Privacy Policy

Last updated: April 2, 2026

1. Overview

ShiftFlow ("we", "us", "our") is a cloud-based software-as-a-service (SaaS) platform for workforce scheduling and management. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service. ShiftFlow operates as a data processor on behalf of your organization (the data controller). Your organization's administrator determines what data is collected and how it is used within the platform.

2. Information We Collect

We collect information in the following categories:

Account Information

  • Name, email address, password (hashed), phone number, profile photo
  • Role and permissions within your organization
  • Notification and timezone preferences

Organization Data

  • Company name, industry, team size, custom branding assets (logo, colors)
  • Subscription plan and billing information (processed by third-party payment providers)

Work Data

  • Schedules, shifts, time punches, check-ins, time-off requests
  • Tasks, checklists, performance metrics, scorecard data
  • Chat messages, announcements, and notifications within the platform

Technical Data

  • Browser type, operating system, IP address, device identifiers
  • Usage patterns, feature interactions, and error logs
  • Location data — only when you explicitly enable geofencing or location-based features

3. How We Use Your Information

  • Provide, maintain, operate, and improve the Service
  • Process schedules, time tracking, and workforce management operations
  • Send notifications related to shifts, tasks, and team activity
  • Generate analytics, reports, and AI-powered insights for your organization
  • Provide customer support and respond to inquiries
  • Communicate service updates, maintenance notices, and security alerts
  • Detect, prevent, and address security issues, fraud, and abuse
  • Comply with legal obligations and enforce our terms
  • Generate anonymized, aggregated analytics to improve the Service (no individual identification)

4. Multi-Tenant Data Isolation

ShiftFlow is a multi-tenant platform. Each organization's data is logically isolated using organization-level access controls and database-level tenant identifiers. This means:

  • Your organization's data is never accessible to other organizations
  • All API requests and database queries are scoped to your organization
  • Role-based access controls further restrict data visibility within your organization

We regularly audit our isolation mechanisms to prevent cross-tenant data leakage.

5. Data Sharing and Sub-Processors

We do not sell your personal data. We share information only with trusted service providers ("sub-processors") necessary to operate the Service:

Provider            | Purpose                              | Data Processed
Vercel              | Application hosting and CDN          | Request data, logs
Supabase            | Database and file storage            | All customer data
Stripe              | Payment processing                   | Billing info, plan details (no card data stored by us)
Resend              | Email delivery                       | Email addresses, notification content
Google (Gmail API)  | Email integration for data import    | OAuth tokens (encrypted), email attachments (processed, not stored)
Pusher              | Real-time messaging                  | Chat events, check-in status updates
Sentry              | Error monitoring                     | Error logs, user IDs for debugging
Anthropic (Claude)  | AI-powered features (opt-in only)    | Operational context for the specific AI feature — see section 5a below

We may also share information: (a) within your organization based on role permissions; (b) when required by law, court order, or governmental authority; (c) in connection with a merger, acquisition, or sale of assets (with prior notice to affected users).

5a. AI Features and Third-Party AI Processing

ShiftFlow offers optional AI-powered features. These features are processed by Anthropic, PBC via their Claude API. No data is sent to Anthropic unless you (the user) have explicitly consented in the in-app "Enable AI Features" dialog. You can grant or revoke consent at any time in Settings → Privacy & Security → AI Features.

The specific data sent depends on which AI feature is used:

  • AI chat assistant (managers): your typed message, the last 10 messages of that conversation, and operational context drawn from your organization: employee names and job titles, today's shift assignments, weekly shift counts, 7-day safety-violation summaries, vehicle status, open route issues, delivery-performance averages (DPMO, package counts), pending time-off counts, and messages from group/announcement chat rooms in the last 24 hours.
  • Chat-message issue detection: when you send a chat message that contains keywords suggesting a vehicle or route issue, the message text is analyzed to extract the issue details.
  • AI write-up drafting: incident type, category, employee name (if provided), and any additional context the manager enters.
  • AI report summary: the JSON contents of the report being summarized (capped at 3,000 characters).
  • AI onboarding suggestions: role, department, and job title only.
  • AI benefits Q&A: the employee's typed question, employment type, and enrolled benefit plan names.
  • PDF scorecard import: the contents of the PDF the user uploads.

The following are never sent to Anthropic: passwords, email addresses, phone numbers, exact location / GPS coordinates, or payment / billing details.

Anthropic processes this data under their own terms and privacy policy. ShiftFlow does not permit Anthropic to use your data to train AI models. For more information on Anthropic's practices, see anthropic.com/legal/privacy.

Revoking consent stops all future AI calls on your account. It does not delete AI-generated outputs that have already been saved to your organization's records (for example, a previously drafted write-up remains on the employee file unless the organization deletes it).

6. Data Storage and Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2+
  • Encryption at rest: Stored data is encrypted using AES-256
  • Authentication: Passwords are hashed using bcrypt; sessions use signed JWT tokens
  • Access controls: Role-based permissions limit data access within organizations
  • Infrastructure: Hosted on SOC 2 compliant cloud infrastructure
  • Monitoring: Automated security monitoring and alerting for suspicious activity

While we strive to protect your data, no method of transmission or storage is 100% secure. We encourage you to use strong passwords and enable available security features.

7. Data Retention

  • Active accounts: Data is retained for as long as your account and subscription are active
  • After cancellation: Your data is available for export for 30 days, then permanently deleted
  • Account deletion: Personal data is deleted within 30 days of request
  • Backups: Data may persist in encrypted backups for up to 90 days after deletion
  • Legal holds: Data required for legal or compliance purposes may be retained longer as required by law
  • Anonymized data: Aggregated, anonymized data that cannot identify individuals may be retained indefinitely for analytics and Service improvement

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format (JSON/CSV)
  • Restriction: Request restriction of certain processing of your data
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw at any time

To exercise any of these rights, contact us at the email below. We will respond within 30 days. Note that some requests may need to be directed to your organization's administrator, as they are the data controller for your work data.

9. Data Processing Agreement

For organizations that require a formal Data Processing Agreement (DPA) — such as those subject to GDPR, CCPA, or other data protection regulations — we offer a DPA that covers our obligations as a data processor. Enterprise customers can request a DPA by contacting us. The DPA supplements this Privacy Policy and governs our processing of personal data on your behalf.

10. International Data Transfers

Our Service is hosted in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required. By using the Service, you consent to the transfer of your information to the United States.

11. Google API Data & Gmail Integration

ShiftFlow offers an optional Gmail integration that allows organization owners to automatically import delivery scorecard and performance data from Amazon emails. This section describes how we handle Google user data in compliance with Google's API Services User Data Policy, including the Limited Use requirements.

What We Access

  • We request read-only access to your Gmail account (gmail.readonly scope)
  • We only read emails matching specific subject filters (e.g., "Scorecard", "DOR", "Daily Report") configured by the organization owner
  • We extract CSV and Excel file attachments from matching emails for data import
  • We do not read, store, or process the body text of your emails

How We Use Gmail Data

  • Extracted scorecard data (delivery metrics, safety violations) is imported into your ShiftFlow organization's dashboard
  • We do not use Gmail data for advertising, market research, or any purpose unrelated to the ShiftFlow Service
  • We do not share Gmail data with third parties except as required to operate the Service (see Sub-Processors above)

Data Storage & Security

  • Gmail OAuth tokens (access and refresh tokens) are encrypted at rest using AES-256-GCM
  • Tokens are stored in our database and are never exposed to client-side code
  • Email attachment data is processed in memory and only the extracted metrics are stored
  • Raw email content and attachments are not permanently stored after processing

Revoking Access

  • You can disconnect Gmail at any time from ShiftFlow Settings, which deletes all stored OAuth tokens
  • You can also revoke access from your Google Account at myaccount.google.com/permissions
  • Previously imported scorecard data remains in your ShiftFlow account after disconnection

Google API Services User Data Policy

ShiftFlow's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google data to provide and improve the ShiftFlow Service for the user who authorized access.

12. Cookies and Tracking

ShiftFlow uses the following types of cookies and similar technologies:

  • Essential cookies: Required for authentication, session management, and security. Cannot be disabled
  • Functional cookies: Remember your preferences (theme, timezone, language)
  • Analytics: We may use privacy-respecting analytics to understand usage patterns and improve the Service. No third-party advertising cookies are used

13. Children's Privacy

ShiftFlow is a workplace tool not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or through the Service. Your continued use after changes take effect constitutes acceptance. Previous versions of this policy will be archived and available upon request.

15. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a security concern, contact us at candidoenter@gmail.com.