Privacy Policy
Last updated: 23 March 2025
Shiftly Australia is a trading name of Squiggle Creative Pty Ltd (ABN: 26 672 118 464, ACN: 672 118 464), registered at 4 Pacific St, Fishermans Bay, NSW, 2317, Australia. This Privacy Policy outlines how Shiftly Australia (“we”, “us”, or “our”) collects, uses, stores, and discloses personal information. If you have any questions, please contact us at privacy@shiftly.au.
Table of Contents
- Definitions
- Scope
- Information We Collect
- How We Collect Information
- Why We Collect Information
- Third-Party Services
- Security & Data Storage
- Data Retention
- User Rights
- Marketing & Communications
- Cookies and Tracking
- Changes to This Policy
- Compliance and Legal References
- Additional Legal Clarifications
- Complaints and Enquiries
- Jurisdiction
1. Definitions
Host: A registered business entity using Shiftly Australia to create, manage, and publish shifts. Typically restaurants, cafes, or other hospitality venues.
Shifter: An individual who registers on Shiftly Australia to apply for and complete shifts offered by Hosts.
2. Scope
This Privacy Policy applies to all users of Shiftly's mobile and web applications located in Australia. Users must be at least 16 years old to use Shiftly.
3. Information We Collect
We collect the following information:
Personal & Identification Data
- Full name
- Date of birth
- Phone number
- Email address
- Residential address
- Passport number and expiry date
- Tax File Number (TFN) (Privacy (TFN) Rule 2015)
- Tax declaration details
- Superannuation fund details
- Bank account details (APP 11.1)
- Employment history
- Certificates and qualifications
Platform Usage Data
- Messages and communication history
- Timesheets and payroll records (Fair Work Regulations 2009)
- Shift preferences and application timestamps
- Ratings and reviews
- Location data and activity logs (e.g. login times)
Payment & Integration Data
- Stripe payment method IDs (actual card/bank details stored by Stripe)
- Invoicing and billing history
- TFN and payroll info sent to Xero (not synced back)
- Profile pictures stored in AWS S3
Device & Tracking Info
- Session data stored in local storage
- Klaviyo analytics (user activity metrics)
4. How We Collect Information
We collect information through:
- User input via registration and profile forms
- Uploaded documents
- Shift and message interactions
- Stripe and Xero API integrations
- Klaviyo activity tracking
- Automatically via local storage (not cookies)
5. Why We Collect Information
We collect and use your information to:
- Facilitate shift matching based on preferences and ratings (APP 6.1)
- Enable secure login and account management
- Calculate and process payments, PAYG, and superannuation (ATO Record Keeping Guidelines)
- Create employee records in Xero
- Issue invoices and payment receipts
- Communicate updates and marketing (APP 7 – Direct Marketing)
- Improve platform performance and service delivery (APP 10 – Quality of personal information)
- Comply with legal and regulatory obligations (APP 6.2(b))
Shiftly Australia uses automated decision-making to sort shifts and applicants by rating and application date.
6. Third-Party Services
We share data only with essential third parties:
- Stripe. Purpose: Payments & billing. Data Shared: Payment method IDs.
- Xero. Purpose: Payroll & employee creation. Data Shared: TFN, tax info, super, bank account.
- AWS S3. Purpose: Profile picture storage. Data Shared: Image files.
- MongoDB. Purpose: Application database. Data Shared: All application data.
- Klaviyo. Purpose: Email flows & analytics. Data Shared: Email, user behaviour.
We do not sell or share data for marketing purposes. (APP 6, 7)
7. Security & Data Storage
- All data is stored in MongoDB (Sydney region), with encryption applied to sensitive fields.
- Profile pictures are stored in AWS S3.
- Session tokens are stored in local storage; no sensitive data is stored there.
- Admin access requires multi-factor authentication (MFA).
- All access is logged with audit trails (APP 11.1, 11.2).
Sensitive Fields Encrypted
- TFNs (required by TFN Rule 2015)
- Superannuation details
- Bank account details
- Passport/ID numbers
8. Data Retention
User data is retained until the user deletes their account.
Payroll and tax-related records are retained for 7 years in compliance with:
- Fair Work Act 2009 (Cth)
- Income Tax Assessment Act 1997
- ATO Payroll and record-keeping requirements
9. User Rights
Under APPs 12 & 13, users have the right to:
- Access and view their personal data
- Correct inaccurate or outdated data
- Request deletion of their account and associated data
- Unsubscribe from marketing communications
Data deletion is instant upon request, excluding legal retention obligations. Export of payment history is available; a full data export tool is not currently provided.
10. Marketing & Communications
- Users opt in to receive marketing emails by signing up (APP 7.2)
- You may unsubscribe at any time via the email footer
11. Cookies and Tracking
- Shiftly Australia does not use cookies within the app.
- The marketing website may use cookies or pixels for advertising and performance monitoring (APP 1.4, 5.2)
12. Changes to This Policy
Users will be notified of changes to this policy via email (APP 1.5).
13. Compliance and Legal References
This policy is governed by the following laws and regulations:
- Privacy Act 1988 (Cth)
- Australian Privacy Principles (APPs)
- Privacy (TFN) Rule 2015
- Fair Work Act 2009 (Cth)
- Income Tax Assessment Act 1997
- General Data Protection Regulation (GDPR) – where applicable
- California Consumer Privacy Act (CCPA) – where applicable
14. Additional Legal Clarifications
- Sensitive fields must be encrypted at rest and in transit as part of “reasonable steps” under APP 11.1
- Payroll and financial records must be retained for 7 years under Australian law
- Full user data export is not mandatory under APPs, but access/correction must be available on request
15. Complaints and Enquiries
If you believe your privacy has been breached or wish to raise a complaint, you may contact us at privacy@shiftly.au. We will respond within a reasonable timeframe. If you are not satisfied with our response, you may escalate the complaint to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.
16. Jurisdiction
This Privacy Policy is governed by the laws of New South Wales, Australia.