Privacy Policy

Last updated: 15/11/2025

At Shift Express, we attach paramount importance to the protection of your personal data. This Privacy Policy informs you about how we collect, use, share, and protect your information in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller and DPO

1.1 Identity of the Data Controller

Shift Express

Micro-enterprise registered in the SIRENE directory under number 851 776 138

Registered office: Menton, France

Email: hello@shift.express

1.2 Data Hosting

The web platform's data is hosted by: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA

The mobile application's data is hosted on servers located in Europe (France and Germany).

Although Vercel is headquartered in the United States, our European data is stored on Vercel's European infrastructure (Frankfurt, Germany region) in accordance with GDPR requirements.

1.3 Data Protection Officer (DPO)

For any questions about the protection of your personal data, you can contact our team at: hello@shift.express

2. Data Collected

We collect different categories of data depending on your user profile (employer or employee):

2.1 Identification Data

  • First and last name
  • Professional or personal email address
  • Phone number (optional)
  • Establishment name (for employers)
  • Job title/position

2.2 Connection and Usage Data

  • IP address
  • Connection logs (date, time, pages visited)
  • Browser type and operating system
  • Approximate geolocation data (city, country)
  • Platform interactions (clicks, session duration)

2.3 Service-Related Data

  • Shifts posted, accepted, declined, or completed
  • Work schedules and associated establishments
  • History of notifications sent and received
  • Points, badges, and gamification statistics (for employees)
  • Messages exchanged via the platform
  • Analytics data and usage statistics

2.4 Payment Data

Payment information (credit card) is never stored on our servers. It is processed directly by our secure payment provider Stripe, which is PCI-DSS certified. We only retain the last 4 digits of the card and expiration date to facilitate subscription management.

2.5 Cookies and Similar Technologies

We use essential cookies for service functionality, as well as analytics cookies (with your consent) to improve user experience. For more details, please consult our Cookie Policy.

3. Processing Purposes and Legal Bases

We process your personal data for the following purposes:

3.1 Contract Performance

  • Creation and management of your user account
  • Provision of Shift Express service (posting, notifying, accepting shifts)
  • Subscription management and billing
  • Service-related communications (confirmations, reminders)
  • Customer support and technical assistance

3.2 Legal Obligations

  • Retention of billing data (accounting and tax obligations)
  • Response to legal requests
  • Fraud and abuse prevention

3.3 Legitimate Interest

  • Service improvement and optimization
  • Statistical analysis and audience measurement
  • Bug detection and technical issue prevention
  • Platform security against cyber attacks
  • Sending transactional emails and system notifications

3.4 Consent

  • Marketing communications and newsletters (you can unsubscribe at any time)
  • Analytics and audience measurement cookies
  • Sharing testimonials or case studies (only with your explicit consent)

4. Data Recipients

Your personal data may be transmitted to the following categories of recipients:

4.1 Shift Express Personnel

Our technical, customer support, and sales teams have access to your data only to the extent necessary for their functions, under confidentiality obligations.

4.2 Technical Service Providers

  • Vercel (web hosting, European servers)
  • Stripe (secure payment processing)
  • Google Analytics or Plausible Analytics (traffic analysis, with consent)
  • Push notification services (Firebase Cloud Messaging)
  • Transactional email services

All our service providers are carefully selected and contractually bound to respect the confidentiality and security of your data in accordance with GDPR.

4.3 Public Authorities

We may be required to communicate your data to competent authorities (police, courts, tax administration) in case of legal requisition or to comply with the law.

4.4 Sharing with Other Users

As part of the service, certain information is shared between employers and employees of the same organization (name, shifts accepted/declined). Employees only see information necessary for proper service operation.

5. Data Transfers Outside the EU

Although our host Vercel is a US company, our European data is stored exclusively on servers located within the European Union (Frankfurt, Germany region for the web platform). Some of our subcontractors (such as Stripe for payments or Firebase for push notifications) may be based in the United States. These transfers are governed by mechanisms compliant with GDPR: European Commission standard contractual clauses and appropriate certifications. You have the right to obtain a copy of the safeguards in place for these transfers by contacting us at hello@shift.express.

6. Data Retention Period

We retain your personal data only for the duration necessary for the purposes for which it was collected:

6.1 Active Account Data

As long as your account is active, we retain all your data to ensure proper service operation.

6.2 After Account Termination

  • Read-only access: 30 days (to allow you to retrieve your data)
  • Permanent deletion of user data: after 30 days
  • Billing data retention: 10 years (legal accounting obligation)
  • Security and connection logs: 1 year maximum

6.3 Marketing Data

If you subscribed to our newsletter, we retain your email until you unsubscribe or 3 years after your last interaction.

6.4 Cookies

Cookies have a maximum lifespan of 13 months, in accordance with data protection authority recommendations.

7. Your Rights Regarding Your Personal Data

In accordance with GDPR and data protection laws, you have the following rights that you can exercise at any time:

7.1 Right of Access

You can request a copy of all personal data we hold about you.

7.2 Right of Rectification

You can correct or update your inaccurate or incomplete data directly from your account settings, or by contacting us.

7.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data, unless we have a legal obligation to retain it (e.g., billing data).

7.4 Right to Restriction of Processing

You can request temporary suspension of processing of your data in certain situations (accuracy dispute, unlawful processing, etc.).

7.5 Right to Data Portability

You can retrieve your data in a structured, commonly used, and machine-readable format (JSON, CSV) to transfer it to another service.

7.6 Right to Object

You can object at any time to processing of your data for marketing purposes. For other purposes, you can object for legitimate reasons.

7.7 Right to Withdraw Consent

When processing is based on your consent (newsletters, analytics cookies), you can withdraw it at any time without affecting the lawfulness of prior processing.

7.8 Post-Mortem Directives

You can define directives regarding the retention, deletion, and communication of your data after your death.

How to Exercise Your Rights?

To exercise your rights, contact us by email at hello@shift.express specifying:

  • Your first and last name
  • Your account email address
  • The right you wish to exercise
  • A proof of identity in case of doubt about your identity

We commit to responding to your request within a maximum of 1 month (extendable by 2 months in case of complexity).

Right to File a Complaint with the Supervisory Authority

If you believe your rights are not being respected, you can file a complaint with your national data protection authority or the French CNIL:

Website: www.cnil.fr

Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07

8. Data Security

The security of your data is our absolute priority. We implement robust technical and organizational measures:

8.1 Technical Measures

  • SSL/TLS encryption for all communications (HTTPS)
  • Encryption of sensitive data in database
  • Secure authentication with password hashing (bcrypt)
  • Protection against common attacks (XSS, CSRF, SQL injection)
  • Firewall and intrusion detection systems
  • Automatic daily encrypted backups
  • Regular system updates and security patches

8.2 Organizational Measures

  • Strict data access control (principle of least privilege)
  • Two-factor authentication (2FA) for administrator accounts
  • Regular security audits and penetration testing
  • Staff training on security best practices
  • Confidentiality clauses in employee and contractor agreements
  • Security incident management procedures

8.3 In Case of Data Breach

In case of a data breach likely to pose a risk to your rights and freedoms, we commit to notifying you within 72 hours of discovering the incident, in accordance with GDPR. We will also notify the supervisory authority within legal deadlines.

9. Minors' Data

Shift Express is intended for professionals and adults (18 years and older). We do not knowingly collect personal data concerning minors under 18 years of age. If you are a parent or legal guardian and discover that your minor child has provided us with personal data, please contact us immediately at hello@shift.express. We will delete such data as soon as possible.

Note: In some countries, minors aged 16 or 17 may legally work. In these cases, parental consent or legal guardian authorization must be obtained before registration on the platform.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience and analyze service usage. For complete information about the cookies we use, their purpose, and how to manage them, please consult our Cookie Policy at shift.express/legal/cookies. You can modify your cookie preferences at any time through your browser settings or via the consent banner displayed during your first visit.

11. Privacy Policy Modifications

We reserve the right to modify this Privacy Policy at any time to reflect changes in our practices, legislation, or services. Any substantial modification will be notified to you by email or via a platform notification at least 30 days before it takes effect. The last update date is indicated at the top of this page. We encourage you to regularly consult this page to stay informed about our data protection practices.

12. Contact and Questions

For any questions regarding this Privacy Policy, exercising your rights, or protecting your personal data, you can contact us:

Email: hello@shift.express

Address: Shift Express, Menton, France

SIREN: 851 776 138

We commit to responding to all your requests within a maximum of 30 days.