Legal
Privacy Policy
Last updated: May 26, 2026
1. Introduction
ShiftPro Safety (“ShiftPro”, “we”, “us”) operates a workforce management platform designed for construction companies and similar field-based operations. We help businesses verify on-site attendance via GPS, document safety brief acknowledgments, manage scheduling, and produce payroll-ready records.
This policy explains what personal information we collect, why we collect it, how long we keep it, who we share it with, and what rights you have. It applies to both the public marketing site (shiftpro.org) and the ShiftPro web dashboard and mobile applications.
ShiftPro is designed to comply with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta's Personal Information Protection Act (PIPA), and applicable US state privacy laws including, where relevant, the California Consumer Privacy Act (CCPA) and its amendments.
2. Information we collect
We collect only what is operationally necessary to deliver the service. We do not collect health information, social insurance numbers, financial account data, or biometric data.
Account information
- Full name
- Email address
- Role within the organization (admin, supervisor, employee)
- Hashed password (we never store plaintext passwords)
Workforce data
- Shift timestamps (clock-in and clock-out times)
- Break timestamps (when the worker taps Take a Break and End Break)
- Project and job-site assignments
- Safety brief acknowledgments (timestamped)
- Employee certificates and expiry dates, if uploaded by the employer
- Hourly wage rate, if entered by the employer for payroll exports
- Photos and notes attached to shift reports, if submitted by the worker
- Drive segments between job sites (only if drive-time tracking is enabled for the organization — see below)
Location data — GPS
GPS coordinates are captured only at the moment a worker taps Clock In, and optionally again at clock-out. The coordinates are compared to the project's geofence boundary (roughly a 500-meter radius around the job-site address). The result of that check is stored alongside the shift record.
We do not track continuous location.
We do not run background tracking, ping the device throughout the shift, or store location data between the two clock-in and clock-out moments. The mobile app explicitly requests location permission only when a worker is starting or ending a shift.
Drive-time tracking (opt-in per organization)
If your employer enables drive-time tracking, ShiftPro detects drives between job sites by looking at consecutive clock-outs and clock-ins at different projects. The two endpoint GPS coordinates already captured for those clock-in/out events are sent to the Google Routes API to calculate distance and driving duration between the two job sites. Only those two coordinates are sent — no continuous location, no live tracking during the drive itself, no data outside the clock-in/out moments.
Drive-time tracking is off by default. Your organization's admin can turn it on or off at any time in the dashboard's Settings page. When turned off, no further drive segments are detected and no further coordinates are sent to Google. Existing drive records remain in your organization's data until the account is closed.
Technical data
- IP address (used for security and rate limiting; stored in logs for up to 30 days)
- Device type, browser version, and operating system (basic diagnostic info)
- Analytics events on the marketing site (see our Cookie Policy for details)
3. How we use information
We use personal information to:
- Operate the ShiftPro web dashboard and mobile applications
- Verify on-site attendance at the moment of clock-in (and clock-out, if enabled)
- Record safety brief acknowledgments for OHS and WCB compliance documentation
- Generate payroll-ready reports for the employer
- Track certificate expiry and alert employers before tickets lapse
- Authenticate users and protect accounts from unauthorized access
- Send service-related emails (account confirmations, password resets, invoices)
- Investigate and respond to security incidents
- Improve product reliability and usability based on aggregated diagnostic data
We do not use personal information for advertising, retargeting, profile-building for marketing purposes, training AI models, or selling to third parties.
4. Consent
By creating an account or signing in, you consent to the collection and use of your information as described in this policy. Where Alberta PIPA or other applicable employment-privacy law requires explicit employee consent for GPS collection, employers are responsible for obtaining that consent at the employment-relationship level; ShiftPro's app surfaces a privacy explanation on first sign-in.
Employers using ShiftPro are the “controllers” of their employees' data within the meaning of applicable privacy laws. ShiftPro acts as the “processor” (or, under PIPEDA, a service provider) and processes the data on the employer's behalf.
5. Storage and security
Personal data is stored encrypted at rest on servers operated by our infrastructure provider (Supabase, hosting in AWS regions in North America). Data is transmitted only over HTTPS with TLS 1.2 or higher.
We use the following security controls:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Role-based access controls within each organization (admin, supervisor, employee)
- Row-Level Security in the database to enforce per-organization isolation
- Password hashing using industry-standard algorithms (bcrypt)
- Rate limiting and bot protection (Cloudflare Turnstile) on authentication endpoints
- Regular system monitoring and logging
6. Data sharing
We do not sell personal information, and we have never received money or anything of value in exchange for personal information. We share data only as follows:
- With your employer — within their organization in ShiftPro (other workers in the same company do not see your data unless they are admins or supervisors)
- With service providers we use to operate the platform: Supabase (database and authentication), Resend (transactional email), Cloudflare (bot protection and DNS), Vercel (web hosting), Expo (push notifications to the mobile app, including certificate expiry alerts), and — only if drive-time tracking is enabled by your organization — Google (Routes API, for calculating distance and duration between two job-site GPS coordinates). Each provider is bound by contract to use the data only to provide the contracted service.
- If required by law — in response to valid legal process (subpoena, court order, or comparable instrument) where we have a good-faith belief that disclosure is required
- In a business transfer — if ShiftPro is involved in a merger, acquisition, or sale of assets, data may transfer as part of that transaction with notice to affected parties
7. Data retention
We retain personal data for the periods necessary to provide the service and meet legal obligations:
- Active accounts — data is retained for as long as your employer's ShiftPro account remains active
- After account cancellation — your data remains accessible in a read-only state for 30 days to allow export of final payroll reports and compliance archives, after which it is permanently deleted from production databases
- Encrypted backups — are purged on the normal rotation cycle (within 90 days of cancellation)
- Server logs and IP addresses — retained for up to 30 days for security and abuse-prevention purposes
- Aggregated and anonymized data (e.g., total monthly active sign-ins) may be retained indefinitely for product analytics
8. Your rights
Subject to applicable law, you have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — request that we correct inaccurate or incomplete information
- Deletion — request deletion of your personal information (subject to legal retention obligations and the employer's legitimate operational needs)
- Portability — request your data in a machine-readable format
- Withdraw consent — withdraw consent for any processing that relies on consent, where the processing is not legally required
- Complain — file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Alberta Office of the Information and Privacy Commissioner (oipc.ab.ca), or your applicable state privacy authority
To exercise these rights, contact us at support@shiftpro.org. We respond to verified requests within 30 days. If you are a worker employed by a ShiftPro customer, please direct access and deletion requests to your employer first; we will then act on their behalf as required.
9. Breach notification
If a security incident exposes personal information in a way that creates a real risk of significant harm, we will notify affected individuals and the relevant privacy authority (the OPC under PIPEDA, the OIPC under Alberta PIPA, or the applicable US state attorney general) without unreasonable delay and in accordance with the timelines required by law.
10. International transfers
ShiftPro's infrastructure is hosted on AWS data centers in North America (Canada and the United States). If you use ShiftPro from outside Canada or the US, your data will be transferred to and stored in these regions. We rely on the applicable contractual safeguards required by your jurisdiction's data-transfer law.
11. Children
ShiftPro is intended for use by businesses and their adult employees. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us information, contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to account administrators and posted on this page with an updated “last updated” date. Continued use of ShiftPro after a change indicates acceptance of the revised policy.
13. Contact us
For questions about this Privacy Policy or to exercise your rights under it: