WebShiftPlanner
Legal

Privacy Policy

Last updated: 29 May 2026

WebShiftPlanner Ltd. ("we", "us", "our"), registered in Cyprus, is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, where we store it, and what rights you have under the General Data Protection Regulation (GDPR).

1

Information We Collect

We collect the following categories of personal data:

Account and profile data. When a Manager registers, we collect their full name, email address, and a bcrypt-hashed password. Managers also provide a business name.

Employee data. When a Manager adds employees, we collect each employee's full name, email address, phone number (optional), and role/position. This data is entered directly by the Manager.

Schedule and shift data. We store all scheduling information you create: shift dates, start and end times, role assignments, shift notes, published/unpublished status, and shift swap requests and approvals.

Usage data. We record each user's last login timestamp and email notification preferences. We do not collect browser fingerprints, IP addresses, or behavioural analytics.

What we do not collect. We do not collect payment card details (billing is handled separately), and we do not track your activity across other websites. We do not use advertising networks or third-party analytics services (e.g. Google Analytics).

2

How We Use Your Information

We use personal data only for the following purposes:

  • Providing and operating the Service — authenticating users, displaying schedules, processing shift swaps
  • Sending email notifications when a schedule is published and shift reminders 24 hours before each shift
  • Sending welcome emails to newly added employees with their login credentials
  • Responding to customer support enquiries
  • Detecting and preventing unauthorised access or fraudulent use
  • Complying with applicable legal obligations

We do not sell, rent, share, or disclose your personal data to third parties for their own marketing or commercial purposes. We do not use your data to train artificial intelligence models.

3

Data Storage and Security

Storage location. All personal data is stored on infrastructure located within the European Union:

  • Database: Turso (libSQL), hosted in the Ireland region (eu-west-1) of their cloud infrastructure.
  • Web application: Vercel, with edge routing configured to prefer EU regions.

Security measures.

  • All data is encrypted in transit using TLS 1.2+ (HTTPS). Plain HTTP is not accepted.
  • Passwords are hashed using bcrypt with a cost factor of 12 and are never stored or logged in plain text.
  • Database access is restricted to authorised application services only via token-based authentication.
  • Session tokens are stored as signed JWTs and validated on every authenticated request.
  • Access logs are retained for 90 days.

Data retention. We retain your data for as long as your account is active. Following account cancellation, your data is retained for 30 days to allow you to export it, after which it is permanently and irreversibly deleted.

4

Your GDPR Rights

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR). To exercise any of these rights, contact privacy@webshiftplanner.com.

Right of Access

Request a copy of all personal data we hold about you, including your account data, employee records, and schedule history.

Right to Rectification

Request correction of any personal data we hold that is inaccurate, incomplete, or out of date.

Right to Erasure

Request deletion of your personal data ("right to be forgotten"). We will delete your data within 30 days unless retention is required by law.

Right to Data Portability

Request your personal data and schedule history in a structured, machine-readable format (JSON or CSV).

Right to Object

Object to the processing of your personal data for specific purposes. We will cease processing unless we have compelling legitimate grounds.

Right to Lodge a Complaint

Lodge a complaint with the Cyprus Commissioner for Personal Data Protection at dataprotection.gov.cy.

We will respond to all rights requests within 30 days. If we need additional time (up to a maximum of 90 days in complex cases), we will notify you within the initial 30-day period.

5

Cookies

We use only strictly necessary cookies required to operate the Service. We do not use advertising cookies, analytics cookies, tracking pixels, or any cross-site tracking technology.

Session authentication cookie

  • Name: next-auth.session-token (HTTP) / __Secure-next-auth.session-token (HTTPS)
  • Purpose: Maintains your authenticated session after login
  • Expires: Automatically when you log out or the session expires
  • Third-party: No — set by WebShiftPlanner only

No consent banner is shown because we do not use any non-essential cookies. If we introduce any non-essential cookies in the future we will update this policy and implement appropriate consent mechanisms.

6

Third-Party Services

We use the following carefully selected sub-processors to operate the Service. Each provider processes personal data only as necessary to deliver their service to us and is contractually bound to protect your data in accordance with GDPR.

Resendresend.com
Email delivery

Used to send schedule publication notifications, shift reminders, and employee welcome emails. Employee email addresses are shared with Resend solely for this delivery purpose. Resend is GDPR-compliant and processes data under standard contractual clauses.

View privacy policy →
Vercelvercel.com
Web application hosting & CDN

Hosts the WebShiftPlanner web application and serves it globally via a content delivery network. All HTTP requests pass through Vercel's infrastructure. Vercel is GDPR-compliant and certified under the EU-US Data Privacy Framework.

View privacy policy →
Turso (ChiselStrike)turso.tech
Database hosting

Hosts the application database in their Ireland (eu-west-1) region. All schedule data, user accounts, and employee records are stored here. Data remains within the EU at all times. Turso is GDPR-compliant.

View privacy policy →
7

Data Requests and Contact

For all privacy-related requests — including access, export, correction, or deletion of your personal data — please contact our privacy team:

Email: privacy@webshiftplanner.com

Subject line: Data Request – [Your Name / Business Name]

We respond to all data requests within 30 days.

For general support enquiries: support@webshiftplanner.com

8

Company Details and Policy Updates

WebShiftPlanner Ltd.

Country of incorporation: Cyprus

General contact: support@webshiftplanner.com

Privacy contact: privacy@webshiftplanner.com

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify registered Manager accounts by email at least 14 days before any material changes take effect. The "last updated" date at the top of this page reflects the most recent revision.

Continued use of the Service after the effective date of any update constitutes your acceptance of the revised Privacy Policy.