Privacy
Policy

1. Definitions and Interpretation

For purposes of this Privacy Policy:

• "Company," "We," "Us," or "Our" refers to XShift AI, the provider of the Services.
• "Services" means the XShift AI workforce management platform, including all software, applications, websites, APIs, and related services.
• "User," "You," or "Your" refers to any individual or entity accessing or using the Services.
• "Personal Information" or "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, recording, storage, modification, retrieval, disclosure, deletion, or destruction.
• "Controller" means the entity that determines the purposes and means of Processing Personal Data.
• "Processor" means an entity that Processes Personal Data on behalf of the Controller.
• "Employer Organization" or "Organization" refers to the business entity that subscribes to the Services to manage its workforce.
• "Employee User" refers to individuals whose employment data is managed through the Services by an Employer Organization.
• "Administrator" refers to users with elevated privileges within an Employer Organization.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679.
• "CCPA" means the California Consumer Privacy Act of 2018.
• "CPRA" means the California Privacy Rights Act of 2020.
• "Sensitive Personal Information" includes data revealing racial or ethnic origin, political opinions, religious beliefs, biometric data, health data, or data concerning sexual orientation.

2. Scope and Application

This Privacy Policy applies to all information collected through the XShift AI Services, including:

• The XShift AI website located at https://www.xshift.ai and all subdomains
• The XShift AI web application and dashboard
• Any mobile applications we may offer
• APIs and integrations with third-party services
• Email communications and transactional emails
• Customer support interactions
• Marketing and promotional communications

Dual Role Acknowledgment: Depending on the context, XShift AI may act as either a Data Controller or Data Processor:

• As Controller: For account registration data, billing information, marketing communications, and service analytics.
• As Processor: For Employee User data processed on behalf of Employer Organizations, including shift schedules, time tracking, and employment records.

When acting as a Processor, Employer Organizations are the Controllers and are responsible for their own compliance with applicable privacy laws. This Privacy Policy governs our Processing activities as both Controller and Processor.

3. Information We Collect

We collect extensive categories of Personal Information necessary to provide and improve our Services. This includes:

3.1 Account and Registration Information

• Full name (first name, last name, display name)
• Email address (used for authentication and communications)
• Password (stored as cryptographic hash using bcrypt with salt)
• Phone number (optional, for account recovery and notifications)
• Physical address (optional, for location-based features)
• Organization name and organizational role
• User role (Employee, Manager, Head Manager, Global Admin)
• Account creation date and last update timestamp
• Account status (active, inactive, suspended)

3.2 Employment and Workforce Data

• Employment status and employment start date
• Job title, role, and department information
• Shift schedules including date, start time, end time, and location
• Shift assignments and assignment status (assigned, dropped, completed, no-show)
• Work location data including location names and physical addresses
• Manager assignments and reporting relationships
• Employee preferences for shift types, hours, and availability
• Skill sets and certifications

3.3 Time Tracking and Attendance Data

• Clock-in and clock-out timestamps
• Break start and end times
• Total hours worked per shift, day, week, and pay period
• Overtime hours and overtime calculations
• Attendance records including late arrivals and early departures
• Absence records and attendance patterns
• Clock-in approval requests and approval status

3.4 Leave and Time-Off Data

• Time-off requests including type (vacation, sick, personal, other)
• Leave dates (start date, end date, total hours/days)
• Leave request status (pending, approved, denied)
• Leave reason (when provided)
• PTO balance and accrual information
• Leave approval history and approval timestamps
• Manager-created time-off records initiated by supervisors
• Modification audit trail including:
  • Identity of user who created or modified the record (manager name, email, user ID)
  • Timestamp of creation or modification (date and time)
  • Before and after values for all edits (dates, type, reason changes)
  • IP address and session information of the modifier

3.5 Shift Management Data

• Shift drop requests and call-off records
• Shift pickup requests and availability
• Shift trade requests between employees
• Shift swap approvals and denial records
• Open shift claims and assignments
• Recurring shift patterns and templates

3.6 Communication and Messaging Data

• Announcements created by managers
• Internal messages and communications between users
• Email communications sent through our system
• Notification preferences and settings
• Email delivery status (sent, delivered, bounced, opened)

3.7 Billing and Payment Information

• Billing plan (monthly, four-month, yearly)
• Subscription status (active, trial, canceled, past due)
• Payment method information (processed and stored by Stripe, Inc.)
• Billing address and tax information
• Transaction history and invoice records
• Stripe Customer ID and subscription identifiers
• Coupon codes and promotional discount usage
• Billing events (subscription created, updated, canceled, payment failed)
• Seat count and usage-based billing metrics

Important: We do NOT directly store credit card numbers, CVV codes, or full payment credentials. All payment processing is handled securely by Stripe, Inc., a PCI DSS Level 1 certified payment processor. We only store tokenized payment references provided by Stripe.

3.8 Analytics and Performance Data

• Employee performance metrics derived from attendance and shift completion
• Reliability scores and attendance patterns
• Scheduling analytics including coverage analysis
• Labor cost analytics and budget tracking
• Overtime analysis and compliance metrics
• Report generation history

3.9 Artificial Intelligence and ML Data

• Scheduling patterns used for AI-powered schedule optimization
• Employee shift preferences learned from historical data
• AI-generated insights and recommendations
• Chatbot interactions with our AI assistant
• Cost optimization suggestions
• Workforce analytics processed by OpenAI API

AI Processing Notice: When you use AI-powered features, workforce data including employee names may be sent to OpenAI for processing. We send aggregated statistics and employee names to generate personalized insights. See Section 17 for details.

3.10 Technical and Device Information

• IP address and geographic location (country, region, city)
• Browser type and version (User-Agent string)
• Operating system and device type
• Device identifiers and hardware specifications
• Screen resolution and viewport size
• Language preferences and timezone settings
• Referrer URL and landing pages
• Session duration and page views
• Click tracking and interaction events

3.11 Cookies and Tracking Data

• Session cookies for authentication and security
• Authentication tokens and CSRF tokens
• Preference cookies for UI settings and user preferences
• Analytics cookies (if consented) for usage analysis
• Cookie consent preferences

3.12 Security and Fraud Prevention Data

• Login history including timestamps and IP addresses
• Failed login attempts and security events
• Multi-factor authentication (MFA) settings and backup codes
• Password reset requests and verification codes
• Security audit logs
• Rate limiting events and abuse prevention data
• Time-off management audit logs:
  • Manager-created time-off events (PTO_CREATED)
  • Manager-edited time-off events (PTO_UPDATED)
  • User identity (manager ID, name, email), target employee, timestamp, IP address
  • Complete before/after values for all modifications

3.13 Support and Customer Service Data

• Support ticket content and correspondence
• Feature requests and feedback submissions
• Bug reports and error logs
• Demo requests and sales inquiries

3.14 Legal and Compliance Data

• Terms of Service acceptance and timestamps
• Privacy Policy acceptance records
• Cookie consent records
• Data processing agreements
• Legal hold requests and litigation-related data
• Regulatory compliance records

4. How We Collect Information

We collect Personal Information through multiple channels:

4.1 Information You Provide Directly

• Account registration and profile creation
• Form submissions and data entry
• Clock-in/clock-out actions
• Time-off requests and shift management
• Support requests and communications
• Preference and settings updates

4.2 Information Collected Automatically

• Cookies and similar tracking technologies
• Server logs and access logs
• Web beacons and pixels
• Session replay and analytics tools
• Error tracking and monitoring systems

4.2.1 Sentry Error Monitoring and Session Replay

We use Sentry.io to monitor application errors and performance. Sentry captures 10% of user sessions for debugging purposes. All text content is masked, but screen interactions and navigation patterns are recorded. Session recordings are retained for 90 days, then automatically deleted.

4.3 Information from Third Parties

• Stripe: Payment processing and billing information
• Email service providers: Email delivery status and engagement metrics
• Authentication providers: If you use SSO or third-party login (future feature)

4.4 Information from Employer Organizations

• Employee roster imports and bulk uploads
• Manager-created employee accounts
• Shift assignments and schedules
• Organizational policies and settings

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your Personal Data only when we have a valid legal basis:

5.1 Contractual Necessity

Processing necessary to fulfill our contract with you or your Employer Organization:

• Account creation and authentication
• Service delivery and platform access
• Shift scheduling and management
• Time tracking and attendance
• Billing and payment processing

5.2 Legitimate Interests

Processing necessary for our legitimate business interests (balanced against your rights):

• Service improvement and optimization
• Fraud prevention and security
• Analytics and performance monitoring
• Customer support and communications
• Legal compliance and dispute resolution

5.3 Legal Obligation

Processing required to comply with legal obligations:

• Tax and accounting requirements
• Employment law compliance (when acting as Processor)
• Legal discovery and court orders
• Regulatory reporting obligations

5.4 Consent

Processing based on your explicit consent:

• Marketing communications (opt-in required)
• Non-essential cookies and tracking
• AI-powered features (optional)
• Data sharing beyond service requirements

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

6. How We Use Your Information

We use collected information for the following purposes:

6.1 Service Provision and Operation

• Create and manage user accounts
• Authenticate users and maintain security
• Process and display shift schedules
• Track time and attendance records
• Manage time-off requests and approvals
• Enable managers to create and edit time-off records for supervised employees
• Maintain comprehensive audit trails of time-off modifications for compliance and dispute resolution
• Send automated email notifications to employees when managers create or modify their time-off
• Prevent deletion of employment records to comply with labor law retention requirements (FLSA, IRS)
• Detect and prevent schedule conflicts between time-off and shift assignments
• Detect and prevent time-off creation for dates with recorded work hours (clock-ins)
• Block unauthorized modifications to time-off records (shortening active leave, backdating)
• Facilitate shift trades and pickups
• Generate payroll reports and analytics
• Send transactional notifications (shift reminders, approvals, etc.)

6.2 Billing and Payment Processing

• Process subscription payments via Stripe
• Manage billing cycles and renewals
• Apply promotional codes and discounts
• Generate invoices and payment receipts
• Handle payment failures and retry logic
• Calculate usage-based billing (seat count)

6.3 Communications

• Send service-related emails (shift assignments, approvals, etc.)
• Deliver system notifications and alerts
• Respond to support inquiries
• Send administrative messages about account or policy changes
• Provide product updates and feature announcements (with consent)
• Send marketing communications (opt-in only, with easy unsubscribe)

6.4 Service Improvement and Analytics

• Analyze usage patterns and user behavior
• Monitor service performance and uptime
• Identify and fix bugs and errors
• Develop new features and improvements
• Conduct A/B testing and experiments
• Generate aggregated, anonymized analytics

6.5 AI-Powered Features

• Generate AI scheduling recommendations
• Provide workforce analytics and insights
• Identify cost optimization opportunities
• Detect staffing patterns and trends
• Power AI chatbot assistance

6.6 Security and Fraud Prevention

• Detect and prevent unauthorized access
• Monitor for suspicious activity and abuse
• Enforce rate limiting and anti-bot measures
• Verify identity and prevent account takeovers
• Maintain security audit logs
• Investigate security incidents

6.7 Legal Compliance and Protection

• Comply with applicable laws and regulations
• Respond to legal requests and court orders
• Enforce our Terms of Service
• Protect our rights, property, and safety
• Defend against legal claims
• Prevent illegal activities and violations

7. Data Sharing and Third Parties

We do NOT sell, rent, or trade your Personal Information to third parties for their marketing purposes.

We share Personal Information only in the following limited circumstances:

7.1 Service Providers and Processors

We share data with trusted third-party service providers who assist in operating our Services:

Data Processing Agreements: All service providers are bound by written agreements requiring them to protect your Personal Information and use it only for specified purposes.

7.2 Within Your Organization

• Employee Users can view their own shift schedules, time records, and PTO balances
• Managers and Head Managers can view and manage data for employees they supervise
• Managers can create time-off records for employees they supervise (auto-approved)
• Managers can edit certain aspects of time-off (end date, type, reason) with system restrictions
• System prevents managers from shortening active time-off or changing start dates after leave begins
• All manager modifications to employee time-off are logged in audit trails visible to administrators
• Employees receive automatic email notifications when managers create or edit their time-off
• No user (including administrators) can delete time-off records after creation due to legal compliance requirements
• System blocks time-off creation when schedule conflicts or work hour conflicts are detected
• Organization Administrators have broad access to organizational data
• Data visibility is controlled by role-based access controls (RBAC)

7.3 Legal Requirements and Protection

We may disclose Personal Information when required by law or to protect our rights:

• In response to valid legal process (subpoenas, court orders, warrants)
• To comply with applicable laws and regulations
• To investigate suspected fraud, illegal activity, or violations of our Terms
• To protect the safety and security of our users and the public
• To defend against legal claims or disputes
• To enforce our contractual rights

7.4 Business Transfers

If XShift AI is involved in a merger, acquisition, asset sale, bankruptcy, or similar corporate transaction, Personal Information may be transferred to the successor entity. We will provide notice before your Personal Information is transferred and becomes subject to a different privacy policy.

7.5 With Your Consent

We may share your information with third parties when you have given explicit consent for such sharing.

7.6 Aggregated and Anonymized Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you. This includes industry benchmarks, usage statistics, and trend analysis.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and collect usage data.

8.1 What Are Cookies?

Cookies are small text files stored on your device by your web browser. They allow websites to remember your preferences, authenticate your identity, and track your activity.

8.2 Types of Cookies We Use

8.3 Cookie Duration

• Session cookies: Deleted when you close your browser
• Persistent cookies: Stored for defined periods (up to 12 months) or until you delete them

8.4 Managing Cookie Preferences

You can control cookies through:

• Cookie Consent Banner: Appears on first visit, allows granular control
• Browser Settings: Most browsers allow you to block or delete cookies
• Privacy Settings: Access cookie preferences from your account settings

Note: Disabling necessary cookies may prevent you from using certain features of the Services.

8.5 Third-Party Cookies

Some third-party services may set their own cookies (e.g., Stripe for payment processing). We do not control these cookies. Please review the privacy policies of these third parties.

8.6 Do Not Track (DNT)

Our Services do not currently respond to "Do Not Track" signals from browsers, as there is no industry-wide standard for DNT implementation. You can control tracking through our cookie consent banner and browser settings.

9. Data Retention and Deletion

We retain Personal Information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

9.1 Retention Periods by Data Type

9.2 Deletion Upon Request

You may request deletion of your Personal Information at any time (subject to legal retention requirements). See Section 11 for details on exercising your rights.

9.3 Legal Hold and Preservation

Data subject to legal holds, litigation, investigations, or regulatory proceedings will be retained until the matter is resolved, regardless of standard retention periods.

9.4 Anonymization

Where possible, we anonymize Personal Information after the retention period expires, allowing us to retain aggregated insights while protecting your privacy.

9.5 Account Deletion

When you delete your account:

• Your account is immediately deactivated and you can no longer log in
• Your personal information (email, name, password) is immediately anonymized
• Time clock records are retained as required by federal labor law (FLSA) but are no longer linked to your personal information
• Billing and payment records are retained indefinitely for accounting and tax compliance
• Security and audit logs are retained indefinitely for legal compliance and fraud prevention

Important: While your personal information is immediately anonymized, some operational data is retained indefinitely to comply with legal obligations. See our Data Retention Policy for complete details.

10. Data Security Measures

We implement industry-standard security measures to protect your Personal Information from unauthorized access, disclosure, alteration, and destruction.

10.1 Technical Security Measures

• Encryption in Transit: All data transmitted over the internet uses TLS 1.2+ encryption (HTTPS)
• Encryption at Rest: Database encrypted at rest via Supabase PostgreSQL. OAuth integration tokens and multi-factor authentication secrets are encrypted using AES-256-GCM with PBKDF2 key derivation (100,000 iterations)
• Password Security: Passwords are hashed using bcrypt with per-user salt (never stored in plain text)
• Multi-Factor Authentication (MFA): Optional MFA using TOTP (Time-based One-Time Passwords)
• Session Management: Secure, httpOnly, sameSite cookies with automatic expiration
• CSRF Protection: Anti-CSRF tokens on all state-changing requests
• Rate Limiting: Prevents brute force attacks and API abuse
• Input Validation: All user inputs are validated and sanitized to prevent injection attacks
• SQL Injection Prevention: Parameterized queries using Prisma ORM
• XSS Prevention: Output encoding and Content Security Policy (CSP) headers

10.2 Organizational Security Measures

• Access Controls: Role-based access control (RBAC) limits data access to authorized personnel
• Principle of Least Privilege: Users only have access to data necessary for their role
• Employee Training: Regular security awareness training for all personnel
• Background Checks: All employees with data access undergo background verification
• Confidentiality Agreements: All personnel sign NDAs and data protection agreements
• Incident Response Plan: Documented procedures for security incident handling
• Regular Audits: Periodic security audits and vulnerability assessments
• Vendor Management: All third-party vendors undergo security due diligence

10.3 Infrastructure Security

• Secure Hosting: SOC 2 Type II certified cloud infrastructure
• Network Segmentation: Isolated production and development environments
• Firewall Protection: Web application firewalls (WAF) and network firewalls
• DDoS Protection: Distributed denial-of-service attack mitigation
• Intrusion Detection: Automated monitoring for suspicious activity
• Automated Backups: Daily encrypted backups with off-site storage
• Disaster Recovery: Business continuity and disaster recovery plans

10.4 Application Security

• Secure Development: Security-focused SDLC with code reviews
• Dependency Scanning: Automated scanning for vulnerable dependencies
• Penetration Testing: Regular third-party security testing
• Vulnerability Management: Rapid patching of identified vulnerabilities
• Error Handling: No sensitive information exposed in error messages
• Logging and Monitoring: Comprehensive audit logs for security events

10.5 Limitations and User Responsibility

IMPORTANT: While we implement robust security measures, no system is 100% secure. You are responsible for:

• Maintaining the confidentiality of your password and login credentials
• Enabling multi-factor authentication (highly recommended)
• Using a strong, unique password
• Not sharing your account with others
• Logging out when using shared or public computers
• Promptly reporting any suspected unauthorized access
• Keeping your contact information current for security notifications

If you believe your account has been compromised, immediately contact us at contact@xshift.ai

11. Your Privacy Rights

You have certain rights regarding your Personal Information. The specific rights available to you depend on your location and applicable privacy laws.

11.1 Universal Rights (All Users)

• Right to Access: Request a copy of your Personal Information we hold
• Right to Correction: Request correction of inaccurate or incomplete information
• Right to Deletion: Request deletion of your Personal Information (subject to legal retention requirements)
• Right to Data Portability: Receive your data in a machine-readable format (JSON)
• Right to Withdraw Consent: Withdraw consent for processing based on consent
• Right to Opt-Out: Opt out of marketing communications

11.2 How to Exercise Your Rights

You can exercise these rights through multiple channels:

11.3 Verification Requirements

To protect your privacy, we must verify your identity before fulfilling data requests. We may require:

• Verification of email address (email confirmation link)
• Account password authentication
• Two-factor authentication code (if MFA is enabled)
• Additional information to match against our records

11.4 Response Timeframes

• General Requests: Respond within 30 days of receipt
• GDPR Requests: Respond within 30 days (extendable to 60 days for complex requests)
• CCPA Requests: Respond within 45 days (extendable to 90 days)
• Urgent Security Matters: Respond within 24-48 hours

11.5 Limitations on Rights

We may decline requests when:

• We cannot verify your identity
• The request is manifestly unfounded or excessive
• Required by law to retain the information
• Necessary for legal claims or defense
• Would compromise the privacy of others
• Would reveal trade secrets or proprietary information

If we decline a request, we will explain the reason and inform you of your right to appeal or lodge a complaint with a supervisory authority.

11.6 No Discrimination

We will NOT discriminate against you for exercising your privacy rights. This means:

• No denial of goods or services
• No charging different prices or rates
• No providing different quality of service
• No suggesting you will receive different treatment

Note: We may offer financial incentives for data collection if permitted by law and with your prior opt-in consent.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide additional rights.

12.1 California-Specific Rights

• Right to Know: Request disclosure of categories and specific pieces of Personal Information collected, sources, purposes, and third-party sharing
• Right to Delete: Request deletion of Personal Information (with exceptions)
• Right to Correct: Request correction of inaccurate Personal Information
• Right to Opt-Out of Sale/Sharing: We do NOT sell or share Personal Information for cross-context behavioral advertising
• Right to Limit Sensitive Personal Information: Limit use of Sensitive Personal Information to purposes necessary for service delivery
• Right to Non-Discrimination: Exercise rights without discriminatory treatment
• Right to Authorize an Agent: Designate an authorized agent to make requests on your behalf

12.2 Categories of Personal Information Collected (Last 12 Months)

12.3 Sale and Sharing of Personal Information

We DO NOT sell your Personal Information and have not sold Personal Information in the preceding 12 months.

We DO NOT share your Personal Information for cross-context behavioral advertising.

12.4 Retention of Personal Information

We retain Personal Information for the periods specified in Section 9 (Data Retention).

12.5 California Minors

Users under 18 in California have the right to request removal of content they posted. Contact contact@xshift.ai to request removal.

12.6 "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of Personal Information to third parties for direct marketing. We do NOT share Personal Information with third parties for their direct marketing purposes.

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and UK GDPR provide comprehensive privacy rights.

13.1 GDPR-Specific Rights

• Right of Access (Article 15): Obtain confirmation of processing and access to your Personal Data
• Right to Rectification (Article 16): Correct inaccurate or incomplete Personal Data
• Right to Erasure (Article 17): Request deletion ("right to be forgotten") subject to legal exceptions
• Right to Restriction (Article 18): Restrict processing in certain circumstances
• Right to Data Portability (Article 20): Receive Personal Data in structured, machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests or direct marketing
• Rights Related to Automated Decision-Making (Article 22): Not be subject to solely automated decisions with legal/significant effects
• Right to Withdraw Consent (Article 7): Withdraw consent at any time (without affecting lawfulness of prior processing)
• Right to Lodge a Complaint (Article 77): File a complaint with a supervisory authority

13.2 Legal Bases for Processing

See Section 5 for detailed legal bases under GDPR.

13.3 Data Protection Officer (DPO)

For GDPR-related inquiries, contact our Data Protection Officer:

13.4 EU Representative

If required under GDPR Article 27, we will appoint an EU representative. Contact information will be provided here when applicable.

13.5 Supervisory Authority

You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your GDPR rights. Find your supervisory authority at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

14. International Data Transfers

XShift AI is based in the United States. If you access our Services from outside the United States, your Personal Information will be transferred to, stored, and processed in the United States and potentially other countries.

14.1 Legal Framework for Transfers

We rely on the following mechanisms for international data transfers:

• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs for transfers to countries without adequacy decisions
• Data Processing Agreements (DPAs): Contractual commitments with service providers
• Adequacy Decisions: Transfers to countries recognized by the EU Commission as providing adequate protection
• Explicit Consent: Where required, we obtain your explicit consent for transfers

14.2 Safeguards for International Transfers

When transferring data internationally, we implement appropriate safeguards:

• Encryption in transit and at rest
• Contractual obligations on receiving parties
• Regular compliance assessments
• Technical and organizational security measures

14.3 Countries Where Data May Be Processed

• United States: Primary data storage and processing location
• European Union: Potential backup and disaster recovery locations
• Other Locations: As needed for service providers (subject to appropriate safeguards)

Google Analytics: If you consent to analytics cookies, data collected by Google Analytics may be transferred to and processed on Google's servers located in the United States and other countries worldwide. Google has implemented Standard Contractual Clauses (SCCs) for GDPR compliance. Learn more at Google's Privacy Policy.

14.4 US Government Access

As a US-based company, we may be subject to US government requests for data under US law (FISA, CLOUD Act, etc.). We will:

• Challenge overly broad requests where legally possible
• Notify affected users unless legally prohibited
• Publish transparency reports when permitted
• Implement technical measures to limit access (encryption, data minimization)

15. Children's Privacy

AGE RESTRICTION: Our Services are NOT intended for individuals under the age of 16. We do NOT knowingly collect Personal Information from children under 16.

15.1 COPPA Compliance (US)

Under the Children's Online Privacy Protection Act (COPPA), we do NOT:

• Knowingly collect information from children under 13
• Target our Services to children under 13
• Allow children under 13 to create accounts

15.2 GDPR Age Restrictions (EU)

Under GDPR, we do NOT offer information society services directly to children under 16 (or lower age set by member states, ranging from 13-16).

15.3 If We Discover Child Data

If we learn that we have collected Personal Information from a child under the applicable age limit without parental consent (where required), we will:

• Promptly delete the information
• Terminate the account
• Notify the parent or guardian (if contact information is available)

15.4 Parental Rights

If you are a parent or guardian and believe your child has provided us with Personal Information, contact us immediately at contact@xshift.ai with:

• Child's name and account information
• Your relationship to the child
• Proof of parental authority

15.5 Teen Employees (Ages 16-18)

For Employee Users ages 16-18 (where legal to employ):

• The Employer Organization is responsible for obtaining necessary parental consents
• We act as a Processor for this data
• Parents may exercise rights on behalf of their teen employee by contacting the Employer Organization

16. Employee and Workforce Data

When processing Employee User data on behalf of Employer Organizations, we act as a Data Processor. This section clarifies roles and responsibilities.

16.1 Controller vs. Processor Roles

16.2 Data Processing Agreement (DPA)

All Employer Organizations must enter into a Data Processing Agreement (DPA) that specifies:

• Subject matter and duration of processing
• Nature and purpose of processing
• Types of Personal Data and categories of Data Subjects
• Controller's instructions and obligations
• Processor's obligations and security measures
• Sub-processor authorization and requirements
• Data subject rights assistance procedures
• Data breach notification requirements
• Audit and inspection rights
• Data deletion or return upon termination

16.3 Employee Rights and Requests

Employee Users should direct privacy requests to their Employer Organization (the Controller).

If we receive a request directly from an Employee User, we will:

• Verify the requestor's identity and employment relationship
• Forward the request to the applicable Employer Organization
• Assist the Employer Organization in fulfilling the request
• Follow the Employer Organization's documented instructions

16.4 Employment Law Disclaimers

IMPORTANT DISCLAIMER: XShift AI is a software tool. We are NOT responsible for Employer Organizations' compliance with employment laws, including:

• Fair Labor Standards Act (FLSA)
• Family and Medical Leave Act (FMLA)
• Americans with Disabilities Act (ADA)
• State wage and hour laws
• Break and meal period requirements
• Overtime calculation accuracy
• Recordkeeping requirements
• Discrimination and harassment prevention

Employer Organizations are solely responsible for:

• Configuring the Services to comply with applicable laws
• Verifying accuracy of time records and payroll calculations
• Ensuring proper employee classification (exempt vs. non-exempt)
• Maintaining required employment records
• Providing legally mandated breaks and leave
• Consulting legal counsel for employment law compliance

17. Artificial Intelligence and Automated Processing

We use artificial intelligence and machine learning technologies to enhance our Services, including our AI Copilot feature. This section explains how AI processes your data.

17.1 AI Features and Purposes

Our AI Copilot is a conversational AI assistant that takes actions on your behalf. AI Copilot and our other AI features are used for:

• AI Copilot - Conversational Scheduling: Natural language commands to create schedules, assign shifts, manage PTO, and perform other scheduling tasks
• Schedule Optimization: AI suggests optimal shift schedules based on historical patterns
• Workforce Analytics: AI analyzes staffing patterns and generates insights
• Cost Optimization: AI identifies opportunities to reduce labor costs
• Performance Insights: AI analyzes employee reliability and attendance patterns
• Demand Forecasting: AI predicts staffing needs based on historical data

17.2 AI Service Provider: OpenAI

17.3 Data Minimization for AI

Before sending data to AI services, we:

• Include only employee first and last names (required for personalized insights)
• Do NOT include email addresses, phone numbers, addresses, or Social Security Numbers
• Include aggregated statistics (total hours, attendance rates, shift counts)
• Include performance metrics (reliability scores, on-time percentages)
• Limit data to what is necessary for generating workforce insights

Example: We send "John Smith worked 40 hours with 95% on-time rate" to generate personalized recommendations like "John is highly reliable and suitable for opening shifts."

17.4 Automated Decision-Making

We do NOT use AI for solely automated decisions that produce legal or similarly significant effects.

All AI-generated recommendations are:

• Advisory only: Suggestions, not automatic actions
• Human oversight: Managers review and approve all AI recommendations
• Overridable: Users can ignore or modify AI suggestions
• Transparent: AI recommendations are clearly labeled as AI-generated

17.5 AI Chatbot Data Processing

Our AI-powered chatbot (powered by Voiceflow and OpenAI) assists users by answering questions about XShift AI features, scheduling guidance, and platform usage. The chatbot may collect personal information to provide personalized assistance and follow-up.

How We Use Chatbot Data:

• Respond to your questions and provide customer support
• Contact you via email or phone to follow up on your inquiries (if you provided contact information)
• Send you product information, demos, or sales materials related to your chatbot inquiry
• Improve chatbot accuracy and train conversation flows
• Analyze common questions and improve our documentation
• Track conversion rates and chatbot effectiveness

Data Retention:

• Conversation Logs: Retained for 2 years for quality improvement and compliance purposes
• Contact Information: Retained until you request deletion OR until we determine you are no longer a prospective or active customer (typically 3 years of inactivity)
• OpenAI Processing: 30 days per OpenAI's API retention policy
• Voiceflow Processing: Retained per Voiceflow's standard data retention policies

17.6 AI Accuracy and Limitations

17.7 Prohibited Uses of AI Chatbot

You agree NOT to use the AI chatbot for:

• Attempting to extract, reverse engineer, or discover the underlying AI model, system prompts, or proprietary workflows
• Submitting prompts designed to generate harmful, illegal, discriminatory, harassing, or offensive content
• Automated or high-volume queries (bots, scrapers, scripts) that constitute abuse or denial-of-service attacks
• Obtaining advice on illegal activities, discrimination, harassment, or employment law violations
• Impersonating other users, providing false information, or misrepresenting your identity
• Commercial use outside of your authorized subscription scope
• Testing the chatbot's boundaries or attempting jailbreaks, prompt injection attacks, or adversarial inputs

17.8 Your Rights Regarding Chatbot Data

You have the following rights regarding your chatbot data:

• Access: Request a copy of your chatbot conversation history
• Deletion: Request deletion of your chatbot conversations and contact information by emailing contact@xshift.ai
• Correction: Update or correct your contact information provided through the chatbot
• Opt-Out: Request that we do not contact you for marketing purposes based on chatbot interactions
• Data Portability: Receive your chatbot data in a machine-readable format (where technically feasible)

17.9 Opting Out of AI Features

You can opt out of AI-powered features by:

• Not interacting with the chatbot widget (simply don't click it)
• Disabling AI features in your organization settings (for logged-in users)
• Not using AI-powered pages (insights, chatbot, AI scheduling suggestions)
• Contacting support at contact@xshift.ai to disable AI processing for your organization
• Using browser extensions or privacy tools to block the chatbot widget

Note: Opting out of AI features does not affect core scheduling and time tracking functionality. The chatbot is primarily a support and sales tool, not a required feature.

18. Data Breach Notification

While we implement robust security measures, no system is completely immune to breaches. This section outlines our data breach response procedures.

18.1 Breach Detection and Assessment

• 24/7 security monitoring and intrusion detection
• Automated alerts for suspicious activity
• Rapid incident assessment and triage
• Forensic investigation to determine scope and impact

18.2 Breach Containment

• Immediate isolation of affected systems
• Revocation of compromised credentials
• Patching of exploited vulnerabilities
• Preservation of evidence for investigation

18.3 Notification Timelines

18.4 Notification Content

Breach notifications will include:

• Description of the breach and affected data types
• Date or approximate date of the breach
• Number of affected individuals (if known)
• Likely consequences and potential risks
• Measures taken to mitigate harm
• Recommended actions for affected individuals
• Contact information for questions
• Where applicable, free credit monitoring or identity theft protection services

18.5 Notification Methods

• Direct email: To all affected users' registered email addresses
• In-app notification: Prominent banner upon next login
• Website notice: Public notice on our homepage (if widespread)
• Media notification: If required by law for large-scale breaches
• Regulatory notification: To applicable supervisory authorities

18.6 Post-Breach Actions

• Forced password resets for affected accounts
• Enhanced monitoring of affected accounts
• Security improvements to prevent recurrence
• Third-party security audit
• Transparency report publication

18.7 Controller Notification (for Employee Data)

If a breach affects Employee User data, we will:

• Notify the Employer Organization (Controller) within 24 hours
• Provide detailed breach report and forensic findings
• Assist the Controller in their regulatory notification obligations
• Coordinate on user notification and remediation

19. Data Portability and Export

We provide easy-to-use tools for exporting your Personal Information in machine-readable formats.

19.1 Self-Service Data Export

All users can export their data through the in-app privacy dashboard:

• Export Format: JSON (machine-readable, standardized)
• Included Data: Personal info, shifts, clock entries, time-off requests, PTO balances
• Delivery Method: Secure download link sent via email
• Link Expiration: 7 days (for security)
• Processing Time: Typically instant; up to 24 hours for large accounts
• Rate Limiting: Data export requests are limited to 3 per hour per user for security purposes

19.2 Organization-Level Exports

Employer Organizations can export all organizational data:

• Reports: Pre-built export reports (payroll, attendance, schedules)
• Bulk Export: Complete organizational data dump upon account closure
• API Access: Programmatic access to data via REST API (Enterprise plans)

19.3 Limitations on Data Portability

• Cannot export data that belongs to other users (privacy protection)
• Cannot export proprietary algorithms or business logic
• Cannot export data subject to legal holds or investigations
• May exclude system-generated metadata not considered "Personal Information"

19.4 Transmitting Data to Other Services

Upon request, we can facilitate direct transmission of your data to another service provider (where technically feasible). Contact contact@xshift.ai to arrange transmission.

20. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services. This Privacy Policy does NOT apply to those third parties.

20.1 No Responsibility for Third-Party Practices

DISCLAIMER: We are NOT responsible for the privacy practices, content, or security of third-party websites or services. Links do NOT imply endorsement.

20.2 Third-Party Integrations

If you enable third-party integrations (e.g., payroll systems, HR platforms):

• You authorize data sharing with the third party
• The third party's privacy policy governs their use of your data
• We are not responsible for the third party's data practices
• You can revoke integration access at any time

20.3 Social Media Plugins

We do NOT currently use social media plugins or tracking pixels from social networks. If we add these features, we will update this Privacy Policy.

20.4 User Recommendations

Before providing information to third parties:

• Review their privacy policy and terms of service
• Understand what data they collect and how they use it
• Verify the security of the connection (HTTPS)
• Only share necessary information

21. Compliance and Certifications

We are committed to maintaining compliance with applicable privacy and security regulations.

21.1 Regulatory Compliance

• GDPR (General Data Protection Regulation): EU/UK data protection compliance
• CCPA/CPRA (California Consumer Privacy Act): California privacy rights compliance
• PIPEDA (Canada): Canadian privacy law compliance (where applicable)
• State Privacy Laws: Compliance with Virginia CDPA, Colorado CPA, Utah UCPA, Connecticut CTDPA, and other state laws

21.2 Security Certifications and Standards

• SOC 2 Type II: Infrastructure providers maintain SOC 2 certification
• ISO 27001: Working toward ISO 27001 information security certification
• PCI DSS: Payment processing handled by PCI DSS Level 1 certified Stripe
• OWASP Top 10: Regular testing and mitigation of OWASP vulnerabilities

21.3 Industry Best Practices

• Privacy by Design and by Default
• Data minimization principles
• Purpose limitation
• Storage limitation
• Integrity and confidentiality
• Accountability and transparency

21.4 Regular Audits and Assessments

• Annual privacy impact assessments (PIAs)
• Quarterly security vulnerability scans
• Annual third-party penetration testing
• Continuous compliance monitoring

21.5 Transparency Reports

We are committed to transparency. We will publish annual transparency reports disclosing:

• Number of law enforcement requests received and fulfilled
• Number of data subject requests and resolution times
• Any data breaches or security incidents
• Changes to our data practices

22. Dispute Resolution

22.1 Informal Resolution

If you have concerns about our privacy practices, please contact us first at contact@xshift.ai. We will investigate and attempt to resolve complaints promptly.

22.2 Binding Arbitration

MANDATORY ARBITRATION: Disputes arising from this Privacy Policy are subject to the arbitration provisions in our Terms of Service, including:

• Individual arbitration (no class actions)
• AAA (American Arbitration Association) rules
• Governing law: Laws of the State of Delaware, United States
• Venue: Arbitration location TBD based on AAA rules

22.3 Exceptions to Arbitration

The following are NOT subject to arbitration:

• Claims that may be brought in small claims court
• Injunctive relief for intellectual property infringement
• Regulatory complaints to supervisory authorities (GDPR, CCPA, etc.)

22.4 Supervisory Authority Complaints (GDPR)

EEA/UK users have the right to lodge complaints with their local supervisory authority:

• Find your supervisory authority: EDPB Member List
• UK users: Information Commissioner's Office (ICO) - https://ico.org.uk

22.5 California Privacy Rights Appeals

California residents have the right to appeal our decisions on privacy requests. To appeal, email contact@xshift.ai with "CCPA Appeal" in the subject line.

23. Liability Limitations

IMPORTANT: TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE FOLLOWING LIMITATIONS APPLY:

23.1 No Warranty

THE SERVICES AND ALL PRIVACY PROTECTIONS ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO:

• Warranties of merchantability
• Fitness for a particular purpose
• Non-infringement
• Uninterrupted, secure, or error-free operation
• Complete accuracy or reliability of security measures

23.2 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE SHALL NOT BE LIABLE FOR:

• Indirect, incidental, special, consequential, or punitive damages
• Loss of profits, revenue, data, or goodwill
• Business interruption or loss of business opportunity
• Damages resulting from unauthorized access to your account
• Damages resulting from third-party actions or data breaches
• Damages exceeding the amount you paid us in the 12 months preceding the claim

23.3 User Responsibility

YOU ARE SOLELY RESPONSIBLE FOR:

• Maintaining the security of your account credentials
• All activity occurring under your account
• Compliance with applicable employment and privacy laws
• Accuracy of data you input into the Services
• Your use of AI-generated recommendations
• Backing up your data

23.4 Third-Party Actions

WE ARE NOT RESPONSIBLE FOR:

• Actions or omissions of third-party service providers
• Security breaches at third-party services (including Stripe, OpenAI, infrastructure providers)
• Accuracy or reliability of third-party data or services
• Content or practices of linked third-party websites

23.5 Force Majeure

We shall not be liable for any failure or delay in performance due to circumstances beyond our reasonable control, including:

• Acts of God, natural disasters
• War, terrorism, civil unrest
• Government actions or regulations
• Internet outages or infrastructure failures
• Cyberattacks or DDoS attacks
• Pandemics or public health emergencies

23.6 Exceptions to Limitations

These limitations do NOT apply to:

• Our gross negligence or willful misconduct
• Violations of applicable privacy laws where liability cannot be limited
• Jurisdictions that prohibit limitation of liability for certain damages
• Our obligations to indemnify you under applicable law

SOME JURISDICTIONS DO NOT ALLOW CERTAIN LIMITATIONS OF LIABILITY. IF THESE LAWS APPLY TO YOU, SOME OR ALL OF THE ABOVE LIMITATIONS MAY NOT APPLY.

24. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational considerations.

24.1 Notification of Changes

When we make material changes to this Privacy Policy, we will notify you by:

• Email notification: Sent to your registered email address at least 30 days before changes take effect
• In-app notification: Prominent banner when you next log in
• Website notice: Notice on our homepage
• "Last Updated" date: Updated at the top of this Privacy Policy

24.2 What Constitutes "Material" Changes

Material changes include:

• Collecting new categories of Personal Information
• Using data for new purposes not previously disclosed
• Sharing data with new categories of third parties
• Changes to data retention periods (lengthening significantly)
• Reducing your privacy rights or protections
• International data transfers to new countries

24.3 Non-Material Changes

Minor updates (clarifications, formatting, contact information, legal references) may be made without notice. We will update the "Last Updated" date.

24.4 Your Acceptance of Changes

By continuing to use the Services after changes take effect, you accept the updated Privacy Policy. If you do not agree to changes:

• You may request deletion of your account before changes take effect
• Existing data will be governed by the Privacy Policy in effect when collected (unless you consent to new terms)
• You may export your data before account closure

24.5 Historical Versions

We maintain an archive of previous Privacy Policy versions. To request historical versions, contact contact@xshift.ai.

25. Labor Cost Analytics and Break Tracking Data

This section provides important clarifications about compensation data collection, break tracking limitations, and access controls for workforce insights features.

25.1 Compensation and Labor Cost Data

To enable labor cost analytics, scheduling optimization, and budget tracking features, we collect and process employee compensation data provided by Employer Organizations:

• Hourly pay rates: For non-exempt employees paid by the hour
• Annual salaries: For salaried employees with fixed annual compensation
• Pay type classification: Whether an employee is paid hourly or on a salary basis
• Overtime exemption status: Whether an employee is exempt or non-exempt under the Fair Labor Standards Act (FLSA) for overtime calculations

How we use compensation data:

• Labor cost calculations: Multiplying hours worked by pay rates to calculate actual and projected labor costs
• Budget vs. actual comparisons: Comparing actual labor costs against configured budgets
• Cost-per-shift analytics: Calculating the total labor cost for individual shifts based on assigned employees' pay rates
• Overtime cost projections: Calculating overtime premiums (typically 1.5x hourly rate) for non-exempt employees who work over 40 hours per week
• Scheduling optimization: Suggesting shift assignments that minimize labor costs while meeting coverage requirements
• Workforce insights: Providing aggregate labor cost trends, cost-per-hour metrics, and departmental cost breakdowns

Data accuracy and liability:

• Employer Organizations are solely responsible for entering accurate pay rates and correctly classifying employees (exempt vs. non-exempt, hourly vs. salary)
• We calculate labor costs based on the data YOU provide. We do NOT verify pay rates against employment contracts, state minimum wage laws, or FLSA requirements
• Labor cost analytics are for internal planning and budgeting purposes only. They do NOT constitute official payroll records or satisfy legal recordkeeping requirements
• Overtime calculations assume standard FLSA rules (1.5x rate for hours over 40/week for non-exempt employees). We do NOT account for state-specific overtime rules, daily overtime, or alternative workweek schedules

25.2 Break Tracking and Configuration Data

IMPORTANT CLARIFICATION: The break tracking feature is a scheduling and configuration tool only. It does NOT monitor, enforce, or verify that employees actually take breaks during their shifts.

What we collect about breaks:

• Scheduled breaks: We collect break rules you configure (break name, duration, paid/unpaid status, minimum hours threshold) and which locations they're assigned to
• Break application data: When a shift is created, we store which break rules were automatically applied to that shift based on its duration and location

What we do NOT collect:

• We do NOT track when employees actually start or stop taking breaks
• While optional database fields exist for actual break start/end times (ClockEntry.breakStartAt, ClockEntry.breakEndAt), these fields are NEVER populated because employees have no interface to clock in/out of breaks
• We do NOT monitor whether employees actually take their scheduled breaks
• We do NOT detect missed breaks or send break compliance alerts
• We do NOT enforce break timing or automatically deduct breaks from payroll

How break data is used:

• Scheduling purposes: Creating break records in the schedule so managers know when breaks are planned
• Payroll calculations: Scheduled unpaid breaks can be referenced for manual payroll adjustments (but payroll calculations use actual clock in/out times, NOT scheduled breaks)
• NOT used for compliance monitoring: Break data is NOT used to monitor break compliance, detect missed breaks, or enforce break policies

25.3 Labor Cost Analytics Access Control

Labor cost analytics and workforce insights include highly sensitive compensation data (hourly rates, salaries, labor cost calculations). Access to this data is strictly controlled based on user role and explicit permissions.

Technical Access Controls:

• API-level enforcement: All workforce insights API endpoints check user role AND explicit permission grants before returning data
• Database-level isolation: Query filters enforce location restrictions for managers with limited access
• Permission verification: Each request validates that the user's current role and permissions match access requirements
• Audit trail: Access to workforce insights pages and API endpoints is logged for compliance purposes

Employer Organization Responsibilities:

• Head Managers must carefully consider which managers should receive workforce insights access
• Granting access to compensation data may trigger legal obligations under wage transparency laws or employment contracts
• Employer Organizations are responsible for compliance with applicable laws regarding manager access to employee compensation data
• Regular review of manager permissions is recommended, especially when managers change roles or locations

26. Availability and Scheduling Data

XShift's availability management feature allows organizations to collect, manage, and utilize employee scheduling preferences and constraints. This section describes how we handle this sensitive workforce data.

26.1 What We Collect

When employees provide availability information through our platform, we collect and store:

• Preferred Work Days: Days of the week employees prefer to work
• Unavailable Days: Days employees cannot work due to personal commitments, education, or other obligations
• Preferred Time Ranges: Start and end times for preferred work shifts
• Employee Notes: Free-text explanations provided by employees about their availability constraints
• Availability Requests: Formal requests submitted by employees to change their availability (when Manager-Controlled mode is enabled)
• Manager Notes: Private notes recorded by managers about availability decisions, approvals, or denials
• Manager Decisions: Records of which availability changes were approved or denied, including decision timestamps
• Audit Logs: System-generated logs of who viewed, edited, approved, or denied availability records and when

26.2 Who Can Access This Data

Availability data is accessible to different parties depending on their role:

• You (Employee): Can view and edit your own availability preferences (subject to your organization's control mode settings)
• Managers: Can view availability data for all employees they supervise to create work schedules
• Organization Administrators: Can view and modify availability data for all employees in their organization
• XShift System Administrators: May access availability data for technical support, debugging, or compliance purposes

26.3 How We Use This Data

We use availability data exclusively for workforce management purposes:

• Schedule Creation: Matching employee availability with business needs to generate work schedules
• Conflict Detection: Automatically identifying scheduling conflicts and recommending resolutions
• Compliance Monitoring: Helping organizations avoid scheduling employees during declared unavailable periods
• Audit and Dispute Resolution: Providing historical records when scheduling disputes arise
• AI-Powered Scheduling: Training our AI scheduling assistant to generate optimal schedules based on collective availability patterns (when AI Copilot is enabled)

We do not: Sell availability data, use it for marketing, or share it with third parties except as required by law or outlined in Section 7 (Third-Party Service Providers).

26.4 Data Retention

Availability data is retained indefinitely for as long as your account remains active with your Employer Organization. We do not automatically delete historical availability records.

• Active Records: Your current availability preferences remain in the system and are continuously accessible to managers
• Historical Changes: Previous availability requests, approvals, and denials are preserved for audit purposes
• Manager Notes: Notes written by managers are retained indefinitely and associated with your employee profile
• Manual Deletion Only: Availability records are only deleted when your entire user account is deleted, either by you, your employer, or upon account termination

26.5 Legal Disclosure and Third-Party Sharing

We may disclose your availability data in the following circumstances:

• Legal Compliance: When required by court order, subpoena, or regulatory investigation (e.g., labor law enforcement, wage-hour audits)
• Employment Disputes: Your availability records, including manager notes, may be provided to courts, arbitrators, or government agencies investigating employment disputes
• Wage and Hour Claims: Historical availability data may be used as evidence in disputes over scheduling practices, overtime, or break compliance
• Discrimination or Retaliation Claims: Availability patterns and manager notes may be relevant in discrimination or retaliation investigations

26.6 Your Rights Regarding Availability Data

You have the following rights concerning your availability data:

• Right to Access: You can view your current availability preferences and historical availability requests through your employee dashboard
• Right to Correction: You can update your availability preferences at any time (subject to your organization's approval requirements if Manager-Controlled mode is enabled)
• Right to Deletion: You may request deletion of your availability data by contacting your Employer Organization. Note that deletion may only be possible by deleting your entire account.
• Right to Data Portability: You can request an export of your availability data in a machine-readable format (JSON or CSV) by contacting us
• Right to Object: If you do not consent to your employer collecting availability data, you may decline to provide it. However, this may limit your employer's ability to accommodate your scheduling preferences.

To exercise these rights, contact your Employer Organization's administrator first. If your employer does not respond or you have concerns about how your data is being handled, contact us at contact@xshift.ai with "Availability Data Request" in the subject line.

27. Contact Information

For privacy-related questions, requests, or concerns, contact us through the following channels:

When contacting us, please include:

• Your name and registered email address
• Nature of your inquiry or request
• Specific data or records involved (if applicable)
• Preferred method of response
• Any supporting documentation

We take your privacy seriously. Our privacy team is committed to responding to all inquiries promptly and thoroughly. Your rights matter to us.