Shft← Back to home

Privacy Policy

Last updated: March 2025 · Product of Ethos Ltd

1. Introduction

Ethos Ltd (“we”, “us”, “our”) operates the Shft platform (“Service”). This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use Shft, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using the Service, you acknowledge that you have read and understood this policy. If you do not agree with how we handle your data, please discontinue use of the Service.

2. Data Controller

Ethos Ltd is the data controller for personal data collected through the Shft platform. If you are a Worker whose data has been entered by an Admin (your employer or manager), the Admin organisation is a joint controller for that data. Our contact for data-related enquiries is privacy@shftapp.info.

3. Information We Collect

We collect the following categories of personal data:

Account & Identity Data

  • Full name, email address, phone number
  • Company name, job title, and role within Shft (Admin, Manager, Worker)
  • Password (stored in hashed form — never in plain text)

Schedule & Workforce Data

  • Shift schedules, rosters, and assignments
  • Availability preferences and time-off requests
  • Shift swap requests and approval history
  • Skills, roles, certifications, and pay rates (where entered by an Admin)

Time & Attendance Data

  • Clock-in and clock-out timestamps
  • Location data (geofencing) at the point of clock-in/out, if enabled by your Admin
  • Auto-generated timesheet records

Usage & Technical Data

  • IP address, device type, browser type, and operating system
  • Pages visited, features used, and session duration
  • Error logs and diagnostic information
  • Cookie identifiers (see Section 9)

4. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the Service — creating and managing accounts, publishing schedules, processing shift swaps, and generating timesheets.
  • Communications — sending shift notifications, swap alerts, approval updates, and system announcements via push notification or email.
  • Billing & Payments — processing subscription payments and issuing invoices.
  • Security & Fraud Prevention — monitoring for suspicious activity, enforcing our Terms & Conditions, and protecting users.
  • Product Improvement — analysing aggregated, anonymised usage patterns to improve features and performance.
  • Legal Compliance — meeting obligations under applicable law, responding to lawful requests from authorities, and resolving disputes.

5. Legal Basis for Processing

We rely on the following legal bases under UK GDPR:

  • Contract — processing is necessary to fulfil our agreement with you when you use the Service.
  • Legitimate Interests — improving the Service, preventing fraud, and ensuring platform security.
  • Legal Obligation — complying with legal requirements such as tax or employment record-keeping.
  • Consent — for optional features such as location-based clock-in, where we will ask for your explicit consent.

6. Data Sharing

We do not sell your personal data. We may share data with:

  • Service Providers — trusted third parties who assist us in operating the platform (e.g. cloud hosting, email delivery, payment processing). These providers act as data processors and are contractually bound to handle data securely.
  • Payroll & Calendar Integrations — only if you or your Admin explicitly enables an integration. Data shared is limited to what is necessary for that integration.
  • Legal & Regulatory Authorities — where required by law or to protect the rights and safety of our users.
  • Business Transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction, subject to equivalent privacy protections.

7. Data Retention

We retain your personal data for as long as your account is active and for a reasonable period afterwards in case you wish to reactivate. Specifically:

  • Account data is retained for 90 days after account closure, after which it is permanently deleted.
  • Shift, timesheet, and attendance records may be retained for up to 7 years to comply with employment and tax record-keeping obligations.
  • Usage and diagnostic logs are retained for up to 12 months.

You may request earlier deletion of your data, subject to our legal retention obligations (see Section 8).

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of Access — request a copy of the personal data we hold about you.
  • Right to Rectification — ask us to correct inaccurate or incomplete data.
  • Right to Erasure — request deletion of your data where there is no legitimate reason for us to continue processing it.
  • Right to Restrict Processing — ask us to limit how we use your data in certain circumstances.
  • Right to Data Portability — receive your data in a structured, machine-readable format.
  • Right to Object — object to processing based on legitimate interests.
  • Right to Withdraw Consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@shftapp.info. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

Shft uses cookies and similar tracking technologies to operate the Service. We use:

  • Essential Cookies — required for authentication and session management. The Service cannot function without these.
  • Analytics Cookies — used to understand how users interact with the platform so we can improve it. These are anonymised and aggregated.
  • Preference Cookies — store your settings and preferences (e.g. language, timezone).

You can manage cookie preferences through your browser settings. Disabling essential cookies will impair your ability to use the Service.

10. Data Security

We implement industry-standard technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, regular security reviews, and vulnerability monitoring. However, no method of transmission over the internet is 100% secure. If you suspect a security breach affecting your account, contact us immediately at security@shftapp.info.

11. International Transfers

Your data is primarily stored and processed within the UK and European Economic Area (EEA). If we transfer data outside these regions (for example, to a cloud provider with servers in the US), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notice. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes your acceptance.

13. Contact Us

For any privacy-related questions, requests, or concerns, please contact our Data Protection contact at:

Ethos Ltd

privacy@shftapp.info

Copyright © 2025 Product of Ethos Ltd