Privacy Policy

Table of Contents

• Definitions
• Scope
• Information We Collect
• How We Collect Information
• Why We Collect Information
• Third-Party Services
• Security & Data Storage
• Data Retention
• User Rights
• Marketing & Communications
• Cookies and Tracking
• Changes to This Policy
• Compliance and Legal References
• Additional Legal Clarifications
• Complaints and Enquiries
• Jurisdiction

1. Definitions

Host: A registered business entity using Shiftly Australia to create, manage, and publish shifts. Typically restaurants, cafes, or other hospitality venues.

Shifter: An individual who registers on Shiftly Australia to apply for and complete shifts offered by Hosts.

2. Scope

This Privacy Policy applies to all users of Shiftly's mobile and web applications located in Australia. Users must be at least 16 years old to use Shiftly.

3. Information We Collect

We collect the following information:

Personal & Identification Data

• Full name
• Date of birth
• Phone number
• Email address
• Residential address
• Passport number and expiry date
• Tax File Number (TFN) (Privacy (TFN) Rule 2015)
• Tax declaration details
• Superannuation fund details
• Bank account details (APP 11.1)
• Employment history
• Certificates and qualifications

Platform Usage Data

• Messages and communication history
• Timesheets and payroll records (Fair Work Regulations 2009)
• Shift preferences and application timestamps
• Ratings and reviews
• Location data and activity logs (e.g. login times)

Payment & Integration Data

• Stripe payment method IDs (actual card/bank details stored by Stripe)
• Invoicing and billing history
• TFN and payroll info sent to Xero (not synced back)
• Profile pictures stored in AWS S3

Device & Tracking Info

• Session data stored in local storage
• Klaviyo analytics (user activity metrics)

4. How We Collect Information

We collect information through:

• User input via registration and profile forms
• Uploaded documents
• Shift and message interactions
• Stripe and Xero API integrations
• Klaviyo activity tracking
• Automatically via local storage (not cookies)

5. Why We Collect Information

We collect and use your information to:

• Facilitate shift matching based on preferences and ratings (APP 6.1)
• Enable secure login and account management
• Calculate and process payments, PAYG, and superannuation (ATO Record Keeping Guidelines)
• Create employee records in Xero
• Issue invoices and payment receipts
• Communicate updates and marketing (APP 7 – Direct Marketing)
• Improve platform performance and service delivery (APP 10 – Quality of personal information)
• Comply with legal and regulatory obligations (APP 6.2(b))

Shiftly Australia uses automated decision-making to sort shifts and applicants by rating and application date.

6. Third-Party Services

We share data only with essential third parties:

Provider

Stripe

Purpose: Payments & billing

Data Shared: Payment method IDs

Xero

Purpose: Payroll & employee creation

Data Shared: TFN, tax info, super, bank account

AWS S3

Purpose: Profile picture storage

Data Shared: Image files

MongoDB

Purpose: Application database

Data Shared: All application data

Klaviyo

Purpose: Email flows & analytics

Data Shared: Email, user behaviour

We do not sell or share data for marketing purposes. (APP 6, 7)

7. Security & Data Storage

• All data is stored in MongoDB (Sydney region), with encryption applied to sensitive fields.
• Profile pictures are stored in AWS S3.
• Session tokens are stored in local storage; no sensitive data is stored there.
• Admin access requires multi-factor authentication (MFA).
• All access is logged with audit trails (APP 11.1, 11.2)

Sensitive Fields Encrypted

• TFNs (required by TFN Rule 2015)
• Superannuation details
• Bank account details
• Passport/ID numbers

8. Data Retention

User data is retained until the user deletes their account.

Payroll and tax-related records are retained for 7 years in compliance with:

• Fair Work Act 2009 (Cth)
• Income Tax Assessment Act 1997
• ATO Payroll and record-keeping requirements

9. User Rights

Under APPs 12 & 13, users have the right to:

• Access and view their personal data
• Correct inaccurate or outdated data
• Request deletion of their account and associated data
• Unsubscribe from marketing communications

Data deletion is instant upon request, excluding legal retention obligations. Export of payment history is available; a full data export tool is not currently provided.

10. Marketing & Communications

• Users opt-in to receive marketing emails by signing up (APP 7.2)
• You may unsubscribe at any time via the email footer

11. Cookies and Tracking

• Shiftly Australia does not use cookies within the app.
• The marketing website may use cookies or pixels for advertising and performance monitoring (APP 1.4, 5.2)

12. Changes to This Policy

Users will be notified of changes to this policy via email (APP 1.5)

13. Compliance and Legal References

This policy is governed by the following laws and regulations:

• Privacy Act 1988 (Cth)
• Australian Privacy Principles (APPs)
• Privacy (TFN) Rule 2015
• Fair Work Act 2009 (Cth)
• Income Tax Assessment Act 1997
• General Data Protection Regulation (GDPR) – where applicable
• California Consumer Privacy Act (CCPA) – where applicable

14. Additional Legal Clarifications

• Sensitive fields must be encrypted at rest and in transit as part of “reasonable steps” under APP 11.1
• Payroll and financial records must be retained for 7 years under Australian law
• Full user data export is not mandatory under APPs, but access/correction must be available on request

15. Complaints and Enquiries

If you believe your privacy has been breached or wish to raise a complaint, you may contact us at privacy@shiftly.au. We will respond within a reasonable timeframe. If you are not satisfied with our response, you may escalate the complaint to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.

16. Jurisdiction

This Privacy Policy is governed by the laws of New South Wales, Australia.