Privacy Policy

Last updated: 24 May 2026

1. Who we are

SuperShift is operated by Sidestream OÜ, a company registered in the Republic of Estonia.

  • Registry code: 17374822
  • Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551
  • Contact: support@supershift.app

In this policy, "we", "us", and "our" refer to Sidestream OÜ. "You" refers to anyone who uses the SuperShift platform ("Service").

2. What data we collect

We collect the following categories of personal data:

2.1 Account data

When you register, we collect your name, email address, and password (hashed). If you create or join an organization, we also store your role and organization membership.

2.2 Usage data

We automatically collect information about how you interact with the Service, including pages visited, features used, browser type, device type, IP address, and timestamps.

2.3 Scheduling & availability data

When you or your manager create schedules, shifts, or availability entries, that data is stored in your organization's workspace.

2.4 Payment data

Payments are processed by Stripe. We do not store your full credit card number. Stripe provides us with a token, the last four digits of your card, the card brand, and the expiration date. See Stripe's Privacy Policy.

2.5 Newsletter subscribers

Where a venue runs a newsletter via SuperShift, we store the email addresses of guests who signed up through the public newsletter widget (single opt-in, with a confirmation email). This data is used only to send that venue's newsletter and is never used for cross-venue marketing. Every newsletter email includes a one-click unsubscribe link compliant with RFC 8058.

2.6 Reservation guests

When a guest books via a venue's embedded booking widget, we store the guest's name, email, phone number, party size and booking notes. This data is used to deliver booking confirmations, reminders, cancellations and to allow staff to manage the reservation.

For this category of data, SuperShift acts as a Data Processor and the venue is the Data Controller under Article 28 GDPR. The terms of that processing are set out in our Data Processing Agreement.

2.7 Supplier contacts

Venues may store the contact email addresses of their suppliers in order to route product orders through SuperShift. Same Processor / Controller distinction as section 2.6 — the venue is the Controller, SuperShift is the Processor, and the DPA governs the processing.

2.8 Onboarding emails

When a manager signs up, SuperShift sends a 6-step welcome email series over roughly two weeks to help them set up their venue. Every onboarding email contains an unsubscribe link; managers can also opt out from their profile settings at any time.

2.9 Cookies and analytics

We use essential cookies for authentication and session management. We also currently load Google Analytics and Google Tag Manager site-wide to measure usage. A consent banner that will gate analytics on user opt-in is being rolled out; until that ships, this disclosure (together with the Cookie Policy) is the legal basis for that processing as a transparency notice. See the Cookie Policy for the full inventory.

3. Legal basis for processing (GDPR)

We process your data based on the following legal grounds under the EU General Data Protection Regulation:

  • Contract performance — processing necessary to provide the Service you signed up for (Art. 6(1)(b) GDPR).
  • Legitimate interest — analytics, fraud prevention, and improving the Service (Art. 6(1)(f) GDPR).
  • Legal obligation — complying with applicable laws, such as tax and accounting requirements (Art. 6(1)(c) GDPR).
  • Consent — where required, for example for marketing emails (Art. 6(1)(a) GDPR). You may withdraw consent at any time.

4. How we use your data

  • To provide, maintain, and improve the Service.
  • To send transactional emails (schedule notifications, invites, password resets).
  • To process payments and manage subscriptions.
  • To monitor usage patterns and prevent abuse.
  • To respond to support requests.
  • To comply with legal obligations.

5. Data sharing & third-party processors

We share personal data only with vetted subprocessors that are contractually bound to GDPR-equivalent obligations:

  • Vercel — hosting and edge delivery (USA, EU-US Data Privacy Framework).
  • Neon — managed Postgres database (EU, Frankfurt region).
  • Resend — transactional and marketing email delivery (USA, EU-US Data Privacy Framework).
  • Stripe — payment processing (Ireland, EU-located entity).
  • Google — Analytics, Tag Manager and OAuth sign-in (USA, EU-US Data Privacy Framework).
  • GitHub — source code hosting; no customer data (USA, EU-US Data Privacy Framework).

The full current list — with purpose, location and safeguards — is published on our Subprocessors page. We notify Customers at least 30 days in advance before adding a new subprocessor.

We do not sell, rent, or trade your personal data. We do not share data with advertisers.

6. International data transfers

Some of our service providers are located outside the European Economic Area (EEA). Where this is the case, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or the service provider's participation in an adequacy framework.

7. Data retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, tax, or accounting purposes (up to 7 years for financial records as required by Estonian law).

8. Your rights

Under the GDPR, you have the right to:

  • Access your personal data.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten").
  • Restrict processing of your data.
  • Port your data to another service.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email us at privacy@supershift.app (or support@supershift.app). We will respond within 30 days. Data export and deletion are currently handled manually on request — self-service is on the product roadmap. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee.

9. Breach notification

If we discover a personal-data breach, we will notify the relevant supervisory authority within 72 hours in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay.

For breaches affecting Customer Data (data the venue, as Controller, has put into the Service), we notify the Customer's primary contact without undue delay so they can discharge their own Article 34 obligations to their data subjects.

10. Security

We implement industry-standard security measures including encrypted data transmission (TLS), hashed passwords, role-based access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

11. Children

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the revised policy.

13. Contact & data-protection enquiries

For questions about this Privacy Policy, to exercise your rights under the GDPR, or to report a suspected data-protection incident, contact our privacy team:

Sidestream OÜ

Ahtri tn 12, 15551 Tallinn, Estonia

Privacy contact: privacy@supershift.app

General support: support@supershift.app

Registry code: 17374822

Sidestream OÜ is below the GDPR thresholds that mandate the formal appointment of a Data Protection Officer. The privacy mailbox above is monitored by the team responsible for data-protection matters and acts as the practical equivalent.