Data Collection Policy
Effective Date: May 1, 2026
Overview
This policy explains exactly what data ShiftFlow collects from you, why we collect it, how long we keep it, and what happens when you delete it. We believe transparency is non-negotiable when an app touches your payroll and financial records.
ShiftFlow is designed on a data minimisation principle: we collect only what is necessary to deliver the features you use, and nothing more.
What We Collect
Account Information
- Email address (required for account creation and recovery)
- Display name
- Password hash (bcrypt — we never store your plaintext password)
- Apple ID or Google ID if you use Sign In with Apple / Google
- Timezone and currency preference
- Country code (two-letter ISO code, used for tax and payroll rules)
Shift & Payroll Data
- Shift start and end times
- Break durations
- Employer / job name, hourly rate, overtime configuration
- Tips, mileage, and expense entries
- Tags and shift notes
- Calculated gross pay, net pay, and overtime hours (server-computed — we never trust client-side calculations for financial figures)
- Pay schedule (frequency, anchor date, next payday)
Financial Calculations
- Tax rate (user-configured)
- Tax profile (filing status, deductions — optional)
- Invoice data (client name, line items, amounts, due dates)
- Paycheck anomaly detection results
Device & Session Data
- Device token for push notifications (APNs) — deleted when you log out
- Device name and OS version (for the Security Centre session list)
- IP address (stored only as a hash, never in plaintext — used for suspicious login detection)
- JWT access tokens (short-lived, 1 hour) and refresh tokens (30 days, httpOnly cookie)
Analytics & Crash Data
- Anonymised feature usage events via PostHog (e.g. “shift_logged”, “paywall_viewed”)
- Crash reports and performance traces via Sentry (device model, OS version, stack trace — no PII)
- Session counts and retention metrics (aggregate only)
Subscription Data
- Subscription status, plan, and expiry date (synced from RevenueCat)
- RevenueCat customer ID
- Trial start and end dates
- We never store credit card numbers, CVVs, or bank account details — all billing is handled exclusively through Apple in-app purchases
AI & Wellbeing Data
- Energy scores and mood entries (logged per shift — optional)
- Stress scores (1–10, optional)
- AI Memory Profile: preferred shift patterns, financial goals, burnout triggers, income priorities — stored server-side and used only to personalise your AI recommendations
- Work journal entries (text, optional)
What Is Optional
The following data is never required to use ShiftFlow's core features:
- Energy scores, mood, and stress entries per shift
- Work journal entries
- AI Memory (can be disabled in Profile → AI Settings → AI Memory)
- Location data for automatic clock-in (requires explicit permission, can be revoked at any time in iOS Settings)
- Push notifications (can be declined or disabled in iOS Settings)
- Analytics participation (anonymised — cannot be opted out of individually, but contains no PII)
- Tax profile details beyond your basic tax rate
- Invoice client details
AI Memory Behaviour
ShiftFlow's AI assistant maintains an optional memory profile that stores preferences and patterns to personalise responses. This memory:
- Is stored in our database under your user ID, encrypted at rest with AES-256
- Is used only to improve AI recommendations within your account — it is never used to train models or shared with any third party
- Can be cleared at any time: Profile → AI Settings → Delete AI History
- Can be disabled entirely: Profile → AI Settings → Disable AI Memory
- Is deleted permanently on account deletion (no grace period)
Work journal entries that you choose to share with the AI within a chat session are processed by your configured AI provider (DeepSeek or Claude) and are subject to that provider's privacy policy. We redact payroll amounts and personal identifiers before sending any text to AI providers.
AI Training Usage
ShiftFlow does not use your personal data to train AI models.
Your shift data, payroll records, journal entries, and AI conversations are never used as training data for any machine learning model — by ShiftFlow or any third party we work with. We use AI APIs (DeepSeek, Anthropic Claude) in API mode, which means your data is processed for inference only and is not retained by the AI provider for training.
Third-Party Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| RevenueCat | Subscription management | User ID, subscription events — no payment card data |
| Apple App Store | In-app purchase billing | Handled entirely by Apple — we receive only a receipt and subscription status |
| PostHog | Product analytics | Anonymised event names and properties — no PII, no payroll data |
| Sentry | Crash monitoring | Stack traces, device model, OS version — no user data, no payroll data |
| DeepSeek / Anthropic | AI responses (opt-in) | Sanitised prompt text — PII and payroll figures are redacted before sending |
| Railway / Cloudflare | Cloud hosting and CDN | Encrypted data at rest — providers cannot read your financial records |
Retention Periods
| Data Type | Retention Period |
|---|---|
| Active account data (shifts, invoices, payroll) | Kept until account deletion |
| Soft-deleted shifts and invoices | 30-day grace period, then hard-deleted |
| Account data after deletion request | 30-day grace period for recovery, then hard-deleted |
| AI Memory Profile | Deleted immediately on account deletion or manual clear |
| Audit logs (admin-only) | 90 days |
| Push notification tokens | Deleted on logout or account deletion |
| Analytics events (PostHog) | Anonymised — no user-linked retention period |
| Crash reports (Sentry) | 90 days per Sentry's default policy |
| OCR-processed paystub files | Not stored server-side — processed and discarded immediately |
Deletion Behaviour
When you delete your account (Profile → Settings → Delete Account), ShiftFlow initiates a full deletion sequence:
- Your account is immediately soft-deleted — you cannot log in, and your data is no longer accessible
- You have a 30-day window to contact support and recover your account
- After 30 days, a scheduled job hard-deletes all records associated with your account: shifts, invoices, payroll records, journals, AI memory, goals, device tokens, notification preferences, and analytics identifiers
- AI Memory is deleted immediately — no grace period
- Your anonymised analytics events (PostHog) remain but cannot be linked back to you
- RevenueCat retains your subscription history for their own legal compliance requirements
To request account deletion directly: shiftflowx.net/delete or email support@shiftflowx.net.
Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and all associated data
- Portability — export your shifts and earnings as CSV or JSON
- Restriction — request that we stop processing your data while a complaint is investigated
- Objection — object to any processing based on legitimate interests
- Withdraw consent — disable AI Memory, revoke notification permissions, or delete your AI chat history at any time
GDPR users (EEA/UK): You may lodge a complaint with your local supervisory authority.
CCPA users (California): We do not sell personal information. You have the right to know, to delete, and to opt out of sale (not applicable — we do not sell).
To exercise any of these rights, contact privacy@shiftflowx.net.
Contact
For questions about this policy, data requests, or privacy concerns:
- Email: privacy@shiftflowx.net
- Support: shiftflowx.net/support
We aim to respond to all data requests within 30 days.