Security & Privacy

Your data is protected. Always.

At ShiftFlow, security is not an afterthought — it is foundational to everything we build. Your payroll data, shift logs, earnings history, and personal financial information are among the most sensitive data you can share with any application. We treat that responsibility seriously.

ShiftFlow was designed from the ground up with a security-first architecture. Every feature, every data flow, and every third-party integration is evaluated through a security lens before it is shipped to you. Our commitment: your data is encrypted, private, and never sold.

Security Measures

ShiftFlow employs multiple layers of protection to safeguard your data:

TLS 1.3 Encryption in Transit

All communication between your device and ShiftFlow servers uses TLS 1.3 — the most current and secure version of the Transport Layer Security protocol. This ensures that your shift data, payroll figures, and personal information cannot be intercepted in transit.

AES-256 Encryption at Rest

Your data stored on ShiftFlow servers is encrypted at rest using AES-256, the same encryption standard used by financial institutions, healthcare providers, and government agencies. Even in the unlikely event of unauthorized server access, your data remains unreadable.

iOS Keychain Token Storage

Authentication credentials and session tokens are stored exclusively in the iOS Keychain — Apple's secure, hardware-backed credential storage system. ShiftFlow never stores plaintext tokens, passwords, or sensitive credentials in app storage or local databases.

GDPR & CCPA Compliance

ShiftFlow is fully compliant with the General Data Protection Regulation (GDPR) for users in the European Union and the California Consumer Privacy Act (CCPA) for California residents. You have the right to access, correct, delete, and export your data at any time.

30-Day Soft-Delete + Data Purge

When you delete your account, ShiftFlow initiates a 30-day soft-delete period during which your data is queued for permanent removal. After 30 days, all personal data — shift logs, earnings, chat history, and profile information — is permanently purged from our systems. This process is irreversible.

No Data Selling — Ever

ShiftFlow does not sell your personal data to third parties. Period. We do not participate in data broker marketplaces, advertising networks, or any scheme that monetizes your personal information. Our revenue comes from subscriptions, not from your data.

SOC2-Aligned Practices

Our internal security practices are aligned with the SOC2 framework, covering security, availability, processing integrity, confidentiality, and privacy. Access to production data is restricted to authorized personnel only, with multi-factor authentication required for all administrative access.

AI & OCR Safety

ShiftFlow uses AI models to power payroll analysis, the AI financial assistant, and payslip scanning. Here is exactly how we handle your data in these contexts:

Payslip OCR Processing

When you photograph a payslip using ShiftFlow's scanner, the image is transmitted via encrypted TLS 1.3 to our OCR processing service. The image is processed in a secure, isolated environment and the extracted text data is immediately associated with your account. Payslip images are not permanently stored — they are retained for a maximum of 30 days to allow for re-processing in case of errors, then automatically and permanently deleted.

AI Financial Assistant

When you interact with the AI assistant, your queries and relevant account context are processed by our AI provider under strict data processing agreements. Your queries are not used to train AI models without your explicit consent. Conversation history is stored securely and encrypted within your ShiftFlow account.

Payroll Anomaly Detection

Payroll anomaly detection processes your shift logs on secure servers to identify discrepancies. The underlying detection model is trained exclusively on anonymized, aggregated data — it is never trained on individually identifiable payroll records. Your specific payroll data is never shared with or used to improve models that serve other users.

Your Rights

You have full control over your data. At any time, you may:

• Access: Request a complete export of all personal data ShiftFlow holds about you
• Correction: Update or correct any inaccurate personal information in your account
• Deletion: Delete your account and all associated data — permanently and irreversibly
• Portability: Receive your data in a structured, machine-readable format (JSON or CSV)
• Opt-out: Opt out of analytics data collection at any time in Settings → Privacy

To exercise any of these rights, contact us at privacy@shiftflowx.net or visit the Account Deletion page. We respond to all data requests within 30 days.

Contact

For security or privacy questions, contact our team:

• Privacy inquiries: privacy@shiftflowx.net
• Security vulnerabilities: privacy@shiftflowx.net
• General support: support@shiftflowx.net

If you believe you have discovered a security vulnerability in ShiftFlow, please contact us immediately. We take all security reports seriously and will respond within 24 hours.