Privacy Policy

Last updated: May 2026

Effective: 12 May 2026

1. About this policy

Shiftctl ("we", "us", "our") is committed to protecting your personal information. This policy explains what data we collect, why we collect it, and your rights under applicable privacy laws — including the Australian Privacy Act 1988 (Cth), the UK GDPR, and the EU GDPR.

By using Shiftctl you agree to the practices described here.

2. Who we are

Shiftctl is an on-call shift management platform for IT and MSP teams. For privacy enquiries, contact us at support@shiftctl.com.

3. Data we collect

  • Account data — name, email address, and password (hashed). Signup is passwordless via an email magic link; you set a permanent password after first login.
  • Team data — team name, member roles, and rotation configuration.
  • Shift data — shift start/end times, tickets logged, pending items, warnings, and handoff notes entered during your on-call shifts.
  • Billing data — payment is processed by Stripe. We store only your Stripe customer ID and subscription status — never raw card details.
  • Usage data — page views and feature interactions collected via PostHog analytics to help us improve the product.
  • Advertising data — if you accept optional cookies, we use the Reddit Pixel and the LinkedIn Insight Tag on our public (non-authenticated) pages to measure ad campaign performance and enable retargeting. Reddit collects a hashed (non-reversible) version of email addresses visible on the page to match site visits with Reddit ad interactions. LinkedIn collects anonymised page-visit events and professional demographic data (job title, industry, company size) derived from LinkedIn profiles — it does not receive any Shiftctl account data. Neither pixel is loaded on authenticated pages that contain sensitive user data, and neither is loaded if you decline optional cookies. This data is used solely for conversion measurement and audience retargeting, and is not used to build profiles for unrelated advertising.
  • Phone number — if you enable backup SMS verification (Enterprise plan only), we collect your phone number for account recovery via Twilio Verify.
  • Device data — push notification subscription tokens if you opt in to browser notifications.
  • Error data — technical error reports via Sentry to help us fix bugs.

4. How we use your data

  • To provide and operate the Shiftctl service.
  • To send shift handoff notifications and reminders by email and push notification.
  • To process payments and manage subscriptions.
  • To analyse product usage and improve features (analytics data is aggregated and not sold).
  • To measure the effectiveness of our advertising campaigns (only with your consent).
  • To detect and fix technical errors.
  • To comply with our legal obligations.

5. Legal basis for processing (UK & EU)

Where UK/EU GDPR applies, we process your data on the following bases:

  • Contract — processing necessary to deliver the service you have subscribed to.
  • Legitimate interests — analytics and error monitoring to improve service quality.
  • Consent — push notifications, optional analytics cookies, and advertising/conversion tracking cookies.
  • Legal obligation — where required by law.

6. Third-party services

We share data only with the services needed to operate Shiftctl:

  • Supabase — database and authentication (data stored in the EU).
  • Vercel — hosting and edge infrastructure.
  • Stripe — payment processing.
  • Resend — transactional email delivery.
  • PostHog — product analytics.
  • Sentry — error monitoring.
  • Reddit — advertising conversion tracking via the Reddit Pixel. If you accept optional cookies, Reddit receives hashed email addresses and page-visit events to measure ad campaign performance. Reddit processes this data under its own Privacy Policy. The pixel is not loaded if you decline optional cookies.
  • LinkedIn — advertising conversion tracking and retargeting via the LinkedIn Insight Tag. If you accept optional cookies, LinkedIn collects anonymised page-visit data on our public pages to measure ad performance and build retargeting audiences based on professional demographics. The Insight Tag is not loaded on authenticated pages containing user data, and is not loaded if you decline optional cookies. LinkedIn processes this data under its own Privacy Policy.
  • Twilio — SMS-based account recovery verification (Enterprise plan only).
  • PSA platforms (Enterprise plan only) — if you enable a PSA integration, shift and ticket data is synced with your chosen provider (ConnectWise Manage, Autotask, or HaloPSA). Data flows are initiated by you and governed by your PSA provider's own privacy policy.
  • Microsoft Entra ID (Enterprise plan only) — if you enable SCIM provisioning, user identity data (name, email, role) is synced between Entra ID and Shiftctl.
  • PagerDuty / Opsgenie (Team plan and above) — if you enable schedule import or live sync, your on-call schedule data is fetched from PagerDuty or Opsgenie via their APIs. Shiftctl stores a copy of the schedule locally. Data flows are initiated by you.
  • Slack (Team plan and above) — when you install the Shiftctl Slack app, we collect and store an OAuth bot token (encrypted at rest using AES-256), your Slack workspace ID and name, and the Slack user ID of the person who installed the app. To enable slash commands and DM notifications, we link Slack user IDs to Shiftctl profiles — either automatically by matching email addresses or manually via a short-lived link code you generate. We store Slack user IDs, workspace IDs, and email addresses used for linking. Slash command usage (command name, timestamp, success/failure) is logged for auditing. Shift events, alerts, and digest summaries are posted to your configured Slack channel via the bot. Message content includes engineer names, shift times, and ticket summaries. If you disconnect the Slack integration, we revoke and delete the stored bot token. If you previously used a legacy Slack webhook instead of the app, the same message content applies but no OAuth tokens or user identity data are stored.
  • Microsoft Teams (Team plan and above) — when you install the Shiftctl Teams bot, we store your Azure tenant ID, the bot service URL, and installation metadata. To enable chat commands and notifications, we link Teams user IDs to Shiftctl profiles by email. We store Teams user IDs, tenant IDs, and conversation IDs for message delivery. Adaptive Cards containing shift events, alerts, and digest summaries are posted to your configured Teams channel or via direct message. Message content includes engineer names, shift times, and ticket summaries. If you previously used a legacy Teams webhook instead of the bot, the same message content applies but no user identity data is stored.

If you use our iCal feed feature, a token-based URL is generated that external calendar applications (Google Calendar, Outlook, Apple Calendar) can fetch to display your on-call schedule. This URL contains your schedule data and should be treated as private.

We do not sell your data to third parties.

6a. Audit logging

Shiftctl maintains audit logs of administrative and security-relevant actions performed within your team. Logged events include (but are not limited to): member invitations and removals, role changes, billing changes, schedule modifications, data exports, and security settings changes.

Audit logs record the action performed, the user who performed it, a timestamp, and associated metadata (such as IP address on Enterprise plans). Audit logs are accessible to team owners and admins.

Audit log retention follows your team's configured data retention policy. On Enterprise plans with custom retention, audit logs are retained for the duration you specify (minimum 365 days). On other plans, audit logs are retained for the lifetime of your account.

7. Data retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g. financial records).

8. Your rights

Depending on your location, you may have the following rights:

  • Australia — access, correction, and complaint rights under the Privacy Act 1988.
  • UK / EU — access, rectification, erasure, restriction, portability, and objection under UK/EU GDPR.
  • California (US) — access, deletion, and opt-out of sale rights under CCPA (we do not sell data).

To exercise any right, email us at support@shiftctl.com. We will respond within 30 days.

9. Cookies and tracking technologies

We use:

  • Essential cookies — required for authentication and session management. These cannot be disabled.
  • Analytics cookies — used by PostHog to understand how the product is used. You can decline these via the cookie banner.
  • Advertising cookies — used by the Reddit Pixel and LinkedIn Insight Tag to measure ad conversion performance and enable retargeting. These tools collect page-visit events on our public pages only. These cookies are only set if you accept optional cookies via the cookie banner. You can change your preference at any time by clearing your browser cookies and revisiting the site.

Under UK GDPR and the Privacy and Electronic Communications Regulations (PECR), we obtain your consent before setting any non-essential cookies. Under Australian law, we follow the Australian Privacy Principles (APPs) regarding transparent disclosure. Under US state privacy laws (including CCPA), the Reddit Pixel and LinkedIn Insight Tag do not constitute a "sale" of personal information — they are used solely for first-party advertising measurement and retargeting.

9a. Do Not Track and opt-out

We honour browser Do Not Track (DNT) signals. If your browser sends a DNT signal, we will not load advertising pixels. You can also decline optional cookies via the cookie banner at any time. Under the California Consumer Privacy Act (CCPA), you have the right to opt out of the sale or sharing of personal information — we do not sell your data, and advertising cookies are only activated with your consent.

10. Data security

We implement industry-standard security measures including TLS encryption in transit, hashed passwords, and row-level security on our database. No system is completely secure; please use a strong unique password and keep it safe.

11. International transfers

Your data may be processed outside your country of residence (e.g. in the EU or US) by our service providers. We rely on standard contractual clauses and other appropriate safeguards for cross-border transfers.

12. Changes to this policy

We may update this policy from time to time. We will notify you by email or in-app notice if we make material changes. Continued use after notice constitutes acceptance.

13. Contact

Privacy enquiries: support@shiftctl.com