Skip to main content

Privacy Policy

Last updated: 9 April 2026

1. Who We Are

Shyft (“we”, “us”, “our”) is a shift and pay-cycle tracking service. For the purposes of UK data protection law (the UK General Data Protection Regulation and the Data Protection Act 2018), we are the data controller for the personal information collected through this service.

You can contact us at: contact@example.com

2. What Personal Data We Collect

We collect and store the following personal data:

  • Name — the display name you provide at registration or update in your profile.
  • Email address — used to identify your account and for authentication.
  • Profile photo URL — provided by GitHub or Google when you sign in with OAuth. We store a link to the image; we do not upload or host it ourselves.
  • Password (hashed) — if you register with email and password. We store a one-way bcrypt hash; the original password is never stored.
  • OAuth account tokens — access tokens and refresh tokens provided by GitHub or Google to maintain your login session. These are stored encrypted and are never shared.
  • Shift and pay-cycle data — the shift records, pay cycles, rates, and settings you create while using the service. Any free-text notes fields may contain personal information you choose to enter.
  • Two-factor authentication secret — if you enable two-factor authentication (2FA), we store an AES-256-GCM encrypted TOTP secret. The raw secret is never stored or logged; only the encrypted form is retained.
  • Security tokens (hashed) — short-lived, single-use tokens used for email verification, password reset, and 2FA verification. We store only the SHA-256 hash of each token; the raw value is sent to you by email and immediately discarded from memory.
  • Trusted-device token (hashed) — if you choose to trust a browser after completing two-factor authentication, we store the SHA-256 hash of a random token in our database for up to 30 days. This lets us recognise your browser and skip the 2FA prompt on future logins. The raw token is stored only in a cookie on your device; it is never retained on our servers. You can revoke this at any time by clearing your browser cookies, which will restore the standard 2FA prompt on your next login.
  • Email verification status — a boolean flag recording whether your email address has been verified.

We do not collect IP addresses, device fingerprints, location data, or behavioural analytics.

3. How We Use Your Data and Our Lawful Basis

We process your personal data to provide and operate the Shyft service. Our lawful basis under UK GDPR Article 6(1)(b) is performance of a contract — processing is necessary to deliver the service you have signed up for.

We also process limited pseudonymous operational identifiers (internal database IDs) for the purpose of system monitoring, error detection, and service reliability. This is based on our legitimate interests (UK GDPR Article 6(1)(f)) in maintaining a secure and reliable service. This processing does not involve names, email addresses, or any directly identifying information.

4. Data Processors (Sub-processors)

We share your data with the following third-party service providers who process it on our behalf:

Neon, Inc.

Database hosting — stores all your account and shift data.

Location: United Kingdom (AWS eu-west-2, London)

Transfer basis: Data remains in the UK. No international transfer.

GitHub, Inc.

OAuth sign-in — only processes your GitHub account information during the authentication flow. We store only an account token.

Location: United States

Transfer basis: Transfer covered by Standard Contractual Clauses (SCCs) under the UK International Data Transfer Agreement (IDTA).

Google LLC

OAuth sign-in — only processes your Google account information during the authentication flow. We store only an account token.

Location: United States

Transfer basis: Transfer covered by SCCs under the UK IDTA.

Axiom, Inc.

Operational monitoring and error logging — receives pseudonymous internal identifiers (user ID, workspace ID, shift ID) and error descriptions for system diagnostics. No names, email addresses, or shift content are transmitted.

Location: United States

Transfer basis: Transfer covered by SCCs under the UK IDTA.

Resend, Inc.

Transactional email delivery — sends account-related emails such as password reset links, email verification, 2FA codes, and security notifications. Your email address is transmitted solely to deliver these messages.

Location: United States

Transfer basis: Transfer covered by SCCs under the UK IDTA.

5. International Data Transfers

Some of our sub-processors are located outside the UK (see section 4). Where personal data is transferred to the United States — currently GitHub, Inc., Google LLC, Axiom, Inc., and Resend, Inc. — we rely on Standard Contractual Clauses (SCCs) incorporated into the UK International Data Transfer Agreement (IDTA) as the lawful transfer mechanism under UK GDPR Chapter V.

6. How Long We Keep Your Data

We retain your personal data for as long as your account is active. If you delete your account, all personal data — including your profile, shifts, pay cycles, rates, settings, and linked OAuth accounts — is permanently and irreversibly deleted from our systems, typically within minutes.

We do not retain backups of deleted user data beyond the normal database backup retention window of our hosting provider (Neon, Inc.), which is subject to their own data retention policies.

7. Your Rights Under UK GDPR

As a UK data subject, you have the following rights regarding your personal data:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can update your name directly in your profile settings at any time.
  • Right to erasure — you can permanently delete your account and all associated data from the Profile page.
  • Right to data portability — you can download a machine-readable copy of all your data from the Profile page at any time.
  • Right to restriction of processing — you can ask us to stop processing your data in certain circumstances.
  • Right to object — you can object to processing based on legitimate interests.

To exercise any of these rights, contact us at contact@example.com. We will respond within one calendar month as required by UK GDPR.

8. Cookies

Shyft uses two categories of cookies:

  • Strictly necessary cookies — a session token, a CSRF protection token, and transient OAuth state tokens used only during login. These are exempt from consent requirements under the UK Privacy and Electronic Communications Regulations (PECR) and cannot be opted out of without losing access to the service.
  • Trusted-device cookie (__Secure-td) — set only when you explicitly click “Trust for 30 days” after completing two-factor authentication. It contains a random token that allows us to recognise your browser and skip the 2FA prompt for up to 30 days. This cookie is set solely on the basis of your prior, explicit consent given in the app. You can remove it at any time by clearing your browser cookies; doing so will restore the standard 2FA prompt on your next login.

No tracking, advertising, or analytics cookies are used.

9. Right to Lodge a Complaint

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

We would, however, appreciate the opportunity to address your concerns before you contact the ICO.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will reflect any changes. Continued use of the service after a change constitutes acceptance of the updated policy.