Privacy Policy
Last updated: 12 May 2026
Shiftlyx is a product of Beemal Innovation Ltd. When we say "we", "us", "our", or "Shiftlyx" in this policy, we mean Beemal Innovation Ltd. Registered address: 29 Arden Place, Luton, LU2 7YE. Company registration number: 17048693.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Shiftlyx mobile application (the "App"). Shiftlyx is a personal planning and wellbeing tool designed for shift workers — it is not a medical device and does not process NHS patient data.
We take your privacy seriously. Shiftlyx was built with privacy by design and by default. We collect only what we need to make the App work, and we never sell your data.
1. Who We Are
Shiftlyx is operated by Beemal Innovation Ltd, a company registered in England and Wales.
- Company: Beemal Innovation Ltd
- Website: beemalinnovation.co.uk
- Registered address: 29 Arden Place, Luton, LU2 7YE
- Company registration number: 17048693
- Contact email: admin@beemalinnovation.co.uk
We are the data controller for your personal data collected through the App.
2. What Data We Collect
We collect only the data necessary to provide and improve the App. We do not collect NHS data, employer data, or any health information beyond what you choose to enter regarding your shift patterns and fatigue.
2.1 Data You Provide
- Account information: When you create an account, we collect a unique identifier (e.g., email address or anonymous auth token) to authenticate you.
- Profile information: Optional details such as your profession (e.g., Nurse, Paramedic), NHS band, contracted hours, and commute time.
- Shift data: Your shift patterns, including shift types (LD, MLD, TW, N), dates, and times. This data is stored locally on your device and optionally synced to our servers for cross-device use.
- Partner Sync: If you use Partner Sync, we store limited data about your linked partner to enable coordination features. You control what is shared.
- Communications: If you contact us, we keep records of those communications.
2.2 Data Collected Automatically
- Analytics data: We use PostHog (self-hosted or cloud) to collect anonymised usage data. This includes: app opens, feature interactions, crash reports, and device type. This data is anonymised and cannot be linked back to you personally.
- Technical data: Device model, operating system version, app version, and basic diagnostic logs for troubleshooting.
2.3 Data We Do NOT Collect
- NHS patient data (we never connect to hospital systems)
- Employer or trust information
- Government identifiers (NHS number, National Insurance number)
- Medical records or clinical data
- Location data (we do not track your location)
- Contacts list (we do not access your device contacts)
- Biometric data (fingerprint, face recognition data)
3. Why We Collect Your Data and Our Lawful Basis
Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful bases for processing your personal data:
| Purpose | Data Used | Lawful Basis (Art. 6) |
|---|---|---|
| Account creation & authentication | Email / auth token | Performance of a contract (Art. 6(1)(b)) |
| Providing the App features | Shift data, profile info | Performance of a contract (Art. 6(1)(b)) |
| Analytics & improvement | Anonymised usage data | Legitimate interests (Art. 6(1)(f)) |
| Crash reporting & troubleshooting | Diagnostic logs | Legitimate interests (Art. 6(1)(f)) |
| Partner Sync | Selected shift data | Consent (Art. 6(1)(a)) |
| Marketing communications (if opted in) | Email address | Consent (Art. 6(1)(a)) |
| Legal obligations | Account data | Legal obligation (Art. 6(1)(c)) |
4. How We Store and Protect Your Data
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption in transit: All data transmitted between the App and our servers is encrypted using TLS 1.3.
- Encryption at rest: Data stored on our servers is encrypted using industry-standard AES-256 encryption.
- Local-first architecture: Wherever possible, your data stays on your device. Cloud sync is optional.
- Access controls: Only authorised personnel with a legitimate need can access server data.
- UK-based hosting: Our primary data storage is in UK-based servers (via Supabase and Vercel).
5. Data Retention
We retain your personal data only for as long as necessary to provide the App services:
- Active accounts: We retain your data for the duration of your account. Backup retention cycles may add up to 30 days beyond account deletion.
- Deleted accounts: When you delete your account, we permanently erase your personal data within 30 days. We may retain anonymised analytics data indefinitely as this cannot be linked to you.
- Diagnostic logs: Retained for a maximum of 90 days.
6. Third-Party Processors
We use the following third-party service providers who process your data on our behalf. Each processor is contractually bound to comply with UK GDPR and may only process data for the purposes we specify:
| Processor | Purpose | Data Location | Safeguards |
|---|---|---|---|
| Supabase | Database & authentication | UK (London) | SOC 2 certified, DPA in place |
| Vercel | Website hosting & Edge Functions | UK / EU | SOC 2 certified, DPA in place |
| PostHog | Anonymised analytics | UK / EU (self-hosted option) | Data anonymised, no personal data shared |
| OpenAI | AI Voice Planner (Realtime API) | US (data not used for training) | OpenAI API data not used for model training; Standard DPA and SCCs in place |
| Apple / Google | In-app purchases & subscriptions | Varies by platform | Apple/Google manage payment data; we never see card details |
7. International Data Transfers
Where we transfer your data to processors outside the UK, we ensure appropriate safeguards are in place. Specifically:
- Transfers to the EU are covered by the UK's adequacy decision for EU countries.
- Transfers to the US are covered by Standard Contractual Clauses (SCCs) approved by the ICO, together with supplementary measures where required.
- We always choose UK or EU data centres where possible.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data. You can exercise most of these directly through the App settings, or by contacting us:
| Right | What It Means |
|---|---|
| Right to be informed | This Privacy Policy provides that information. |
| Right of access | You can request a copy of the personal data we hold about you. |
| Right to rectification | You can correct inaccurate or incomplete data in the App settings. |
| Right to erasure | You can delete your account and associated data in the App settings. |
| Right to restrict processing | You can request we limit how we use your data. |
| Right to data portability | You can request your data in a machine-readable format. |
| Right to object | You can object to processing based on legitimate interests (e.g., analytics). |
| Rights relating to automated decision-making | You can request human review of automated decisions. Our fatigue score is deterministic and explainable. |
To exercise any of these rights, contact us at admin@beemalinnovation.co.uk. We will respond within one month.
9. Cookies and Similar Technologies
The App itself does not use cookies. The Shiftlyx website (shiftlyx.com) may use essential cookies for functionality (e.g., session management). We use PostHog for analytics on the website, which sets cookies with anonymised identifiers. You can opt out of analytics cookies through your browser settings or our cookie preferences.
10. Children's Privacy
Shiftlyx is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at admin@beemalinnovation.co.uk.
11. AI Voice Planner and OpenAI
The AI Voice Planner feature uses OpenAI's Realtime API via WebRTC for natural language shift planning. Voice conversations are processed in real-time and are notused to train OpenAI models (as per OpenAI's API data usage policy). We do not send your shift data, fatigue scores, or personal information to OpenAI as part of this feature beyond what you voluntarily say during a voice planning session.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the App or by email. We encourage you to review this policy periodically. The date of the latest revision is shown at the top of this page.
13. How to Make a Complaint
If you have concerns about how we handle your personal data, please contact us first — we will do our best to resolve the issue:
- Email: admin@beemalinnovation.co.uk
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator:
- Website: ico.org.uk
- Phone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
14. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
- Email: admin@beemalinnovation.co.uk
- Company: Beemal Innovation Ltd
- Company registration number: 17048693
- Address: 29 Arden Place, Luton, LU2 7YE