AI & Data Usage Policy
ShiftCare AI supports your team. Humans always decide.
This document sets out how ShiftCare processes data through AI features, the infrastructure we use, the safeguards we apply, and the rights your organisation holds. It is intended for use by administrators, privacy officers, and compliance teams.
1. Overview
ShiftCare uses artificial intelligence to help care providers reduce administrative work, surface important information, and coordinate their teams more effectively.
This document explains in full how those AI features process data, what infrastructure they run on, what safeguards protect that data, and what rights your organisation holds. It is structured to support due diligence, privacy impact assessments, and compliance reviews. If you are a customer reviewing ShiftCare’s AI practices for the first time, start with Section 2 (Data Flow) and Section 6 (Your Rights).
This document is the technical and legal reference layer behind ShiftCare’s in-product AI Data Controls & Transparency page. Where that page gives you quick controls, this document gives you the full picture.
1.1 Scope
This policy covers all AI features currently available in ShiftCare, including:
Smart Match — AI-assisted shift and worker matching
AI Notes — Summarisation and flagging of support notes
Smart Notes AI Classifier — Content classification for note intelligence
Keyword Scanner — Rule-based note scanning (not AI; included for completeness)
It does not cover ShiftCare’s core platform data handling, which is addressed in the ShiftCare Privacy Policy available at shiftcare.com/privacy.
1.2 Principles
AI only processes data for features your organisation has enabled
AI does not make decisions; it surfaces information and suggestions for human review
All AI-generated content is labelled and attributable
Your data is never used to train AI models without your explicit opt-in
AI inference is processed locally within each customer’s regional AWS infrastructure — data does not cross borders for AI processing
All AI activity is logged and auditable
2. Data Flow Diagrams
The following diagrams illustrate how data moves through ShiftCare’s AI features. ShiftCare uses AWS Bedrock, which processes AI inference requests locally within each customer’s regional AWS infrastructure. Data does not cross borders for AI processing. The flows below apply in each region with the local AWS endpoint substituted accordingly.
2.1 Smart Match — Shift & Worker Matching
Smart Match analyses shift requirements and worker profiles to surface the best-fit candidates for each shift. No clinical or support note data is involved.
ShiftCare App
Org data in local AWS region
Shift + worker data
Smart Match Engine
AWS Bedrock — local region
API call
AI Model via Bedrock
Served in local AWS region
Ranked matches
ShiftCare App
Suggestions displayed
Data involved in Smart Match processing:
Worker profiles (skills, certifications, availability, compliance status)
Shift requirements (location, skills needed, time, client preferences)
Historical assignment data and engagement patterns
No clinical notes, no personal health information
2.2 AI Notes — Support Note Summarisation & Flagging
AI Notes processes support notes written by care workers to generate summaries and identify content that may require follow-up. Before any note is sent to the AI model, it passes through the anonymisation layer.
Support Note
Written in ShiftCare
Anonymiser
Names, emails, phones, addresses removed
Anonymised text
AI Model via Bedrock
Served in local AWS region
ShiftCare App
Labelled AI output shown to staff
Human reviews
Staff Member
Approves, edits, or dismisses
All Bedrock inference within local region — no cross-border transfer. Human decision required before any action.
Anonymisation: what it does and its limits
The anonymisation step automatically strips names, email addresses, phone numbers, and physical addresses from note text before it is sent to the AI model. This is a technical safeguard to reduce PII exposure during AI inference.
The anonymiser covers the most common PII patterns but is not exhaustive. Edge cases — such as non-standard name formats, informal references, or context-dependent identifiers — may not be detected. It is a strong safeguard, not a guarantee. If your organisation has heightened requirements, speak to your account manager about additional controls.
2.3 Smart Notes — AI Classifier vs Keyword Scanner
Smart Notes offers two independent scanning modes. Organisations can use both, or disable the AI classifier to run keyword-only.
| Mode | Flow | Description | Configuration |
|---|---|---|---|
| AI Classifier mode | Note → Anonymiser → AI model → Classification result | Uses Anthropic’s Claude model to understand note context and classify content with greater nuance. Catches complex patterns the keyword list may miss. | Settings → Smart Notes → Enable AI Classifier |
| Keyword-only mode | Note → Pattern matching → Keyword match result | Uses a curated list of terms and phrases. No AI model involved. No data sent externally. Always available regardless of AI settings. Cannot be disabled. | Always on — no configuration required |
3. Sub-processors
ShiftCare uses the following sub-processors to deliver AI features. No other third parties receive customer data in connection with AI processing. All sub-processors are contractually restricted from using customer data for any purpose beyond service delivery and are prohibited from using data to train their own models.
Important: AWS Bedrock vs the Anthropic direct API — Anthropic publishes a privacy page stating that by default, traffic may be routed to the US and data is stored in the US. This applies to customers using Anthropic’s direct API or Claude.ai products — not to AWS Bedrock.
ShiftCare accesses Claude exclusively via AWS Bedrock. Under the Bedrock model:
AWS — not Anthropic — is the data processor for AI inference
AWS processes data in Australia for AU customers and may process in Australia for UK/CA customers. US customers’ data is processed in compliant US infrastructure. Data does not reach Anthropic’s servers.
Anthropic provides the Claude model weights to AWS but has no visibility of, or access to, customer data
Anthropic’s privacy policy and data handling terms govern direct API usage only. ShiftCare’s AI processing is governed by AWS’s data processing terms and ShiftCare’s own DPA with each customer.
| Provider | Role | Processing location | Data transferred | Data retained by provider |
|---|---|---|---|---|
| Amazon Web Services (AWS) aws.amazon.com | Cloud infrastructure, database hosting, storage, compute, networking | Australia (AWS Sydney, ap-southeast-2) for AU customers. Data may be processed in Australia for UK and CA customers. US customers processed in compliant US infrastructure. | All ShiftCare customer data processed in AWS | Per ShiftCare retention schedule; AWS does not retain independently |
| Anthropic (model IP only) anthropic.com | AI model licensor (Claude). Model weights are served by AWS Bedrock — Anthropic does not receive or process customer inference data | Model weights hosted on AWS Bedrock in each customer’s local region. Customer data does not reach Anthropic’s servers. | Not transferred to Anthropic | Not retained by Anthropic. Bedrock does not pass inference data to Anthropic. |
ShiftCare will notify customers of any changes to the sub-processor list with reasonable advance notice. Customers who have executed a Data Processing Agreement (DPA) with ShiftCare have the right to object to new sub-processors.
3.1 Sub-processor Contractual Commitments
All sub-processors are bound by contractual terms that require them to:
Process data only on ShiftCare’s documented instructions
Implement appropriate technical and organisational security measures
Not sub-contract processing without ShiftCare’s authorisation
Assist ShiftCare in fulfilling data subject rights requests
Delete or return data upon termination of the agreement
Not use customer data to train their own AI models
4. Regional Data Handling
ShiftCare operates across Australia, the United Kingdom, the United States, and Canada. Processing locations and cross-border transfer arrangements vary by region as described below.
4.1 Australia
✓ No cross-border transfer. All AI processing is in-country.
Australia is ShiftCare’s primary region. All AI infrastructure is hosted in AWS Sydney (ap-southeast-2). Processing complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Data controller: The organisation using ShiftCare
Data processor: ShiftCare Pty Ltd
Applicable law: Privacy Act 1988, Australian Privacy Principles
Data residency: Australia at rest and in transit
NDIS registered providers: AI audit trail design supports practice standard requirements
4.2 United Kingdom
⚠ Transfer to Australia. Protected by IDTA / SCC Addendum.
Data may be processed in Australia. This constitutes an international data transfer under UK GDPR, protected by an International Data Transfer Agreement (IDTA) or UK Standard Contractual Clauses (SCC) Addendum. UK GDPR compliance:
International Data Transfer Agreement (IDTA) or UK Standard Contractual Clauses (SCC) Addendum is required
Transfer Risk Assessment has been completed in respect of Australian processing
Full sub-processor disclosure provided in Section 3 of this document
A UK GDPR Article 28 Data Processing Agreement (processor agreement) is in place with AWS as the infrastructure processor
Safeguards applied for UK customers
Encryption in transit: TLS 1.2 or higher on all data in motion
Encryption at rest: AES-256 for all stored data
Strict access controls: role-based access with audit logging
Data Processing Agreement (Article 28) available on request
4.3 Canada
→ Cross-border processing disclosed and protected. PIPEDA compliant.
ShiftCare’s approach for Canadian customers
Data may be processed in the United States or Australia
Cross-border processing disclosed and protected by contractual safeguards
Complies with PIPEDA and applicable provincial privacy legislation
Contractual data protection terms available in the DPA
Full sub-processor transparency provided in Section 3 of this document
Encryption in transit and at rest consistent with Canadian security expectations
4.4 United States
✓ In-country processing. No cross-border transfer.
Data is processed in compliant, secure infrastructure within the United States.
Encryption, access controls, and audit logging enforced
Contractual data protection terms available in the DPA
HIPAA: ShiftCare is not a HIPAA-covered entity. Customers with HIPAA-specific requirements should contact their account manager to discuss applicability and available controls
5. Encryption Standards
ShiftCare applies encryption at every point in the data lifecycle — in transit, at rest, and in any backups. The following standards apply to all AI-related data processing.
| Category | Standard | Scope | Notes |
|---|---|---|---|
| Data in transit | TLS 1.2 (minimum), TLS 1.3 preferred | All API calls, browser sessions, internal service communication | Downgrade to TLS 1.1 or below is rejected |
| Data at rest | AES-256 | All stored data in AWS S3, RDS, and EBS volumes | Managed via AWS Key Management Service (KMS) |
| Database encryption | AES-256 (AWS RDS encryption) | All relational database storage including AI-generated content | Encryption keys rotated on schedule |
| Backups | AES-256 | All automated backups and snapshots | Stored in same region (ap-southeast-2); encryption applied before backup |
| API authentication | OAuth 2.0 / API key with HTTPS | All external API calls including Anthropic AI model access | Keys scoped to minimum required permissions |
5.1 Key Management
Encryption keys are managed through AWS Key Management Service (KMS). ShiftCare uses customer-managed keys (CMK) for primary data encryption. Key rotation is performed on an annual schedule or immediately upon staff offboarding. Access to keys is restricted to authorised infrastructure personnel and logged via AWS CloudTrail.
5.2 AI Inference Security
ShiftCare accesses Claude AI models via trusted cloud infrastructure. All inference data is transmitted over TLS 1.2+. Inference data is not retained beyond the processing request.
6. Retention Policies
ShiftCare distinguishes between original source data and AI-generated content. These have separate retention rules. Original data is never modified by AI features.
| Data type | Retention period | Who can delete it | Notes |
|---|---|---|---|
| Original support notes and clinical data | Per your organisation’s data retention settings | Organisation administrator | AI features do not modify, move, or delete source data |
| AI-generated summaries and flags | 90 days from creation | Organisation administrator or privacy team request | Automatically deleted at 90 days; can be deleted earlier on request |
| AI processing logs (audit trail) | 12 months | Privacy team request only | Immutable; used for compliance, NDIS audits, and security review |
| Smart Match recommendation history | 90 days | Organisation administrator | Anonymised after 90 days; not linked to individual staff records beyond this |
| AI inference data (Bedrock) | Not retained beyond inference | N/A | Processed by AWS Bedrock in the local region. Anthropic does not receive inference data. Bedrock does not retain inference inputs/outputs. |
6.1 Requesting Deletion
Your organisation can request early deletion of any AI-generated content at any time. To make a deletion request:
Contact your account manager, or
Email privacy@shiftcare.com with your organisation name and a description of the content to be deleted
Requests will be actioned within 10 business days
A confirmation of deletion will be provided in writing
Deletion of AI-generated content does not affect original source data. Original notes and clinical records are governed by your organisation’s own retention obligations and are not modified by ShiftCare’s AI deletion process.
6.2 Data at Termination
On termination of your ShiftCare agreement, AI-generated content will be deleted within 30 days. You may request an export of AI-generated content prior to termination. Source data export is governed by your main ShiftCare agreement.
7. AI Content Labelling & Audit Trail
All AI-generated, AI-assisted, and AI-flagged content is clearly labelled in the ShiftCare interface. This is a design requirement, not optional. Labels persist through exports and are retained in audit logs.
| Label | Meaning | Audit trail entry includes |
|---|---|---|
| AI-generated | Content created by an AI model. Requires human review before any action is taken. | Timestamp, model version, feature name, reviewing staff member ID, action taken (approved / edited / dismissed) |
| AI-assisted | Content created or edited by a staff member with AI suggestions available. The final content reflects a human decision. | Timestamp, model version, staff member ID, final content version |
| AI-flagged | Item identified by AI for human review. No automated action taken. | Timestamp, model version, flag type, reviewing staff member ID, outcome |
7.1 NDIS Audit Trail Requirements
For NDIS registered providers, ShiftCare’s AI labelling and audit trail are designed to meet practice standard requirements, specifically the need to demonstrate that support decisions are made by qualified humans, not automated systems.
Every AI output is stored separately from the original source record
The original record is never modified by AI features
Reviewers’ decisions (approved, edited, dismissed) are logged against their user account
Audit logs are immutable and exportable on request
AI activity reports are available through your compliance reporting dashboard
Model version information is included in every audit entry, enabling reconstruction of what model produced a given output
8. Your Rights
Your organisation holds the following rights in relation to AI data processing. These rights apply regardless of subscription tier and can be exercised at any time.
| Right | What this means | How to exercise it |
|---|---|---|
| Disable all AI features | Turn off all AI features across your account instantly, without affecting core ShiftCare functionality | Settings → Organisation → AI Features → Master toggle |
| Opt out of model training | Your data will not contribute to AI model training. This is the default state — it is already off. | Settings → Organisation → AI Features → Model training |
| Feature-level control | Enable or disable individual AI features independently | Settings → Organisation → AI Features |
| Access AI processing logs | Request a full log of AI interactions involving your organisation’s data | Contact your account manager or privacy@shiftcare.com |
| Delete AI-generated content | Request deletion of AI summaries and flags. Original source data is not affected. | Contact your account manager or privacy@shiftcare.com |
| Data portability | Export AI-generated content and processing logs in a machine-readable format | Contact your account manager |
| Object to new sub-processors | Where a DPA is in place, you have the right to object to new sub-processors with reasonable notice | Contact privacy@shiftcare.com |
9. Legal Framework
9.1 Data Controller and Processor Roles
| Party | Role | Responsibilities |
|---|---|---|
| Your organisation | Data controller | Determines the purposes and means of processing. Responsible for lawful basis for processing personal data, data subject rights, and compliance with applicable privacy law in your jurisdiction. |
| ShiftCare Pty Ltd | Data processor | Processes data on the controller’s instructions. Responsible for security of processing, sub-processor management, breach notification, and assisting the controller in fulfilling data subject rights. |
| AWS (Bedrock) | Infrastructure sub-processor | Processes data on ShiftCare’s instructions within each customer’s local region. Bound by Article 28-compliant DPA. Anthropic provides model IP to Bedrock but does not process customer inference data directly. |
9.2 Lawful Basis for Processing
ShiftCare processes personal data through AI features on the following lawful bases, depending on jurisdiction:
| Jurisdiction | Primary lawful basis | Notes |
|---|---|---|
| Australia | Legitimate interests (APP 3) / Contractual necessity | Processing is necessary to deliver contracted services. Consistent with the Privacy Act 1988 and APP 3 (collection for a primary purpose). |
| United Kingdom | Legitimate interests (UK GDPR Art. 6(1)(f)) or Contractual necessity (Art. 6(1)(b)) | Data may be processed in Australia. International transfer protected by IDTA / SCC Addendum. UK GDPR Chapter V complied with via approved transfer mechanism. |
| Canada | Legitimate purposes (PIPEDA Principle 2) / Contractual necessity | Data may be processed in US or Australia. Cross-border processing disclosed and protected by contractual safeguards. PIPEDA compliant. |
| United States | Contractual necessity / Legitimate interests | Data processed in compliant, secure US infrastructure. Encryption, access controls, and audit logging enforced. |
9.3 International Transfer Mechanisms
United Kingdom — ShiftCare delivers AI features for UK customers with data that may be processed in Australia. This constitutes an international data transfer under UK GDPR. The transfer is governed by an International Data Transfer Agreement (IDTA) or UK Standard Contractual Clauses (SCC) Addendum, which forms part of ShiftCare’s Data Processing Agreement with UK customers. A Transfer Risk Assessment has been completed in respect of Australian processing.
Canada — ShiftCare delivers AI features for Canadian customers with data that may be processed in the United States or Australia. Cross-border processing is disclosed in this policy and protected by appropriate contractual safeguards in ShiftCare’s Data Processing Agreement. Processing complies with PIPEDA accountability requirements.
9.4 Data Processing Agreement
A Data Processing Agreement (DPA) is available for all ShiftCare customers. The DPA sets out:
The subject matter, nature, and purpose of processing
The type of personal data processed and categories of data subjects
ShiftCare’s obligations as data processor
Sub-processor authorisation and change notification process
Security measures (referencing Section 5 of this document)
Data subject rights assistance obligations
Breach notification timelines (72 hours for UK GDPR; as soon as practicable for AU/CA/US)
Return or deletion of data on termination
To request or execute a DPA, contact privacy@shiftcare.com or your account manager.
9.5 Breach Notification
In the event of a personal data breach involving AI-processed data, ShiftCare will:
Notify affected customers without undue delay, and in any event within the timeframes required by applicable law
Provide details of the nature of the breach, the data involved, likely consequences, and measures taken or proposed
For UK customers: notify within 72 hours of becoming aware of a breach, consistent with UK GDPR Article 33
For Australian customers: notify in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988
Cooperate with regulatory authorities as required by law
9.6 Governing Law & Contact
This policy is governed by the laws of New South Wales, Australia. For privacy and data processing enquiries:
ShiftCare Privacy Team
Email: privacy@shiftcare.com
Website: shiftcare.com/privacy
Response time: We aim to respond to all data access and DPA requests within 5 business days.