Privacy Policy
Last updated 13 Oct 2025
QuickShift ("we", "us", or "our") helps Australian hospitality teams manage staff, shifts, and billing. This Privacy Policy explains how we handle personal information across our mobile apps, web applications, APIs, and marketing site. By using QuickShift you agree to the practices described below.
1. Information we collect
We collect information needed to operate QuickShift and support your organisation. The categories below cover data provided by account owners, restaurant staff, and site visitors.
Information you provide to us
- Account details such as name, email address, mobile phone number, password (managed by Supabase Auth), and MFA preferences.
- Restaurant information including restaurant name, address, contact details, timezone, staffing limits, and billing preferences.
- Staff records such as invited staff names, email addresses, mobile numbers, role assignments, wage settings, visibility preferences, and invitation status.
- Scheduling and payroll data including rostered shifts, positions, start and end times, break allocations, notes, wage overrides, and adjustment requests.
- Support interactions when you contact oscar.lehuu@gmail.com or respond to feedback forms. These may include attachments or contextual details you choose to share.
- Billing selections such as the staff tier you subscribe to and the platform (web or mobile) used to commence checkout.
Information generated or collected automatically
- Authentication and security logs (e.g. request identifiers, timestamps, Supabase Auth events) used to troubleshoot errors and protect accounts.
- Password reset metadata comprising hashed reset tokens, expiry times, originating IP addresses, and user-agent strings to validate legitimate requests.
- Device and usage diagnostics from our applications and APIs capturing limited technical details (such as operating system, app version, and feature usage) required to maintain the service. We do not run third-party behavioural analytics at this time.
- Email delivery telemetry noting when notification emails are sent, deferred, or bounced so we can ensure staff receive time-sensitive updates.
Information we receive from third parties
- Supabase Auth supplies verified user identifiers, email addresses, and metadata after sign-in to enforce role-based access controls.
- Stripe shares subscription identifiers, customer references, invoice URLs, payment status updates, and billing tier metadata. We do not receive or store complete payment card numbers.
- Email and infrastructure providers (AWS SES, SendGrid, or SMTP relays) provide delivery diagnostics tied to recipient email addresses.
2. How we use your information
- Provisioning and authenticating user accounts, and enforcing role-based access for restaurants.
- Creating and managing staff rosters, wage records, invitations, and shift adjustment workflows.
- Tracking subscription tiers, generating checkout sessions, and providing billing statements.
- Sending invitations, roster notifications, and critical service updates by email.
- Providing technical support, investigating incidents, and resolving disputes between restaurant staff and owners.
- Monitoring for fraud or misuse, enforcing platform policies, and safeguarding data integrity.
- Complying with legal obligations, including responding to lawful requests from regulators and law enforcement.
3. Legal bases for processing
We handle personal information under the Australian Privacy Act 1988 (Cth) and equivalent privacy regimes. Depending on the context, we rely on one or more of:
- Performance of a contract (delivering roster management and payroll workflows you request).
- Legitimate interests (securing our services, improving reliability, preventing fraud).
- Consent (sending optional updates or processing staff data when invited by restaurant owners).
- Compliance with law (retaining records or responding to lawful disclosures).
4. When we share information
We never sell personal information. We share data only with trusted service providers or when required by law:
- Supabase (managed Postgres, Auth, storage) stores application data in Australian data centres where available. Supabase staff may access data to help us resolve incidents.
- Stripe processes subscription payments and stores customer billing information. Stripe handles all payment card data; we retain only subscription metadata sent by Stripe.
- Email delivery partners (AWS Simple Email Service, SendGrid, or equivalent SMTP providers) send invitations, shift notifications, and password reset emails.
- Operational partners and advisors such as auditors, legal counsel, or insurers, strictly under confidentiality obligations.
- Regulators or law enforcement when we in good faith believe disclosure is legally required or necessary to protect rights, property, or safety.
5. Data location and security
- Production databases run on Supabase infrastructure hosted in Australia (Sydney) where provisioned; backups may reside in other regions subject to Supabase safeguards.
- All network traffic to our APIs and web apps is encrypted with TLS. Supabase provides encryption at rest for stored data.
- Access to customer data is restricted to authorised team members who require it to support you. Role-based access control and row-level security prevent cross-restaurant data leakage.
- Passwords are managed by Supabase Auth and are never visible to QuickShift personnel. Password reset tokens are hashed and expire after short periods.
6. Data retention
- Account, restaurant, staff, and shift records remain active while your organisation uses QuickShift.
- Invitation statuses, historical shift logs, and adjustment records are retained to provide payroll history and audit trails unless you request deletion or applicable law requires longer storage.
- Password reset tokens are valid for up to 30 minutes and deleted upon use. Security logs are retained for approximately 90 days unless needed for investigations.
- If you cancel your subscription, we will mark your restaurant as archived and delete or anonymise associated personal data within 90 days, except where law or legitimate interests require retention.
7. Restaurants and staff responsibilities
Restaurant owners act as the primary data controllers for their staff. When you add staff to QuickShift, you confirm you have the authority to share their personal information and to send them employment-related communications. We process staff data as your service provider and rely on you to keep records accurate and lawful.
Staff members may contact their employer to update roster or payroll information. We will assist with corrections or deletion requests when authorised by the relevant restaurant or as required by law.
8. Your rights and choices
- Access and update your profile details via the QuickShift app or by contacting us.
- Request deletion of your account or staff membership by emailing oscar.lehuu@gmail.com. Staff should copy their restaurant administrator so we can verify the request.
- Opt out of non-essential communications by using in-email unsubscribe links or updating notification preferences in-app.
- Lodge a privacy complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have mishandled your information. We ask that you contact us first so we can resolve concerns quickly.
9. Cookies and tracking
The QuickShift marketing site uses essential cookies to deliver page content and maintain session security. We do not currently run advertising pixels or behavioural analytics. If this changes we will update this policy and provide appropriate consent controls.
10. Children
QuickShift is designed for workplace use and is not directed at children under 18. If we learn we have collected personal information about a child without appropriate consent we will delete it promptly.
11. Contact us
For privacy questions, access requests, or complaints, contact our team at oscar.lehuu@gmail.com. We aim to respond within five business days (Australia/Sydney).
If you require a postal address for formal correspondence, please email the privacy team so we can provide the appropriate details for your matter.
12. Changes to this policy
We may update this policy to reflect new features, legal requirements, or operational changes. When we do, we will update the "Last updated" date above and, where appropriate, notify account owners through the app or by email. Continued use of QuickShift after an update means you accept the revised policy.
Archived versions are available on request so you can track how our practices evolve.
Need a printable copy? Email oscar.lehuu@gmail.com and we will send you the latest PDF version.