Privacy Policy
Last updated: June 2026
1. General
Shifts-360 ("the Service", "we") is committed to protecting user privacy. This policy explains what information we collect, how we use it, and how we protect it, in accordance with Israel's Privacy Protection Law (1981, Amendment 13 – 2023) and the EU General Data Protection Regulation (GDPR).
2. Information We Collect
- Account details: business name, username, email address, encrypted password.
- Business data: employees, shifts, suppliers, products, inventory, cash flow — all data you enter.
- Usage data: pages visited, login times, IP address.
- Cookies: authentication cookie (auth_token) to maintain login state.
- Payment data: processed by LemonSqueezy (our Merchant of Record) — credit card details are never stored by us.
3. How We Use Your Information
- Operating the service and providing access to features.
- Sending system messages (email verification, password reset).
- Improving the service and diagnosing issues.
- Communicating about subscription renewal or service changes.
We do not sell or share your information with third parties for marketing purposes.
4. Legal Basis for Processing
- Contract performance: processing is necessary to provide the purchased service.
- Legitimate interest: service improvement, fraud prevention, system security.
- Consent: sending marketing communications (only with explicit consent).
5. Data Sharing with Third Parties
Data is shared only with service providers necessary to operate the platform:
- LemonSqueezy — payment processing and invoicing (acts as our Merchant of Record).
- Neon (PostgreSQL) — database hosting on AWS infrastructure.
- Vercel — application hosting, delivery, and traffic analytics (Vercel Analytics).
- Resend — transactional email delivery.
- Google — usage analytics (Google Analytics, Google Tag Manager).
- Meta (Facebook) — advertising conversion measurement (Meta Pixel).
- Hotjar — user-experience analytics and anonymized session recordings.
6. Data Storage & Retention
Data is stored on Neon (PostgreSQL) secure servers on AWS infrastructure in the United States. Passwords are encrypted with bcrypt and never stored in readable form. Because some data is stored in the United States, transfers outside the European Economic Area rely on the EU Standard Contractual Clauses (SCCs). In the event of a security incident affecting personal data, we will notify the relevant supervisory authority and affected users within 72 hours, as required.
- Active account data: for the duration of the subscription.
- Backups and logs: up to two years after subscription ends.
- After account deletion: all data is permanently deleted within 30 days.
7. Your Rights
- Access: you can view all your data through the user interface.
- Rectification: you can update your details at any time.
- Deletion: full account deletion is available in Account Settings.
- Portability: export all your data as JSON or Excel from the interface.
- Objection: you can object to certain processing by contacting us.
- Complaint: you have the right to lodge a complaint with the Israeli Privacy Protection Authority or your EU member state's supervisory authority.
8. Cookies
We use the following types of cookies: (1) Essential — auth_token, an encrypted JWT cookie that maintains login state (expires in 7 days); (2) Analytics — Google Analytics, Google Tag Manager, and Hotjar, to measure usage and improve the service; (3) Marketing — Meta Pixel, to measure advertising performance. We are currently rolling out a cookie-consent tool that will let you accept or reject non-essential cookies. Until then, you can block cookies via your browser settings.
9. Minors
The service is not directed at users under 18. We do not knowingly collect information from minors. If we become aware that such data has been collected, we will delete it immediately.
10. Supervisory Authority
Users in Israel: you may contact the Israeli Privacy Protection Authority. Users in the EU: you may contact the data protection authority in your member state.