Shiftloop is operated by SJC Distributions Limited, a company registered in England & Wales (trading address: Winchester, UK). This policy explains what personal data we collect, why, and your rights under the UK GDPR and Data Protection Act 2018.
TL;DR: We only collect what's needed to run the service. We don't sell your data. We don't advertise. You can export or delete everything anytime.
1. Who we are
The data controller is SJC Distributions Limited. For privacy enquiries email privacy@shiftloop.co.uk.
2. What personal data we collect
When you sign up
Your full name
Your work email address
Your phone number (optional)
Your business name
A password (stored hashed — we never see it in plain text)
When you use the service
Tasks, comments, checklists and attachments you create
Names and contact details of staff you add to your workspace
Log data (IP address, browser type, timestamps) for security and debugging
What we do NOT collect
Payment card details — handled by Stripe; they never touch our servers
Location data beyond what's in tasks you create
Any tracking cookies for advertising
3. Why we use your data (lawful basis)
Contract — to provide the service you signed up for
Legitimate interest — fraud prevention, improving the product, responding to support requests
Legal obligation — for tax records and responding to lawful requests from authorities
Consent — for any marketing communications (you can withdraw anytime)
4. Who we share data with
We use a small number of trusted processors to run the service. Each has appropriate contractual safeguards and data processing agreements:
Supabase (database & authentication) — EU region
Netlify (hosting & serverless functions)
Resend (transactional email delivery)
Stripe (payment processing — when you subscribe)
Anthropic (AI-powered features, when you use them)
We do not sell your personal data. We do not share it with advertisers. We will only disclose your data to authorities where legally required.
5. Where your data is stored
Your data is stored in EU datacentres operated by Supabase. Transactional emails pass through Resend's infrastructure. Backups are encrypted and stored off-site.
6. How long we keep your data
Active accounts — for as long as your subscription is active
After cancellation — 30-day grace period (in case you return), then permanently deleted
Backups — retained for up to 90 days for disaster recovery
Billing records — retained for 6 years (HMRC requirement)
7. Your rights under UK GDPR
You have the right to:
Access — get a copy of all data we hold about you (in-app export available)
Rectification — correct inaccurate data
Erasure — delete your account and all personal data (the "right to be forgotten")
Portability — receive your data in a machine-readable format (CSV)
Object — to processing where our basis is legitimate interest
Withdraw consent — for anything based on consent
To exercise any of these, email privacy@shiftloop.co.uk or use the export / delete buttons in your account settings. We'll respond within 30 days.
8. Security
All data encrypted in transit (HTTPS / TLS 1.2+) and at rest
Row-level security in the database — every workspace fully isolated
If we ever suffer a data breach affecting your personal data, we will notify you and the ICO within 72 hours as required by law.
9. Cookies
We use strictly necessary cookies only, to keep you signed in. No analytics cookies, no advertising cookies, no third-party trackers. Nothing requires a cookie banner under UK law.
10. Children
Shiftloop is a B2B product. We do not knowingly collect data from anyone under 16.
11. Changes to this policy
If we make material changes we'll email all account holders at least 14 days before they take effect. Minor changes (typos, clarifications) will be reflected here with an updated date.
12. Complaints
If you're unhappy with how we handle your data, email us first at privacy@shiftloop.co.uk. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.