DRAFT — pre-launch document pending legal review. This privacy policy is a first draft and is not yet in force.

Shiftstart Privacy Policy

Effective date: [set on legal sign-off] · Last updated: 2 June 2026 (draft; revised for the Privacy and Other Legislation Amendment Act 2024 reforms)

1. Who we are and what this policy covers

Shiftstart is a workforce-management platform for Australian registered clubs and hospitality businesses, operated by [Itinoco Pty Ltd, ABN TBC] (“Shiftstart”, “we”, “us”, “our”).

This policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It applies to personal information we collect through the Shiftstart web application, our websites, and related services (the “Platform”).

Shiftstart operates a multi-tenant platform. For most worker personal information we process, the worker’s employer (the “Client”) decides how that information is used; in those cases the Client is responsible for its own privacy obligations and Shiftstart acts as a service provider (data processor) under a Data Processing Agreement. This policy covers information for which Shiftstart decides the purpose and means — for example account administration, billing, and product analytics.

2. What personal information we collect

Depending on your role (business owner, administrator, manager, or employee), we may collect: identity and contact data (name, work email, phone, role, associated venues); account and authentication data (credentials stored only as salted hashes, session and device information); employment and rostering data (shifts, availability, leave, qualifications, clock-in/out events including the approximate geolocation captured at clock-in); payroll identifiers (only if your employer connects Xero); usage and technical data (pages viewed, features used, approximate location from IP, device type, diagnostics); and your communications with support and notification preferences.

We collect your approximate location only at the moment you clock in, solely to verify on-site attendance for that shift — we do not track your location at any other time.

We do not intentionally collect sensitive information beyond what is necessary to operate rostering and leave features. We do not collect tax file numbers or bank details — payroll identifiers are handled in your employer’s payroll system, not stored by Shiftstart.

3. How we use personal information

We use personal information to create and administer accounts and authenticate users; provide rostering, availability, leave, clock-in, reporting, and onboarding features; send transactional and notification emails and maintain your in-app inbox; detect and investigate clock-in anomalies and protect Platform security; analyse usage to operate, debug, and improve the Platform; bill Clients and manage our customer relationships; and comply with our legal obligations.

We rely on the practical operation of the Platform and our contracts with Clients as the basis for these uses, consistent with APP 3 (collection) and APP 6 (use and disclosure).

4. Disclosure to third parties (sub-processors)

We do not sell personal information. We disclose it to the service providers (“sub-processors”) that help us run the Platform, under contracts requiring them to protect it and use it only on our instructions. See the table below.

Optional integration — Xero: if your employer connects Xero, we disclose the employee identifiers and draft timesheet data needed to import employees and export draft timesheets to your employer’s Xero account. This integration is one-directional and is engaged only when a Client connects it.

Some sub-processors process or store information outside Australia — Resend and Vercel in the United States, and PostHog in the European Union (Germany). Where we disclose information overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs (APP 8), and we remain accountable under the Privacy Act for how that recipient handles it. Our primary data store (Supabase) is hosted in Sydney, Australia. We may also disclose information where required or authorised by law, to protect our legal rights, or in connection with a sale or restructure of our business subject to equivalent privacy protections.

Sub-processorPurposeLocation
SupabaseDatabase, authentication, file storageSydney, Australia (ap-southeast-2)
VercelApplication hosting and content deliveryUnited States (with global edge delivery)
ResendTransactional and notification emailUnited States
PostHogProduct analytics, error tracking, session replayEuropean Union (Frankfurt, Germany); masking configured to reduce captured identifiers

5. Data residency

Our primary database, authentication, and file storage are hosted in the Sydney (ap-southeast-2) region. Certain ancillary services (email delivery, analytics, edge content delivery) may process limited data overseas as described in section 4.

6. Your privacy rights (access and correction)

Consistent with APP 12 (access) and APP 13 (correction), you may request access to the personal information we hold about you, and ask us to correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading.

Much of your information can be viewed and updated directly in the Platform (your profile, availability, notification preferences). For anything you cannot self-serve, contact us using the details in section 10. Where the information is held on behalf of your employer, we may need to refer your request to that employer, who controls that information. We respond to access and correction requests within 30 days and will tell you if we cannot action a request and why.

Dealing with us anonymously (APP 2): where it is lawful and practicable, you may deal with us anonymously or using a pseudonym — for example when making a general privacy enquiry. In practice, most Platform features are tied to your employment and roster, so we usually need to identify you to provide them.

7. Data retention and deletion

We retain personal information only for as long as needed to provide the Platform, meet legal and record-keeping obligations, and resolve disputes. When a Client offboards, their tenant data is disposed of in line with our retention obligations. You may request deletion of information we are not required to retain; some records (such as audit logs and certain employment records) are retained for legally mandated periods and cannot be deleted on request.

8. How we protect personal information

We take reasonable steps to protect personal information, consistent with APP 11 and the technical and organisational measures expected under APP 11.3. Technical measures include multi-tenant isolation enforced at the database level (row-level security); encryption of data in transit (HTTPS/TLS) and at rest; least-privilege access controls and append-only, tamper-evident audit logging of administrative actions; and ongoing monitoring and security review.

Organisational measures include staff privacy and security training and confidentiality obligations, documented data-handling procedures and access governance, and a data breach response plan exercised periodically.

No system is perfectly secure. If a data breach occurs that is likely to result in serious harm, we will respond in line with our Data Breach Response Plan and our obligations under the Notifiable Data Breaches scheme.

9. Automated decision-making

We use limited automated processing to operate the Platform and protect its integrity — most notably server-side heuristics that assess clock-in events (using your clock-in location, the time, and your rostered shift details) and flag unusual ones (for example, a location or time that does not match the shift) for a manager to review. A flag is a prompt for human review, not a determination: a manager makes any operative decision and can disregard the flag at their discretion.

Where this kind of automated processing is used to make, or substantially assist in making, a decision that could reasonably be expected to significantly affect your rights or interests, we disclose the kinds of personal information used (your clock-in location, timestamps, and rostered shift details) and the kinds of decisions involved (attendance and timekeeping review). New transparency obligations for automated decision-making under APP 1 commence on 10 December 2026; we are treating that as a firm deadline and will confirm the scope of these disclosures with legal counsel before then.

10. Contact us / privacy inquiries and complaints

For privacy questions, access or correction requests, or complaints, contact the Privacy Officer, Shiftstart — email [privacy@shifsta.com.au], post [postal address].

We will acknowledge your complaint promptly and aim to respond within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

11. Changes to this policy

We may update this policy from time to time. We will post the updated version at shifsta.com.au/privacy and update the “Last updated” date below. Material changes will be communicated through the Platform or by email where appropriate.