Privacy Policy

Last updated: 26 March 2026 — Effective immediately

1. Who we are

ShiftDesk is a workforce management platform operated by ShiftDesk Ltd (“we”, “us”, “our”). We are the data controller for information collected through this website and for our own business data. For employee data entered by your employer (a ShiftDesk tenant), your employer is the data controller and ShiftDesk acts as a data processor on their behalf.

Contact: hello@shiftdesk.co.uk

2. What data we collect

  • Account data: name, email address, business name collected at registration.
  • Employee data (entered by your employer): name, job title, department, start date, pay rate, leave records, shift schedules.
  • Authentication data: encrypted session tokens (Supabase authentication cookies).
  • Billing data: handled directly by Stripe — we do not store card numbers.

3. Lawful basis for processing

  • Contract performance (UK GDPR Article 6(1)(b)) — providing the scheduling and workforce management service.
  • Legitimate interests (UK GDPR Article 6(1)(f)) — security, fraud prevention, platform improvement.
  • Legal obligation (UK GDPR Article 6(1)(c)) — compliance with HMRC record-keeping requirements.
  • Employment law obligations (UK GDPR Article 9(2)(b), Schedule 1 DPA 2018 para. 1) — processing health/sickness data for employment purposes.

4. How we use your data

  • Providing and operating the ShiftDesk platform
  • Scheduling shifts and managing leave entitlements
  • Processing subscription payments via Stripe
  • Sending transactional emails (invite, leave notifications) via Resend
  • Improving platform reliability and security

5. Who we share data with

We use the following third-party data processors:

  • Supabase — database and authentication hosting (US-based, UK IDTA in place)
  • Stripe — payment processing (US-based, UK IDTA in place)
  • Resend — transactional email delivery (US-based, UK IDTA in place)
  • Vercel — application hosting (US-based, UK IDTA in place)

We do not sell your personal data to any third party.

6. Data retention

Employee records are retained for a minimum of 3 years after employment ends, reflecting HMRC payroll record-keeping guidance. Working Time Regulations records are kept for a minimum of 2 years from the date of creation. Tenants may configure a longer retention period. The exact period depends on your business circumstances; we recommend taking independent legal advice on your obligations. Upon a valid right-to-erasure request, personal data is anonymised and health/sickness data is permanently deleted. Some records may be retained where required by law (e.g. tax records).

7. Your rights

Under UK GDPR you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request erasure (“right to be forgotten”)
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent (where processing is based on consent)

For account owners: Contact us at hello@shiftdesk.co.uk. We will respond within 30 days.

For employees: Contact your employer (the data controller) to exercise your data rights. ShiftDesk will assist your employer in responding to your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We use industry-standard security measures including AES-256-GCM encryption for sensitive payroll data at rest, TLS encryption in transit, row-level security on all database tables, and role-based access controls.

9. Data breach notification

If we discover a personal data breach, we are legally required to notify the Information Commissioner's Office (ICO) within 72 hours and will notify affected tenants without undue delay. We will provide details of the breach, the likely consequences, and steps we have taken to secure data and prevent recurrence.

10. Data subject rights requests (DSARs)

If you are an employee and wish to exercise your rights (access, correction, erasure, etc.), you should contact your employer in the first instance. Your employer is the data controller for employee data entered into ShiftDesk. ShiftDesk will assist your employer in responding to your request in compliance with UK GDPR timelines.

11. Changes to this policy

We may update this policy. Material changes will be communicated by email to account owners. Continued use of ShiftDesk after the effective date constitutes acceptance.