Shifo

Last updated: May 20, 2026

Privacy Policy

How Shifo collects, uses, and protects your data.

This Privacy Policy explains how Vortexcode ("we", "us"), operator of Shifo, processes personal data when you use the service. We are the data controller for the account data you provide to us. For data you create inside Shifo (tasks, shifts, time entries, leave requests, contract data, comments, section content), your organization is the data controller and we act as a data processor on its behalf.

1. What data we collect

Account data — name, email address, password (stored as a hashed value), locale preference, avatar (if uploaded), and device information used for push notifications.

Organization data — the organization name, members, roles, sections, tasks, shifts, schedules, time entries, leave requests, leave balances, staff contracts, plus/minus periods, surcharge and break rules, comments, attachments, and related content your team creates in Shifo.

Billing data — if your organization has a paid plan, we store a Stripe customer ID and the last four digits and brand of the payment method. Full card details are handled by Stripe and never reach our servers.

Sensitive HR data — when a staff contract is uploaded, fields such as BSN, IBAN, gross hourly wage, and monthly fixed cost are encrypted at the application level so they cannot be read directly from the database.

Technical data — IP address, browser type, and pages visited, collected via server logs for security and debugging.

Communication data — emails you send to support@shifo.nl and the replies we send back.

2. Why we process this data

  • To operate and secure the Shifo service.
  • To authenticate you and maintain your session.
  • To deliver real-time updates, notifications, and transactional emails (such as invitations and password resets).
  • To process billing and comply with tax obligations.
  • To respond to support requests.
  • To improve the product based on aggregate usage patterns.

We rely on the following legal bases under the GDPR:

  • Contract performance — for account, organization, and billing data.
  • Legitimate interest — for security logs and service improvement.
  • Consent — for optional analytics, where you have accepted cookies.
  • Legal obligation — for tax and accounting records.

3. How long we keep your data

  • Account and organization data — while your account is active, plus up to 30 days after deletion.
  • Billing records — seven years, as required by Dutch tax law.
  • Support emails — up to two years after the last interaction.
  • Server logs — up to 90 days.

4. Who processes your data

We use the following subprocessors to run Shifo. Each is bound by a data processing agreement:

  • Vercel Inc. — frontend hosting and CDN (United States / EU edge).
  • Resend — transactional email delivery (United States).
  • Laravel Forge — server provisioning, deployment, and management (United States; SSH access to our EU server).
  • EU VPS hosting provider — application server, database, and self-hosted Laravel Reverb websocket server (European Union). The specific provider is identified in our Data Processing Agreement and updated on this page when it changes.
  • Stripe — payment processing and subscription billing (United States / European Union).

Transfers to the United States rely on Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable.

5. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Restrict or object to certain processing.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

To exercise any of these rights, email support@shifo.nl. We will respond within one month.

6. Security

We use industry-standard security measures: TLS encryption in transit, hashed passwords, scoped API tokens, and application-level encryption of sensitive HR fields (such as BSN, IBAN, and wage data) so they remain unreadable even with database access. Access to production data is limited to a small number of authorized personnel.

No system is perfectly secure. If we become aware of a data breach that poses a risk to you, we will notify you within 72 hours in accordance with GDPR requirements.

7. Children

Shifo is a business tool and is not directed to children under 16. We do not knowingly collect personal data from children.

8. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice at least 30 days before they take effect.

9. Contact

For privacy questions, contact us at support@shifo.nl.