1. Who We Are
ShiftMate ("we", "us", "our") operates the staff scheduling platform available at tflyx.com. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service.
We act as a data controller in relation to the personal data of our account holders (business managers and owners). In relation to the personal data of your staff members, you act as the data controller and we act as the data processor.
For any privacy-related enquiries, contact us at support@tflyx.com.
2. What Data We Collect
2.1 Account holder data
When you create an account, we collect:
- Full name
- Email address
- Password (stored as a one-way cryptographic hash — never readable by us)
- Google account information if you sign in via Google OAuth (name and email only)
- Business name and business type
- Preferred language and currency
2.2 Staff member data (entered by you)
When you add staff to ShiftMate, we collect and store:
- Staff member name
- Role or job title (optional)
- Available working days and shift preferences
- Maximum shifts per week and minimum rest days
- Leave dates
- Avatar colour selected by you
We do not collect staff member email addresses, IC numbers, salary information, health data, or any other sensitive personal information. Staff members do not create accounts with ShiftMate.
2.3 Shift and roster data
- Weekly shift assignments (which staff member works which shift on which date)
- Shift preset configurations (name, times, staff required)
- Roster templates you save
- Schedule export and copy history
2.4 Payment data
Payment processing is handled entirely by Stripe (card payments) and Billplz (FPX payments). We do not store your card number, bank account details, or any full payment instrument data. We receive and store only:
- Subscription plan and billing cycle
- Payment status (paid, failed, cancelled)
- Subscription ID from Stripe or Billplz
- Next billing date
2.5 Usage and technical data
- IP address (for security monitoring only)
- Browser type and version
- Pages visited within the Service
- Error logs (through Sentry error monitoring)
- Session timestamps
We do not use advertising trackers, third-party analytics beyond error monitoring, or behavioural profiling tools.
3. How We Use Your Data
To provide the Service
- Creating and managing your account
- Storing and displaying your roster and staff data
- Generating auto-scheduled rosters using staff preferences and availability
- Generating Excel schedule exports and copyable schedule messages for you to share
- Processing your subscription and billing
To improve the Service
- Analysing aggregated, anonymised usage patterns to identify areas for improvement
- Fixing bugs and technical issues identified through error monitoring
- Developing new features based on how the Service is used
To communicate with you
- Sending account verification and password reset emails
- Billing confirmations and renewal reminders
- Product updates and new feature announcements (you may opt out)
- Responses to your support enquiries
For security and legal compliance
- Detecting and preventing fraudulent or unauthorised access
- Complying with applicable laws and regulations
- Responding to valid legal requests from authorities
4. Legal Basis for Processing
- Contract performance: processing necessary to deliver the Service you have subscribed to
- Legitimate interests: security monitoring, fraud prevention, and Service improvement
- Legal obligation: compliance with applicable laws including Malaysia's Personal Data Protection Act 2010 (PDPA)
- Consent: for optional communications such as product newsletters (you may withdraw consent at any time)
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data or your staff's personal data to any third party for commercial purposes.
Service providers
- Supabase (Ireland/USA) — database hosting, authentication, and file storage
- Stripe (USA) — card payment processing
- Billplz (Malaysia) — FPX payment processing
- Vercel (USA) — application hosting and content delivery
- Sentry (USA) — error monitoring (anonymised error logs only)
- Resend (USA) — transactional email delivery
All service providers are contractually required to process data only as instructed by us and to maintain appropriate security measures.
Legal requirements
We may disclose your data if required to do so by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of ShiftMate, our users, or the public.
Business transfers
In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the acquiring entity. We will notify you via email before your data is transferred and becomes subject to a different privacy policy.
6. Data Storage and Security
7.1 Where data is stored
Your data is stored on Supabase infrastructure, which operates data centres primarily in the European Union and the United States. By using the Service, you consent to the transfer of your data to these jurisdictions, which may have different data protection laws than your own country.
7.2 Security measures
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted using AES-256 encryption
- Database access is controlled by Row Level Security — each business can only access its own data
- Passwords are hashed using bcrypt and are never stored in readable form
- API keys and service credentials are stored in environment variables, never in application code
- Authentication uses short-lived JWT tokens with automatic refresh
- Webhook endpoints verify request signatures to prevent tampering
7.3 Security limitations
No security system is completely impenetrable. While we take reasonable steps to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by applicable law, without undue delay and within 72 hours where required.
7. Data Retention
- Account data: retained for as long as your account is active, plus 30 days after deletion
- Staff data: retained for as long as your account is active, plus 30 days after deletion
- Shift and roster data: retained for 12 months from creation, then automatically deleted
- Payment records: retained for 7 years as required by Malaysian financial regulations
- Error logs: retained for 30 days
- IP address logs: retained for 90 days for security purposes
You may export your data at any time from Settings > Account > Export my data. The export includes all staff profiles, shift history, and roster templates in JSON format.
8. Your Rights
Right to access
You may request a copy of the personal data we hold about you at any time. We will respond within 14 days. You can also export your own data directly from the app at any time.
Right to rectification
You may correct or update your account information at any time through Settings. You may also update staff data at any time through the Staff page.
Right to erasure
You may request deletion of your account and all associated data from Settings > Account > Delete account. Account deletion is processed within 30 days. Note that payment records required by law are retained for the legally required period even after account deletion.
Right to restrict processing
You may request that we restrict our processing of your data in certain circumstances, for example if you contest the accuracy of the data or object to processing based on legitimate interests.
Right to data portability
You may request your data in a machine-readable format. Use the Export function in Settings to download your data as JSON at any time, or contact us to request a structured export.
Right to object
You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at support@tflyx.com.
How to exercise your rights
To exercise any of these rights, email support@tflyx.com with your request. We will respond within 14 working days. We may ask you to verify your identity before processing your request.
9. Malaysia PDPA Compliance
- We process personal data only for the specific purpose of providing staff scheduling services
- We collect only the minimum personal data necessary for that purpose
- We do not process sensitive personal data (as defined by the PDPA) unless required by law
- We implement reasonable security measures to protect personal data from unauthorised access, disclosure, alteration, or destruction
- We retain personal data only for as long as necessary for the purpose of processing
- We allow data subjects to access and correct their personal data
If you believe we have not complied with Malaysia's PDPA, you may lodge a complaint with the Department of Personal Data Protection Malaysia (JPDP) at pdp.gov.my.
10. Children's Privacy
ShiftMate is a business tool intended for use by adults (18 years and older). We do not knowingly collect personal data from children under the age of 18. If we become aware that we have collected personal data from a child under 18, we will delete it promptly. If you believe we have collected data from a child, please contact us at support@tflyx.com.
11. Cookies and Local Storage
- Authentication session cookie: stores your login session (essential — cannot be disabled)
- Language preference: stored in localStorage as 'shiftmate_language' (functional)
- Currency preference: stored in localStorage as 'shiftmate_currency' (functional)
- Cookie consent: stored in localStorage as 'shiftmate_cookie_consent' (functional)
We do not use advertising cookies, third-party tracking cookies, or any cookies that profile your behaviour for commercial purposes. Essential and functional cookies are required for the Service to operate correctly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will notify you of material changes via email and an in-app notification at least 14 days before the changes take effect.
The date of the most recent update is shown at the top of this document. We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
13. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all privacy-related enquiries within 14 working days.
This Privacy Policy was last updated on 19 June 2026.