Privacy Policy
This policy explains what personal information we collect, how we use it, who we share it with, and the rights you have. It's plain language by design.
1. Introduction
ShiftHub is a workforce-management platform operated by ShiftHub (Pty) Ltd ("ShiftHub", "we", "us"), a private company incorporated in South Africa. We take your privacy seriously and handle personal information in line with the Protection of Personal Information Act, 2013 (POPIA) and other applicable laws.
This policy covers our public website (shifthub.co.za), our admin and worker applications, and our APIs. It applies both to you as a visitor or customer (the tenant admin), and — at a high level — to the workers managed inside a tenant workspace.
2. Who we are
Responsible Party: ShiftHub (Pty) Ltd
Country: South Africa
Contact for privacy matters: legal@shifthub.co.za
For customers (tenants) who host personnel data in ShiftHub, the tenant is the Responsible Party for that personnel data, and ShiftHub is the Operator acting on the tenant's documented instructions.
3. Information we collect
3.1 Information you give us directly
- Account creation: your name, work email, company name, workspace slug, phone number (optional), chosen password.
- Billing: company VAT number, billing address, payment details processed by PayFast (we do not store card numbers).
- Support: message content, attachments, and account context when you email, chat or call us.
3.2 Information about your workers (tenant-held data)
Tenants upload and manage data about their own workers. As Operator, we process whatever the tenant chooses to store, which typically includes:
- Name, ID/passport number, contact details, address
- Role, grade, qualifications, document expiries
- Clock events, GPS coordinates at clock-in/out, shift assignments
- Incident reports, duty-log entries, panic events
- Firearm licence numbers, ammunition draw records (if the firearms module is in use)
- Vehicle and driver-licence information (if the fleet module is in use)
3.3 Information collected automatically
- Device & log data: IP address, browser, operating system, pages viewed, timestamps.
- Cookies: session cookies for login, CSRF tokens, preference cookies. See our Cookie Policy.
- Diagnostic data: error traces (scrubbed of sensitive fields), performance metrics.
4. How we use your information
- Provide, operate and maintain the Service (including rostering, clock-in, reporting).
- Authenticate users, enforce security (2FA, session management, rate limits).
- Process subscription billing via PayFast.
- Send service-related emails (trial reminders, billing receipts, security alerts).
- Improve our product (aggregated, non-identifying analytics).
- Respond to support requests.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell personal information, run third-party advertising inside the product, or use customer data to train third-party AI systems.
5. Lawful basis for processing
Under POPIA, we process personal information on one of the following grounds:
- Contract: to deliver the Service you signed up for.
- Legitimate interest: to secure our systems, prevent fraud, improve the product.
- Legal obligation: retention for tax, audit, or dispute-resolution purposes.
- Consent: where required (e.g., non-essential cookies, marketing emails to prospects).
6. Who we share with
We share personal information only as necessary and with appropriate safeguards:
| Category | Provider | Purpose |
|---|---|---|
| Cloud hosting | AWS (EU, optionally ZA for Enterprise) | Application hosting, database, storage |
| Email delivery | Mailgun / Postmark | Transactional & marketing email |
| Payment processing | PayFast | Subscription billing, card storage |
| SMS delivery | SMS Portal / Clickatell | Transactional SMS (if enabled) |
| Error monitoring | Sentry | Application error tracking (PII scrubbed) |
| Analytics | Plausible (self-hosted) | Privacy-respecting aggregate analytics |
Each processor operates under a Data Processing Agreement or equivalent. We do not transfer personal information to any third party except as listed above or required by law.
7. Data retention
- Active subscription: retained for as long as you maintain an active workspace.
- Cancelled / expired trial: retained for 30 days after trial-end or cancellation, then deleted (except where legal retention requires longer — e.g., invoicing records held for 5 years per SARS rules).
- Audit logs: retained for the life of the workspace; exported copies are the tenant's responsibility.
- Backups: encrypted daily backups held for 30 days.
8. Security measures
- TLS 1.3 encryption for all traffic.
- At-rest encryption (AES-256) for sensitive fields including ID numbers and firearm licences.
- bcrypt password hashing; mandatory TOTP-based 2FA for privileged roles.
- Hardware-backed secrets management for credentials and keys.
- Automated intrusion detection and rate limiting.
- Immutable audit logging of all sensitive actions.
- Annual third-party penetration testing.
- Least-privilege access controls for ShiftHub engineers.
9. International transfers
Standard-tier tenants are hosted in EU (Ireland) data centres. Enterprise tenants may elect ZA-region hosting. Where personal information crosses borders, we rely on:
- Adequacy decisions (e.g., EU–ZA data flows under POPIA s72(1)(a)).
- Binding Corporate Rules or Standard Contractual Clauses with processors.
- Your explicit consent, where applicable.
10. Your rights under POPIA
You have the right to:
- Access the personal information we hold about you.
- Rectify inaccurate information.
- Request deletion of information we no longer have a lawful basis to keep.
- Object to processing (e.g., withdraw marketing consent).
- Data portability — receive your data in a machine-readable format.
- Lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za).
To exercise any right, email legal@shifthub.co.za. We respond within 30 days (often much faster).
If you're a worker in someone else's workspace: the Responsible Party is your employer, not ShiftHub. We pass your request to them and support them in responding.
11. Children
ShiftHub is not intended for users under 18. We do not knowingly collect information from children. If a worker record of a minor is uploaded (e.g., for an apprenticeship context), the tenant must have valid consent under POPIA s34.
12. Cookies
We use strictly-necessary session and CSRF cookies for the application to function. We use privacy-respecting, server-side analytics — no third-party tracking pixels. See our Cookie Policy for the full list.
13. Changes to this policy
We may update this policy to reflect new features, legal requirements, or operational changes. When we make material changes, we'll email all active-subscription contacts at least 14 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version.
14. Contact us
Privacy or data-subject queries: legal@shifthub.co.za
General support: hello@shifthub.co.za
Information Regulator (ZA): inforegulator.org.za
Questions about this policy?
Email legal@shifthub.co.za. We reply within two business days.