ShiftCare Privacy Notice

Policy Owner: Data Protection Officer

Effective Date: Aug 19, 2025

Purpose

This Privacy Notice provides transparency to individuals about how SHIFTCARE PTY. LTD and its group entities (“ShiftCare”, “we”, “us”, “our”) collect, use, share, and protect personal information. This notice ensures compliance with the UK GDPR, Data Protection Act 2018, and applicable data protection laws across our jurisdictions.

Scope

This notice applies to all individuals whose personal data is processed by SHIFTCARE PTY. LTD, ShiftCare UK Ltd, ShiftCare Inc., and ShiftCare Canada, including customers, website visitors, prospects, and third parties who interact with our services.

Who we are

SHIFTCARE PTY. LTD and its group entities provide care management software and services globally. We are committed to protecting your privacy and being transparent about our data processing activities.

Controller Details:

  • SHIFTCARE PTY. LTD (Australia) – Primary controller for global operations
  • ShiftCare UK Ltd – Controller for UK Data Subjects
  • ShiftCare Inc. (USA) – Controller for US operations
  • ShiftCare Canada – Controller for Canadian operations

Contact Information:

  • Registered Address: Suite 2.04, 68 Waterloo Road, Macquarie Park, NSW 2113, Australia
  • Email: privacy@shiftcare.com
  • Phone: +61 2 8311 4101

Data Protection Officer:

  • Email: dpo@shiftcare.com
  • Address: Suite 2.04, 68 Waterloo Road, Macquarie Park, NSW 2113, Australia

Information we collect

For a full and current list of all categories of personal data processed, please refer to our Record of Processing Activities (RoPA), available on request from the Data Protection Officer. The RoPA details all data categories as required under UK GDPR Article 30.

How we collect information

We obtain personal data through:

  • Direct provision when you register, purchase services, or contact us
  • Automated collection through cookies, analytics, and system logs
  • Third parties including care organisations, payment processors, and business partners
  • Public sources where legally permitted

Legal basis for processing

We process personal data only where we have a lawful basis to do so under the UK GDPR. Depending on the context, this may include:
  • Consent – where you have given us explicit permission (for example, opting in to receive marketing communications).
  • Performance of a contract – where processing is necessary to provide you with access to the ShiftCare web and mobile applications under our subscription agreement.
  • Compliance with legal obligations – where we must process data to meet statutory or regulatory requirements (for example, record-keeping for tax and accounting).
  • Legitimate interests – where processing is necessary for our legitimate business purposes, provided that your rights and freedoms are not overridden (for example, improving our products and services, preventing fraud, or ensuring system security).

Details of all current processing purposes and the lawful bases we rely on are recorded in our Record of Processing Activities (RoPA). This document is available on request from our Data Protection Officer and is reviewed regularly for accuracy.

How we use your information

We use the personal data we collect to:
  • Provide and administer our services – including enabling you to access and use the ShiftCare web and mobile applications.
  • Manage subscriptions and billing – including processing payments and handling renewals.
  • Communicate with you – including responding to support requests, notifying you about important changes, and providing service updates.
  • Maintain security and integrity – including monitoring use of our services, detecting unauthorised access, and protecting against fraud or misuse.
  • Meet legal and regulatory requirements – including maintaining records and complying with applicable laws.
  • Improve and develop our services – including analysing usage trends, conducting research, and enhancing user experience.

Further details of these processing purposes are documented in our RoPA, which is reviewed regularly for accuracy and is available on request from our Data Protection Officer.

AI Features and Personal Data

ShiftCare offers AI-powered features as part of our Service ("AI Features"), including automated note classification, Smart Notes, and Smart Match. When these features are enabled, personal data within your account may be processed to deliver them.

Full details of how we handle personal data in connection with AI Features — including data flows, sub-processors, encryption standards, retention periods, and regional transfer arrangements — are set out in our AI & Data Usage Policy, which forms part of this Privacy Notice.

You can view and manage your organisation’s AI settings, including the ability to disable AI Features or opt out of model training, on our AI Data Controls & Transparency page.

Key principles that apply to all AI processing:

  • Your data is never used to train AI models without your explicit consent.

  • AI processing is limited to the features you have enabled.

  • All AI-generated content is clearly labelled and distinguishable from source records.

  • We engage only trusted sub-processors who are contractually restricted from using your data for any purpose beyond delivering our services.

  • AI-generated summaries and flags are retained for 90 days, then automatically deleted.

For UK customers, data processed by AI Features may be transferred to Australia and is protected by an International Data Transfer Agreement (IDTA) or UK Standard Contractual Clauses (SCC) Addendum. For Canadian customers, data may be processed in the United States or Australia, with cross-border processing disclosed and protected by appropriate contractual safeguards. Full details are in our AI & Data Usage Policy.

Information sharing

Comprehensive information about all categories of recipients of your personal data—including third parties, group entities, and service providers—is set out in our Record of Processing Activities (RoPA). The RoPA is available on request from our DPO.

Where we engage subprocessors (third-party service providers who process personal data on our behalf), we will provide at least 30 days’ prior notice before adding or replacing a subprocessor. This allows you to review and, if necessary, raise concerns regarding any changes to our subprocessor list.

International transfers

We take steps to ensure all transfers comply with UK GDPR international transfer rules and safeguards. For a comprehensive, current map of all personal data uses and data transfers including recipients and transfer mechanisms, please refer to our Record of Processing Activities (RoPA), which is available on request from the Data Protection Officer. The RoPA contains:
  • Details of data processing purposes
  • Up-to-date lists of categories of personal data and data subjects
  • All categories of recipients (including international and third country)
  • The transfer mechanisms and legal safeguards in place (e.g., adequacy, Standard Contractual Clauses, UK IDTA).

Data retention

We retain personal data for the following periods:

Customer Data

  • Active accounts: Duration of service relationship
  • Closed accounts: 7 years for legal and regulatory compliance
  • Financial records: 7 years from last transaction

Technical and Usage Data

  • System logs: 12 months
  • Analytics data: 2 years in aggregated form
  • Security logs: 7 years for compliance purposes

Communications

  • Support communications: 3 years from resolution
  • Marketing communications: Until consent withdrawn plus 1 year

Your rights

See Data Subject Rights Request Procedures for user rights requests. For consent actions, see Consent Management Policy. Under UK GDPR and applicable data protection laws, you have the following rights:

Access and Portability

  • Right of access: Request copies of your personal data
  • Data portability: Receive data in structured, machine-readable format

Correction and Deletion

  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of personal data (where applicable)

Processing Control

  • Right to restrict processing: Limit how we process your data
  • Right to object: Object to processing based on legitimate interests
  • Rights regarding automated decision-making: Human review of automated decisions

Marketing

  • Withdraw consent: Unsubscribe from marketing communications
  • Opt-out: Use unsubscribe links or contact us directly

Exercising Your Rights

To exercise your rights, contact us at:

We will respond within one month of receiving your request.

Cookies and online tracking

We use cookies and similar technologies for:

  • Essential website functionality
  • Performance monitoring and analytics
  • Personalisation and user preferences
  • Marketing and advertising (with consent)

Cookie Management

You can control cookies through:

  • Browser settings and preferences
  • Our cookie consent management system
  • Third-party opt-out tools

Data security

We implement comprehensive security measures including:

Technical Measures

  • Encryption of data in transit and at rest
  • Access controls and authentication systems
  • Network security and monitoring
  • Regular security assessments and updates

Organisational Measures

  • Staff training on data protection
  • Regular access reviews and audits
  • Incident response procedures
  • Vendor security assessments

Data breach notification

In the event of a data breach affecting your personal data:

  • We will notify the ICO within 72 hours where required
  • We will inform affected data subjects without undue delay if high risk exists
  • We will provide guidance on protective measures

Contact and complaints

Contact Information

Making a Complaint

If you are unhappy with our data processing:

  1. Contact us directly for resolution
  2. Contact the Information Commissioner’s Office (ICO):
       • Website: ico.org.uk
       • Helpline: 0303 123 1113
       • Post: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Changes to this notice

We may update this notice to reflect changes in our practices or legal requirements. Significant changes will be communicated through:

  • Email notification
  • Website announcements
  • Service notifications

Where the change relates to our subprocessors, we will provide 30 days’ notice before the change takes effect.

Related policies

This notice should be read alongside:

  • Data Subject Rights Policy
  • Cookie Policy
  • Terms of Service
  • Data Processing Agreements

UK GDPR coverage

Articles 12, 13, 14; Articles 15-22