Legal

Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, and protect your personal information.

Last updated: 18 June 2026/Controller: Poultron Ltd (trading as ShiftTracker)/UK GDPR
01 / INFORMATION WE COLLECT

Information we collect

Personal information

  • Name, email address, phone number, and postal address
  • Date of birth, gender, and nationality
  • SIA licence number and expiry, DBS check date, right-to-work status, and other compliance and screening statuses
  • Professional qualifications and training records
  • Employment history, references, and employment details (job title, department, contract, manager, and start date)
  • Emergency contact name and phone number
  • Identity verification documents (as required by law)
Most profile and compliance data is provided by your employer, who creates and manages your account. Other data — such as form responses, your location at a check call, and photos — is collected directly from you in the app, and basic device and diagnostic data is collected automatically.

Usage information

  • Platform usage data and interaction patterns
  • Shift preferences and availability information
  • Communication logs and support interactions
  • Device information and IP addresses

Mobile app & device data

  • Precise location (GPS) captured while the app is in use, for check-call geofence verification and optional photo/form geo-tagging
  • Photos, video, signatures, and barcode values you add to forms
  • Push notification token, used to deliver shift and check-call alerts
  • Device model, operating-system and app version, and a device/session identifier
02 / HOW WE USE YOUR INFORMATION

How we use your information

Service provision

To provide shift scheduling, officer matching, and platform functionality.

Compliance & verification

To verify SIA licences, conduct background checks, and ensure regulatory compliance.

Communication

To send service updates, shift notifications, and important announcements.

Platform improvement

To analyse usage patterns and improve our services.

On-site & check-call verification

To confirm, using your device location while the app is in use, that book-on, book-off, and check-call actions occur within a site's geofence.

03 / MOBILE APP & DEVICE PERMISSIONS

Mobile app & device permissions

The ShiftTracker mobile app for security officers requests the device permissions below. Each is used only for the feature described, never for advertising, and you can change or revoke any of them at any time in your device settings — revoking a permission disables the related feature.

Location (while in use)

We collect your device's precise location (GPS) only while the app is open, to verify you are within a site's geofence when you book on, book off, or submit a check call, and — where you enable it — to geo-tag photos and answers in forms. We do not access your location in the background or when the app is closed, and we never use location data for advertising or tracking.

Camera & photo library

With your permission, the app uses your camera and photo library so you can capture or attach photos and video, scan barcodes, and add signatures within forms. Captured media is uploaded to your employer's ShiftTracker account. The app does not access your camera or photos in the background.

Microphone

Recording a video inside a form may capture audio as part of that video. The app does not otherwise record audio.

Notifications

If you allow notifications, we register a push token (delivered through Apple Push Notification service and Google Firebase Cloud Messaging, via our provider Expo) to send shift and check-call alerts. You can turn notifications off at any time in your device settings.

Biometric unlock (Face ID / Touch ID / fingerprint)

If you enable biometric sign-in, the check is performed entirely by your device's operating system. We never receive, see, or store your biometric data.

Device information

We collect basic device and connection information (device model, operating-system and app version, IP address, and a device/session identifier) for sign-in, security, and troubleshooting.

No sale, no ad tracking

We do not sell your personal data and do not use it for cross-app advertising. The app does not use the device advertising identifier or App Tracking Transparency tracking.

04 / DATA PROTECTION & SECURITY

Data protection & security

Security measures

  • Passwords are hashed with bcrypt and never stored in plain text
  • Repeated failed sign-ins trigger temporary account lockout, and authentication is rate-limited
  • Signed, HTTP-only session cookies with a 7-day expiry
  • Role-based access controls scope data to authorised users within each organisation
  • Enforced HTTPS (HSTS), a nonce-based Content-Security-Policy, and hardened security headers
  • Encrypted in transit with TLS and encrypted at rest by our cloud infrastructure
  • Hosted on UK/EU cloud infrastructure whose provider is independently audited to SOC 2 Type II
  • Access to sensitive records is recorded in an audit trail
  • Card payments are handled by our payment provider; we do not store full card details

Data retention

  • Account and form data retained for the duration of your engagement with your employer, then for the periods required by UK employment, tax, health-and-safety, and private-security-industry law, after which it is securely deleted or anonymised
  • Disaster-recovery backups run automatically and are kept for 30 days only (separate from the retention period above)
  • Incident response includes containment, required notifications, and post-incident review
  • Right to data deletion upon request
05 / COOKIES & TRACKING

Cookies & tracking

We use cookies and similar technologies to improve your experience on ShiftTracker. Here's what we use:

Required
Essential cookies

Necessary for the platform to function — authentication, security, and session management. These cannot be disabled.

Optional
Analytics cookies

Help us understand how you use ShiftTracker so we can improve the service. We use anonymised data and do not track you across other websites.

Optional
Preference cookies

Remember your preferences and settings — language, timezone, and display preferences — for a personalised experience.

Cookie control: You can manage your cookie preferences in your account settings or browser settings. Note that disabling certain cookies may affect platform functionality.

The ShiftTracker mobile officer app does not use third-party advertising or cross-app analytics SDKs. The cookie categories above apply to the ShiftTracker web platform.

07 / DATA SHARING & THIRD PARTIES

Data sharing & third parties

We may share your data with the following categories of third parties:

  • Connected organisations: Organisations and agencies you're partnered with to facilitate shift assignments.
  • Service providers: Cloud infrastructure, email delivery, payment processing (for organisation billing only — officers are never charged), and operational tooling providers.
  • Mobile push delivery: Apple Push Notification service and Google Firebase Cloud Messaging (via our provider Expo) to deliver app notifications to your device.
  • Verification services: SIA licence verification and DBS check providers (where applicable).
  • Legal authorities: When required by law or to protect rights and safety.

We require all third parties and service providers with whom we share data to provide the same or an equivalent level of protection for your personal data as set out in this policy, and to use it only for the purposes we specify. We do not sell your personal data.

International transfers: ShiftTracker is hosted on UK/EU cloud infrastructure. Where data is processed by third-party providers, appropriate safeguards are applied.
08 / YOUR RIGHTS UNDER GDPR

Your rights under GDPR

01
Right to access
02
Right to rectification
03
Right to erasure
04
Right to portability
05
Right to object
06
Right to restriction
09 / ACCOUNT & DATA DELETION

Account & data deletion

You can request deletion of your ShiftTracker account and associated personal data at any time. Because officer accounts are created and managed by your employer, you can request deletion in either of these ways:

  • Ask your employer's ShiftTracker administrator to remove your account; or
  • Email [email protected] from your account email address with the subject "Delete my account".

On a verified request we will delete or irreversibly anonymise your personal data. Some records may be retained where we are legally required to keep them — for example under UK employment, tax, health-and-safety, or private-security-industry law — after which they are securely deleted. We will confirm once your request has been completed.

10 / CHILDREN'S PRIVACY

Children's privacy

ShiftTracker is a workforce app for employed, SIA-licensed security personnel. It is not directed to children, and we do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, contact [email protected] and we will delete it.

11 / DATA PROTECTION CONTACT

Data protection contact

ShiftTracker is operated by Poultron Ltd (trading as ShiftTracker), a company registered in England and Wales, which is the data controller for the personal data described in this policy. For privacy-related questions or to exercise your rights, contact:

Requests handled within applicable legal timelines.