Privacy Policy

1. Introduction

Shyft Sg Pte Ltd (“Shyft Sg”, “we”, “our”, or “us”) operates a digital staffing marketplace that connects hospitality workers with boutique hotels, capsule hotels, and serviced apartments across Singapore. We are committed to protecting your personal data in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website, mobile applications, and related services (collectively, the “Platform”).

2. Personal Data We Collect

We collect the following categories of personal data:

2.1 Worker Accounts

• Identity Data: Full name, date of birth, profile photograph
• Contact Data: Email address, phone number
• Work Authorization: Work pass type (e.g., Employment Pass, S Pass, Work Permit, Student Pass), work pass number, expiry date, school name (for Student Pass holders)
• NRIC / FIN: Collected solely for work authorization verification and Ministry of Manpower (MOM) compliance. Stored encrypted and never displayed in full on the Platform.
• Employment Data: Shift history, hours worked, ratings, tier status, training progress
• Financial Data: Payment records are tracked on the Platform but processed through third-party payment providers. We do not store full bank account or credit card details.

2.2 Hotel Accounts

• Business Identity: Hotel name, Unique Entity Number (UEN), business address
• Contact Data: Email address of the authorized representative
• Operational Data: Job postings, shift details, applicant records, ratings

2.3 Automatically Collected Data

• Usage Data: Pages visited, features used, actions taken
• Device Data: Browser type, operating system, IP address
• Cookies: Session identifiers, authentication tokens, and analytics cookies (see Section 7)

3. How We Use Your Data

We use your personal data for the following purposes:

• Account Management: Creating and maintaining your account, verifying your identity and work authorization
• Platform Operations: Matching workers with available shifts, processing applications, managing rosters
• Communication: Sending shift confirmations, application updates, and system notifications
• Compliance: Fulfilling MOM reporting requirements, enforcing work hour restrictions for minors, maintaining audit trails
• Safety & Security: Preventing fraud, monitoring for abuse, enforcing our Terms of Service
• Platform Improvement: Analyzing usage patterns to improve our service, troubleshooting errors

4. Data Sharing and Disclosure

We share personal data only in the following circumstances:

• Hotels ↔ Workers: When a worker applies for a shift, the hotel receives the worker's name, tier, rating, and verification status. Full NRIC/FIN is never shared with hotels.
• Government Authorities: When required by law or regulation, including MOM compliance checks
• Service Providers: Cloud hosting (Vercel, Neon), email services, and analytics providers who process data on our behalf under strict contractual protections
• Legal Obligations: In response to valid legal processes, court orders, or regulatory requests

We do not sell your personal data to third parties.

5. Data Retention

• Active Accounts: Data is retained for the duration of your account activity
• Deleted Accounts: Personal data is anonymized or deleted within 90 days of account deletion, except where retention is required by law
• Shift Records: Employment records are retained for 2 years in compliance with Singapore employment regulations
• NRIC Data: Deleted within 30 days after the purpose of collection has been fulfilled, unless legally required to retain

6. Data Security

We implement industry-standard security measures including:

• Encryption of all data in transit (TLS 1.3) and sensitive data at rest (AES-256)
• Password hashing using bcrypt with industry-standard salt rounds
• Role-based access controls for internal staff
• Regular security audits and vulnerability assessments
• Infrastructure hosted on SOC 2 compliant providers

7. Cookies

We use the following types of cookies:

• Essential Cookies: Required for authentication and session management. Cannot be disabled.
• Analytics Cookies: Help us understand how the Platform is used. Can be disabled in your browser settings.

We do not use advertising or tracking cookies.

8. Your Rights Under the PDPA

You have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Withdrawal of Consent: Withdraw consent for data processing, subject to legal and contractual restrictions
• Data Portability: Request your data in a commonly used, machine-readable format

To exercise these rights, contact our Data Protection Officer at dpo@shyft.sg.

9. International Transfers

Your data is primarily stored on servers in the Asia-Pacific region (AWS ap-southeast-1). In the event data is transferred to jurisdictions outside Singapore, we ensure adequate protections are in place as required by the PDPA.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Platform at least 14 days before they take effect. Continued use of the Platform after changes constitute acceptance of the revised policy.

11. Contact Us

For questions about this Privacy Policy or your personal data, contact: