Privacy Policy

Last updated: 2026-07-02

Controller Information

The controller responsible for data processing under the General Data Protection Regulation (GDPR) is:

ShiftCal (independent developer) Spain

Contact email for privacy matters: [email protected]

Scope of this Policy

This Privacy Policy applies to the ShiftCal mobile application and the website shiftcal.app (the “Service”). It explains what data we collect, how we use it, and your rights under the GDPR.

Data You Provide

Offline Use

You can use ShiftCal without creating an account. In this case, all your data (shifts, notes, calendars) is stored locally on your device and is not transmitted to us.

Account, Calendar Connections & Cloud Sync

If you create an account or enable calendar-related features, we may process:

  • Email address – used for authentication, account access, and essential service communication
  • Shift data, notes, and related schedule settings that belong to your ShiftCal account – used to display your schedule, calculate statistics, and, if you enable sync or backup, stored encrypted on secure servers to synchronize your data between devices
  • Connected or imported calendar information available on your device – such as calendars or calendar events you choose to display, import, export, or analyze locally in ShiftCal

Health-Related Insights and Derived Data

ShiftCal may analyze the shift schedules, work hours, rest intervals, night shifts, late finishes, and calendar events that you create, import, or connect in order to generate optional in-app wellbeing insights.

These insights may include:

  • Rest and recovery metrics
  • Night work percentage
  • Quick turnaround alerts
  • Estimated sleep debt
  • Circadian disruption indicators
  • Recovery estimates
  • A schedule or health score shown inside the stats section

In the current version of the app, these calculations are generated locally on your device from the shift and calendar data available in the app.

ShiftCal does not access or import data from Google Fit, Health Connect, Apple Health, medical records, wearable devices, or biometric sensors.

Health-related insight values are not stored separately on our servers. They are recalculated locally from the schedule data available on your device whenever needed.

Data Collected Automatically

When you use the Service, some limited technical data may be processed to ensure functionality, reliability, and security, such as:

  • Device type and operating system version
  • Basic server logs (e.g., connection timestamps)
  • App version and technical diagnostics needed to maintain service stability
  • Crash logs and diagnostic data used to detect, investigate, and fix errors
  • Analytics events related to app usage, such as screen views, onboarding steps, login flows, purchases, and feature interactions
  • Pseudonymous identifiers or internal account identifiers needed for analytics, diagnostics, subscriptions, sync, or abuse prevention

This information is used to operate, secure, improve, and measure the Service. Where required by law, non-essential analytics or advertising-related processing is used only after obtaining the required consent.

Advertising

ShiftCal may display advertisements to support the development of the app.

We use third-party advertising providers such as Google AdMob. These providers may process:

  • Device advertising identifiers
  • Approximate location derived from IP address
  • Basic device information required to serve ads

Where required by law, non-essential advertising technologies are only used after obtaining your consent via the system permission prompt or consent dialog.

You can manage or withdraw advertising consent at any time through your device privacy settings.

Legal Bases for Processing (GDPR)

We process personal data on the following legal grounds:

  • Contract (Art. 6(1)(b) GDPR): To provide account, calendar, sync, backup, and requested schedule analysis features
  • Consent (Art. 6(1)(a) GDPR): For personalized advertising, analytics, or other non-essential technologies where consent is required
  • Legitimate Interests (Art. 6(1)(f) GDPR): To maintain service security, prevent abuse, ensure technical stability, investigate crashes, and improve core functionality where permitted

Data Sharing and Processors

We do not sell your personal data.

We may share data only with trusted service providers that process information on our behalf, such as:

  • Cloud hosting providers (for account and sync storage)
  • Analytics and crash reporting providers
  • Advertising providers (for displaying ads)
  • Infrastructure services required to operate the app

These providers process data only under contractual obligations and appropriate safeguards required by the GDPR.

International Data Transfers

Some service providers may process data outside the European Economic Area (EEA), including in the United States.

When this occurs, we rely on appropriate safeguards such as:

  • EU Standard Contractual Clauses (SCCs)
  • Providers participating in recognized data protection frameworks where applicable

Data Retention

  • Locally stored shift, calendar, and notes data remains on your device until you delete it
  • Account data is stored while your account remains active
  • If you delete your account, your personal data is deleted from active systems
  • Backup copies may remain for a limited period for security reasons and are automatically removed thereafter
  • Health-related insight values shown in the app are generated locally from your schedule data and are not stored separately on our servers

Your GDPR Rights

If you are located in the European Union, you have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion of your data
  • Request restriction of processing
  • Object to processing based on legitimate interests
  • Request data portability where applicable

You can exercise your rights by contacting: [email protected]

You also have the right to lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD).

Children’s Privacy

ShiftCal is not intended for children under the age of 14 in accordance with Spanish data protection law. We do not knowingly collect personal data from children under this age.

Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encrypted data transmission (HTTPS / TLS)
  • Secure authentication mechanisms
  • Access controls on infrastructure systems

Payments and Subscriptions

ShiftCal may offer optional in-app purchases and subscriptions. All payments are processed directly by the Apple App Store or Google Play Store. We do not receive or store your payment card number or other financial details.

We only receive your purchase or subscription status (for example, whether a subscription is currently active), linked to a pseudonymous store or account identifier, which we use to unlock premium features, provide support, and prevent abuse. You can manage or cancel a subscription at any time through your Apple ID or Google Play account settings.

Device Permissions

Depending on the features you use, ShiftCal may ask for the following device permissions. You can grant or revoke each of them at any time in your device settings:

  • Calendar – to display, import, or export the shifts and events you choose to sync
  • Notifications – to send the shift reminders and alerts you enable

We access this data only for the feature you activate. Denying a permission simply disables that specific feature; the rest of the app keeps working.

Sharing Your Schedule

ShiftCal lets you share your schedule with other people, for example through a share link. Any shift information you choose to share becomes accessible to anyone who has the link. You are responsible for managing these shares and for revoking access when it is no longer needed.

Analytics and Crash Reporting

To keep the Service stable and understand how it is used, we rely on the following processors:

  • PostHog – product analytics (screen views, feature usage, and similar events)
  • Sentry – crash reporting and error diagnostics

ShiftCal does not use Firebase Analytics, Crashlytics, Apple Health, Google Fit, or Health Connect. Where the law requires it, non-essential analytics is used only after you give consent.

Account and Data Deletion

You can delete your account and all associated personal data at any time directly in the app via Settings > Account > Delete Account, or by emailing [email protected]. Deletion removes your data from our active systems; backup copies are removed automatically within a limited period for security reasons.

Changes to this Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify users through the app or website and update the “Last updated” date above.

Contact

For any privacy or data protection questions, contact:

[email protected]

AI Assistant

When you use the in-app AI Assistant, the messages you send (including any text or files you provide) and the assistant's responses are processed by our AI provider to generate replies and are stored on our servers, linked to your account.

Purpose and legal basis. We retain these conversations to provide the feature and keep your chat history, and — on the basis of our legitimate interest (Art. 6(1)(f) GDPR) — to detect, prevent and investigate abuse, security incidents and misuse of the assistant.

Retention. Conversations are kept for up to 12 months after your last activity in them and are then deleted automatically. When you delete a conversation it disappears from your account immediately; a copy may be retained for the rest of that period for the security purposes above.

Processors and international transfers. Assistant messages are sent to our AI model provider, acting as a processor on our behalf, which may involve transfers outside the EEA under appropriate safeguards (such as Standard Contractual Clauses). Please do not enter unnecessary personal or sensitive data into the assistant.