Note on the authoritative language version. This English translation is provided to aid understanding only. The German version of this privacy notice prevails. In the event of any discrepancy or question of interpretation, the German version shall be decisive.
Privacy Notice
Information on the processing of personal data pursuant to Art. 13 and 14 GDPR (DSGVO).
1. Controller
The controller (Verantwortlicher, Art. 4 no. 7 GDPR) for the data processing on shiftdesk.app and within the Shiftdesk service is:
Valerie Koch
Shiftdesk (sole proprietorship / Einzelunternehmen)
Herforder Str. 176
33609 Bielefeld
Deutschland
Email: support@shiftdesk.app
Note on the allocation of roles: For data that customers (employers) enter into Shiftdesk about their employees, the customer is the controller (Verantwortlicher); Shiftdesk acts as processor (Auftragsverarbeiter). For details, see Section 5.
2. Data Protection Coordination
Based on our current assessment, there is no obligation to appoint a data protection officer (Datenschutzbeauftragter) pursuant to § 38 BDSG or Art. 37 GDPR. We review this regularly, in particular with regard to the scope and nature of the employee data processed. Please direct questions about data protection directly to the controller at support@shiftdesk.app.
3. Your Rights as a Data Subject
You have the following rights vis-à-vis us with regard to the personal data concerning you:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR), unless statutory retention obligations conflict with it
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent given, with effect for the future (Art. 7(3) GDPR)
You also have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data by us (Art. 77 GDPR). The competent authority is the supervisory authority of the federal state (Bundesland) in which the controller is established — Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, https://www.ldi.nrw.de — or any other supervisory authority within the EU.
Important notice for the employees of our customers: Your personal data is processed in Shiftdesk on behalf of your employer. Your employer, as the controller (Verantwortlicher), is responsible for handling the exercise of your data subject rights. We support your employer in fulfilling these rights.
4. Data Processing on the Website (shiftdesk.app)
4.1 Server Log Files
When the website is accessed, information is automatically transmitted to the server of our hosting service provider and temporarily stored in so-called server log files:
- IP address (truncated, where technically possible)
- Date and time of access
- URL accessed
- Referrer URL (previously visited page)
- User agent (browser/operating system)
- HTTP status code
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring trouble-free operation and in defending against attacks (integrity and availability).
Retention period: 14 days; longer storage only where there are concrete indications of security-relevant events.
4.2 Cookies and Local Storage (technically necessary)
On shiftdesk.app we use technically necessary cookies and local storage entries that are required for the operation of the website and the login. These include in particular session cookies from Supabase Auth (sb-access-token, sb-refresh-token), CSRF tokens, your language setting (shiftdesk_locale), the storage location of your cookie decision itself (shiftdesk_consent_v1) and — only after your active click on a partner referral link — the referral cookie sd_ref (details in section 4.5.2).
Legal basis: § 25(2) no. 2 TDDDG (strictly technically necessary) in conjunction with Art. 6(1)(f) GDPR. No consent is required for this.
4.2a Reach Measurement with Vercel Web Analytics (consent-based)
On shiftdesk.app we use the service Vercel Web Analytics provided by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA) to collect anonymized usage statistics. The purpose is reach measurement and performance monitoring of our pages, in order to improve content and technical stability.
According to the provider, no cross-site cookies are set in the process and no IP addresses are stored permanently. Anonymized page views, referrers, coarse geolocation (country), device type and browser class are recorded. According to Vercel's documentation, re-identification of individual persons is not intended.
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG. The collection takes place only if you have expressly activated the „Statistics“ category in the cookie banner. Without consent, the corresponding script is not loaded.
Retention period at the provider: according to Vercel, up to 30 days at the individual-event level, and aggregated only thereafter.
Withdrawal: You can withdraw your consent at any time — via the link „Cookie settings“ in the page footer or by deleting the entry shiftdesk_consent_v1 in your browser storage. After withdrawal, the analytics script is no longer loaded.
Third-country transfer: Vercel Inc. is certified under the EU-US Data Privacy Framework (see section 7).
Proof of consent (Art. 7(1) GDPR): We log your cookie decision server-side in an internal table (consent_log) with the fields consent ID (random value), banner version, version of this privacy notice, the category selection made, source (banner, settings or withdrawal) and timestamp. IP address and user agent are expressly not stored in the process. If you are logged into your Shiftdesk account when making the decision, we additionally store the account and organization reference so that we can implement your decision on an account-related basis — in particular for the server-side conversion events (see section 4.2b). Retention period: three years (limitation period for data-protection claims).
4.2b Reach Measurement with Google Analytics 4 (consent-based)
In addition to Vercel Web Analytics, on shiftdesk.app we use the service Google Analytics 4 provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) to collect aggregated reach and usage patterns (measurement ID G-DH96XEBTSL). The parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics sets cookies (typically _ga and _ga_<Container-ID>) and transmits event data (page views, clicks, time on page, coarse geolocation at city/country level, device category) to Google servers. According to the provider, Google Analytics 4 does not store IP addresses; the IP address used during collection is used exclusively for coarse geolocation and is subsequently discarded. In addition, we have activated the following privacy-friendly settings: no sharing of advertising data (ads_data_redaction: true), no URL parameter passthrough (url_passthrough: false), Google Signals deactivated, as well as a retention period limited to 14 months.
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG. The gtag.js script is loaded only if you have expressly activated the „Statistics“ category in the cookie banner. Without consent, neither a script load nor a cookie being set takes place in your browser.
Server-side conversion events (Measurement Protocol): Certain payment-related events (purchase completion, trial start, trial conversion) do not technically arise in your browser but rather in the payment process on our servers. We transmit these events server-side via the Google Analytics Measurement Protocol to Google — exclusively where the account holder of the organization has activated the „Statistics“ category in the cookie banner. Only a pseudonymous identifier of the organization (random UUID), the event type, the selected plan and the revenue value are transmitted in the process — no names, email addresses, IP addresses or payment data; use for personalized advertising is deactivated (non_personalized_ads). Since your terminal device is not accessed in the process, § 25 TDDDG does not apply. Legal basis: Art. 6(1)(a) GDPR (consent). The withdrawal via the „Cookie settings“ in the page footer also applies to this server-side transmission: after withdrawal, no further events are sent.
Retention period at the provider: Event-related user data is automatically deleted after a maximum of 14 months in accordance with our account settings; aggregated reports may be retained longer.
Withdrawal: You can withdraw your consent at any time — via the link „Cookie settings“ in the page footer or by deleting the entry shiftdesk_consent_v1 in your browser storage. After withdrawal, the Google Analytics script is no longer loaded. Cookies already set (_ga, _ga_*) can be deleted in your browser settings.
Third-country transfer: Google LLC (USA) is certified under the EU-US Data Privacy Framework; Google Ireland Limited is the controller (Verantwortlicher) within the meaning of the EU GDPR (see section 7).
4.3 Contacting Us
If you contact us by email, we process the information you provide (at minimum: email address, message text; optionally: name, telephone, company) in order to handle your request.
Legal basis: Art. 6(1)(b) GDPR (initiation of a contract) or Art. 6(1)(f) GDPR (legitimate interest in answering general inquiries).
Retention period: until the matter is concluded; beyond that only insofar as commercial- or tax-law retention obligations (6–8 years under the German Commercial Code (HGB) / Fiscal Code (AO) in the version applicable since 2025) exist.
4.4 Newsletter Dispatch (Brevo / Sendinblue)
On our website — in particular on the lead-magnet page /vorlagen/dienstplan — we offer the option to subscribe to a free newsletter that delivers shift-schedule templates and accompanying tips by email. For the dispatch we use the service provider Brevo (Sendinblue SAS), 7 rue de Madrid, 75008 Paris, France.
Data processed: email address, optionally first name, time of subscription, source of the subscription (LEAD_SOURCE), status of the double opt-in.
Double opt-in procedure: We use a two-stage subscription procedure. After submitting the subscription form, you receive a confirmation email with a one-time confirmation link. Only when you click this link do we add you to the distribution list and start the welcome sequence. Without confirmation, the entry is not processed further.
Legal basis: Art. 6(1)(a) GDPR (consent), given by actively checking the consent checkbox in the subscription form and confirming via double opt-in.
Withdrawal: You can withdraw your consent at any time with effect for the future. Every newsletter email contains an unsubscribe link. After unsubscribing, your entry at Brevo is deleted. The lawfulness of the processing carried out up to the withdrawal remains unaffected.
Retention period: until the withdrawal of consent. For confirmed subscriptions, we log the time and IP address of the confirmation as proof of consent pursuant to Art. 7(1) GDPR.
Server location: Brevo processes the data exclusively within the European Union (Paris, France). A data processing agreement / DPA (Auftragsverarbeitungsvertrag / AVV, Art. 28 GDPR) exists with Brevo (included as an appendix to the Brevo Terms of Use).
Further information on data protection at Brevo can be found at brevo.com/de/legal/privacypolicy.
4.5 Partner Program (Affiliate)
Shiftdesk operates a partner program through which referral partners can recommend customers (Partner terms). In this context, the following processing operations take place.
4.5.1 Partner Application
For an application via shiftdesk.app/partnerprogramm we process: first and last name, optionally company/brand, email address, optionally website, partner category, optionally information on target audience, reach and planned promotion, as well as an optional message. In addition, we log the time of acceptance of the partner terms and of acknowledgment of these data protection notices.
Purpose: Review of the application and decision on admission to the partner program. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures). Retention period: In the event of rejection, the application data is deleted six (6) months after the decision; in the event of acceptance, it is transferred into the partner account and stored for the duration of the partner contract.
4.5.2 Referral Tracking (referral cookie)
If you click on a partner's referral link, we set a first-party cookie (sd_ref) that contains the referring partner and the time of the click (cryptographically signed, httpOnly, standard lifetime 60 days; the specific attribution window may vary by partner). The cookie serves exclusively to attribute the referral to the partner for their commission accounting upon a later registration. There is no profiling, no cross-site tracking and no disclosure to advertising networks.
Legal basis: § 25(2) no. 2 TDDDG (strictly necessary), since the cookie is set exclusively by your active click on a referral link and serves solely to account for the referral channel you have chosen; for the processing otherwise, Art. 6(1)(f) GDPR (legitimate interest in the contractually agreed remuneration of our partners). You can delete the cookie in your browser settings at any time.
Click statistics: When a referral link is clicked, we store — for the purposes of abuse detection and reach counting — a daily-rotating, non-reversible hash value (formed from IP address, browser identifier and the day's date), the page accessed and any campaign parameters. The IP address and browser identifier themselves are not stored; linkage across several days is precluded by the daily rotation. Click records are automatically deleted after 90 days.
Notice for referred customers: The referring partner receives a commission. Your identity is not disclosed to the partner — referred customers appear in the partner dashboard exclusively in pseudonymized form (e.g. „Customer #a1b2c3d4“) with status and commission information, without name, company or contact details.
4.5.3 Partner Contract, Tax and Payout Data
From activated partners we process, for the performance of the partner contract: legal name, address, legal form, VAT status, tax number or VAT identification number, bank details (IBAN, account holder) as well as the commission data (referrals concluded, credit notes, payouts).
Legal basis: Art. 6(1)(b) GDPR (performance of the contract) as well as Art. 6(1)(c) GDPR (tax and commercial law obligations, in particular § 14 UStG for commission credit notes). Retention period: for the duration of the partner contract; commission credit notes and associated accounting data, as accounting vouchers, for 8 years (§ 147(3) AO, § 257(4) HGB in the version applicable since 2025).
5. Data Processing within the Application (Shiftdesk Service)
5.1 Delineation Controller / Processor
For personal data that our customers (employers) enter into Shiftdesk about themselves, their employees or third parties, the customer is the controller (Verantwortlicher, Art. 4 no. 7 GDPR). We process this data exclusively on a bound-by-instructions basis within the framework of a data processing agreement / DPA (Auftragsverarbeitungsvertrag / AVV, Art. 28 GDPR).
The following section describes the processing operations for which we are either ourselves the controller (e.g. account registration of the customer) or which we carry out on behalf of our customers.
5.2 Registration and Login
A user account is required to use Shiftdesk. During registration we process:
- Email address
- Password (exclusively as a cryptographic hash)
- First and last name
- Organization name
- Time of registration, last login
- Where applicable, MFA factors (e.g. TOTP secret)
Purpose: Provision of the user account, authentication, protection against unauthorized access.
Proof of conclusion of contract: During registration, we log the active acceptance of the General Terms and Conditions (AGB) and of the data processing agreement, with the time, the respective document versions and the IP address at the time of acceptance (preservation of evidence for the conclusion of the contract).
Legal basis: Art. 6(1)(b) GDPR (performance of the contract) as well as Art. 6(1)(f) GDPR (IT security, in particular MFA; preservation of evidence of the conclusion of the contract).
Retention period: for the duration of the contractual relationship and subsequently for the duration of the statutory retention periods (invoices and accounting vouchers: 8 years pursuant to § 147(3) AO, § 257(4) HGB in the version applicable since 2025). Authentication logs: 90 days.
5.3 Personnel Master Data (on behalf of the customer)
On behalf of the customer, we process the following categories of personal data of the customer's employees as well as — insofar as the customer maintains them in the service — of applicants and freelancers:
- Master data: name, address, date of birth, contact details
- Employment data: contract type, working time, hourly wage, qualifications, roles
- Bank details (optional, custom field)
- Tax characteristics (optional, custom field)
- Special categories under Art. 9 GDPR, in particular health-related grounds for absence (see 5.5)
Purpose: Personnel administration, shift planning, time tracking, payroll preparation by the customer.
Legal basis (role of the customer as controller): § 26(1) BDSG (processing of employee data) in conjunction with Art. 6(1)(b), (c) and, where applicable, (f) GDPR; for special categories additionally Art. 9(2)(b) GDPR in conjunction with § 26(3) BDSG.
Our role: Processor (Auftragsverarbeiter) pursuant to Art. 28 GDPR.
5.4 Time Tracking (including optional GPS data)
To record working times, the times of the start of work, the end of work and of breaks, including the device IP at the time of the booking, are processed.
Location data is only processed if the customer has expressly activated this function for a place of work. In that case, Shiftdesk may process the GPS position of the terminal device at the precise time of the clock-in/clock-out when clocking in and out. Permanent location tracking, background location or the creation of movement profiles does not take place.
Purpose: Fulfilment of the working-time-law recording obligation (German Federal Labour Court (BAG), decision of 13.09.2022 — 1 ABR 22/21; implementation of the case law of the Court of Justice of the EU (CJEU) C-55/18), payroll preparation, compliance with the Working Hours Act (Arbeitszeitgesetz / ArbZG). The purpose of the location capture is exclusively to plausibility-check whether a clock-in/clock-out takes place at or near a place of work defined by the customer.
Responsibility for the location capture: The decision whether and at which establishments location data is processed is taken exclusively by the customer as employer and controller. In this respect, Shiftdesk processes location data exclusively as processor (Auftragsverarbeiter) on the instructions of the customer.
Geofence check and rejection: If the customer has activated the location check for a place of work, Shiftdesk calculates, at the time of the clock-in/clock-out, the distance between the current terminal-device location and the center point of the place of work stored by the customer. If the distance lies outside the radius configured by the customer (typically 50–2000 meters), the clock-in/clock-out is rejected. In this case, the position is used exclusively for the immediate plausibility check and is not persisted.
Address geocoding: So that the customer does not have to determine geographic coordinates manually when activating the location check, Shiftdesk may transmit the master address of a branch server-side to OpenStreetMap Nominatim (operator: OpenStreetMap Foundation, United Kingdom). Only the address of the place of work (street, postal code, city, country) is transmitted; personal data of employees is not transmitted. The United Kingdom has an adequacy decision (Angemessenheitsbeschluss, Art. 45 GDPR) of the EU Commission of 28.06.2021; a third-country transfer within the meaning of Art. 44 et seq. GDPR therefore does not take place. The geocoding request is made once when the location check is activated; the result (lat/lng) is stored in the customer's database and reused for subsequent clock-in/clock-out events, without further transmission to Nominatim. Alternatively, the customer can set the coordinates manually.
Legal basis: Art. 6(1)(c) GDPR in conjunction with § 16(2) ArbZG, § 26(1) BDSG. On the customer's side, the legal basis for the location capture depends on the specific deployment scenario, in particular § 26(1) BDSG in conjunction with Art. 6(1)(f) GDPR or Art. 6(1)(c) GDPR, insofar as the processing is necessary for proper working-time recording. Consent from employees is only exceptionally an option in the employment relationship, where it is given freely, on an informed basis, revocably and verifiably. Shiftdesk does not recommend that customers base the location capture solely on employee consent without examining this legally on a case-by-case basis.
Prior review by the customer: Before activation, the customer must independently examine whether the location capture is necessary and proportionate, whether less intrusive means suffice, and whether information obligations vis-à-vis employees and, where applicable, the co-determination right of the works council (Mitbestimmungsrecht des Betriebsrats) — in particular under § 87(1) no. 6 BetrVG — must be observed. On the product side, Shiftdesk requires a corresponding confirmation per location before the function is enabled.
Retention period: 2 years pursuant to § 16(2) ArbZG; longer retention for wage- or social-security-relevant data pursuant to § 41(1) EStG (6 years) or until the end of the calendar year following the audit (§ 28f SGB IV).
5.5 Absence Management (Art. 9 GDPR)
Shiftdesk enables the recording of types of absence such as vacation, illness, maternity protection and parental leave. The ground for absence „Sick“ as well as information related to maternity protection and parental leave constitute special categories of personal data (Art. 9 GDPR / Art. 9 DSGVO) pursuant to Art. 9(1) GDPR (health data / Gesundheitsdaten).
Shiftdesk is designed, for illness-related absences, to process in principle only the type of absence and the period. Diagnoses, specific clinical pictures, medical findings or other medical details should not be entered. Insofar as the customer uses free-text fields or document uploads, the customer, as controller, is obliged to examine the necessity, access restriction and retention period of this information.
The input form expressly advises users that no diagnoses or medical details should be entered insofar as they are not strictly necessary for the respective purpose. When uploading documents, an additional notice appears to upload only necessary documents and to redact — where possible — unnecessary medical information.
Legal basis:
- Art. 9(2)(b) GDPR in conjunction with § 26(3) BDSG (rights and obligations in employment law, e.g. continued remuneration (Entgeltfortzahlung / EFZG), maternity protection (MuSchG), parental leave (BEEG)) — primary basis.
- Art. 6(1)(c) GDPR for the underlying non-sensitive partial information.
Recipients: Within the customer's organization, the authorized group of persons (HR department, persons responsible for scheduling). No disclosure to third parties outside the purposes chosen by the customer (e.g. DATEV export, see 5.7).
Access restriction: Health-related absence data is access-restricted within Shiftdesk on a role-based basis. For technical and organizational measures (TOM), see the annex to the data processing agreement.
5.6 Working-Time-Law Checks (ArbZG validation)
Shiftdesk checks entered shift schedules and time bookings automatically for compliance with statutory requirements under the Working Hours Act (Arbeitszeitgesetz / ArbZG), the Maternity Protection Act (Mutterschutzgesetz / MuSchG) and the Youth Employment Protection Act (Jugendarbeitsschutzgesetz / JArbSchG), and displays corresponding warnings to the planner (e.g. on the maximum daily working time, rest period, breaks).
There is no automated decision-making within the meaning of Art. 22 GDPR. The check is for information purposes only; all decisions on shift schedules, working times or employment-law measures are taken by the employer through natural persons.
Legal basis: Art. 6(1)(b), (c) GDPR in conjunction with § 26 BDSG and the respectively named employment-law provisions.
5.7 Payroll Preparation and DATEV Export
Shiftdesk offers the export of payroll-preparation data (e.g. in the DATEV LODAS or Lohn-und-Gehalt format). The export is triggered by the customer; the file is either downloaded directly or — if configured by the customer — transmitted via a secured interface to the customer's payroll system.
Legal basis: Art. 6(1)(b), (c) GDPR (payroll obligations) as well as § 26(1) BDSG. The specific responsibility for transmission to a tax advisor or an external payroll office lies with the customer (employer).
5.8 Audit Logs and Tamper Resistance
To fulfil the requirements of integrity and traceability (in particular under § 16 ArbZG, § 147 AO, the principles of proper accounting and GDPR Art. 5(1)(f), Art. 32), we log security-relevant operations (e.g. logins, changes to time bookings, exports) in an audit log with a timestamp and user reference.
Legal basis: Art. 6(1)(c) and (f) GDPR.
Retention period: 6 years, based on § 257 HGB / § 147 AO.
5.9 Mobile Apps (iOS and Android)
The Shiftdesk functions are additionally available via native apps for iOS (App Store) and Android (Google Play). The following remarks describe the data processing that takes place additionally or differently from the web application. All other processing operations described in Section 5 (in particular time tracking 5.4, absence management 5.5 and audit logs 5.8) also apply to the mobile applications.
5.9.1 Device Identification and Platform Identifiers
When the mobile application is started, the operating system transmits to us technical characteristics for handling the communication: operating system and version, app version, device type (make and model) as well as a platform-assigned installation identifier (Android: Firebase Installation ID; iOS: vendor ID „identifierForVendor“). Apple advertising identifiers (IDFA) are not collected; the App Tracking Transparency framework is not triggered.
Purpose: Error analysis, assignment of push tokens, compatibility checks for app updates.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract); for the technical storage of the installation identifier on the terminal device additionally § 25(2) no. 2 TDDDG (strictly necessary access to provide the telemedia service expressly requested).
5.9.2 Push Notifications
To deliver push notifications (e.g. new messages in the team chat, shift changes, approval requests), we register a platform-specific token on the terminal device. The token is passed to the operating system's push service (Apple Push Notification service „APNs“ for iOS; Firebase Cloud Messaging „FCM“ for Android). Dispatch to APNs / FCM takes place via the push relay service of Expo (Expo Push Service, Expo Application Services, Inc., 650 Castro Street, Mountain View, CA 94041, USA).
Purpose: Delivery of operational messages within the employment relationship.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract within the framework of the service deployed by the employer); for the storage of the token on the terminal device additionally § 25(2) no. 2 TDDDG.
Withdrawal / objection: Push notifications can be deactivated at any time via the system settings of the terminal device. The token is then invalidated server-side at the next app start.
Content of the push texts: Push content does not contain particularly sensitive personal data. Server-generated notifications relating to illness, absence or personnel documents are formulated neutrally (for example „A new absence request is available“ instead of health details in the push text). Content from chat messages is reproduced in the push so that the recipient can recognize the message in the preview; sensitive content should therefore not be sent by employees via the app chat.
Third-country transfer: APNs and FCM are operated by Apple Inc. and Google LLC respectively (both USA). The transfer is based on the EU-US Data Privacy Framework (adequacy decision (Angemessenheitsbeschluss, Art. 45 GDPR) of the EU Commission of 10.07.2023). For the Expo Push Service, Standard Contractual Clauses / SCC (Standardvertragsklauseln, Art. 46(2)(c) GDPR) additionally exist.
5.9.3 Location Data in the Mobile App
The mobile app may, if activated by the employer for the respective place of work, capture the GPS position at the time of the clock-in or clock-out. For details on the legal basis, purpose and retention period, see Section 5.4.
The permission „location while using the app“ is requested by the operating system upon the first clock-in. The app requests no background location access. With the location check activated, clocking in or out outside the radius defined by the employer or without location release may be rejected. Background location or permanent location tracking does not take place.
5.9.4 Camera and Photo Library Access
For sending images within the team chat as well as uploading personnel documents (e.g. sick notes, where permitted by the employer), the app requests access to the camera and the photo library. Access takes place event-driven, in each case only after an active user action („take photo“, „select image“).
Purpose: Transmission of content selected by the user to the team chat or the personnel-documents module.
Legal basis: Art. 6(1)(a) GDPR (consent, expressed through the active selection of an image) as well as Art. 6(1)(b) GDPR (performance of the contract).
Note: Only the files specifically selected by the user are transmitted. A broad scan of the photo library does not take place.
5.9.5 Local Storage on the Terminal Device
To maintain the login status, the app stores an authentication token in an encrypted key store managed by the operating system (iOS Keychain via expo-secure-store; Android EncryptedSharedPreferences). In addition, the app maintains a local cache for shift schedules, messages and downloaded documents so that content remains available even without a network connection.
Legal basis: § 25(2) no. 2 TDDDG in conjunction with Art. 6(1)(b) GDPR.
Deletion: All locally stored data is automatically removed as soon as the user logs out or the app is uninstalled.
Shared or company-owned terminal devices: On shared or company-owned terminal devices, users should log out after use. The customer is responsible for setting suitable rules for the use of company-owned or private terminal devices.
5.9.6 Deep Links
The app registers the URL scheme shiftdesk:// as well as — if configured — universal links to the domain shiftdesk.app, in order to open links from emails and notifications directly in the corresponding app area. No additional personal data is collected in the process.
5.9.7 No Usage Analytics in the App
The mobile apps use no analytics or tracking SDK (no Google Analytics, no Firebase Analytics, no Crashlytics, no Sentry Mobile). No advertising measurements and no profiling for the purpose of reach measurement take place.
5.10 Kiosk / Terminal Mode (shared clock-in terminal)
If the employer activates kiosk mode, a permanently installed tablet becomes a shared clock-in terminal. At the terminal — depending on the employer's configuration — the first name and name initial, the employee number and, if the employer expressly activates this, the profile photo of the employees authorized to clock in are displayed, so that they can select themselves and clock in and out via a personal PIN.
Our role: Processor (Auftragsverarbeiter) pursuant to Art. 28 GDPR. The employer (customer) is the controller for the display of this employee data at the terminal, for its installation location and for informing the employees pursuant to Art. 13 GDPR.
Data minimization (Art. 5(1)(c), Art. 25 GDPR): The display of profile photos is deactivated by default (privacy by default) and is delivered server-side only if the employer deliberately activates it. For publicly accessible installation locations, an "employee number only" mode is available that displays neither names nor photos. Profile images are provided via short-lived, signed retrieval links.
Notice for employers: When using a clock-in terminal, the co-determination right of the works council (Mitbestimmungsrecht des Betriebsrats) under § 87(1) no. 6 BetrVG may have to be observed. This is a notice, not legal advice.
6. Processors and External Services
To provide our services, we use the service providers listed below. Depending on the data category and processing purpose, these are processors (Auftragsverarbeiter) within the meaning of Art. 28 GDPR, separate controllers (Verantwortliche) within the meaning of Art. 4 no. 7 GDPR, or technical third-party providers with a narrowly limited processing function (e.g. platform push services with token routing or one-time address geocoding without a personal reference).
The entries concerning data of our customers (clients) can also be found — generated from the same technical source — in Annex 3 of our data processing agreement (/avv#anlage-3). Services that concern exclusively Shiftdesk's own processing operations (e.g. newsletter, subscription billing, website reach measurement) are listed only in the list below.
| Service | Provider | Role | Registered office / Region | Purpose and data categories | Transfer basis |
|---|---|---|---|---|---|
| Hosting (frontend, edge, web analytics) | Vercel Inc. | Processor (Art. 28 GDPR) | USA (company headquarters); hosting in Frankfurt (region fra1) | Provision of the website and web application; consent-based reach measurement via Vercel Web Analytics. Data: IP address, user agent, request path, performance metrics; for analytics, additionally aggregate statistics | EU-US Data Privacy Framework (Vercel Inc. is DPF-certified) |
| Database, auth and storage | Supabase Inc. | Processor (Art. 28 GDPR) | USA (company headquarters); hosting in the EU (Frankfurt) | Persistence of all application data, authentication, storage for personnel documents and chat attachments. Data: all personal data collected in the service in accordance with Section 5 | Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR (DPA with SCC modules incl. UK Addendum); processing and storage in the EU region (Frankfurt) |
| Transactional email | Resend, Inc. | Processor (Art. 28 GDPR) | USA | Sending of transactional emails (account verification, Stripe receipts, shift notifications, deletion confirmations). Data: email address, salutation, transaction-specific content | Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR |
| Email marketing (newsletter, lead funnel) | Sendinblue SAS (brand: Brevo) | Processor (Art. 28 GDPR) | France (EU) | Sending of the newsletter and the lead-magnet sequence incl. double opt-in (see section 4.4 of the privacy notice). Data: email address, salutation, list membership | Within the EU; no third-country transfer |
| CDN, WAF and DDoS protection | Cloudflare, Inc. | Processor (Art. 28 GDPR) | USA (company headquarters); edge servers worldwide | Performance acceleration, web application firewall, DDoS protection. Data: IP address, user agent, request metadata | EU-US Data Privacy Framework (Cloudflare, Inc. is DPF-certified) |
| Push notification relay (mobile) | Expo Application Services, Inc. | Processor (Art. 28 GDPR) | USA | Routing of push notifications from the Shiftdesk application to the platform push services APNs (iOS) and FCM (Android). Data: device token, push content (operational shift/message notices, without health data) | Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR |
| Error tracking | Sentry GmbH (EU region) / Functional Software, Inc. | Processor (Art. 28 GDPR) | EU (Frankfurt) when the EU region is activated | Error diagnosis and stack-trace collection to stabilize the application. The data collected comprises error stack traces, anonymized browser/device data and a pseudonymous user ID (no email address, no name). IP addresses are anonymized before storage; auth tokens and email addresses in stack traces are redacted server-side. No session replay is active. Data: error stack traces, anonymized technical device/browser data, pseudonymous user ID, tenant ID, role | EU region: processing in the European Economic Area. Intra-group transfers to the USA via the EU-US Data Privacy Framework and Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in application stability). |
| Payment processing | Stripe Payments Europe, Ltd. / Stripe, Inc. | Separate controller (Art. 4 no. 7 GDPR) | Ireland (EU); USA (group parent) | Subscription billing of the Shiftdesk plans. Stripe is responsible for the processing of payment data as a separate controller (PCI-DSS, Money Laundering Act (Geldwäschegesetz), tax law). Data: billing address, payment-method metadata (no plaintext card content; Stripe's own tokenization procedure), transaction history | Stripe Payments Europe Ltd. is the EU controller; intra-group transfers to the USA via Standard Contractual Clauses and the EU-US Data Privacy Framework |
| Web reach measurement (Google Analytics 4) | Google Ireland Limited (group parent: Google LLC) | Separate controller (Art. 4 no. 7 GDPR) | Ireland (EU); USA (group parent and processing backend) | Consent-based reach measurement. Google acts as a separate controller for parts of the processing (e.g. cross-property aggregation, security audits). Data: aggregated usage statistics, IP address (anonymized), pseudonymous client ID. Browser tracking and server-side conversion events (Measurement Protocol) each take place only with statistics consent (see section 4.2b of the privacy notice) | EU-US Data Privacy Framework (Google LLC is DPF-certified) |
| Push notification service iOS | Apple Inc. | Technical third-party provider | USA | Apple provides the platform-side push infrastructure (Apple Push Notification service) and, for this purpose, processes in particular device tokens and technical delivery information. Shiftdesk designs the push content so that it contains no health data or other particularly sensitive content. Data: APNs device token, push payload (operational notices). Function: push-token routing | EU-US Data Privacy Framework (Apple Inc. is DPF-certified) |
| Push notification service Android | Google LLC (Firebase Cloud Messaging) | Technical third-party provider | USA | Google provides the platform-side push infrastructure (Firebase Cloud Messaging) and, for this purpose, processes in particular device tokens, an installation ID and technical delivery information. Shiftdesk designs the push content so that it contains no health data or other particularly sensitive content. Data: FCM token, Firebase Installation ID, push payload (operational notices). Function: push-token routing | EU-US Data Privacy Framework (Google LLC is DPF-certified) |
| Address geocoding (location activation, compliance modal) | OpenStreetMap Foundation (Nominatim service) | Technical third-party provider | United Kingdom | If the customer uses automatic geocoding when activating the location check, the master address of a branch (street, postal code, city, country) is transmitted once to Nominatim in order to determine geographic coordinates (latitude / longitude) from it. No personal data of employees is transmitted; the address itself is not personal data. The result is stored in the customer's data set and is not transmitted again. Data: address of a branch (street, postal code, city, country). Function: one-time address geocoding (no token routing) | Adequacy decision of the EU Commission of 28.06.2021 for the United Kingdom |
7. Third-Country Transfers
Some of the processors named under section 6 are established in the United States or transmit data to the USA. For the USA, an adequacy decision (Angemessenheitsbeschluss, Art. 45 GDPR) of the EU Commission has existed since 10.07.2023 on the basis of the EU-US Data Privacy Framework (DPF).
Insofar as our service providers are certified under the DPF, the transmission takes place on the basis of Art. 45 GDPR. Where this is not the case, we base the transmission on Standard Contractual Clauses / SCC (Standardvertragsklauseln, Art. 46(2)(c) GDPR) (Implementing Decision (EU) 2021/914), supplemented by technical and organizational measures in accordance with the recommendations of the EDPB.
We provide a copy of the Standard Contractual Clauses as well as information on the certification status of our service providers upon request at support@shiftdesk.app.
8. Retention Periods (overview)
| Data category | Duration | Basis |
|---|---|---|
| Server log files | 14 days | Art. 6(1)(f) GDPR |
| Account data | Contract duration + 8 years (where invoice-related) | § 147(3) AO, § 257(4) HGB (version since 2025) |
| Authentication logs | 90 days | Art. 32 GDPR |
| Working-time records | 2 years | § 16(2) ArbZG |
| Wage-relevant time data | 6 years | § 41(1) EStG |
| Audit logs | 6 years | Art. 6(1)(f) GDPR (interest in evidence and integrity); period measured based on § 257 HGB |
| Absences (Art. 9 GDPR) | until the end of employment plus statutory retention periods | § 26 BDSG |
| Support tickets | until resolution + 3 years | Limitation period § 195 BGB |
| Newsletter subscriptions | until withdrawal of consent | Art. 6(1)(a), Art. 7 GDPR |
| Push token (mobile app) | until logout, deactivation of the push permission in the operating system, token invalidation by APNs/FCM or the end of the user account | Art. 6(1)(b) GDPR, § 25(2) no. 2 TDDDG |
| Local app data (cache, auth token) | until logout or uninstallation; server-side data remains in accordance with the customer's configuration / DPA | § 25(2) no. 2 TDDDG |
| Document uploads (personnel file) | in accordance with the customer's configuration or until the purpose ceases; subject to statutory retention obligations | § 26 BDSG; where applicable § 257 HGB, § 147 AO |
| Chat messages | in accordance with the customer's configuration or contract duration, unless deleted beforehand | Art. 6(1)(b) GDPR |
| Deletion requests (deletion_requests) | 3 years after completion for verifiability | Art. 5(2) GDPR (accountability) |
| AGB / DPA acceptance (terms_acceptances) | Contract term plus limitation period (3 years) | Art. 6(1)(f) GDPR; § 195 BGB |
| Partner applications (rejected) | 6 months after the decision | Art. 6(1)(b), (f) GDPR |
| Referral-link clicks (pseudonymous hash) | 90 days | Art. 6(1)(f) GDPR |
| Partner contract and payout data | Contract term plus limitation period (3 years) | Art. 6(1)(b) GDPR; § 195 BGB |
| Commission credit notes (accounting vouchers) | 8 years | § 147(3) AO, § 257(4) HGB (version since 2025) |
8a. Account and Data Deletion in the App
Users can initiate a deletion or data-deletion request via the website /account-loeschung or by email to support@shiftdesk.app. An in-app deletion request will be added before the public app-store launch.
For employee accounts the deletion of personal employee data is in principle carried out via the employer as the controller. Shiftdesk forwards deletion requests from employees to the responsible employer and supports them in processing them.
For owner or administrator accounts the deletion of one's own account and the associated organization can be initiated via the application. Confirmation takes place via a confirmation link delivered by email (double opt-in). The actual deletion is carried out through a manual review procedure at Shiftdesk in order to ensure data integrity (e.g. ongoing Stripe billing, storage cleanup).
Irrespective of the route described above, data subjects can contact support@shiftdesk.app at any time. Statutory retention obligations remain unaffected.
9. Automated Decision-Making
Automated decision-making, including profiling, within the meaning of Art. 22 GDPR does not take place. The working-time-law validation (see 5.6) is purely informational.
10. Changes to this Privacy Notice
We adapt this privacy notice when the legal situation, our processing operations or the service providers we use change. The respective current version is available at shiftdesk.app/datenschutz.
Last updated: 13 June 2026
