Privacy Policy
SafeShift is scheduling, break-compliance tracking, reminder, and recordkeeping software. This policy explains what data we collect, why, and how we protect it.
Effective date: April 29, 2026 · Last updated: April 29, 2026
1. Who We Are
SafeShift ("we," "us," "our") provides scheduling, break-compliance tracking, reminder, and recordkeeping software ("the Service") to businesses and their teams. We do not provide legal advice.
Questions about this policy: support@breakshield.com · Legal/privacy: legal@breakshield.com
2. Data We Collect
Business Account Data
- Business name, address, and identifying information
- Manager and owner names, email addresses
- Account credentials (passwords are hashed with bcrypt — never stored in plaintext)
- State and industry sector for break-rule configuration
Employee Data (entered by the employer or synced from a POS system)
- First and last name
- Email address (if provided)
- Phone number (if provided — used for SMS reminders with consent)
- Mailing address (if provided)
- Role or position
- POS system employee identifiers (Square/Toast team member IDs)
- Compliance exemption status
Work Record Data
- Shift schedules and assignments
- Clock-in and clock-out times
- Break logs (type, start time, end time, duration)
- Missed break and short break records
- Meal break waiver records (pending, signed, revoked) including typed signature and IP address
- Compliance violation records
Communication Data
- Direct messages between employees and managers via the SafeShift portal
- Broadcast announcements sent by managers to employee groups
- SMS notification logs (type, recipient phone number, delivery status, message body)
- Employee SMS opt-in consent status and timestamp
POS Integration Data (only if you connect Square or Toast)
- OAuth access and refresh tokens (encrypted at rest)
- POS-sourced employee roster data, shift records, and clock events
Billing Data
Payment processing is handled directly by Stripe, Inc. SafeShift does not store full card numbers or CVV codes. We store Stripe customer IDs, subscription status, billing plan, and subscription interval.
To determine your subscription tier, SafeShift tracks the count of compliance-tracked employees per location over each billing cycle. Specifically:
- Monthly plans: we record the peak (highest) compliance-tracked employee count reached during each billing cycle (high-water mark). This count — not individually identified employees — determines tier repricing at cycle end.
- Annual plans: we record the highest compliance-tracked employee count sustained for 3 or more consecutive days at any point during your annual cycle (annual peak tier). This determines the tier applied at your annual renewal.
- These headcount figures are associated with your business account and location, not stored as a personal data profile on any individual employee.
Technical and Usage Data
- IP addresses (recorded at waiver signing for electronic signature validation under the federal E-SIGN Act)
- Session activity for security monitoring
- API request logs for troubleshooting
3. Why We Collect Your Data
We collect and use data solely to provide and improve the Service:
- Scheduling and shift management
- Break reminder scheduling and delivery (SMS or in-app notifications)
- Compliance tracking and violation recordkeeping
- Compliance report and evidence export generation
- Meal break waiver creation, signing, and recordkeeping
- Manager–employee messaging and announcements
- Account management, authentication, and security
- Billing and subscription management
- Fraud prevention and security monitoring
- Compliance with applicable laws
4. Third-Party Services
We share data with third-party service providers only as necessary to operate the Service. We do not sell personal data. We do not share personal data with advertising networks or data brokers.
| Service | Purpose |
|---|---|
| Twilio, Inc. | SMS delivery for break reminders and notifications |
| Stripe, Inc. | Billing and payment processing |
| Square, Inc. | POS integration — labor and roster data (when employer connects Square) |
| Toast, Inc. | POS integration — labor and roster data (when employer connects Toast) |
| Cloudflare, Inc. (R2) | Encrypted cloud file storage |
| Render, Inc. | Cloud hosting and infrastructure |
| Anthropic, PBC (Claude Vision) | AI-powered screenshot import — only when the employer uses this optional feature |
5. Data Security
- All data is transmitted over HTTPS/TLS encryption
- Passwords are stored as bcrypt hashes — never in plaintext
- Manager and employee refresh tokens are rotated on each use and stored as SHA-256 hashes
- Each business's data is logically isolated at the database level (tenant isolation)
- Access controls restrict data to authorized accounts only
- Break logs, violation records, and SMS logs are immutable — designed for audit integrity
- File storage is provided by Cloudflare R2 with encryption at rest
No system is 100% secure. We take reasonable technical and organizational measures to protect your data, but we cannot guarantee absolute security.
6. Data Retention
We retain data for as long as your account is active or as needed to provide the Service. If you close your account or request deletion, we will delete or anonymize your data within 30 days, subject to legal retention requirements.
Compliance records, violation logs, and waiver records may be retained longer if required for legal, regulatory, or evidence-preservation purposes.
7. Your Rights
You may, at any time:
- Request access to the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention requirements)
- Opt out of SMS communications by replying STOP to any SMS message from SafeShift
Employers using SafeShift are responsible for handling employee rights requests related to data they entered. SafeShift will assist employers in honoring such requests as required by law.
To submit a request: support@breakshield.com
8. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information we collect and how it is used
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information (we do not sell personal data)
- Right to non-discrimination for exercising your privacy rights
SafeShift does not sell or share personal information as defined by the CCPA/CPRA. To submit a California-specific request: legal@breakshield.com
9. SMS Consent
SafeShift sends SMS break reminders and notifications on behalf of employers to employees who have provided explicit opt-in consent. No SMS is sent to any employee without prior consent. Employees may opt out at any time by replying STOP to any message. Message and data rates may apply. For help, reply HELP.
Employers are responsible for ensuring that their employees have properly consented before enabling SMS for any employee in the Service.
10. Children's Privacy
SafeShift is intended for use by businesses and adults (18 years of age or older). We do not knowingly collect personal data from individuals under 16. If you believe a minor's data has been submitted, contact us at support@breakshield.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notice or email to account holders. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
12. Contact Us
- General inquiries: support@breakshield.com
- Legal and privacy: legal@breakshield.com
- Mailing address: [TODO — add registered business address]
13. Related Documents
For the full terms governing your use of SafeShift, and our legal disclaimers, see: