Privacy Policy
Last Updated: May 16, 2026
Summary: ShiftSync is a B2B workforce scheduling platform. When your employer uses ShiftSync, the business that engaged ShiftSync is the data controller responsible for employee data. ShiftSync acts as a data processor on behalf of that business. We do not sell employee data and we retain it only as long as necessary to provide the service.
1. Who We Are
ShiftSync ("we," "us," or "our") operates the employee scheduling and workforce management platform at shiftsynch.com. ShiftSync is a business-to-business (B2B) service: our customers are businesses (referred to as "Organizations"), and employee data is entered into ShiftSync by those businesses. This Privacy Policy explains how we collect and handle data from both Organizations (account holders) and the employees whose data Organizations enter into the platform.
2. Controller and Processor Roles
Important distinction for employees: If your employer uses ShiftSync, your employer is the data controller — they control what information is entered into the system, how long it is retained, and who has access to it. ShiftSync is the data processor, acting on your employer's instructions. For questions about your personal data in ShiftSync, please first contact your employer's HR or management team.
2.1 Organization Accounts (Data Controllers)
When a business subscribes to ShiftSync, an Organization account is created. The business administrator controls:
- Which employee data is entered into the platform
- Who within the organization can access the platform
- How long the organization's subscription remains active
2.2 ShiftSync as Processor
ShiftSync processes employee data only as directed by the subscribing Organization, and only to provide the scheduling and workforce management service. We do not use employee data for any purpose beyond operating the platform on behalf of the Organization.
3. Information We Collect
3.1 Organization Account Data
- Business name and contact information
- Administrator name and email address
- Subscription plan and billing information (processed via MemberPress/BooksAndGuidesPro)
- Organization settings and team structure
3.2 Employee Data (entered by Organization)
Organizations may enter the following data about their employees into ShiftSync:
- Employee name
- Email address (used for login and schedule notifications)
- Employee role and team assignment
- Shift schedules and assignments
- Qualifications or certifications relevant to scheduling
- FTE codes and availability information
Organizations should only enter data that is reasonably necessary for workforce scheduling purposes and must ensure they have a lawful basis for providing employee data to a third-party processor.
3.3 Usage Data
- Login timestamps and session data
- IP address and browser type (standard server logs)
- Feature usage within the scheduling interface
3.4 Mobile App Data (push notifications & location)
If you install the ShiftSync mobile app (iOS or Android), we additionally process:
- Push notification token: a device-specific identifier issued by Apple Push Notification service (APNs) or Google Firebase Cloud Messaging (FCM). We use it only to deliver schedule, time-off, and shift-coverage notifications to your device. You can disable notifications at any time in your device settings.
- Precise location (optional): if your employer enables geofenced clock-in, the app reads your device location only at the moment you clock in or out to verify you are at the worksite. The location is checked against the worksite boundary and the result is stored with the time punch. We do not track your location in the background or when the app is closed, and we never use it for advertising.
- Basic device information: app version and device model, used to support the app and diagnose issues.
This mobile data is used solely to provide app functionality. It is encrypted in transit, is not sold, and is not shared with third parties for their own purposes.
4. How We Use Information
- To provide and operate the scheduling and workforce management platform
- To send schedule notifications and alerts to employees (on behalf of the Organization)
- To process Organization subscription payments
- To authenticate users and enforce access controls
- To detect and prevent security threats or abuse
- To fulfill legal and regulatory obligations
5. Data Sharing
We do not sell employee data or Organization data to third parties.
Data may be shared with:
- Within your Organization: Administrators and authorized managers can view employee schedules and data as configured by your Organization
- BooksAndGuidesPro: Subscription and authentication management is handled through BooksAndGuidesPro.com (parent platform)
- Legal requirements: If required by applicable law, court order, or governmental authority
- Business transfers: In connection with a merger, acquisition, or sale of assets; affected Organizations will be notified
6. Data Storage and Security
All ShiftSync data is stored on a server located in the United States. Security measures include:
- HTTPS/TLS encryption for all data in transit
- Hashed password storage
- JWT-based authentication for API access
- Access controls limiting data access to authorized users within each Organization
- Regular security updates
7. Data Retention
We retain Organization account data and associated employee data for as long as the Organization's subscription is active. Upon account termination:
- Organization and employee data is deleted or anonymized within 30 days of subscription cancellation
- Billing records may be retained for up to 7 years for accounting and legal compliance
- Backups are purged on a rolling 30-day cycle
8. GDPR — European Union Users
If your Organization is based in the EU/EEA or processes data of EU residents: ShiftSync acts as a data processor under the General Data Protection Regulation (GDPR). The subscribing Organization is the data controller and is responsible for ensuring there is a lawful basis for processing employee personal data in ShiftSync. Organizations may request a Data Processing Agreement (DPA) by contacting us at the address below.
Under GDPR, EU data subjects have rights including:
- Access (Article 15): Request a copy of your personal data
- Rectification (Article 16): Request correction of inaccurate data
- Erasure (Article 17): Request deletion of your data ("right to be forgotten")
- Restriction (Article 18): Request restriction of processing
- Portability (Article 20): Request data in a portable format
- Object (Article 21): Object to processing based on legitimate interests
Because your employer is the controller, many of these requests should initially be directed to your employer. We will cooperate with your employer to fulfill valid requests. If your employer is unresponsive, contact us directly and we will assist where we can as the processor.
9. Your Rights (US Users)
US users (including California residents under CCPA) may contact us to:
- Request access to or a copy of personal data we hold
- Request correction of inaccurate data
- Request deletion of personal data
We do not sell personal information. We will respond to requests within 45 days.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to Organization administrators by email, and the "Last Updated" date above will be revised accordingly.