Privacy Policy (POPIA Compliant)

1. Introduction

ShiftMate (Pty) Ltd ("ShiftMate", "we", "us", or "our") is committed to protecting your privacy and complies with the Protection of Personal Information Act 4 of 2013 (POPIA). This policy explains how we collect, use, store, and protect your personal information when you use our workforce management platform.

ShiftMate connects temporary workers ("Shifters") with employers for trial-to-hire placements, and works with referral partners ("Introducers") to expand our network. This policy applies to all users of our platform.

2. Information We Collect

2.1 Personal Information

• Identity documents (South African ID, passport)
• Contact information (phone number, email address, physical address)
• Employment history, skills, qualifications, and work preferences
• Bank account details for payment processing
• Profile photographs

2.2 Special Personal Information (POPIA Section 26)

With your explicit consent, we collect the following special personal information:

• Biometric data: Facial images for identity verification using facial recognition technology
• Criminal record checks: Where required for specific job placements

You may refuse to provide biometric data, but this may limit your ability to complete identity verification.

2.3 Location Data

With your consent, we collect GPS location data during active shifts for attendance verification and geofence validation. Location tracking is only active during shift hours and you will be notified when tracking begins and ends.

2.4 Device and Technical Data

• Device identifiers and browser information
• IP addresses and approximate location
• Usage patterns and interaction data
• Cookies and similar tracking technologies (see Section 11)

2.5 Employer Data

• Company registration details and tax numbers
• Business contact information
• Workplace addresses and job requirements
• Payment and billing information

3. Legal Basis for Processing (POPIA Conditions)

We process your personal information based on the following lawful grounds under POPIA:

• Consent: For biometric data, location tracking, and marketing communications
• Contract: To provide our services and facilitate employment matching
• Legal obligation: Tax reporting, employment law compliance, and regulatory requirements
• Legitimate interest: Platform security, fraud prevention, and service improvement

4. How We Use Your Information

• Create and manage your ShiftMate account
• Match Shifters with suitable job opportunities using AI-powered matching (see Section 5)
• Verify identity through document and facial recognition checks
• Process payments, including wages and platform fees
• Communicate shift details, updates, and important notifications via SMS, WhatsApp, and email
• Track shift attendance and validate work location
• Generate performance scores and reliability metrics
• Comply with South African employment and tax regulations
• Improve our platform through analytics and user feedback
• Prevent fraud and ensure platform security

5. AI and Automated Decision-Making

ShiftMate uses artificial intelligence (AI) to enhance our services. We believe in transparency about how these technologies affect you:

5.1 AI-Powered Job Matching

Our matching engine uses AI to analyse your skills, experience, location, and preferences to suggest suitable job opportunities. The AI considers factors including your work history, reliability score, skills assessments, and employer requirements.

5.2 Profile Analysis

AI assists in generating capability profiles and skill inferences from your submitted information. These profiles help employers understand your qualifications.

5.3 Your Rights Regarding Automated Decisions

• You have the right to know when AI is used in decisions that affect you
• You may request human review of any automated decision
• You can challenge decisions you believe are unfair or inaccurate
• Final employment decisions are made by employers, not our AI systems

To request human review, contact privacy@shiftmate.co.za.

6. How We Store and Protect Your Data

6.1 Storage Location

Your data is stored securely in South Africa to ensure POPIA compliance:

• Database: Neon PostgreSQL (hosted infrastructure)
• Files and documents: Amazon Web Services (AWS) S3 in Cape Town, South Africa (af-south-1 region)

6.2 Security Measures

• AES-256-GCM encryption for sensitive data at rest
• TLS encryption for all data in transit
• Role-based access controls limiting staff access to personal information
• Regular security audits and vulnerability assessments
• Time-limited signed URLs for document access

6.3 Data Retention

7. Who We Share Your Data With

We share your personal information only when necessary for our services or as required by law:

7.1 Employers

When you apply for or are matched to a shift, employers receive your name, profile photo, skills, work history summary, reliability score, and contact details. Employers do not receive your ID documents, bank details, or biometric data.

7.2 Introducers (Referral Partners)

If you were referred by an Introducer, they may have access to your basic profile information and placement status to track referral outcomes. Introducers are contractually bound to protect your information.

7.3 Referral Information

If an Introducer or existing user provides us with your contact information to invite you to ShiftMate, we will send you a single invitation message. We store this contact information only for the purpose of sending the invitation and tracking whether you registered. If you do not wish to receive such invitations, you may contact us at privacy@shiftmate.co.zato request removal from our invitation database.

7.4 Service Providers

We use the following third-party service providers:

• Amazon Web Services (AWS): Cloud storage and facial recognition (Rekognition) - Cape Town & global
• Anthropic: AI services for job matching and content generation - USA
• Paystack: Payment processing - South Africa
• Twilio: SMS and WhatsApp messaging - USA
• Resend: Email delivery - USA
• Google: Maps and geocoding services - USA
• Neon: Database hosting - USA

All service providers are contractually required to protect your data and only process it as instructed by us.

7.5 Legal and Regulatory

We may disclose information to SARS, the Department of Labour, the Information Regulator, or law enforcement when required by South African law.

8. International Data Transfers

Some of our service providers operate outside South Africa. When transferring your data internationally, we ensure protection through:

• Contractual clauses requiring POPIA-equivalent protection
• Selecting providers in countries with adequate data protection laws
• Your explicit consent where required

Core personal data (documents, files) is stored in South Africa (AWS Cape Town). Some processing for AI services occurs in the USA under strict contractual protections.

9. Your Rights Under POPIA

You have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Object: Object to processing based on legitimate interests
• Withdraw consent: Withdraw consent for processing based on consent (e.g., marketing)
• Data portability: Request your data in a machine-readable format
• Restrict processing: Request temporary restriction of processing
• Automated decisions: Request human review of automated decisions

To exercise any right, email privacy@shiftmate.co.za. We will respond within 30 days. We may request identity verification before processing your request.

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights, we will:

• Notify the Information Regulator as soon as reasonably possible
• Notify affected individuals within 72 hours of becoming aware of the breach
• Provide details of the breach, potential consequences, and steps we are taking
• Advise on measures you can take to protect yourself

11. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience:

• Essential cookies: Required for platform functionality (login, security)
• Analytics cookies: Help us understand how users interact with our platform
• Preference cookies: Remember your settings and preferences

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

11.1 Google Analytics

We use Google Analytics to measure how visitors interact with our platform. This service records which pages you view, how you arrived at our site, and basic information about your device. The information helps us understand what features are most useful and how to improve our services. Google Analytics data is processed in accordance with Google's privacy policy. By using ShiftMate, you consent to the processing of this data by Google.

11.2 Marketing and Remarketing

We may use tracking pixels from advertising platforms (such as Meta/Facebook and Google Ads) to measure the effectiveness of our marketing campaigns and to show you relevant advertisements on other platforms. You can opt out of personalised advertising through your browser settings or the advertising platform's privacy controls.

12. Children's Privacy

ShiftMate is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected data from someone under 18, we will delete it promptly.

13. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or platform notification. The "Effective" date at the top indicates when this version became active.

14. Contact Us