Privacy Policy

Shiftlify ("we", "our", "us") operates a temporary staffing platform that connects candidates seeking work with clients who need qualified staff for events and shifts. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our platform, in accordance with the European Union General Data Protection Regulation (GDPR) and applicable national data protection laws. This policy applies to all users of our platform, including candidates seeking employment opportunities, clients posting events and shifts, and any visitors to our website. By using our services, you acknowledge that you have read and understood this Privacy Policy. We are committed to protecting your privacy and handling your personal data with transparency and care. If you have any questions about this policy or our data practices, please contact us using the details provided at the end of this document.

For the purposes of applicable data protection laws, the data controller responsible for your personal data is: MELIORAPPS INTERACTIVE SRL Mihail Sadoveanu 20/1 Chisinau, MD-2044 Moldova Email: contact@shiftlify.io We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact us at contact@shiftlify.io. We process your data in accordance with the European Union General Data Protection Regulation (GDPR) and applicable national data protection laws.

We collect and process various categories of personal data depending on how you interact with our platform: **Account Data** When you register for an account, we collect your name, email address, phone number, and login credentials. For candidates, this also includes date of birth and nationality for employment verification purposes. **Profile Data** Candidates provide additional information including professional qualifications, work experience, employment history, skills, certifications, availability preferences, and optionally a profile photograph. Clients provide company information, contact details, and billing information. **Employment Data** We process data related to your work through our platform, including shift assignments, contract details, time records, attendance data, performance ratings, and payment information. **Usage Data** We collect information about how you use our platform, including saved search criteria and report configurations. This helps us improve our services and user experience. **Emergency Contact Data** Candidates may provide emergency contact information, including name, phone number, and relationship. This data is used solely for workplace safety purposes. **Sensitive Data** Depending on your role, we may process certain categories of sensitive data, including nationality and work authorization status, health and safety certificates, and social security numbers required for employment administration. **Background Check Data** With your explicit consent, we may collect and process background check data through third-party providers, including identity verification results, criminal background check results, and employment history verification. See the Background Checks section below for more details. **Device and Technical Data** We collect technical information including your IP address, browser type and version, device identifiers, operating system, and timezone settings. When you use multi-factor authentication, we generate a device fingerprint (a hashed combination of your browser characteristics) to identify trusted devices. We also collect information through cookies and similar technologies as described in the Cookies section below. **Audit and Security Data** We maintain audit logs that record your actions on the platform, including your IP address, user agent, timestamps, and the nature of the action performed. This data is used for security monitoring, fraud prevention, and regulatory compliance.

We use your personal data for the following purposes: **Platform Operation and Account Management** To create and manage your account, verify your identity, and provide you with access to our platform features. **Matching and Staffing Services** To match candidates with suitable events and shifts based on qualifications, availability, location, and client requirements. This is the core purpose of our platform. **Contract Creation and Management** To generate, manage, and store employment contracts when candidates are assigned to shifts, including tracking contract status and maintaining records. **Compensation Records** To track and record compensation rates and work hours for candidates on completed shifts, and to maintain billing records for staffing services rendered to clients. All actual payment processing occurs outside the Platform through external payroll and invoicing systems. **Communications** To send you important notifications about your account, shifts, schedule changes, and platform updates via email and WhatsApp messaging. We may also send promotional communications where you have consented to receive them. **Legal Compliance** To comply with our legal obligations, including employment law requirements, tax reporting, and responding to lawful requests from authorities. **Security and Fraud Prevention** To monitor platform usage through audit logging, detect unauthorized access, prevent fraud, and maintain the integrity of our systems. This includes recording actions performed, IP addresses, and device information for security purposes. **Identity Verification and Background Checks** With your consent, to verify your identity and conduct background checks through authorized third-party providers to ensure workplace safety and regulatory compliance. **Platform Improvement** To analyze usage patterns, conduct research, and improve our platform features, security, and user experience. This processing is based on our legitimate interest in providing better services.

We process your personal data based on the following legal grounds: **Contract Performance** Most of our data processing is necessary to perform our contract with you. For candidates, this includes matching you with shifts, creating contracts, and recording compensation details. For clients, this includes providing staffing services and managing your account. **Legitimate Interests** We process certain data based on our legitimate business interests, such as improving our platform, preventing fraud, and ensuring security. We always balance these interests against your rights and freedoms. **Legal Obligations** We process some data to comply with legal requirements, including employment law obligations, tax reporting requirements, and responding to lawful requests from government authorities. **Consent** Where required by law, we obtain your consent before processing certain data, such as marketing communications or placing non-essential cookies. You can withdraw your consent at any time by contacting us or adjusting your preferences in your account settings. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason compatible with the original purpose. We also process data in accordance with applicable national data protection laws and their implementing regulations.

We share your personal data with the following categories of recipients: **Clients and Candidates** To facilitate staffing services, we share relevant candidate information with clients when candidates are assigned to their events, and we share relevant event information with candidates. This includes contact details, qualifications, and availability. **External Payroll and Billing Partners** We may share relevant employment and time tracking data with external payroll and billing partners to facilitate compensation processing outside the Platform. These partners only receive the data necessary to fulfill their functions. **Government Authorities** We may disclose your data to tax authorities, social security institutions, labor inspectorates, or other government bodies when required by law or in response to lawful requests. **Background Check Providers** With your explicit consent, we share personal data with background check providers (including Checkr and Sterling) to conduct identity verification, criminal background checks, and employment history verification. These providers act as independent data controllers for the checks they perform. **Service Providers** We use the following categories of third-party service providers who process data on our behalf: - Hosting and Infrastructure: Supabase (database, authentication, and file storage) - Email Delivery: Resend (transactional emails and notifications) - WhatsApp Messaging: Twilio (OTP verification codes, shift notifications, contract updates, and other platform communications via WhatsApp) - Authentication: Google (social sign-in via Google OAuth) - Font Delivery: Google Fonts (loaded for client branding customization) These providers are contractually bound to protect your data and use it only for specified purposes. We do not sell your personal data to third parties. We require all third parties to respect the security of your personal data and to treat it in accordance with applicable law.

Your personal data may be transferred to and processed in countries outside of the European Economic Area (EEA). **Transfers to Other Countries** When we transfer data to countries that do not have an adequacy decision from the European Commission, we implement appropriate safeguards to protect your data. These safeguards include: - Standard Contractual Clauses (SCCs) approved by the European Commission - Binding Corporate Rules for transfers within our corporate group - The transferee's certification under approved frameworks You can request a copy of the safeguards we use for international transfers by contacting us at contact@shiftlify.io. We only transfer personal data outside the EEA when necessary for the purposes described in this Privacy Policy, and we ensure that appropriate protection measures are in place.

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. **Active Accounts** While your account is active, we retain all data necessary to provide our services. You can access, update, or delete your data through your account settings at any time. **Legal Requirements** We may retain data for longer periods if required by law, if there is an ongoing legal dispute, or if we need to enforce our agreements. **Anonymized Data** We may retain anonymized or aggregated data that can no longer identify you for analytical and statistical purposes indefinitely. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and applicable legal requirements.

Under the EU General Data Protection Regulation (GDPR) and applicable national data protection laws, you have the following rights regarding your personal data: **Right of Access** You have the right to request a copy of the personal data we hold about you and information about how we process it. **Right to Rectification** You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. **Right to Erasure** You have the right to request that we delete your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. **Right to Data Portability** You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. **Right to Object** You have the right to object to processing of your personal data based on legitimate interests. We will stop processing unless we have compelling legitimate grounds. **Right to Restrict Processing** You have the right to request that we restrict the processing of your personal data in certain circumstances. **Right to Withdraw Consent** Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. **Right to Lodge a Complaint** You have the right to lodge a complaint with the data protection supervisory authority in your country of residence. To exercise any of these rights, please contact us at contact@shiftlify.io. We will respond to your request within one month, or inform you if we need additional time.

We use cookies and similar local storage technologies to provide and improve our platform. **Essential Cookies** These cookies are necessary for the platform to function properly. They include: - Authentication cookies: Managed by Supabase to maintain your login session and authentication state - Sidebar preference cookie (sidebar_state): Stores your sidebar layout preference for 7 days You cannot opt out of essential cookies as they are required for the platform to function. **Local Storage** We use your browser's local storage to save certain preferences locally on your device, including: - Notification display preferences - Onboarding tour completion status This data is stored only on your device and is not transmitted to our servers. **Managing Your Preferences** You can control and manage cookies and local storage through your browser settings. Most browsers allow you to refuse or delete cookies and clear local storage. The method varies by browser, so please check your browser's help documentation. Please note that disabling essential cookies will prevent you from using the platform, as they are required for authentication and core functionality. We do not use analytics cookies, advertising cookies, or any form of interest-based advertising or tracking. For more information about the technologies we use, please contact us at contact@shiftlify.io.

We take the security of your personal data seriously and have implemented appropriate technical and organizational measures to protect it. **Technical Measures** We employ industry-standard security measures including: - Encryption of data in transit using TLS/SSL - Encryption of sensitive data at rest - Secure password hashing - Multi-factor authentication (TOTP, recovery codes, and trusted device recognition via device fingerprinting) - Comprehensive audit logging of platform actions for security monitoring - Regular security testing and vulnerability assessments - Firewalls and intrusion detection systems **Organizational Measures** We maintain strict organizational controls including: - Access controls limiting data access to authorized personnel only - Confidentiality agreements with all employees and contractors - Regular security training for staff - Data protection impact assessments for high-risk processing - Vendor security assessments for third-party providers **Incident Response** We have established procedures for detecting, reporting, and investigating personal data breaches. In the event of a breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the legally required timeframes. While we implement these safeguards, no system is completely secure. We cannot guarantee the absolute security of your data, but we are committed to protecting it to the best of our ability.

For certain roles and assignments, we may conduct background checks on candidates with their explicit consent. **Consent Process** Before initiating any background check, we obtain your explicit, informed consent. You will be presented with a clear description of the check to be performed, and you must give active consent before any verification begins. Your consent is recorded with a timestamp and audit trail. **Third-Party Providers** We use the following authorized background check providers: - Checkr: Identity verification and criminal background checks - Sterling: Employment history verification and qualification validation These providers act as independent data controllers for the verification services they provide and are subject to their own privacy policies. **Data Collected** Background checks may include identity verification, criminal record checks, employment history verification, and professional qualification validation. The specific checks performed depend on role requirements and applicable legal requirements. **Data Retention** Background check results are retained for the duration of your active account plus any legally required retention period. You may request deletion of background check data subject to our legal obligations. **Your Rights** You have the right to decline a background check, though this may affect your eligibility for certain assignments. You may request access to your background check results and dispute any inaccurate information with the respective provider.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. **How We Notify You** When we make material changes to this Privacy Policy, we will notify you by: - Posting the updated policy on our platform with a new effective date - Sending you an email notification if the changes significantly affect how we process your data - Displaying a prominent notice on our platform **Effective Date** Any changes to this Privacy Policy will be effective immediately upon posting, unless otherwise stated. The date of the last update is shown at the top of this policy. **Your Continued Use** Your continued use of our platform after we post changes to this Privacy Policy means that you accept those changes. If you do not agree with the updated policy, you should stop using our platform and contact us to close your account. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: **Privacy Inquiries** Email: contact@shiftlify.io **Postal Address** MELIORAPPS INTERACTIVE SRL Attn: Privacy Team Mihail Sadoveanu 20/1 Chisinau, MD-2044 Moldova **Response Timeframe** We aim to respond to all privacy-related inquiries within 5 business days. For formal data subject requests (access, deletion, etc.), we will respond within one month as required by law. If your request is complex or we receive many requests, we may extend this period by up to two additional months, but we will notify you if this is the case. **Supervisory Authorities** If you are not satisfied with our response, you have the right to lodge a complaint with the data protection supervisory authority in your country of residence.