (“ShiftFlow,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you visit our websites, use our mobile or kiosk apps, interact with our APIs, or otherwise use our products and services (the “Services”).

If you are in the EEA, UK, or Switzerland, see Section 13. If you are a California resident or reside in a US state with similar privacy rights, see Section 14.

Applicability

This Policy applies to:

Website visitors who browse our sites
Customers and administrators who set up and manage a ShiftFlow workspace
Authorized users or workers who use ShiftFlow under a Customer account

If you use ShiftFlow on behalf of your employer, your employer is our Customer and controls the workspace.

1. Roles and responsibilities

ShiftFlow as controller. For our marketing sites, account administration, billing, fraud prevention, security monitoring, and similar activities, we act as controller.
ShiftFlow as processor. For workforce data inside a Customer workspace, we act as processor and process personal information under the Customer’s instructions and our Data Processing Addendum.
Customer as controller. The Customer decides which features are enabled, what data to collect, retention settings, and which users can access data. Workers should send workspace data requests to their employer first.

2. Information we collect

We collect personal information in the categories below. Exact data depends on features your employer enables and your device permissions.

2.1 Information provided by Customers and admins

Account setup: business name, admin contact details, billing contact, plan and seat counts
Configuration: teams, roles, wage rates or differentials if provided, job or project codes, policies and geofences
Support: issue descriptions, attachments, and communications with our support team

2.2 Information about workers provided by the Customer or by the worker

Profile: name, email, phone, role, team, manager, eligibility or qualifications if entered
Scheduling and timekeeping: shift assignments, availability, time off, clock in and out times, breaks, approvals, tips or adjustments if used
Communications: messages and comments within the workspace
Files and media: documents or photos attached to shifts or policies
Photo verification: clock in photos if enabled by the Customer

2.3 Information collected automatically

Technical and usage: device and app identifiers, IP address, browser and OS, language, crash logs, diagnostic data, interaction events and feature usage
Location and device signals: precise location for geofencing, job site verification, or mileage if enabled and if you grant permission. In some configurations the app may use background location to detect arrival or departure events.

2.4 Information from third parties

Integrations you or your employer connect, such as SSO, payroll, HRIS, communications, or point of sale systems
Payment processors that tokenize your payment method for Customer billing
Service providers that supply analytics, error reporting, email, push, or SMS delivery

We do not require government IDs, Social Security numbers, or biometric templates for core features. If any future feature requires biometric identifiers, we will present a separate notice and obtain any required consent before collection.

3. How we use personal information

We use personal information to:

Provide, secure, and support the Services, including authentication, timekeeping, scheduling, messaging, approvals, and audit logging
Process orders, subscriptions, invoicing, and payments, and send related communications
Send operational notifications such as shift updates or policy changes
Operate, analyze, and improve the Services, including through aggregated or de-identified statistics
Detect, prevent, and investigate security incidents, fraud, abuse, or violations of our terms
Comply with legal obligations and enforce our agreements
With consent or where permitted by law, send product updates, surveys, and promotions

3.1 Purposes and legal bases for EEA and UK

We rely on:

Contract to provide the Services to Customers and users
Legitimate interests for security, fraud prevention, analytics, and product improvement that do not override your rights
Consent for marketing and for non-essential cookies or similar tracking
Legal obligation for tax, accounting, and compliance record keeping

Illustrative mapping

Data category	Primary purpose	Legal basis
Customer admin and billing data	Set up and administer the Customer account, billing, and support	Contract, legal obligation
Worker profile and scheduling data	Provide timekeeping and scheduling features	Contract, legitimate interests
Time entries, approvals, and audit logs	Provide core Services and maintain records	Contract, legitimate interests, legal obligation where applicable
Location signals and clock in photos	Verify attendance and geofence features when enabled	Contract, legitimate interests, consent at device level
Technical, usage, and crash data	Security, debugging, analytics, and service improvement	Legitimate interests
Marketing site identifiers and cookies	Measure site performance and deliver updates or ads	Consent where required, legitimate interests

4. Location, photo, and similar device permissions

When a Customer enables location or photo verification, the app will request your permission at the device level. You can decline or revoke permission in your device settings. Certain features may not work without these permissions.

Location. Used for geofenced clock in, job site verification, or optional mileage tracking.
Background location. In some configurations the app can detect arrival or departure at a geofence.
Photos. Used to capture a clock in photo for fraud deterrence if enabled.
Biometrics. Not collected for core features. If a future biometric feature is offered, we will provide a separate notice and obtain any required consent.

Retention note: Location events and clock in photos are retained as part of the workspace records and follow the Customer’s retention settings where available. If the Customer does not set retention periods, we keep records for as long as necessary to provide the Services and to comply with law, after which we delete or de-identify them.

5. How we disclose personal information

We disclose personal information to:

Service providers that host, support, and deliver the Services, including cloud hosting, analytics, email, push, and SMS
Integration partners that you or your employer connect, such as payroll, HRIS, SSO, or communications tools
Customer administrators within your workspace based on roles and permissions
Professional advisors and authorities to comply with law, protect rights and safety, and prevent fraud or abuse
Successors in a merger, acquisition, or asset sale, subject to this Policy

We do not sell personal information for money. On our marketing sites we may “share” identifiers and internet activity with advertising or analytics partners for cross context behavioral advertising. You can opt out. See Section 8 and Section 14.

6. Cookies and similar technologies

We use cookies, SDKs, and similar technologies to remember settings, keep you signed in, measure site traffic, and improve the Services. Where required, we obtain consent for non-essential cookies. You can control cookies in your browser or device. We honor Global Privacy Control signals on our sites for opt out of sale or sharing. See our Cookie Policy for details.

7. Data security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, logging, and monitoring. No system can be guaranteed 100 percent secure. Keep your password and account details confidential.

8. Your privacy choices and rights

Opt out of sale or sharing on our marketing sites using the “Your Privacy Choices” link or a valid Global Privacy Control signal
Marketing communications. Unsubscribe using links in the email
SMS. Reply STOP to opt out of non-essential texts. Carrier rates may apply
Device permissions. Disable location, camera, and notifications in your device settings
Access, deletion, and correction
- If you use ShiftFlow through a Customer, contact your employer’s administrator first for workspace data rights
- For site or account data that we control, email privacy@shiftflow.app
Appeals. If we deny your request, reply to our decision email or write to privacy@shiftflow.app with “Appeal” in the subject line

9. Data retention

We retain personal information for as long as needed to provide the Services, to comply with legal obligations, to resolve disputes, and to enforce agreements. Customers can export or delete workspace data using available tools or by contacting us. Backup copies may persist for a limited period.

10. Optional payments and payouts modules

If a Customer activates modules that facilitate payments, reimbursements, tips, or other funds movements, we process additional information such as linked bank account tokens, disbursement instructions, and transaction metadata. Payments and payouts are provided by third-party processors governed by their terms. We use and disclose transaction data only to operate the module, comply with law, and prevent fraud.

11. Children

The Services are not directed to children under 13, and we do not knowingly collect personal information from them. If you believe a child under 13 has provided personal information, contact us and we will take appropriate steps.

12. International data transfers

We are based in the United States and generally process and store personal information in the United States. When we transfer personal information internationally, we use approved mechanisms such as the EU-U.S. Data Privacy Framework, the UK Extension to the DPF, and Standard Contractual Clauses with any required country-specific addenda. Additional contractual and technical safeguards may apply.

13. Additional information for EEA and UK individuals

Controller. For marketing, account administration, and security, ShiftFlow Inc. is the controller. For workspace data, the Customer is the controller and ShiftFlow is the processor.

Legal bases. Contract, legitimate interests, consent, and legal obligation as described in Section 3.1.

Your rights. Subject to law, you can request access, correction, deletion, restriction, portability, and objection. You can lodge a complaint with your supervisory authority. If we appoint an EU or UK representative or Data Protection Officer, we will provide those details here.

14. California Notice at Collection and state privacy rights

Notice at Collection. We collect the categories listed below for the purposes described in Sections 3 through 6. We do not sell personal information for money. We may “share” identifiers and internet activity with advertising or analytics partners for cross-context behavioral advertising on our sites unless you opt out.

Categories Identifiers and contact info, customer records and commercial info, employment-related info, internet or network activity, geolocation (only if enabled and permitted), audio or visual info such as clock in photos if enabled, and inferences from product analytics. Sensitive personal information includes precise geolocation if enabled and any other sensitive fields your employer enters.

Rights Depending on your state, you may have rights to access, correct, delete, opt out of sale or sharing, restrict the use of sensitive personal information, receive information about automated decision making, and appeal. Use the “Your Privacy Choices” link on our site or contact privacy@shiftflow.app. We honor valid Global Privacy Control signals on our sites.

We do not knowingly sell or share the personal information of consumers under 16.

Retention. See Section 9. Sources. See Section 2. Disclosure. See Section 5.

15. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide reasonable notice, such as by email or in-product notice.

16. Contact us

Privacy requests: privacy@shiftflow.app
Legal notices: legal@shiftflow.app