Privacy notice
Last updated: 2026-05-09 (Pass 65 stub — biometric posture amended to cover Pass 63 mobile app-unlock alongside future clock-in/out and sign-off paths. Counsel-reviewed final version lands at Sprint 6 per the project roadmap).
Data controller
MyShift is the data controller for the personal data processed through this service. Contact: privacy@my-shift.ch.
What we collect
- Account data (name, email, password hash) — provided by you on signup; legal basis: contract performance (revFADP Art 31 / GDPR Art 6(1)(b)).
- Tenant + employment data (establishment name, canton, employment records, time-tracking entries) — provided by Owners + Managers; legal basis: contract performance.
- Billing data (Stripe customer ID + subscription status) — handled by Stripe; we never see card numbers.
- Server-side error data (anonymised stack traces) — Sentry server SDK; legal basis: legitimate interest (system security + error correction; GDPR Art 6(1)(f)). Browser SDK is currently disabled (Phase A) — see sub-processors.
- Aggregated landing-page analytics — Plausible Analytics; cookieless, no persistent identifiers, no PII (per Plausible Data Policy fetched 2026-05-08).
Sub-processors
We use third-party sub-processors to deliver the service. The full list with jurisdictions and legal bases is published at /sub-processors. You will receive at least 30-day prior notice of material sub-processor changes (manual at v1; RSS feed planned for v1.5+).
Your rights
Under the revised Swiss Federal Act on Data Protection (revFADP, in force 2023-09-01) and the EU General Data Protection Regulation (GDPR, where applicable), you have the right to:
- access your personal data (revFADP Art 25 / GDPR Art 15)
- rectify inaccurate data (revFADP Art 32 / GDPR Art 16)
- delete data when no longer needed (revFADP Art 32 / GDPR Art 17)
- export data in a structured format (revFADP Art 28 / GDPR Art 20)
- object to processing based on legitimate interest (GDPR Art 21)
- withdraw consent for any opt-in processing (biometric unlock, geofence) at any time — see the opt-in items under FDPIC posture below, or contact us.
Data residency
Phase A (current pilot environment): data is stored at Vercel + Supabase Cloud Frankfurt EU. Phase B (commercial-launch target): data moves to Infomaniak Geneva for Swiss data residency. Customers will be informed of the cutover at least 30 days in advance.
FDPIC posture
- Biometric data (mobile app unlock via Face ID / Touch ID / fingerprint, plus future clock-in/out and validation sign-off): processed device-only inside the OS Secure Enclave (iOS) or Trusted Execution Environment (Android). The biometric template, its metadata and any biometric-derived key never leave that boundary and never reach our application; the OS returns only a pass/fail result. Biometric unlock is opt-in, and a magic-link fallback is always available.
- Geofence data: opt-in only; raw GPS coordinates never stored — only an in/out boolean.
- Sick-note data: dates only; never the diagnostic content.
- Sensitive payroll PII (AVS / AHV number, IBAN): encrypted at rest with AES-256-GCM (implemented with the audited @noble/ciphers library). Cleartext values never appear in logs, audit trails or backups; backups contain only the ciphertext. The key is held outside the database, never in a table. Migration to KMS-backed envelope encryption with key rotation is planned for Phase B (Infomaniak Geneva).
- Mobile session tokens: AES-256-GCM-encrypted on-device with a per-install key held in the OS-managed keystore (iOS Keychain / Android Keystore). The ciphertext is stored in app-private AsyncStorage; the plaintext session JWT is never persisted at rest.
- Device verification (attestation d'appareil, the mobile clock-in trust signal): when you clock in or out from the MyShift mobile app, the operating system produces a cryptographic device-trust signal (Apple App Attest on iOS; Google Play Integrity on Android) that we verify with the OS vendor's verification service (Apple Inc., USA / Google LLC, USA). The payload carries an anonymous device-instance identifier, a digital signature and a timestamp; it contains no biometric data, contact list, location or personally identifying metadata. The Apple/Google verification step is a transient sub-processor call (the data is discarded once the verdict is returned); we never send your name, email, phone number or any MyShift account identifier to Apple or Google during attestation. Cross-border transfer to these US-resident sub-processors is governed by Standard Contractual Clauses under revFADP Art 16 al. 2 let. d and the Swiss-US Data Privacy Framework. The full lawful basis, transfer mechanism and retention schedule are documented in our Data Protection Impact Assessment for mobile attestation. Fallback: if attestation fails (e.g. rooted or jailbroken device, no connectivity), MyShift falls back to a manager-approved manual clock-in path; service is never refused on the basis of attestation alone.
- Soft-deleted establishments (archived restaurants/hotels): flagged as archived but retained in the database to preserve audit-log and payroll-bridge continuity. To exercise your right to erasure under revFADP Art 32 / GDPR Art 17, contact us via the methods below; we honour erasure requests subject to the legal retention exemptions (audit, accounting, payroll).
- Shift-modification request narratives (free-text reason you may write when asking to swap or drop a shift, and the manager's decision rationale): tenant-scoped, manager-readable, retained for the audit + dispute window. Avoid including sensitive medical or family details in the free text — a structured kind (move_time / swap_with_peer / drop) is captured separately and is sufficient for most cases.
Complaints
You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch or with the supervisory authority of your EU member state.
This is a v1 stub. The Sprint 6 counsel-reviewed final version will replace it. Material data-subject rights remain as stated above.