Your data, your business.

The way we handle data depends on whose data it is. Shiftly is used by businesses to manage their staff, which means we hold data on two distinct groups of people, and our role is different for each.

Staff who want to exercise their data rights should contact their employer first, as the employer is the controller. We'll assist where required by law and have a Data Processing Agreement (DPA) available to any business customer on request.

We try to collect as little as possible, and only what's needed to make Shiftly work. Here's everything:

What we don't collect: we don't track you across other websites, we don't use advertising cookies, we don't fingerprint your device, and we don't ask for your phone number or address unless you choose to provide it.

We use the information we collect to:

• Run the service. Generate rotas, sync data across devices, keep your account secure.
• Generate fair schedules. Run our deterministic OR-Tools solver against your staff data, contracted hours, and rules to produce balanced rotas.
• Keep things working. Fix bugs, prevent abuse, improve features based on what's actually being used.
• Talk to you when we must. Important account notices, billing receipts, security alerts, or material changes to this policy. No marketing spam.
• Meet legal obligations. Respond to lawful requests, resolve disputes, and enforce our terms.

Under the UK GDPR and EU GDPR, we rely on the following lawful bases:

• Contract. Running your account, generating rotas, processing payments — necessary to deliver the service you signed up for.
• Legitimate interests. Basic logging, security monitoring, and fraud prevention. We've weighed this against your privacy and kept collection minimal.
• Consent. Where we ask for something optional, we only act on it if you say yes. You can withdraw consent at any time.
• Legal obligation. When we have to respond to a lawful request from a court or regulator, or to keep records as the law requires.
• Processor instructions. For staff data, we process under the documented instructions of the business that signed up — not our own decisions.

We don't sell your data. We don't rent it. We share personal data only with a small set of infrastructure providers that help us run Shiftly, each bound by a data processing agreement.

We may also disclose information if required by law or to protect the rights, safety, or property of Shiftly or its users. If we're ever compelled to hand something over, we will push back where we lawfully can and notify the person affected where we're allowed to.

If we add a new infrastructure vendor, we'll update this list before that vendor starts handling your data.

Your data is stored on servers located in the UK and European Union where possible. Some of our infrastructure providers (such as Clerk and Stripe) are based in the United States and may process data there.

When personal data leaves the UK or EEA, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or an equivalent safeguard to ensure your data keeps the same level of protection wherever it goes.

Your account and the data inside it stick around for as long as your subscription is active. If you cancel and delete your account, we delete your personal data within 30 days, with the exception of:

• Backups. Encrypted backups may retain your data for up to 60 days before rotation.
• Financial records. We keep records of payments for as long as UK tax law requires (currently six years).
• Legal holds. If we're under a legal obligation to retain something, we'll keep only what's strictly required and for no longer than necessary.

Technical logs are rotated out automatically, typically within 30 days.

We take reasonable technical and organisational measures to protect your data: encryption in transit (TLS), encryption at rest, hashed passwords (handled by Clerk), and access controls on our infrastructure. Payroll data is protected by an additional password layer.

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours (as UK GDPR requires) and, where the risk is significant, we will notify you directly as soon as we reasonably can.

Depending on where you live, you have a set of rights over the personal data we hold about you. We honour these globally where we reasonably can.

To exercise any of these rights as an account holder, write to shiftly@seedcraft.co. We'll respond within 30 days with no charge and no need to justify your request.

If you're a staff member added to Shiftly by a business, your employer is the data controller. Please contact them first. We'll support them in responding to your request.

Shiftly accounts are for businesses, and account holders must be 18 or older.

We recognise that hospitality and retail employ workers from age 16 in many UK roles. Where a business adds a 16- or 17-year-old staff member to Shiftly, the business must ensure their participation complies with UK employment and data protection law, and that the staff member (or their parent/guardian where appropriate) is informed about how their data is used.

We don't knowingly process data on anyone under 16. If you believe a child under 16 has been added to Shiftly, please contact us and we'll investigate.

We use a small number of cookies to keep you signed in, remember your preferences, and measure basic site performance. We don't use advertising cookies, cross-site trackers, or third-party analytics tools that build profiles on you.

You can block or delete cookies through your browser settings. If you do, some parts of Shiftly may stop working properly.

When we make material changes, we'll notify active users by email or in-app before the change takes effect. Minor updates will just show a new “last updated” date.

If Shiftly is ever incorporated separately, sold, or restructured, we will tell you before any personal data moves and give you the chance to delete your account first.

This policy is governed by the laws of Scotland. Any disputes shall be subject to the exclusive jurisdiction of the Scottish courts, without prejudice to your rights as a consumer under the laws of your own country.