Skip to content

Legal

Privacy policy

Last updated: 16 April 2026

Shift It is built by Great Work Everyone, the registered business name of W.D McDonald & C.M Randazzo, an Australian partnership based in Stuart Park, NT, Australia. This policy describes how the app and this website handle your personal information. We are committed to complying with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

Definitions

  • “We”, “us”, “our” — W.D McDonald & C.M Randazzo, trading as Great Work Everyone.
  • “The app” — the Shift It mobile application on iOS and Android.
  • “The website” — the pages at https://shiftit.greatworkeveryone.com and related domains.
  • “Personal data” / “personal information” — any information relating to an identified or identifiable person, as defined under the Australian Privacy Act, GDPR, and CCPA/CPRA.
  • “Processor” — a third party that handles personal data on our behalf under contract (e.g. Sentry, RevenueCat, a weather provider).
  • “On-device” — stored on your phone or tablet only, never transmitted to us or any third party.

Your data stays on your device

Your roster, shifts, pay data, notes, and app settings are stored locally on your device only. There is no user account. There is no central database of your working life. We never see your payslip, your roster, or your employer’s name.

Disclosed exceptions

By default, no personal data leaves your device. The following narrow exceptions apply:

  1. Weather forecasts. When you view the Coming Up screen’s weather panel, your approximate location (derived from device GPS or network) is sent to a third-party weather forecast provider solely to retrieve a forecast. Your location is used only for that request and is not stored, logged, or linked to any identity by us or the provider beyond what is necessary to return the forecast.
  2. Push notifications. If you opt in to push notifications, a device push token is stored on our server. This token is used only to deliver notifications you have requested (e.g. upcoming shift reminders). The token is not linked to your identity, your roster, or any other personal data. You can withdraw consent at any time by disabling notifications in your device settings.
  3. AI roster extraction. If your roster file cannot be parsed by the on-device deterministic importer, you will soon be able to choose to send the file image to an AI extraction service. The image is transmitted over a secure connection to an edge function, processed to extract shift data, returned to your device, and then deleted immediately. It is not stored, logged, or used for any other purpose.
  4. Error telemetry. When the app crashes or hits an unexpected error, a technical report is sent to Sentry (hosted in the European Union) so we can fix it. Reports include the error, a stack trace, the app version, and the device model and OS. We do not attach your IP address, user agent, or any identifier. If the error triggers a session replay, all text and images in the replay are masked before upload. Replays are never recorded passively — only around an error event.
  5. Ad-attribution (iOS). When you install Shift It after tapping a Meta (Facebook or Instagram) ad, Apple’s SKAdNetwork system sends Meta aggregated, privacy-preserving postbacks confirming the install and, where applicable, one or more milestone values (up to three postbacks over the 35 days following install — e.g. “completed setup”, “started trial”). These postbacks are generated by iOS itself, never contain your device identifier or personal data, and are subject to Apple’s privacy threshold. No postbacks are sent on Android.

Shift It does not use Meta’s Conversions API, the Facebook Ads SDK, Google AdMob, Firebase Analytics, or any other third-party advertising or analytics SDK. No user-level event data is forwarded to advertising networks. See Historical data practices below for disclosure of earlier app versions.

Historical data practices (versions prior to 3.0.0)

For transparency: Shift It versions prior to 3.0.0 (released in the v3.0 update) included two third-party SDKs that are no longer present in the current app:

  • Google AdMob — active in the free tier only, used to display banner and interstitial advertisements to non-Pro users. AdMob collected a mobile advertising identifier (where available) and standard ad-serving signals for Google.
  • Facebook Ads SDK — used for install attribution and ad measurement on Meta platforms. The SDK collected device and app event signals per Meta’s standard behaviour at the time.

Both SDKs were removed in version 3.0.0. The current app contains neither. We cannot retroactively delete data that Google or Meta collected while those SDKs were active in prior versions; requests about historical data held by those companies should be directed to them under their respective privacy policies.

In-app purchases

Subscriptions and one-off purchases are processed by Apple (App Store) or Google (Google Play). We never receive, process, or store your payment card details or billing information. We use RevenueCat to manage entitlements (i.e. to know whether your account has Pro access); RevenueCat receives the purchase receipt and a device identifier, nothing more. Refer to Apple’s, Google’s, or RevenueCat’s privacy policies for how they handle payment data.

Roster Buddies

The Roster Buddies feature lets you share shift data with others directly, using your device’s native file-sharing capabilities (e.g. AirDrop, Messages, email). Shared files are sent peer-to-peer — they are not routed through our servers. You control what you share and with whom.

Data retention

We retain the push token for as long as you have notifications enabled; disabling notifications or uninstalling the app removes it. Weather lookups and AI roster extractions are processed in transit and not retained. Roster, shift, pay, and note data lives on your device and is removed when you delete the app.

Security

All network requests (weather, push delivery, AI extraction) are sent over TLS. Because we hold almost no personal data centrally, our attack surface is small by design. No method of transmission over the internet or electronic storage is 100% secure, however, and we cannot guarantee absolute security. We apply commercially reasonable measures to protect the limited data we do hold.

In the unlikely event of a data breach that is likely to result in serious harm, we will notify affected users and, where required, the Office of the Australian Information Commissioner, within the timeframes set by the Notifiable Data Breaches scheme. For EU/UK users, we will notify our supervisory authority within 72 hours as required by GDPR/UK GDPR Article 33.

Disclosure for legal reasons

We may disclose personal information if we believe in good faith that it is necessary to (a) comply with a legal obligation, subpoena, warrant, or court order; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the app or website; (d) protect the personal safety of users or the public; or (e) protect against legal liability. Because we hold almost no personal data centrally, the scope of any such disclosure would be limited accordingly.

Business transfers

If Great Work Everyone is involved in a merger, acquisition, asset sale, or other transaction that transfers ownership of the app or website, any personal information we hold may be transferred to the acquiring entity. We will give affected users reasonable notice before personal information is transferred and becomes subject to a different privacy policy, and will not transfer data to an acquirer whose practices are materially less protective without giving users an opportunity to object or delete their data.

Links to other websites

The app and website contain links to third-party websites and services (for example, Apple’s App Store, Google Play, regulators like the OAIC or ICO, and our processors’ own policies). We do not control those sites and are not responsible for their content or privacy practices. We encourage you to read the privacy policy of each third-party site you visit.

For users in the EU and UK (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the EU General Data Protection Regulation and UK GDPR. Great Work Everyone acts as the data controller for the limited data described above.

Our lawful bases for processing are:

  • Consent (Art. 6(1)(a)) — for push notifications and optional AI roster extraction. You may withdraw consent at any time without affecting prior processing.
  • Legitimate interests (Art. 6(1)(f)) — for the one-off approximate-location lookup used to return a weather forecast you requested.
  • Contract (Art. 6(1)(b)) — where processing is necessary to provide a feature you’ve asked for.

You have the right to access, rectify, erase, restrict, object to, and port your personal data, and to withdraw consent. To exercise any of these, email shiftit@greatworkeveryone.com. You also have the right to lodge a complaint with your local supervisory authority (in the UK, the ICO at ico.org.uk).

Our processors include the weather forecast provider, our push notification service, the AI roster extraction endpoint, Sentry GmbH (error telemetry, hosted in Germany), and RevenueCat (subscription management). Data may be handled outside your country. Where required, transfers rely on appropriate safeguards such as the EU Standard Contractual Clauses. We do not currently meet the thresholds in Article 27 that would require us to appoint an EU or UK representative; if that changes, we will update this policy.

For California residents (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act as amended by the CPRA.

In the past twelve months, we have collected the following categories of personal information: identifiers (a device push token, if you opt in), geolocation data (approximate location, only when you request a weather forecast), and, only if you opt in, images of roster files you choose to send for AI extraction. We collect this information to provide the features you request.

We do not sell or share personal information. We do not disclose personal information to third parties for cross-context behavioral advertising, and we do not use or disclose sensitive personal information for purposes that would trigger the right to limit.

You have the right to know what we’ve collected, to request deletion or correction, and not to be discriminated against for exercising these rights. To make any of these requests, email shiftit@greatworkeveryone.com.

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another US state with a comprehensive consumer privacy law, you may have similar rights of access, deletion, correction, and opt-out of targeted advertising or sale. To exercise any such right, email shiftit@greatworkeveryone.com and we will treat your request under the law of your state of residence.

Children

Shift It is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided personal information through the app, please contact us so we can address it.

Access, correction, and complaints

Because we hold almost no personal data, most data requests can be addressed by managing your device. For the push token and any other data we do hold, you have the right to request access, correction, or deletion. To make a request, email us at shiftit@greatworkeveryone.com. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Website cookies, hosting, and analytics

The website is hosted by Vercel (vercel.com). Vercel retains server access logs (IP address, request path, timestamp, user agent) for security and operational purposes in line with its own data retention policy.

We use Vercel Web Analytics, a privacy-preserving measurement tool built into our hosting platform. It collects aggregate page views, referrers, country (derived from IP and then discarded), device type, browser, and a short-lived rotating session hash. It does not set cookies, does not use cross-site tracking, does not fingerprint devices, and does not collect personal information. We do not run Google Analytics, a Meta Pixel, heatmaps, or any third-party advertising trackers on the website.

The website honours the Global Privacy Control (GPC) signal. Because we do not sell or share information collected through the website, there is effectively nothing for GPC or Do Not Track (DNT) signals to opt out of, but we will not override them either.

Automated decision-making

We do not use personal information for automated decision-making or profiling that produces legal or similarly significant effects on you. The app’s pay calculations run entirely on your device against your own configured award; they are not an automated decision about you made by us.

Changes to this policy

We may update this policy when the app’s data practices change. Material changes will be noted in the app release notes and on this page with an updated date. Continued use of the app after a change constitutes acceptance of the updated policy.

Contact

Privacy questions, access requests, or complaints can be sent to shiftit@greatworkeveryone.com.