Privacy Policy
Information on data processing according to Articles 13, 14 and 21 GDPR
Current version: February 2026
1. Controller
Responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR):
Tobias Halbei
Am Gänswasen 7
91448 Emskirchen
Germany
Contact: [email protected]
2. General Information regarding Data Processing
Hosting
We host our systems with a technical service provider (order processor). Connection data is processed for the purpose of providing and delivering the website. For the sole purpose of delivering the website content, data is transmitted to the server where the website files are hosted. This includes:
- IP address of the requesting device
- Date and time of access
- URL of the retrieved file
- Status codes (e.g. 200 OK)
- Browser type and operating system information
Legal basis: Art. 6(1)(f) GDPR (Legitimate interest in technical stability and security).
External CDNs (Content Delivery Networks)
We use external services (CDNs) to load fonts and scripts quickly and reliably:
- Tailwind CSS (cdn.tailwindcss.com): Stylesheet library.
- HTMX (unpkg.com): JavaScript library for interactivity.
- Google Fonts (fonts.googleapis.com / gstatic.com): Fonts for better readability.
When you access our page, your browser loads these files from the servers of the respective providers. In this context, technical access data (in particular your IP address and browser/device information) is transmitted to these providers. Depending on the provider, processing may also take place in third countries (e.g. the USA). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable operation, performance and a consistent presentation). In individual cases, the use of external services and the associated data transfer may require prior consent. Where consent is required, the legal basis is Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TTDSG.
Payment processing (PayPal)
If payment functions are enabled for your tenant, we use PayPal to process subscription payments. For this purpose, the PayPal JavaScript SDK (paypal.com) is loaded on the subscription/billing page. When you access this page and/or use the payment function, PayPal receives technical access data (e.g. IP address, device and browser information).
Legal basis: Art. 6(1)(b) GDPR (contract / initiation of contract) and, where applicable, Art. 6(1)(f) GDPR (legitimate interest in offering a payment option). The integration of PayPal may involve the use of identifiers / storage on your device by PayPal. If and insofar as prior consent is required for this, the legal basis is Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TTDSG. PayPal processes data under its own responsibility; please also refer to PayPal's privacy policy.
3. User Account & Platform Use
Registration and Login
If you create a user account or receive one from your employer ("Administrator"), we process the following data:
- Master data: Name, email address, password (stored encrypted).
- Employment data: Job title, target hours, role (Administrator/Employee).
- Profile picture: If uploaded by you.
Legal basis:
- For Administrators: Art. 6(1)(b) GDPR (Performance of contract).
- For Employees: Art. 6(1)(b) GDPR or § 26 BDSG (Employment relationship), depending on the contractual arrangement with your employer.
Shift Plan and Availability
Within the application, we process data related to planning:
- Assigned shifts, working times, absences (sickness/vacation).
- Swap requests and communications with other colleagues via the platform.
This data is visible to your employer (Admin) and partly to colleagues (e.g., in the team plan), insofar as this is necessary for the organization of operations according to the company settings.
4. Cookies and Local Storage
This website uses cookies. These are small text files that are stored on your device.
Technically Necessary Cookies (Essential)
- access_token: Login cookie (JWT) to authenticate you and secure protected areas (cookie usually deleted when the browser is closed; token expires after a short time).
- csrf_token: Protection against cross-site request forgery (CSRF). This cookie may be readable by the browser to attach the token to form submissions/requests.
- two_factor_token: Temporary cookie during the 2FA login step (expires after a few minutes).
- ops_access_token: Authentication cookie for the operator/ops portal (path-restricted to /ops).
- ops_two_factor_token: Temporary cookie during the ops 2FA login step (path-restricted to /ops).
- lang: Saves your preferred language setting.
- safeshift_consent: Stores your cookie preference (e.g. essential vs. all) so that the banner does not reappear on every visit.
Legal basis: Art. 6(1)(f) GDPR (Legitimate interest in the functionality of the service) and § 25(2) TTDSG.
5. Email Dispatch
The platform sends emails (e.g., for invitations, notifications about plan changes, or password resets) via an SMTP server properly configured by the platform operator. The content of the emails, the recipient address, and the sending time are processed. There is no tracking of opening rates by SafeShift itself.
6. Your Rights
You have the right to:
- Information about your stored data (Art. 15 GDPR)
- Correction of incorrect data (Art. 16 GDPR)
- Deletion of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
Please contact the responsible entity listed above.