S
ShiftBox

Privacy Policy

v1.0 GLOBAL · en

This Privacy Policy describes how ShiftBox collects, uses, and protects personal data from users of our services available at https://shift-box.com.

Privacy and data-rights requests: hello@shift-box.com.

1. Data controller and processor roles

1.1. For your account data (e.g. e-mail, name, company profile), Denis Nikolaevich Zakharov acts as the Data Controller for this segment, to the extent Controller rules apply in your jurisdiction (including the GDPR in the EU/EEA and UK GDPR where relevant).

1.2. For personal data relating to your employees or contractors that you upload into ShiftBox, the Provider generally acts as a Data Processor, processing such data on your instructions and pursuant to these terms and the functionality of the Service. You represent that you have obtained any required consents and lawful bases to upload that data. The Provider is not responsible for your lack of appropriate legal grounds. For such third-party data, you act as (or appoint) the controller towards your employees, and the Provider processes data on your behalf within the product’s features.

1.3. For any question about this Policy or your personal data, including export, deletion of your account, or withdrawal of consent, contact hello@shift-box.com.

2. Data we process

  • Account identifiers and profile information you provide.
  • Operational workforce data you enter (employees, shifts, schedules, rates, locations as configured).
  • Technical data (IP address, device/browser metadata, cookies) for security, reliability, and product improvement.
  • Where enabled: analytics data from Google Analytics (GA4) and similar web-analytics tools.
  • Integration-related data where you use them (for example Telegram bot identifiers, or information received via Google sign-in / OAuth).
  • Support communications you send us.

3. Children’s privacy

The Service is intended primarily for business use (B2B). It is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such information.

4. Purposes and legal bases

We process data to provide and secure the Service, authenticate users, send service-related notices (including shift and schedule notifications by e-mail, Telegram, or other channels you configure), provide support, improve reliability, send billing and payment-related messages through our payment processors, and comply with legal obligations applicable to us. Depending on context, we rely on contract performance, legitimate interests (where balanced against your rights), and consent where required (for example certain cookies or marketing, if enabled).

5. Storage, sharing, and transfers

5.1. Hosting (global segment). For this segment, customer content and operational personal data are processed using cloud infrastructure in the European Union. Unless the product or administrator settings say otherwise, primary databases and processing run on Amazon Web Services (AWS) in the Frankfurt (Germany) region. Backups and subprocessors may use other EU regions (for example Ireland) or vendors (for example Google Cloud in Belgium) as described in our subprocessors list or product documentation. Material changes to primary regions will be reflected in updates to this Policy.

5.2. By using the Service as a global user, you acknowledge that personal data may be stored and processed in these locations and transferred as needed to operate the Service, subject to appropriate safeguards where required by law (including GDPR mechanisms such as Standard Contractual Clauses where applicable).

5.3. Disclosures to third parties. We do not sell your personal data. We also do not “sell” or “share” your personal information as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). We may disclose information where required by competent authorities, to subprocessors bound by confidentiality and data-processing commitments (hosting, support, payment processing, analytics, etc.), or where you give explicit consent.

5.4. Web analytics (Google). Where Google Analytics (GA4) or similar tools are enabled, Google Ireland Limited and other Google group companies may process pseudonymous technical data (such as cookies, truncated IP, browser/device metadata, and interaction events) for statistics and product improvement. Some processing may occur outside the EEA (including the United States) under Google’s terms and applicable transfer tools (such as the EU–US Data Privacy Framework and/or Standard Contractual Clauses, as updated from time to time). You can use browser controls and, where shown, cookie preferences to limit non-essential analytics cookies.

6. Security and retention

We apply industry-standard safeguards (including TLS in transit, access controls, and backups). Personal data is generally processed until the processing purposes are achieved, or until you delete your account or withdraw consent where that applies, unless a longer period is required by law.

After account deletion at your request, data linked to your account and workforce data you entered may remain in backups and operational logs for up to ninety (90) days to comply with law, resolve disputes, and maintain security, after which it is deleted or anonymized to the extent technically feasible, unless mandatory law requires a different period.

7. Your rights (including GDPR)

Depending on your jurisdiction, you may have rights to access, rectify, delete, restrict, or object to certain processing, data portability, and to lodge a complaint with a supervisory authority.

  • Erasure / delete account: request deletion of your account and associated personal data (subject to lawful exceptions and minimal retention).
  • Access / export: request a copy or export of your personal data in a structured, machine-readable form where applicable — contact hello@shift-box.com.
  • Withdraw consent / other requests: request withdrawal of consent or restriction, blocking, or rectification of processing, where applicable — contact hello@shift-box.com.

Send requests from your account e-mail or with enough information to verify your identity. Where the GDPR applies, we will respond to requests under Chapter III without undue delay and in principle within one month of receipt; that period may be extended by two further months where necessary, taking into account the complexity and number of requests, in line with Article 12(3) GDPR.

Where applicable, you may also object to processing based on legitimate interests or to marketing processing.

8. Cookies and analytics

We use cookies and similar technologies for authentication, preferences, security, and analytics. You can control cookies through your browser settings; disabling certain cookies may limit functionality.

Analytics tools may use cookies or similar identifiers; details are in section 5.4. Reports are mainly aggregated; it is not technically possible to guarantee that identification can never occur.

Continued use of the Service may be treated as acceptance of strictly necessary cookies where required for operation; where consent is required for non-essential cookies, we rely on the mechanisms shown in the product or website.

9. Updates to this Policy

We may update this Policy to reflect legal or operational changes. The current version is published on the website and takes effect on the date stated in the document (or on publication if no separate date is given).

We are not required to send an individual notice for every change unless mandatory law says otherwise; in other cases, publication on the website is sufficient. Where permitted by law, continued use of the Service after the effective date confirms that you have had a reasonable opportunity to review the update. We recommend checking this page periodically.