SHIFTWERX PRIVACY POLICY

1. Introduction

ShiftWerx, LLC ("ShiftWerx," "we," "our," or "us") operates the ShiftWerx scheduling platform, including the ShiftLogic scheduling engine, ShiftMarket functionality, and related websites, mobile applications, and application programming interfaces (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and retain personal information when you use the Service.

This Privacy Policy is available at www.shiftwerx.com/privacy and is incorporated by reference into the ShiftWerx Terms of Service (which governs business customers) and the ShiftWerx End-User License Agreement (which governs individual end users). Additional contractual terms governing use of the Service may appear in those agreements.

2. Scope and Key Definitions

This Privacy Policy applies to personal information we process in connection with the Service.

Account Owner means the business customer or authorized representative that creates and administers a ShiftWerx account.

End User means an employee, staff member, or other worker whose information is entered into the Service by an Account Owner or who uses the Service under an Account Owner's organization account. End Users are individually subject to the ShiftWerx End-User License Agreement and Terms of Use.

Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, as defined by applicable law.

Service Data means scheduling, availability, shift, communications, and related operational data processed through the Service.

3. Our Role

ShiftWerx processes different categories of data in different roles.

3.1 Information We Process on Behalf of Account Owners

When an Account Owner enters, uploads, or manages employee or workforce-related data in the Service, including scheduling data, availability, time-off information, shift-trading activity, and related operational data, ShiftWerx generally acts as a service provider or processor on behalf of the Account Owner.

In that context: the Account Owner controls what End User information is submitted to the Service; the Account Owner is responsible for providing any required notices to End Users and obtaining any consents required by law; and ShiftWerx processes that information to provide the Service and in accordance with the Account Owner's instructions, our agreements, and applicable law.

3.2 Information We Process for Our Own Business Purposes

ShiftWerx acts as a controller or business for personal information we collect and use for our own business operations, such as: business contact and account registration information from Account Owners; billing and transaction record information; communications with our support team; and website or application usage, diagnostic, and analytics information that we use to operate, secure, and improve the Service.

3.3 End User Requests

If you are an End User and want to access, correct, or delete information associated with your employer's use of the Service, you should first contact your employer or other Account Owner, because they control that information. If you are unable to resolve your request with the Account Owner, you may contact us at support@shiftwerx.com, and we will respond as appropriate, subject to our obligations to the Account Owner and applicable law.

4. Categories of Personal Information We Collect

The categories of personal information we collect depend on how the Service is used.

4.1 Information Provided to Us Directly

We may collect the following categories of personal information: name, email address, phone number, and job title; business or employer name; employee scheduling information, shift assignments, availability, and time-off information; shift-trading or shift-marketplace activity within the Service; communications sent to us through email, support channels, or contact forms; billing contact information, billing address, and transaction-related records; and limited payment-related records from our payment processor, such as truncated card identifiers and transaction confirmations.

When you use AI-assisted features, we may also collect the files, images, or text you upload for AI processing, along with the AI-generated results and associated usage metadata (such as token counts and processing timestamps).

4.2 Information Collected Automatically

When the Service is used, we may automatically collect limited technical and usage information, such as: device type, operating system, and unique device identifiers; browser or application type and version; log data, error reports, and performance diagnostics; general usage activity, such as pages or features accessed; and device or notification tokens needed to deliver push notifications, where push notifications are enabled.

We do not describe this section to include categories of data that we do not knowingly collect as part of our ordinary operations.

4.3 Payment Information

Payment transactions are processed by third-party payment processors. We do not store full payment card numbers or full bank account details on our own systems. We may receive limited transaction details necessary for billing, recordkeeping, and customer support.

5. How We Use Personal Information

We may use personal information to: provide, operate, maintain, and improve the Service; create and administer customer accounts; manage scheduling, availability, shift-trading, and related Service functions; process transactions and send invoices, receipts, and related notices; respond to inquiries, support requests, and feedback; send service-related messages, product updates, and security notifications; monitor performance, troubleshoot issues, and improve usability; detect, investigate, and prevent fraud, misuse, unauthorized access, or other unlawful activity; enforce our agreements and protect our rights; and comply with applicable law, legal process, and regulatory obligations.

We may also use aggregated or de-identified information for internal analytics, product improvement, benchmarking, and business operations. As described in our Terms of Service, ShiftWerx owns all aggregated, anonymized, or de-identified data that does not identify any individual, Account Owner, or End User, and may use such data for any lawful purpose, including product development, industry benchmarking, and research. Such data may be retained indefinitely.

AI-Assisted Features. Certain optional features of the Service use artificial intelligence (AI) to process data you provide. These features include AI-assisted data import (which analyzes uploaded images, spreadsheets, or CSV files to extract scheduling, staffing, and organizational data) and an AI-powered support assistant. When you use these features, the data you submit — such as uploaded files, images, or support questions — is sent to our third-party AI service provider for processing. AI-assisted features are used only to perform the specific function you initiate; your data is not used to train AI models. AI features are optional, and the Service can be used without them.

6. Communications and Notifications

6.1 Service Communications

We may send service-related communications by email, push notification, in-app message, or similar means. These may include account notices, scheduling alerts, shift notifications, billing messages, service updates, and security alerts. Some of these communications are necessary to provide the Service.

6.2 Limited Text Message Communications

We do not operate a general SMS marketing program. If a prospective customer or user specifically asks to be contacted by text message, including through a contact form or other direct request, we may respond by text regarding that request or the related business inquiry. We do not send promotional text campaigns absent separate consent.

6.3 Marketing Communications

We do not currently send general marketing emails as part of the Service. If that changes, we will provide applicable choices and opt-out mechanisms as required by law.

7. How We Disclose Personal Information

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

We may disclose personal information only in the following limited circumstances:

Service Providers and Contractors. We may disclose personal information to vendors, contractors, and service providers that help us host, support, secure, analyze, maintain, communicate through, or process payments for the Service. These parties may process personal information only as reasonably necessary to perform services for us and subject to appropriate contractual restrictions. Our primary hosting infrastructure is currently provided by Vercel, Inc. Payment processing is handled by Stripe, Inc. AI-assisted features are powered by Anthropic, PBC. These and other service providers may change from time to time.

Within an Account Owner's Organization. Information may be visible to or shared among authorized users within an Account Owner's organization as necessary to operate the Service.

Legal and Safety Reasons. We may disclose personal information where we believe disclosure is reasonably necessary to comply with applicable law, legal process, or governmental request, or to protect the rights, property, safety, and security of ShiftWerx, our users, or others.

Business Transactions. We may disclose information in connection with an actual or proposed merger, acquisition, financing, asset sale, reorganization, bankruptcy, or similar business transaction, subject to appropriate confidentiality and legal safeguards.

With Consent or Direction. We may disclose information where you or the applicable Account Owner directs us to do so or where disclosure is based on consent.

We may also disclose aggregated or de-identified information that does not reasonably identify any person.

8. Data Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, maintain accounts, comply with legal obligations, resolve disputes, and enforce agreements.

In general: account and business contact information is retained while the customer relationship remains active and for a reasonable period afterward as needed for business and legal purposes; employee and workforce-related Service Data is generally retained while the relevant Account Owner account remains active and is typically deleted or anonymized within ninety (90) days after account cancellation or deletion, unless a longer retention period is required by law or reasonably necessary to resolve disputes or enforce agreements; billing and transaction records may be retained for longer periods where required for accounting, tax, audit, or similar legal purposes; and residual copies of deleted information may remain in backup systems for a limited period, typically up to an additional thirty (30) days, before being overwritten or permanently removed in the ordinary course.

Aggregated or de-identified information that does not identify any individual may be retained indefinitely for product improvement, analytics, benchmarking, and other lawful business purposes.

9. Security

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures may include safeguards relating to secure transmission, access controls, logging or monitoring, backups, and incident response practices. However, no method of transmitting or storing data is completely secure, and we cannot guarantee absolute security.

If you believe your account or information has been compromised, please contact us promptly at support@shiftwerx.com.

10. Privacy Rights and Choices

Depending on your jurisdiction and the nature of our relationship with you, you may have rights regarding your personal information, subject to applicable exceptions and limitations. These may include the right to: request access to personal information we hold about you; request correction of inaccurate personal information; request deletion of personal information; request a portable copy of certain information, where applicable; object to or request restriction of certain processing, where applicable; and not be discriminated against for exercising applicable privacy rights.

10.1 How to Submit a Request

To submit a privacy request, please contact us at support@shiftwerx.com. We may take reasonable steps to verify your identity and authority before responding. If you are an End User and your request relates to information controlled by your employer or other Account Owner, we may direct you to that Account Owner first or coordinate with them as appropriate.

10.2 Appeals

If we deny your privacy request in whole or in part, you may appeal that decision by replying to our response or by emailing support@shiftwerx.com with the subject line "Privacy Appeal" within thirty (30) days of our decision. We will review and respond to appeals within the time required by applicable law.

10.3 Authorized Agents

Where required by applicable law, we will honor valid requests submitted by an authorized agent acting on behalf of an individual, subject to reasonable verification of the agent's authority and the individual's identity.

11. Supplemental Notice for California Residents

This section applies only to California residents to the extent the California Consumer Privacy Act, as amended, applies.

In the preceding twelve (12) months, we may have collected the following categories of personal information: identifiers and contact information, such as name, email address, phone number, and job title; customer or employer information, such as business name; commercial or transaction information, such as billing contact details and transaction records; internet or network activity information, such as limited usage, log, and diagnostic data; and employment-related or workforce scheduling information submitted by Account Owners through the Service.

We collect these categories from: Account Owners and users directly; use of the Service; and service providers involved in payment processing or related operational support.

We use these categories for the business purposes described in Section 5 and may disclose them for the business purposes described in Section 7.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

We retain these categories of personal information for the periods described in Section 8.

California residents may submit requests to know, correct, delete, or access information as described in Section 10.

12. International Users

ShiftWerx is based in the United States, and our Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other jurisdictions where our service providers operate.

Those jurisdictions may have data protection laws that differ from the laws of your country of residence. Where applicable law requires additional safeguards for international transfers, we will implement them as required.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, and we process your personal information, we do so on one or more of the following legal bases: performance of a contract, our legitimate interests (to operate, improve, and secure the Service), your consent (where applicable), or compliance with legal obligations. You may have the right to lodge a complaint with your local supervisory authority.

13. Artificial Intelligence Features

The Service includes optional AI-assisted features that use third-party artificial intelligence services to process data you provide. These features currently include:

• AI Data Import, which analyzes uploaded images, spreadsheets, or CSV files to extract employee, scheduling, and organizational data for import into the Service; and
• AI Support Assistant, which provides in-app assistance by processing your questions and relevant account context.

When you use an AI-assisted feature, the data you submit is transmitted to our AI service provider (currently Anthropic, PBC) for processing. Only the data necessary to perform the requested function is transmitted. AI service providers process this data solely to return results to us and are contractually prohibited from using it to train or improve their models.

We log AI feature usage, including which feature was used, token counts, estimated processing costs, and timestamps, for rate limiting, billing, auditing, and service improvement purposes. These logs are associated with your user account and organization.

AI-assisted features are entirely optional. You may use the Service without enabling or interacting with any AI feature, and all equivalent functionality is available through manual entry or CSV upload.

14. Cookies and Similar Technologies

We may use cookies and similar technologies to operate, secure, and improve the Service. These technologies may be used for purposes such as: maintaining login sessions or authentication; remembering preferences; understanding general usage and performance; and supporting security, reliability, and troubleshooting.

We do not currently use third-party advertising cookies.

Where required by applicable law, we will provide any additional notice or consent choices required for non-essential cookies or similar technologies.

Do Not Track. Some browsers transmit "Do Not Track" (DNT) signals to websites. Because no universal standard for interpreting DNT signals has been established, we do not currently respond to or alter our practices upon receiving DNT signals. If an industry standard is adopted, we will reassess this position.

15. Children's Privacy and Minimum Age

The Service is intended for use by businesses and their personnel, including employees who are at least sixteen (16) years old. The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

Because the Service is typically provided by an employer for workforce scheduling and operations, the Account Owner is responsible for entering and managing employee information in compliance with applicable law and for providing any required notices to its personnel.

If we learn that personal information has been provided to us in violation of this Privacy Policy, we will take reasonable steps to delete that information as required by applicable law. If you believe a child has provided personal information to us in violation of this Privacy Policy, please contact us at support@shiftwerx.com.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational needs. When we make changes, we will update the "Last Updated" date above and provide additional notice where required by law.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: