Shyft Privacy Policy
This Privacy Policy explains how Shyft Corp Ltd (“Shyft,” “we,” “our,” or “us”) collects,uses, discloses, and protects personal data when you use our website (shyft.org.uk),our mobile applications, and any related online portals or services (together, the “Services”). We respect your privacy and are committed to safeguarding your personal information in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we Are
Shyft is a digital platform built to transform how healthcare shifts are filled across the UK and beyond. We bring together doctors, nurses, NHS trusts, private hospitals, and agencies in one seamless platform that improves every part of the staffing process. With built-in automation and smart matching, Shyft helps make sure the right professional is in the right place at the right time.
What we Collect
We collect and process information that identifies you or makes you identifiable,
including:
• Identity Data: Name, title, date of birth, gender, and professional registration
(e.g., GMC, NMC).
• Contact Data: Email address, phone number, postal address.
• Employment and Compliance Data: CVs, qualifications, right-to-work
documents, training records, occupational health information, and references.
• Financial Data: Bank details and payment history.
• Technical and Device Data: Login credentials, IP address, device ID, browser
type, operating system, app usage, and log files.
• Communications Data: Messages, calls, and emails exchanged via the
platform.
• Marketing Preferences: Your choices about receiving updates and communications from us.
We collect data directly from you, from partner agencies, and from third-party sources such as public professional registers or references supplied by others.
How We Use Your Data
We use your personal data to:
Provide, manage, and improve the Shyft platform and associated Services.
Facilitate job matching between healthcare professionals, agencies, and
healthcare providers.Verify credentials and maintain compliance with healthcare and employment
regulations.Manage payments, invoices, and account records.
Communicate with you about shifts, updates, and support queries.
Maintain system security, prevent fraud, and troubleshoot issues.
Meet our legal and regulatory obligations.
Send service notifications or (if you opt in) marketing updates.
Legal Bases for Processing
We process data only where a lawful basis applies:
Purpose
To provide platform access and job matching
To verify identity and qualifications
To communicate and provide support
To process payments
To meet record-keeping and audit obligations
For marketing (where permitted)
Lawful Basis
Performance of a contract
Legal obligation / Legitimate interest
Legitimate interest
Performance of a contract
Legal obligation
Consent
Sharing Your Information
We share data strictly as necessary with:
• Healthcare providers (NHS Trusts, private hospitals, and care organisations).
• Partner agencies using the Shyft platform.
• Service providers acting on our behalf:
o Amazon Web Services (AWS) – secure cloud hosting.
o Twilio – SMS and communication.
o Bridge – software development and maintenance.
o Microsoft 365 – email and collaboration.
o DocuSign – digital signature tools.
o SendGrid – transactional email delivery.
All third-party processors operate under binding data-processing agreements and mayonly process data following our instructions.
We will disclose data if legally required (e.g., to law-enforcement or regulators) or to protect our rights, property, or users.
We never sell or rent your information.
International Transfers
Some service providers may process data outside the UK or EEA. Where this occurs, we ensure adequate safeguards—such as ICO-approved Standard Contractual Clauses—are in place to protect your rights.
Data Security
We maintain technical and organisational measures including encryption, access controls, secure hosting, MFA authentication, routine backups, and employee confidentiality training.
Despite these measures, no system is completely secure; if we become aware of a data breach, we will notify you and the ICO where required.
Data Retention
Personal data is retained only for as long as necessary:
Category
Active user account data
Compliance & employment records
Financial & payment data 6 years (HMRC requirement)
Communications logs
Marketing preferences
Typical Retention Period
While account remains active
Up to 6 years after last engagement
Up to 2 years
Until you withdraw consent
After expiry, data is securely deleted or anonymised.
Your Data Protection Rights
You have the right to:
• Access your data (subject access request).
• Rectify incorrect or incomplete information.
• Erase data (“right to be forgotten”) where applicable.
• Restrict processing.
• Object to processing based on legitimate interests.
• Port data to another provider.
• Withdraw consent for marketing.
To exercise these rights, email info@shyft.org.uk. We may verify your identity before acting. Requests are free of charge and processed within one month.
If you believe your rights have been violated, you may complain directly to the Information Commissioner’s Office (ICO): Wyclile House, Water Lane, Wilmslow, Cheshire SK9 5AF | www.ico.org.uk | 0303 123 1113.
Automated Decision-Making
Where automated matching is used to recommend suitable shifts or candidates, decisions are based solely on job criteria such as speciality, location, and availability.
These processes do not produce legal or similarly significant elects. You may request human review of any automated decision by contacting us.
Cookies and Tracking
Our website uses only cookies essential for authentication and functionality.
We do not use analytics, advertising, or behavioural tracking cookies. You can disable cookies in your browser, but certain features may not function properly.
Links to Other Sites
Our Services may contain links to external websites. We are not responsible for their content or privacy practices. Always review the privacy policy of any third-party site before providing personal data.
Data about Children
Our Services are intended for adult healthcare professionals. We do not knowingly collect information from individuals under 18. If you believe a child has provided data, contact us for immediate deletion.
Changes to This Policy
We may update this Privacy Policy periodically to reflect operational or legal changes. The latest version will always appear at shyft.org.uk/privacy-policy with the elective date above. Significant updates will be communicated through the website or app.
Contact us
For any questions or requests regarding this Privacy Policy:
Data Protection Officer
Shyft Corp Ltd
The Atrium, 1 Harefield Road, Uxbridge, Middlesex, UB8 1EX
Email: info@shyft.org.uk
