Privacy Policy

1. Who we are

ShiftProof is an Australian mobile application for aged care and NDIS workers, participants, and families. ShiftProof is operated from New South Wales, Australia.

This Privacy Policy explains how ShiftProof ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our mobile application and website at shiftproof.au.

We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Contact: support@shiftproof.au

2. What data we collect

Account information

• Full name
• Email address
• Password (stored encrypted — we never see your plain-text password)
• User role (participant, worker, or coordinator)
• Funding type (NDIS or Aged Care)
• NDIS number or client ID (optional — you choose whether to provide this)

Session data

• Session start and end times
• GPS coordinates at session start and end (only captured when you actively start or end a session)
• Participant or client name
• Support type or service category
• Provider or organisation name (optional)
• Session notes you write
• Photos you take during sessions
• Client or participant signatures captured on screen

Invoice data

• Invoice files you upload (PDF or image)
• Invoice numbers, amounts, and dates you enter
• Business name and ABN you enter for invoice generation

Device and usage data

• Device type and operating system version
• App version
• Crash reports and error logs (used to fix bugs)

What we do NOT collect

• We do not collect payment card details (payments are handled by Apple App Store and Google Play)
• We do not access your contacts, calendar, or other apps
• We do not track your location in the background — GPS is only accessed when you tap Start Session or End Session
• We do not collect biometric data

3. How we use your data

We use your data only for the following purposes:

• Providing the service: Storing your sessions, invoices, and evidence records so you can access them
• Authentication: Verifying your identity when you log in
• Shared access: Allowing people you invite to view your records with your explicit permission
• Evidence export: Generating PDF evidence packs from your session data
• Invoice generation: Creating tax invoices from your session and business details
• App improvement: Using crash reports and error logs to fix bugs and improve the app
• Customer support: Responding to your support requests

We do not use your data for advertising. We do not build advertising profiles. We do not sell your data.

4. Data storage and security

Location: All data is stored in Google Cloud infrastructure in the australia-southeast1 region (Sydney, Australia). Your data does not leave Australia.

Encryption: All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption.

Access control: Your data is only accessible to you and people you explicitly invite via the shared access feature. ShiftProof staff do not access your personal session data except where required to resolve a technical issue you have reported.

Authentication: We use Firebase Authentication. Passwords are hashed and salted — we never store or see your plain-text password.

File storage: Photos, signatures, and invoice files are stored in Firebase Storage with user-scoped security rules. Only authenticated users can access their own files.

5. Data sharing

We do not sell, rent, or share your personal data with third parties for commercial purposes.

We share data only in the following limited circumstances:

Service providers

We use the following third-party services to operate ShiftProof. Each is bound by their own privacy policies:

• Google Firebase (authentication, database, file storage) — data stored in Australia
• RevenueCat (subscription management) — receives anonymised subscription status only, not your session data
• Apple App Store / Google Play (payment processing) — handles subscription payments, we never receive your card details

Shared access you control

If you invite a support coordinator, family member, or provider via the Shared Access feature, they will be able to view your session records. You control who you invite and can revoke access at any time.

Legal requirements

We may disclose your information if required by Australian law, court order, or regulatory authority. We will notify you of any such disclosure where legally permitted to do so.

Business transfer

If ShiftProof is sold or merged with another entity, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6. Data retention

We retain your data for as long as your account is active or as needed to provide our services.

If you delete your account, we will permanently delete all your personal data within 30 days, except where we are required by law to retain it for a longer period.

Crash logs and error reports are retained for 90 days and then automatically deleted.

7. Your rights

Under the Australian Privacy Act 1988, you have the right to:

• Access: Request a copy of all personal data we hold about you
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your account and all associated data
• Portability: Request your session data in a machine-readable format (JSON or CSV)
• Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

To exercise any of these rights, email us at support@shiftproof.au. We will respond within 30 days.

8. Children's privacy

ShiftProof is designed for use by adults aged 18 and over. We do not knowingly collect personal information from children under 18.

If you believe a child under 18 has provided us with personal information, please contact us at support@shiftproof.au and we will delete that information promptly.

9. Third-party services

ShiftProof uses the following third-party services. We encourage you to review their privacy policies:

• Google Firebase: firebase.google.com/support/privacy
• RevenueCat: revenuecat.com/privacy
• Apple App Store: apple.com/legal/privacy
• Google Play: policies.google.com/privacy

10. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and by displaying a notice in the app.

The date at the top of this page shows when this policy was last updated. Continued use of ShiftProof after changes to this policy constitutes your acceptance of the updated policy.

11. Contact us

For any privacy questions, data requests, or complaints:

• Email: support@shiftproof.au
• Response time: We aim to respond within 2 business days

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner:

• Website: oaic.gov.au
• Phone: 1300 363 992