Privacy Policy
Last updated: April 2026
1. Introduction
Sisu Shift ("we", "us", "our") is a healthcare workforce scheduling platform operated in Finland. We are committed to protecting your personal data and complying with the EU General Data Protection Regulation (GDPR) (Regulation 2016/679), the Finnish Data Protection Act (1050/2018), and the Act on the Protection of Privacy in Working Life (759/2004).
This app does not process patient data. Valvira/Kanta regulations do not apply.
2. Data Controller
Sisu Shift operates as the data controller for the personal data collected through this application. Contact: privacy@sisushift.net
We have assessed that appointment of a Data Protection Officer is not mandatory for our current scale of operations. Should this assessment change, we will update this policy and notify users accordingly.
3. Data We Collect
| Category | Examples | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Account information | Name, email address, date of birth | Contract performance (Art. 6(1)(b)) |
| Shift & schedule data | Work schedules, shift times, clock in/out times, break times, team memberships, personal notes, day-off requests | Contract performance (Art. 6(1)(b)) |
| Earnings data | Hourly rate, tax withholding rate, income limit, calculated earnings and premiums | Contract performance (Art. 6(1)(b)) |
| Schedule photos | Photos of paper schedules uploaded for AI-powered OCR scanning. Photos are sent to the processing service, parsed into shift data, and not stored after processing. | Consent (Art. 6(1)(a)) — you choose to use the scan feature |
| Device & usage data | Device type, OS version, app version, crash reports, anonymous feature usage analytics, push notification tokens | Legitimate interests (Art. 6(1)(f)) — service stability and improvement |
| Authentication data | Email/password (hashed), OAuth provider (Google or Apple) tokens. Biometric login preference (Face ID or fingerprint) — biometric data itself is processed exclusively by your device OS and is never transmitted to or stored on our servers. | Contract performance (Art. 6(1)(b)); Consent (Art. 6(1)(a)) for biometric preference |
| Consent records | Timestamp and version of Terms/Privacy Policy accepted at registration | Legal obligation (Art. 6(1)(c)) — GDPR Art. 7(1) requires demonstrable consent |
4. How We Use Your Data
- Providing and maintaining the scheduling service
- Calculating earnings based on Finnish labour law (Working Hours Act 872/2019)
- Enabling team collaboration and shift swap coordination
- Sending push notifications about schedule changes, swap requests, and clock reminders
- Scanning paper schedules using AI to extract shift information
- Improving app performance, stability, and reliability through crash reporting and analytics
- Complying with applicable legal obligations
5. Data Storage, Security, and Retention
Your data is stored on Supabase infrastructure within the European Union. All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Row Level Security ensures users can only access their own data. Personal notes are visible only to the author — not to team members, team leads, or administrators.
Locally on your device, sensitive data (earnings settings, cached shift data) is stored in encrypted storage (MMKV with device-backed encryption key). This data is cleared when you sign out.
Retention: We retain your personal data for as long as your account is active. Upon account deletion, your data is permanently erased within 30 days, except where retention is required by Finnish law (e.g. accounting records under the Finnish Accounting Act). Shift notes are hard-deleted immediately upon user deletion (not soft-deleted).
6. Your GDPR Rights
Under GDPR, you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a structured, machine-readable format
- Restriction — request that we limit processing of your data
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent (e.g. biometric login, schedule scanning), you may withdraw at any time without affecting prior processing
To exercise any of these rights, contact us at privacy@sisushift.net. We will respond within 30 days.
You also have the right to lodge a complaint with the Finnish supervisory authority: Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
7. Sub-processors
We use the following third-party services to process your data on our behalf:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase (EU) | Database, authentication, realtime, file storage | European Union |
| Sentry | Error monitoring and crash reporting | European Union |
| PostHog | Anonymous product analytics (feature usage, screen views) | European Union |
| Google Gemini API | AI-powered OCR schedule scanning (photos processed, not stored) | United States* |
| Expo (EAS) | Push notifications, app builds and updates | United States* |
| Google (OAuth) | Identity provider for "Sign in with Google" | United States* |
| Apple (Sign in with Apple) | Identity provider for "Sign in with Apple" | United States* |
*For US-based sub-processors, data transfers are governed by the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs).
8. Children's Privacy
This app is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@sisushift.net.
9. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes through the app or by email. Your continued use of the app after changes take effect constitutes acceptance of the updated policy.
10. Contact
Data Controller: Sisu Shift
Email: privacy@sisushift.net