Privacy Policy

We collect:

• your email address (at signup)
• your first name (at signup)
• your payment information (processed and stored by Stripe — we do not store card details)
• your subscription status and plan type
• your daily note generation count (a number only, no content)
• technical data such as IP address and browser type collected automatically

We do not collect or store:

• the content of your shift inputs
• generated case notes
• participant names or any information about the people you support

This data passes through our system during note generation but is not saved to our database.

We use your information to:

• provide and maintain your account
• process payments via Stripe
• send transactional emails (welcome, billing, cancellation) via Resend
• enforce the daily note limit
• monitor service health and errors via Sentry (no personal content is sent to Sentry)
• contact you about material changes to the service

We do not use your information for marketing, advertising, or profiling. We do not sell your information to anyone.

When you submit a note, your shift input is sent to Anthropic's API (a US-based AI provider) for processing. Anthropic generates the note and returns it to your screen. Under Anthropic's API data policy, inputs and outputs submitted via the API are not used to train their models and are not retained beyond the processing window.

GSD does not store the input or the output. Once you close or navigate away from the output screen, the note exists only wherever you copied it to.

GSD uses the following third party services:

• Supabase (database and authentication) — hosted in Sydney, Australia (ap-southeast-2). Your account data stays in Australia.
• Anthropic (AI note generation) — US-based. Your shift input is transmitted to Anthropic's US servers for processing. No content is retained by Anthropic after processing. This cross-border transfer is disclosed under APP 8.
• Stripe (payment processing) — US-based with global infrastructure. Stripe handles your payment card details directly. GSD does not receive or store card numbers.
• Resend (transactional emails) — email delivery infrastructure routed through Ireland. Email content (your name and account-related notifications only) passes through Resend's servers.
• Cloudflare (DNS and email forwarding) — US-based with global edge network. Manages domain routing and forwards emails sent to hello@getshiftdone.com.au.
• Vercel (hosting) — US-based. Hosts the application and serverless functions.
• Sentry (error monitoring) — US-based. Receives error data only. No shift content, participant names, or generated notes are sent to Sentry.

Account data (email, name, subscription status) is retained while your account is active. If you cancel your subscription, your account data is retained in case you resubscribe. If you want your data deleted entirely, contact hello@getshiftdone.com.au and we will delete your account and all associated data within 30 days.

Shift input and generated notes are not retained at any point.

We protect your data using:

• encryption in transit (HTTPS)
• Row Level Security on database tables (each user can only access their own data)
• server-side API keys that are never exposed to your browser
• reCAPTCHA to prevent automated abuse

No system is perfectly secure. If you become aware of a security issue, contact hello@getshiftdone.com.au immediately.

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). We will notify you as soon as practicable and within the timeframes required by law.

Under the Australian Privacy Principles you have the right to:

• access the personal information we hold about you
• request correction of inaccurate information
• request deletion of your data

To exercise any of these rights, contact hello@getshiftdone.com.au. We will respond within 30 days.

GSD is not intended for use by anyone under 18.

We may update this policy from time to time. If we make a material change we will notify you by email. The latest version is always available at getshiftdone.com.au/privacy.

If you have a question or complaint about how we handle your information, contact hello@getshiftdone.com.au. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.