Legal Document

Privacy Policy

Effective date: 19 June 2026

Last updated: 19 June 2026

ShiftMate is committed to protecting your privacy. We collect only what is necessary to provide the service and never sell your data. This policy explains what we collect, why, and how we protect it.

1. Who We Are

ShiftMate ("we", "us", "our") operates the staff scheduling platform available at tflyx.com. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service.

We act as a data controller in relation to the personal data of our account holders (business managers and owners). In relation to the personal data of your staff members, you act as the data controller and we act as the data processor.

For any privacy-related enquiries, contact us at support@tflyx.com.

2. What Data We Collect

2.1 Account holder data

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored as a one-way cryptographic hash — never readable by us)
  • Google account information if you sign in via Google OAuth (name and email only)
  • Business name and business type
  • Preferred language and currency

2.2 Staff member data (entered by you)

When you add staff to ShiftMate, we collect and store:

  • Staff member name
  • Role or job title (optional)
  • Available working days and shift preferences
  • Maximum shifts per week and minimum rest days
  • Leave dates
  • Avatar colour selected by you

We do not collect staff member email addresses, IC numbers, salary information, health data, or any other sensitive personal information. Staff members do not create accounts with ShiftMate.

2.3 Shift and roster data

  • Weekly shift assignments (which staff member works which shift on which date)
  • Shift preset configurations (name, times, staff required)
  • Roster templates you save
  • Schedule export and copy history

2.4 Payment data

Payment processing is handled entirely by Stripe (card payments) and Billplz (FPX payments). We do not store your card number, bank account details, or any full payment instrument data. We receive and store only:

  • Subscription plan and billing cycle
  • Payment status (paid, failed, cancelled)
  • Subscription ID from Stripe or Billplz
  • Next billing date

2.5 Usage and technical data

  • IP address (for security monitoring only)
  • Browser type and version
  • Pages visited within the Service
  • Error logs (through Sentry error monitoring)
  • Session timestamps

We do not use advertising trackers, third-party analytics beyond error monitoring, or behavioural profiling tools.

3. How We Use Your Data

To provide the Service

  • Creating and managing your account
  • Storing and displaying your roster and staff data
  • Generating auto-scheduled rosters using staff preferences and availability
  • Generating Excel schedule exports and copyable schedule messages for you to share
  • Processing your subscription and billing

To improve the Service

  • Analysing aggregated, anonymised usage patterns to identify areas for improvement
  • Fixing bugs and technical issues identified through error monitoring
  • Developing new features based on how the Service is used

To communicate with you

  • Sending account verification and password reset emails
  • Billing confirmations and renewal reminders
  • Product updates and new feature announcements (you may opt out)
  • Responses to your support enquiries

For security and legal compliance

  • Detecting and preventing fraudulent or unauthorised access
  • Complying with applicable laws and regulations
  • Responding to valid legal requests from authorities

4. Legal Basis for Processing

  • Contract performance: processing necessary to deliver the Service you have subscribed to
  • Legitimate interests: security monitoring, fraud prevention, and Service improvement
  • Legal obligation: compliance with applicable laws including Malaysia's Personal Data Protection Act 2010 (PDPA)
  • Consent: for optional communications such as product newsletters (you may withdraw consent at any time)

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data or your staff's personal data to any third party for commercial purposes.

Service providers

  • Supabase (Ireland/USA) — database hosting, authentication, and file storage
  • Stripe (USA) — card payment processing
  • Billplz (Malaysia) — FPX payment processing
  • Vercel (USA) — application hosting and content delivery
  • Sentry (USA) — error monitoring (anonymised error logs only)
  • Resend (USA) — transactional email delivery

All service providers are contractually required to process data only as instructed by us and to maintain appropriate security measures.

Legal requirements

We may disclose your data if required to do so by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of ShiftMate, our users, or the public.

Business transfers

In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the acquiring entity. We will notify you via email before your data is transferred and becomes subject to a different privacy policy.

6. Data Storage and Security

7.1 Where data is stored

Your data is stored on Supabase infrastructure, which operates data centres primarily in the European Union and the United States. By using the Service, you consent to the transfer of your data to these jurisdictions, which may have different data protection laws than your own country.

7.2 Security measures

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted using AES-256 encryption
  • Database access is controlled by Row Level Security — each business can only access its own data
  • Passwords are hashed using bcrypt and are never stored in readable form
  • API keys and service credentials are stored in environment variables, never in application code
  • Authentication uses short-lived JWT tokens with automatic refresh
  • Webhook endpoints verify request signatures to prevent tampering

7.3 Security limitations

No security system is completely impenetrable. While we take reasonable steps to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by applicable law, without undue delay and within 72 hours where required.

7. Data Retention

  • Account data: retained for as long as your account is active, plus 30 days after deletion
  • Staff data: retained for as long as your account is active, plus 30 days after deletion
  • Shift and roster data: retained for 12 months from creation, then automatically deleted
  • Payment records: retained for 7 years as required by Malaysian financial regulations
  • Error logs: retained for 30 days
  • IP address logs: retained for 90 days for security purposes

You may export your data at any time from Settings > Account > Export my data. The export includes all staff profiles, shift history, and roster templates in JSON format.

8. Your Rights

Right to access

You may request a copy of the personal data we hold about you at any time. We will respond within 14 days. You can also export your own data directly from the app at any time.

Right to rectification

You may correct or update your account information at any time through Settings. You may also update staff data at any time through the Staff page.

Right to erasure

You may request deletion of your account and all associated data from Settings > Account > Delete account. Account deletion is processed within 30 days. Note that payment records required by law are retained for the legally required period even after account deletion.

Right to restrict processing

You may request that we restrict our processing of your data in certain circumstances, for example if you contest the accuracy of the data or object to processing based on legitimate interests.

Right to data portability

You may request your data in a machine-readable format. Use the Export function in Settings to download your data as JSON at any time, or contact us to request a structured export.

Right to object

You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at support@tflyx.com.

How to exercise your rights

To exercise any of these rights, email support@tflyx.com with your request. We will respond within 14 working days. We may ask you to verify your identity before processing your request.

9. Malaysia PDPA Compliance

  • We process personal data only for the specific purpose of providing staff scheduling services
  • We collect only the minimum personal data necessary for that purpose
  • We do not process sensitive personal data (as defined by the PDPA) unless required by law
  • We implement reasonable security measures to protect personal data from unauthorised access, disclosure, alteration, or destruction
  • We retain personal data only for as long as necessary for the purpose of processing
  • We allow data subjects to access and correct their personal data

If you believe we have not complied with Malaysia's PDPA, you may lodge a complaint with the Department of Personal Data Protection Malaysia (JPDP) at pdp.gov.my.

10. Children's Privacy

ShiftMate is a business tool intended for use by adults (18 years and older). We do not knowingly collect personal data from children under the age of 18. If we become aware that we have collected personal data from a child under 18, we will delete it promptly. If you believe we have collected data from a child, please contact us at support@tflyx.com.

11. Cookies and Local Storage

  • Authentication session cookie: stores your login session (essential — cannot be disabled)
  • Language preference: stored in localStorage as 'shiftmate_language' (functional)
  • Currency preference: stored in localStorage as 'shiftmate_currency' (functional)
  • Cookie consent: stored in localStorage as 'shiftmate_cookie_consent' (functional)

We do not use advertising cookies, third-party tracking cookies, or any cookies that profile your behaviour for commercial purposes. Essential and functional cookies are required for the Service to operate correctly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will notify you of material changes via email and an in-app notification at least 14 days before the changes take effect.

The date of the most recent update is shown at the top of this document. We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

13. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

ShiftMate Privacy Team

Email: support@tflyx.com

Support: support@tflyx.com

Website: tflyx.com/privacy

We aim to respond to all privacy-related enquiries within 14 working days.

This Privacy Policy was last updated on 19 June 2026.