Privacy Policy

Shiftctl ("we", "us", "our") is committed to protecting your personal information. This policy explains what data we collect, why we collect it, and your rights under applicable privacy laws — including the Australian Privacy Act 1988 (Cth), the UK GDPR, and the EU GDPR.

By using Shiftctl you agree to the practices described here.

Shiftctl is an on-call shift management platform for IT and MSP teams. For privacy enquiries, contact us at support@shiftctl.com.

• Account data — name, email address, and password (hashed) when you sign up.
• Team data — team name, member roles, and rotation configuration.
• Shift data — shift start/end times, tickets logged, pending items, warnings, and handoff notes entered during your on-call shifts.
• Billing data — payment is processed by Stripe. We store only your Stripe customer ID and subscription status — never raw card details.
• Usage data — page views and feature interactions collected via PostHog analytics to help us improve the product.
• Device data — push notification subscription tokens if you opt in to browser notifications.
• Error data — technical error reports via Sentry to help us fix bugs.

• To provide and operate the Shiftctl service.
• To send shift handoff notifications and reminders by email and push notification.
• To process payments and manage subscriptions.
• To analyse product usage and improve features (analytics data is aggregated and not sold).
• To detect and fix technical errors.
• To comply with our legal obligations.

Where UK/EU GDPR applies, we process your data on the following bases:

• Contract — processing necessary to deliver the service you have subscribed to.
• Legitimate interests — analytics and error monitoring to improve service quality.
• Consent — push notifications and optional analytics cookies.
• Legal obligation — where required by law.

We share data only with the services needed to operate Shiftctl:

• Supabase — database and authentication (data stored in the EU).
• Vercel — hosting and edge infrastructure.
• Stripe — payment processing.
• Resend — transactional email delivery.
• PostHog — product analytics.
• Sentry — error monitoring.

We do not sell your data to third parties.

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g. financial records).

Depending on your location, you may have the following rights:

• Australia — access, correction, and complaint rights under the Privacy Act 1988.
• UK / EU — access, rectification, erasure, restriction, portability, and objection under UK/EU GDPR.
• California (US) — access, deletion, and opt-out of sale rights under CCPA (we do not sell data).

To exercise any right, email us at support@shiftctl.com. We will respond within 30 days.

We use:

• Essential cookies — required for authentication and session management. These cannot be disabled.
• Analytics cookies — used by PostHog to understand how the product is used. You can decline these via the cookie banner.

We implement industry-standard security measures including TLS encryption in transit, hashed passwords, and row-level security on our database. No system is completely secure; please use a strong unique password and keep it safe.

Your data may be processed outside your country of residence (e.g. in the EU or US) by our service providers. We rely on standard contractual clauses and other appropriate safeguards for cross-border transfers.

We may update this policy from time to time. We will notify you by email or in-app notice if we make material changes. Continued use after notice constitutes acceptance.

Privacy enquiries: support@shiftctl.com