Privacy Policy
2026.04.26 · Effective April 26, 2026 · Aligned with PIPEDA and PHIPA (New Brunswick)1. Who we are
ShiftLock Inc. ("ShiftLock", "we") operates a nurse-staffing platform connecting Canadian-licensed nurses, nurse practitioners, and personal support workers with healthcare facilities. This policy describes what personal information we collect, how we use it, and the choices you have.
2. Personal information we collect
- Account & profile data — name, contact info, role, work eligibility, employment status.
- Credential records — licence numbers (RN/LPN/NP/PSW), expiry dates, registry verification results.
- Shift & timesheet data — shifts worked, hours, premiums, pay events.
- Payment data — Stripe tokens only. Card numbers and full bank numbers are never stored on ShiftLock systems (PCI-DSS scope handled by Stripe).
- Privacy log — every consent grant/withdrawal, data export, deletion request, and access to credential records.
- Marketing & product analytics — non-PHI usage events.
What we do NOT collect
ShiftLock is not a clinical record system. Patient names, conditions, chart notes, or any other Protected Health Information (PHI) under PHIPA must not be uploaded to the platform. Uploads are validated and any detected PHI is rejected.
3. Why we collect it (purpose)
Per PIPEDA, we collect personal information for these documented purposes only: scheduling and dispatch of nursing shifts, payroll and tax remittance, credential verification with provincial registries (ANBLPN, NANB), platform safety and abuse prevention, and — only with consent — product improvement and marketing.
4. Where your data lives (data residency)
Our target backend stores all personal information in AWS Canadian regions (ca-central-1, Montreal). During the migration window (April–June 2026), Firebase Authentication metadata is hosted in the United States; this is being phased out. The current migration status is published live at /admin/data-residency.
5. How long we keep it (retention schedule)
| Category | Retention | Legal basis |
|---|---|---|
| Account & profile data | 7 years | CRA 6-year retention; +1 year buffer |
| Credential & licence records | 10 years | Professional regulatory recordkeeping (ANBLPN/NANB guidance) |
| Shift & timesheet records | 7 years | Employment Standards Act NB + CRA payroll |
| Payment records (tokens only — no PAN) | 7 years | CRA + PCI-DSS scope (handled by Stripe) |
| Privacy & consent log | 10 years | PIPEDA accountability principle |
| Marketing & analytics | 2 years | PIPEDA minimization |
| PHI uploads (DISALLOWED) | Not stored | Out of scope — enforced via Terms of Service + upload validation |
6. Your rights
- Right to access — request a JSON export of everything we hold about you at /account/privacy.
- Right to correction — update your profile or contact our privacy officer for fields you can't edit yourself.
- Right to deletion — request account deletion at /account/privacy. We confirm within 30 days and complete within 60 unless a legal hold applies (payroll, regulatory).
- Right to withdraw consent — at any time for optional uses (marketing, surveys). Required uses end when the account is closed.
- Right to complain — to the Office of the Privacy Commissioner of Canada and, for health information, to the New Brunswick Office of the Access to Information and Privacy Commissioner.
7. Security
- TLS 1.3 in transit, AES-256 at rest.
- Multi-factor authentication available for facility and admin accounts.
- Least-privilege access; every credential view is logged in the privacy log.
- Annual third-party security review — designed to support; first audit scheduled when paying customer threshold is reached.
8. Third parties
We use Stripe (payments — PCI-DSS Level 1), Supabase (database & auth — AWS ca-central-1), and Vercel/Cloudflare (hosting). Each receives only the data needed to perform its function.
9. Contact
Privacy Officer: privacy@shiftlock.ca. We respond within 5 business days.
10. Changes
Material changes will be posted on this page with an updated version number. Active users will be prompted to re-consent on the next sign-in following a material change. Prior versions are archived.