This Privacy Policy describes the privacy practices of shiftin, a SaaS (Software as a Service) software application (hereinafter “shiftin”) offered by High-Tech Systems & Software SRL, a limited liability company, operating under Romanian law, with its headquarters in Bucharest, District 1, Bucurestii Noi Boulevard, nr. 25A, registered with the Trade Registry under no J40/4847/2012, having Sole Registration Code 30126940 (hereinafter the “Company”).

The scope of this Privacy Policy is to describe what personal data the Company collects and processes, the scope and legal grounds of such processing.

Additionally, this Privacy Policy details the personal data collected and processed, the scope and legal grounds of such processing by Client with respect to the personal data of Client Representative and Users.

This Privacy Policy is applicable to all who use shiftin, respectively any individuals who provide information / personal data to shiftin or the Company, in relation to shiftin, respectively Client Representatives and Users (hereinafter the “Data subject”) as detailed below. By accessing and using shiftin, Data subjects agree to the processing of their personal data under the terms of this Privacy Policy and the relevant Terms of Service.

“Applicable legislation” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), Law no 190/2018 for the implementation of GDPR, the relevant decisions / guides issued by EDPB for guidance on the interpretation of GDPR provisions and national legislation regarding the processing of personal data of Data subjects, if it does not come in conflict with any provisions of GDPR, and any other applicable legislation considering the place of main office of the Client and nationality of Client Representatives and Users.

“Client”: a legal entity who wishes to benefit from the features of shiftin and concludes an agreement with the Company for this purpose; 

“Client Representative”: representative of the Client with administrative rights in shiftin, who can add, edit and manage data regarding the organization, its divisions, locations, employees, working hours, create and add users etc.

“User(s)”: employee(s) of the Client for whom the Client Representative has created an account on shiftin. Users’ access to shiftin depends on the relationship between the Client and the User and the latter’s role in the organization (director, manager, employee etc.). 

“Personal data” – means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Controller” – means the Company/Client, who alone or jointly with others, determines the purposes and means of the processing of Personal data.

“Processor” – means a natural or legal person, public authority, agency or other body which processes Personal data on behalf of the Controller. The Company is Processor when processing personal data of Data subjects for the Client in order to provide support services as per the Client’s request.

This Privacy Policy and the Terms of Service complement each other. 

The terms written in capital letters, which are not defined in this Privacy Policy, will have the meaning given in the Terms of Service.

Any reference to the singular also includes the plural and vice versa.

A. GENERAL PRINCIPLES

  1. By accessing and using shiftin, Data subjects agree to the processing of their personal data under the terms of this Privacy Policy and the relevant Terms of Service.
  2. If the Data subjects do not agree with this Privacy Policy and the related Terms of Service, they will not be able to access and use shiftin. The Personal data processed is made available voluntarily by the Data subject or by third parties, who have the prior consent of the Data subject. In order to use shiftin, it may be necessary for the Data subject to fill in some Personal data deemed by shiftin as “mandatory”, but the Data subject may voluntarily provide additional Personal data, deemed as “optional”.

B. COLLECTION AND PROCESSING OF PERSONAL DATA BY THE COMPANY

  1. The security of the Personal data is particularly important to the Company and the Company ensures that the collected and processed Personal data is kept secure and is not used for any scope other than those specified in this Privacy Policy, the related Terms of Service and in the Cookie Policy.
  2. The Company processes the Personal Data of the Client’s Representatives, as Controller, for the purpose of entering and performance of the agreement between the Company and Client in order for the latter to benefit from shiftin Services, including maintenance, respectively the Company will process the Personal Data for maintaining the relationship with the Client (correspondence, notifications, service interventions etc.), creation of Client’s Representative account and personalisation. Also, the processing is necessary for the purposes of the legitimate interests (developing shiftin and research, advertising and marketing, statistics) pursued by the Company or by a third party or the Data subject has given consent to the processing of Personal data. The Company’s legitimate interests in processing the Personal data do not override the interests or fundamental rights and freedoms of the Data subject. The interests or fundamental rights and freedoms of the Data subject are not in any way affected by the processing done through shiftin. 
  3. Personal data collected and processed:
    • of Client Representative:
      • name, surname; 
      • date of birth;
      • e-mail address; 
      • password; 
      • quality within the Client;
      • log in and service data regarding the use of shiftin;
  4. Since shiftin can be accessed via browser and mobile devices, using internet connection, one, more or all of the following Personal data may be collected when accessing and using shiftin:
    • IP address;
    • location;
    • type of device used;
    • time and date of access;
    • time spent on shiftin;
    • access and use habits;
    • internet connection speed;
    • sole id number of the used device;
    • encrypted password;
  5. The Personal data mentioned above may be totally / partially disclosed / transferred to third parties in order to achieve the processing scopes. Thus, the Personal data may be shared with one, more or all of the following, on a need to know basis as per the scope:
    • service providers (companies and individuals that provide services on behalf of the Company or help the Company operate shiftin and its business, such as hosting, technical support, analytics, customer support, email and SMS delivery etc.);
    • advisers (this may include lawyers, auditors, bankers, and insurers, if necessary);
    • authorities and others (this may include law enforcement, central or local authorities, supervisory authorities when required by law or to help protect the rights and safety of Data subjects or others);
    • other companies or individuals, in case of assignment of shiftin, business transfer or change of control over the Company.
  6. THE COMPANY DOES NOT HAVE ACCESS TO THE DATA UPLOADED ON SHIFTIN OR OF THE USERS, ANY INTERVENTION FOR SERVICE PURPOSES WILL BE MADE ONLY IF ALLOWED BY CLIENT. For this purpose, the Company will be a data processor and will follow the Client’s instructions, any access to the Personal data uploaded on shiftin will be made as processor, the Company not processing the Personal data for other purposes than providing its support services to Client.
  7. shiftin is hosted by a third-party offering cloud service, acting as a sub-processor for the Company. The T&C and Privacy Policy of the cloud service can be accessed here _______________.
  8. The storage of the Personal data collected and processed by the Company as Controller or as Processor is made on the Company’s servers or on the sub-processor’s servers.

C. COLLECTION AND PROCESSING OF PERSONAL DATA BY THE CLIENT

  1. The Client collects and processes, as Controller, the Personal data of Client Representative and Users for the purpose of complying with a legal obligation to which the Client is subject, for the performance of the agreement(s) concluded with the Data subjects, consent or legitimate interest, as stated in its internal policies.
  2. One, more or all of the following Personal data may be collected, recorded, organised, disclosed, altered, retrieved, consulted, stored and finally erased or destroyed:
    • name; 
    • date of birth;
    • e-mail address; 
    • password; 
    • job description / position within the organization;
    • data regarding working days / working hours / shifts / productivity / duration of agreement with organization;
    • data regarding special needs of Data subject, as a member of the organization; 
    • image, if a photo for the Profile is provided; 
    • log in and service data regarding the use of shiftin;
    • other details uploaded on shiftin.
  3. Since shiftin can be accessed via browser and mobile devices, using internet connection, one, more or all of the following Personal data may be collected when accessing and using shiftin:
    • IP address;
    • location;
    • type of device used;
    • time and date of access;
    • time spent on shiftin;
    • access and use habits;
    • internet connection speed;
    • sole id number of the used device;
    • encrypted password.
  4. The Personal data, together with any other information the Data subject may send to the Client, in relation to shiftin, will be stored on the sub-processors’ servers (_________________).
  5. The personal data is processed by the Client for one, more or all of the following scopes:
    • manage its business and shift planning of User schedule;
    • create and maintain accounts;
    • create and maintain Profiles;
    • add and manage Users and their Data;
    • notify Data subjects about other Data subjects who joined or are using shiftin, about announcements, updates, security alerts, and support and administrative messages, if applicable;
    • reply to the Data subjects’ requests, questions, feedback.
  6. The Personal data may be shared with one, more or all of the following, on a need to know basis as per the scope: 
    • with the Client Representative and other Users of Client – what is visible on their public profile;
    • service providers (companies and individuals that provide services on behalf of the Company/Client or help the Company/Client operate shiftin and its business, such as hosting, technical support, analytics, customer support, email and SMS delivery etc.);
    • advisers (this may include lawyers, auditors, bankers, and insurers, if necessary);
    • authorities and others (this may include law enforcement, central or local authorities, supervisory authorities when required by law or to help protect the rights and safety of Data subjects or others).

D. DATA SUBJECTS’ RIGHTS AND OBLIGATIONS

  1. Data subjects are aware of the general rights they enjoy as data subjects under the Applicable legislation, respectively: the right to be informed; the right of access to the Personal data; the right to rectification; the right to erasure (“the right to be forgotten”); the right to restriction of processing; the right to data portability; the right to object to the processing of Personal data; the right to bring an action before the competent court of law or before a supervisory authority, if available under the provisions of the Applicable legislation.
  2. Data subjects are aware that the aforementioned rights are not absolute rights and accept that there is a possibility that certain Personal data used to achieve the scopes may not be erased (for example, Personal data for which there is an obligation to report to the authorities or for which there is an obligation to store).
  3. Data subjects have the following obligations:
    • to provide true, accurate and complete Personal data, in accordance with shiftin’s forms. If the Personal data provided is not true, accurate and complete or has been modified, Data subjects have the obligation to inform the Controller, via shiftin or by e-mail at _____________ on this matter and to provide the correct Personal data as soon as possible;
    • to update their Personal data, whenever necessary;
    • to refrain from posting obscene, defamatory, threatening or malicious information, reviews and evaluations towards the Controller, its employees / collaborators or towards another Data subject, or any materials or information prohibited by the legislation in force.
  4. In the event that a Data subject is in breach of his/her obligations, the Controller has the right to take all legal measures to ensure the return to the previous situation (erasure of information published by the Data subject, blocking access to shiftin etc.), and holding the Data subject responsible, under penalty of law.

E. TERM OF PROCESSING. ERASURE OF THE PERSONAL DATA

  1. The Personal data will be stored for the necessary period of time in order to achieve the scopes for which it was collected, respectively for the period necessary to provide shiftin, the existence of the account, as well as for a subsequent period of time, necessary for reporting to the competent authorities. The Personal data will be erased when the Client unsubscribes or the Data subject chooses to deregister and delete his/her account (applicable both for Client Representative account and User account). In the event that the national legislation requests that the Controller stores some Personal data, in particular with regard to employment, the Controller will comply with such provisions and the Personal data will be stored for the mentioned period. If the Client is subject to such obligations, the Controller will take reasonable measures to assist the Controller in this matter.
  2. Logging and access history and habits will be stored for a period of ___ days, after which it will be erased.

F. AMENDING THIS PRIVACY POLICY

  1. This Privacy Policy may be amended at any time by the Company as a result of changes in legislation or adjustments to shiftin.
  2. The updated Privacy Policy will be published on shiftin and will take effect from the moment of publication, being thus available to Data subjects.
  3. By continuing to use shiftin, Data subjects agree to the new provisions of the Privacy Policy, indicating that they have read and acknowledged the new Privacy Policy.

If Data subjects do not agree with one or more of the current or future provisions of this Privacy Policy, they will not be able to access and use shiftin.

G. DISCLAIMER

Data subjects fully understand and agree that all the Personal data of Data subjects is provided voluntarily, either by the Client, the Client Representative and/or the User and that the Company takes no liability in the accuracy of the Personal data provided. In the event that the Personal data is provided by the Client or the Client Representative, the Data subject fully understands and agrees to the fact that the Client or the Client Representative has the right to disclose such Personal data to the Company and / or the sub-processors. The Company cannot be held liable for any loss or damage caused to the Data subject, as a result of the processing of Personal data provided by the Client, the Client Representative and/or the User.