Shyft Privacy Policy
This Privacy Policy explains how Shyft (“Shyft”, “we”, “us”, “our”) collects and uses personal data when you visit shyft.org.uk and any related pages or services we control (the “Site”).
Data Controller:
Shyft Corp Ltd
Company number: 15478029
Registered office: The Atrium, 1 Harefield Road, Uxbridge, Middlesex, UB8 1EX, United Kingdom
Contact email: info@shyft.org.uk
This Privacy Policy applies to our website and any pre-registration, holding, or informational pages. When the Shyft mobile or web application is live, additional in-app privacy information may apply.
Who we Are
Shyft is a digital workforce platform designed to transform how healthcare and care shifts are filled across the UK and beyond. We connect doctors, nurses, allied health professionals, healthcare assistants, NHS trusts, private hospitals, care homes, and staffing agencies through a single, unified platform that simplifies workforce management.
Using intelligent matching and built-in automation, Shyft helps organisations across health and social care ensure the right professional is in the right place at the right time—improving continuity of care, reducing reliance on manual processes, and supporting safer staffing at scale.
What we Collect
We collect and process information that identifies you or makes you identifiable, including:
• Identity Data: Name, title, date of birth, gender, and professional registration (e.g., GMC, NMC).
• Contact Data: Email address, phone number, postal address.
• Employment and Compliance Data: CVs, qualifications, right-to-work documents, training records, occupational health information, and references.
• Financial Data: Bank details and payment history.
• Technical and Device Data: Login credentials, IP address, device ID, browser type, operating system, app usage, and log files.
• Communications Data: Messages, calls, and emails exchanged via the platform.
• Marketing Preferences: Your choices about receiving updates and communications from us.
We collect data directly from you, from partner agencies, and from third-party sources such as public professional registers or references supplied by others.
How We Use Your Data
We use your personal data to:
• Provide, manage, and improve the Shyft platform and associated Services.
• Facilitate job matching between healthcare professionals, agencies, and healthcare providers.
• Verify credentials and maintain compliance with healthcare and employment regulations.
• Manage payments, invoices, and account records.
• Communicate with you about shifts, updates, and support queries.
• Maintain system security, prevent fraud, and troubleshoot issues.
• Meet our legal and regulatory obligations.
• Send service notifications or (if you opt in) marketing updates.
Legal Bases for Processing
We process data only where a lawful basis applies:
Purpose – Lawful Basis
• To provide platform access and job matching – Performance of a contract
• To verify identity and qualifications – Legal obligation / Legitimate interest
• To communicate and provide support – Legitimate interest
• To process payments – Performance of a contract
• To meet record-keeping and audit obligations – Legal obligation
• For marketing (where permitted) – Consent
Sharing Your Information
We share data strictly as necessary with:
• Healthcare providers (NHS Trusts, private hospitals, and care organisations).
• Partner agencies using the Shyft platform.
• Service providers acting on our behalf:
o Amazon Web Services (AWS) – secure cloud hosting.
o Twilio – SMS and communication.
o Bridge – software development and maintenance.
o Microsoft 365 – email and collaboration.
o DocuSign – digital signature tools.
o SendGrid – transactional email delivery.
All third-party processors operate under binding data-processing agreements and may only process data following our instructions.
We will disclose data if legally required (e.g., to law-enforcement or regulators) or to protect our rights, property, or users.
We never sell or rent your information.
International Transfers
Some service providers may process data outside the UK or EEA. Where this occurs, we ensure adequate safeguards—such as ICO-approved Standard Contractual Clauses—are in place to protect your rights.
Data Security
We maintain technical and organisational measures including encryption, access controls, secure hosting, MFA authentication, routine backups, and employee confidentiality training.
Despite these measures, no system is completely secure; if we become aware of a data breach, we will notify you and the ICO where required.
Data Retention
Personal data is retained only for as long as necessary:
Category – Typical Retention Period
• Active user account data – While account remains active
• Compliance & employment records – Up to 6 years after last engagement
• Financial & payment data – 6 years (HMRC requirement)
• Communications logs – Up to 2 years
• Marketing preferences – Until you withdraw consent
After expiry, data is securely deleted or anonymised.
Your Data Protection Rights
You have the right to:
• Access your data (subject access request).
• Rectify incorrect or incomplete information.
• Erase data (“right to be forgotten”) where applicable.
• Restrict processing.
• Object to processing based on legitimate interests.
• Port data to another provider.
• Withdraw consent for marketing.
To exercise these rights, email info@shyft.org.uk. We may verify your identity before acting. Requests are free of charge and processed within one month.
If you believe your rights have been violated, you may complain directly to the Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF | www.ico.org.uk | 0303 123 1113.
Automated Decision-Making
Where automated matching is used to recommend suitable shifts or candidates, decisions are based solely on job criteria such as speciality, location, and availability.
These processes do not produce legal or similarly significant effects. You may request human review of any automated decision by contacting us.
Cookies and Tracking
Our website uses only cookies essential for authentication and functionality.
We do not use analytics, advertising, or behavioural tracking cookies. You can disable cookies in your browser, but certain features may not function properly.
Links to Other Sites
Our Services may contain links to external websites. We are not responsible for their content or privacy practices. Always review the privacy policy of any third-party site before providing personal data.
Data about Children
Our Services are intended for adult healthcare professionals. We do not knowingly collect information from individuals under 18. If you believe a child has provided data, contact us for immediate deletion.
Changes to This Policy
We may update this Privacy Policy periodically to reflect operational or legal changes. The latest version will always appear at shyft.org.uk/privacy-policy with the effective date above. Significant updates will be communicated through the website or app.
Contact us
For any questions or requests regarding this Privacy Policy:
Data Protection Officer
Shyft Corp Ltd
The Atrium, 1 Harefield Road, Uxbridge, Middlesex, UB8 1EX
Email: info@shyft.org.uk
