Privacy Policy

Last updated: 7 April 2026

1. Introduction

Shyft SG Pte Ltd (“Shyft SG”, “we”, “our”, or “us”) operates a digital staffing marketplace connecting hospitality workers with boutique hotels, capsule hotels, and serviced apartments across Singapore. We are committed to protecting your personal data in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website, mobile application, and related services (collectively, the “Platform”).

2. Personal Data We Collect

We collect the following categories of personal data:

2.1 Worker Accounts

  • Identity Data: Full name, date of birth, profile photograph
  • Contact Data: Email address, phone number
  • Work Authorization: Work pass type (Singapore Citizen/PR, LTVP/LTVP+ with LOC, Student Pass), expiry date, school name (for Student Pass holders)
  • NRIC / FIN: Collected solely for work authorization verification and Ministry of Manpower (MOM) compliance. Stored encrypted; never displayed in full on the Platform.
  • Employment Data: Shift history, hours worked, ratings, tier status, training progress
  • Financial Data: Payment records are tracked on the Platform but processed via third-party providers. We do not store full bank account or card details.

2.2 Hotel Accounts

  • Business Identity: Hotel name, Unique Entity Number (UEN), business address
  • Contact Data: Email address of the authorized representative
  • Operational Data: Job postings, shift details, applicant records, ratings

2.3 Automatically Collected Data

  • Usage Data: Pages visited, features used, actions taken
  • Device Data: Browser type, operating system, IP address
  • Cookies: Session identifiers, authentication tokens, and analytics cookies (see Section 7)

3. How We Use Your Data

We use your personal data for the following purposes:

  • Account Management: Creating and maintaining your account, verifying identity and work authorization
  • Platform Operations: Matching workers with available shifts, processing applications, managing rosters
  • Location & Shifts: Shift locations are geocoded via OpenStreetMap to display on the in-app map. Precise device location is never collected; only the hotel's published address is used for mapping.
  • Communication: Sending shift confirmations, application updates, and system notifications
  • Compliance: Fulfilling MOM reporting requirements, enforcing work-hour restrictions for minors, maintaining audit trails
  • Safety & Security: Preventing fraud, monitoring for abuse, enforcing our Terms of Service
  • Platform Improvement: Analyzing usage patterns to improve our service and troubleshoot errors

4. Data Sharing and Disclosure

We share personal data only in the following circumstances:

  • Hotels ↔ Workers: When a worker applies for a shift, the hotel receives the worker's name, tier, rating, and verification status. Full NRIC/FIN is never shared with hotels.
  • Government Authorities: When required by law or regulation, including MOM compliance checks
  • Service Providers: Cloud hosting (Neon PostgreSQL), email delivery, and analytics providers who process data on our behalf under strict contractual protections
  • Legal Obligations: In response to valid legal processes, court orders, or regulatory requests

We do not sell your personal data to third parties.

5. Data Retention

  • Active Accounts: Data is retained for the duration of your account activity
  • Deleted Accounts: Personal data is anonymized or deleted within 90 days of account deletion, except where retention is required by law
  • Shift Records: Employment records are retained for 2 years in compliance with Singapore employment regulations
  • NRIC Data: Deleted within 30 days after the purpose of collection has been fulfilled, unless legally required to retain

6. Data Security — Zero-Breach Posture

Shyft SG operates under a Zero-Breach Posture. Our security architecture includes multiple independent layers of protection, all active in production:

6.1 Rate Limiting

All public-facing endpoints are protected by in-memory rate limiting. Registration is capped at 10 requests per 15 minutes per IP; OTP verification is limited to 5 attempts per 5 minutes. This blocks credential-stuffing and brute-force attacks before they can impact real users.
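As an added illustration (not Shyft SG's own code), a process-local, per-IP sliding-window limiter in TypeScript configured with the two thresholds quoted above; the endpoint names, the sliding-log design and the `check`/`resetLimiter` helpers are assumptions.

```typescript
// Added example: in-memory, per-IP sliding-window rate limiter using the
// two thresholds quoted in this section. Hypothetical code, not Shyft SG's.

// Thresholds from the policy text: 10 registrations per 15 min,
// 5 OTP verification attempts per 5 min (endpoint names are assumed).
const POLICIES = {
  register: { limit: 10, windowMs: 15 * 60_000 },
  otpVerify: { limit: 5, windowMs: 5 * 60_000 },
};
type Endpoint = keyof typeof POLICIES;

type Decision = { allowed: boolean; remaining: number; retryAfterMs: number };

// Sliding log of hit timestamps keyed by "<endpoint>:<ip>". Being
// process-local, it is not shared across replicas; a multi-instance
// deployment needs a shared store to enforce one global limit.
const hits = new Map<string, number[]>();

// `ip` must be the socket peer address or a header set by a trusted
// proxy, otherwise the key can be chosen by the client.
function check(endpoint: Endpoint, ip: string, now: number = Date.now()): Decision {
  const { limit, windowMs } = POLICIES[endpoint];
  const key = `${endpoint}:${ip}`;
  // Keep only hits that are still inside the window.
  const recent = (hits.get(key) ?? []).filter((t) => now - t < windowMs);
  if (recent.length >= limit) {
    hits.set(key, recent);
    // Capacity frees up when the oldest hit in the window ages out.
    return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now };
  }
  recent.push(now);
  hits.set(key, recent);
  return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
}

// Clears all limiter state (used by tests; also what a restart does).
function resetLimiter(): void {
  hits.clear();
}
```

A blocked decision maps naturally to HTTP 429 with `Retry-After` derived from `retryAfterMs`, while the `remaining` count can feed a rate-limit header for legitimate clients.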

6.2 Input Validation (Zod)

Every form submission and API payload is validated server-side against strict Zod schemas with enforced maximum field lengths and character-set constraints. Malformed, oversized, or malicious inputs are rejected before reaching the database — eliminating injection vectors at the boundary layer.

6.3 Transport & Storage

  • All data in transit is encrypted with TLS 1.3
  • Sensitive data at rest (NRIC/FIN) is encrypted with AES-256
  • Passwords are hashed using bcrypt (12 salt rounds)
  • HSTS headers are enforced — browsers never connect over HTTP

6.4 HTTP Security Headers

  • Content-Security-Policy (CSP) — restricts script and resource origins
  • X-Frame-Options: DENY — prevents clickjacking
  • X-Content-Type-Options: nosniff — prevents MIME-type sniffing
  • Referrer-Policy: strict-origin-when-cross-origin

6.5 Access Controls

  • Role-based access control (Worker / Hotel / Admin) enforced at every route
  • Zero hardcoded secrets — all credentials stored in server-side environment variables
  • Infrastructure hosted on SOC 2 compliant providers

7. Cookies

We use the following types of cookies:

  • Essential Cookies: Required for authentication and session management. Cannot be disabled.
  • Analytics Cookies: Help us understand how the Platform is used. Can be disabled in your browser settings.

We do not use advertising or tracking cookies.

8. Your Rights Under the PDPA

You have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Withdrawal of Consent: Withdraw consent for data processing, subject to legal and contractual restrictions
  • Data Portability: Request your data in a commonly used, machine-readable format

To exercise these rights, contact us at contact@shyftsg.com.

9. International Transfers

Your data is primarily stored on servers in the Asia-Pacific region (AWS ap-southeast-1, Singapore). In the event data is transferred to jurisdictions outside Singapore, we ensure adequate protections are in place as required by the PDPA.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Platform at least 14 days before they take effect. Continued use of the Platform after changes constitutes acceptance of the revised policy.

11. Contact Us

For general questions about this Privacy Policy or our data practices, contact:

Shyft SG

Support

contact@shyftsg.com

For all PDPA data access, correction, or deletion requests, contact our designated Data Protection Officer (DPO):

Data Protection Officer

Shyft SG Pte Ltd — PDPA Compliance

dpo@shyftsg.com