1. Who We Are
ShiftSign ("we", "us", "our") is a timesheet management platform. This policy explains how we collect, use, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Contact: privacy@shiftsign.co.uk
2. Data We Collect
We collect the following categories of personal data:
- Account data: name, email address, role, company affiliation
- Timesheet data: hours worked, site, expenses, dates, approval history
- Financial data: hourly rate (set by agency), estimated earnings
- Contact data: phone number (if provided for SMS notifications)
- Usage data: login timestamps, activity logs, IP address
- Billing data: subscription plan, payment status (card details held by Stripe, not us)
3. How We Use Your Data
We use personal data to:
- Provide and operate the timesheet management service
- Process timesheet submissions, approvals, and payroll exports
- Send transactional notifications (submission confirmations, approval alerts)
- Manage subscriptions and billing via Stripe
- Detect fraud and maintain platform security
- Comply with legal obligations
4. Legal Basis for Processing
- Contract performance: processing timesheets, managing accounts
- Legitimate interests: security monitoring, fraud prevention, platform improvement
- Legal obligation: tax records, data retention requirements
- Consent: SMS/WhatsApp notifications (where opted in)
5. Data Sharing
We share data only where necessary:
- Supabase: database and authentication hosting (EU data residency)
- Stripe: payment processing (PCI DSS compliant)
- Twilio: SMS/WhatsApp notifications (if enabled)
- Vercel: application hosting (EU region)
We do not sell personal data to third parties.
6. Data Retention
We retain personal data for as long as your account is active and for 7 years thereafter for financial/legal compliance purposes. Timesheet data exported by agencies is subject to that agency's own retention policy. You may request deletion of your data at any time (see Your Rights below).
7. Your Rights (UK GDPR)
You have the right to:
- Access: request a copy of your personal data
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion of your data ("right to be forgotten")
- Portability: receive your data in a machine-readable format
- Restriction: limit how we process your data in certain circumstances
- Objection: object to processing based on legitimate interests
To exercise any of these rights, email privacy@shiftsign.co.uk. We will respond within 30 days.
8. Security
We implement industry-standard security measures including: encrypted data in transit (TLS), encrypted data at rest, row-level security policies, and access controls based on user roles. We conduct regular security reviews.
9. Cookies
We use strictly necessary cookies for authentication session management. We do not use tracking or advertising cookies. No third-party analytics are embedded in the application.
10. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated to registered users by email. The "Last updated" date at the top reflects the most recent revision.