1. Introduction & Data Controller
This Privacy Policy explains how Digital Elegance LLC d/b/a MyShiftX (“MyShiftX,” “we,” “us,” or “our”) collects, uses, and shares information about you when you use our shift coordination platform (“the Service”).
Digital Elegance LLC is the data controller responsible for your personal information. If you have questions or requests regarding your privacy, contact us at support@myshiftx.com.
By using the Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Service.
2. Information We Collect
A. Information You Provide Directly
- Account information: Display name, email address, and hashed password when you register
- Profile information: Phone number (optional), notification preferences, time zone, date and time format preferences
- Shift and request data: Shift offers and requests you post, including dates, times, shift titles, and details
- Communications: Comments, direct messages you exchange with other board members (including any reactions and read status), and flags submitted through the platform
- Payment information: Billing details collected by Stripe when you subscribe to Pro (we do not store full card numbers — see Section 8)
- OAuth information: If you sign in via Google, Facebook, or LinkedIn, we receive your name and email address from that provider
- Support communications: Messages you send to our support team
B. Information Collected Automatically
When you use the Service, we and our service providers automatically collect:
- Log data: IP address, browser type and version, pages visited, timestamps, referring URLs, and error logs
- Device information: Device type, operating system, and browser settings
- Usage data: Features you use, actions you take, and time spent on the Service
- Cookies and similar technologies: Session identifiers and functional cookies needed to keep you logged in (see Section 7)
3. How We Use Your Information
We use your information for the following purposes:
- To create and manage your account and provide the Service
- To display your shift posts and profile information to other approved members of your boards
- To send transactional emails (email verification, password reset, shift match alerts, board approval notifications)
- To send SMS notifications if you have opted in as a Pro member
- To process subscription payments and manage your billing
- To moderate the platform, investigate reports, and enforce our Terms of Service
- To detect, prevent, and respond to fraud, abuse, and security incidents
- To improve and develop the Service based on aggregated, anonymized usage patterns
- To respond to your support requests and communications
- To comply with our legal obligations
We do not use your information for external advertising, sell it to data brokers, or share it for third-party marketing purposes.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:
- Contract: Processing necessary to provide the Service you have registered for (account management, shift coordination, billing)
- Legitimate interests: Fraud prevention, security, platform integrity, and improving the Service — where our interests do not override your rights
- Consent: SMS notifications and any optional marketing communications — you may withdraw consent at any time
- Legal obligation: Where we must process data to comply with applicable law or respond to valid legal process
5. Information Sharing & Disclosure
We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:
Within the Platform
- Your display name and shift posts are visible to all approved members of the boards you belong to
- Your direct messages are visible only to the other participant in that conversation. They are not visible to other board members or board moderators. Messages are stored on our servers so conversations sync across your devices, and may be reviewed by MyShiftX when investigating a flag, abuse report, or suspected violation of our Terms of Service
- Deleting a chat removes it from your view only — the other participant retains their copy of the conversation
- Your display name is associated with your comments, flags, and interest marks as visible to moderators and post owners
Service Providers
We share data with third-party service providers who assist us in operating the Service. These providers are contractually bound to use your data only as directed by us and to maintain appropriate security. See Section 6 for a full list.
Legal Requirements
We may disclose your information if required to do so by law, subpoena, court order, or other governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of MyShiftX, our users, or the public.
Business Transfers
In the event of a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email before your information is transferred and becomes subject to a different privacy policy.
6. Third-Party Service Providers
We use the following third-party services. Each processes your data in accordance with their own privacy policies:
- Supabase (supabase.com) — database hosting, authentication, and real-time data sync. Data stored on AWS infrastructure in the United States.
- Vercel (vercel.com) — application hosting and global content delivery.
- Stripe (stripe.com) — payment processing for Pro subscriptions. Stripe is PCI-DSS compliant. We never see or store your full card number.
- Resend / Amazon SES (resend.com) — transactional email delivery (verification, password reset, shift notifications).
- Twilio (twilio.com) — SMS delivery for Pro tier match notifications. Your phone number is shared with Twilio only if you opt in to SMS.
- Google (google.com) — optional OAuth sign-in. If used, Google shares your name and email with us.
- Facebook / Meta (meta.com) — optional OAuth sign-in. If used, Meta shares your name and email with us.
- LinkedIn (linkedin.com) — optional OAuth sign-in. If used, LinkedIn shares your name and email with us.
- Google AdSense (google.com/adsense) — advertising shown to Basic (free) tier users. AdSense may set cookies and collect usage data for ad personalization. Pro members do not see ads and are not subject to AdSense data collection.
7. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
- Session cookies: Required to keep you logged in while you use the Service. These are deleted when you close your browser or log out.
- Preference cookies: Store your display preferences (dark mode, time format, time zone) locally on your device.
- Security cookies: Used to detect and prevent fraud and unauthorized access.
- Third-party cookies (Basic tier only): Google AdSense may set cookies for ad personalization. You can manage these through our cookie consent banner or your browser settings.
We do not use tracking pixels, cross-site tracking, or behavioral advertising cookies for our own marketing. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent; however, some features of the Service may not function properly without cookies.
8. Payment Information
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. When you subscribe to Pro, your payment card details are entered directly into Stripe's secure environment. We do not receive, transmit, or store your full card number, CVV, or banking credentials.
We retain records of your subscription status, billing cycle, and transaction amounts for accounting and customer support purposes. These records are retained for 7 years to comply with tax and financial record-keeping requirements.
9. SMS & Email Communications
Transactional Emails
We send transactional emails as part of operating the Service, including email address verification, password reset, board approval notifications, shift match alerts (Pro tier), and billing receipts. These emails are necessary for the Service and cannot be opted out of while your account is active.
SMS Notifications (Pro Tier)
If you are a Pro member and opt in to SMS notifications, your phone number is shared with Twilio to deliver shift match alerts. You may opt out at any time by replying STOP to any message or by disabling SMS in your profile settings. Up to 30 messages per month may be sent. Message and data rates may apply.
10. Data Security
We implement industry-standard technical and organizational measures to protect your personal information, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Passwords stored using bcrypt hashing — never in plain text
- Row-level security (RLS) policies on our database ensuring users can only access data they are authorized to see
- Access controls limiting staff access to personal data on a need-to-know basis
No system is completely secure. We cannot guarantee absolute security of your information. If you believe your account has been compromised, contact us immediately at support@myshiftx.com.
Data Breach Notification: In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and applicable regulators within the timeframes required by applicable law (72 hours under GDPR; as soon as reasonably practicable under US state laws).
11. Data Retention
We retain your information for the following periods:
- Account and profile data: Retained while your account is active and for up to 30 days after you request deletion or deactivate your account
- Shift and request posts: Deleted immediately upon account deactivation; expired posts are archived for up to 90 days before permanent deletion
- Payment and transaction records: Retained for 7 years to comply with tax and financial record-keeping obligations
- Server log files: Retained for up to 90 days
- Support communications: Retained for up to 2 years after your last interaction
Upon verified deletion, all personal data is permanently removed within 30 days. Anonymized, aggregated statistics (such as total post counts) that cannot be linked back to you may be retained indefinitely.
12. Your Rights & Choices
All Users
Regardless of where you live, you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correct: Update inaccurate information through your Profile page or by contacting us
- Delete: Request deletion of your account and personal data (see our Data Deletion page)
- Opt out of SMS: Reply STOP to any text message or disable SMS in your profile settings
- Opt out of email notifications: Adjust notification preferences in your profile settings
California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act:
- Right to Know: The categories and specific pieces of personal information we collect, use, disclose, and sell (we do not sell personal information)
- Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions
- Right to Opt-Out of Sale: We do not sell personal information, so no opt-out is required
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information for third-party direct marketing.
EEA & UK Residents (GDPR / UK GDPR)
If you are located in the European Economic Area or United Kingdom, you also have the right to:
- Data portability: Receive your data in a structured, machine-readable format
- Restrict processing: Request that we limit how we use your data in certain circumstances
- Object: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing
- Lodge a complaint: File a complaint with your local data protection authority (DPA)
To exercise any of these rights, contact us at support@myshiftx.com. We will respond within 30 days (or 45 days for complex requests). We may need to verify your identity before processing your request.
13. Children's Privacy
The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we discover that a user under 18 has created an account, we will promptly delete their account and all associated data. If you believe a minor has provided us with personal information, please contact us at support@myshiftx.com.
14. International Data Transfers
MyShiftX is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.
Our key infrastructure providers (Supabase on AWS, Vercel) store data primarily in the United States. By using the Service, you consent to the transfer of your information to the United States. Where required by law (such as GDPR), we rely on appropriate transfer mechanisms including Standard Contractual Clauses (SCCs).
15. Do Not Track
Some browsers send “Do Not Track” (DNT) signals to websites. Because there is no industry-standard interpretation of DNT signals, we do not currently alter our data collection practices in response to DNT signals. However, we do not engage in cross-site behavioral tracking.
16. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party site you visit.
17. Changes to This Policy
We may update this Privacy Policy periodically. When we make material changes, we will notify you by email to the address associated with your account at least 14 days before the changes take effect, and we will update the “Last updated” date at the top of this page.
Your continued use of the Service after the effective date of any update constitutes your acceptance of the updated Policy. We encourage you to review this Policy periodically.
18. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We will respond to all privacy requests within 30 days.