This Privacy Policy applies to the ShiftLink mobile application and website (shiftlink.online), operated by ZumoGroup Ltd ("we", "us", "our"). It explains what personal data we collect, why we collect it, how we use it, and your rights under UK data protection law.
By using ShiftLink, you agree to the collection and use of information as described in this policy.
1. Who We Are
ZumoGroup Ltd is the data controller for personal data processed through ShiftLink.
- Company: ZumoGroup Ltd
- Website: shiftlink.online
- Contact: support@zumogroup.co.uk
2. Data We Collect
| Category | Data collected | Who it applies to |
|---|---|---|
| Identity | Full name, profile photo, date of birth (where required) | Staff & Businesses |
| Contact | Email address, phone number | Staff & Businesses |
| Professional | Job role, skills, experience, hourly rate, availability | Staff |
| Business | Business name, address, sector, company number (optional) | Businesses |
| Location | City/region for shift matching (not precise GPS) | Staff & Businesses |
| Payment | Billing details via Stripe (we never store raw card numbers) | Businesses |
| Bank account | UK bank details via Stripe Connect for payout processing | Staff |
| Documents | Identity documents, right to work documents (uploaded by staff) | Staff |
| Usage | Bookings made, shifts applied to, ratings given and received | Staff & Businesses |
| Device | Device type, OS version, push notification token | All users |
| Voice data | Voice input for AI-assisted registration (processed, not stored) | Staff (optional) |
3. How We Use Your Data
- To create and manage your ShiftLink account.
- To match staff with suitable shifts posted by businesses.
- To process payments from businesses and transfer earnings to staff via Stripe.
- To send push notifications about bookings, approvals, payments, and platform updates.
- To verify identity and right to work where required.
- To power AI-assisted features including candidate matching and voice registration (via Anthropic Claude API).
- To manage subscriptions and billing for business accounts.
- To display ratings and reviews between staff and businesses.
- To improve the platform, prevent fraud, and comply with legal obligations.
4. Legal Basis for Processing (UK GDPR)
| Purpose | Legal basis |
|---|---|
| Account creation and management | Contract performance |
| Matching staff to shifts | Contract performance |
| Payment processing and payouts | Contract performance |
| Push notifications | Legitimate interests / Consent |
| AI-assisted features | Consent |
| Fraud prevention and security | Legitimate interests |
| Legal compliance | Legal obligation |
5. Third-Party Services
We share data with the following trusted third parties only as necessary to operate the platform:
- Stripe, Inc. — Payment processing and staff payouts via Stripe Connect. Stripe is PCI-DSS compliant. Stripe Privacy Policy →
- Google Firebase (Google LLC) — Authentication, cloud database (Firestore), file storage, and push notifications (FCM). Firebase Privacy Policy →
- Anthropic, PBC — AI-assisted voice registration and candidate matching features. Voice input is processed transiently and not stored by Anthropic. Anthropic Privacy Policy →
We do not sell your personal data to any third party.
6. Data Retention
- Account data — retained while your account is active. Deleted within 30 days of account deletion request.
- Booking and payment records — retained for 7 years for accounting and legal compliance (UK tax law).
- Documents — retained for the duration of your account and deleted on request, subject to legal obligations.
- Device/usage data — retained for up to 12 months.
7. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
- Right to restriction — request that we limit processing of your data in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at support@zumogroup.co.uk. We will respond within 30 days.
8. Account & Data Deletion
To delete your account and associated personal data, email support@zumogroup.co.uk with the subject line "Account Deletion Request" from your registered email address. We will process your request within 30 days. Note that booking and payment records required by law will be retained for 7 years.
9. Security
We implement industry-standard security measures including:
- Encrypted data transmission (TLS 1.2+)
- Firebase Security Rules restricting data access by authenticated user
- Stripe PCI-DSS Level 1 compliant payment infrastructure
- Firebase Secret Manager for server-side credentials
No method of internet transmission is 100% secure. We encourage you to use a strong password and keep your account credentials safe.
10. Children's Privacy
ShiftLink is not directed to anyone under 18. We do not knowingly collect personal data from minors. If you believe we have done so, contact us immediately at support@zumogroup.co.uk and we will delete the data promptly.
11. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
12. Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be notified via the app or by email. Continued use of ShiftLink after changes constitutes acceptance of the updated policy. The date at the top of this page reflects the most recent update.
Contact Us
- Email: support@zumogroup.co.uk
- Website: shiftlink.online
- Company: ZumoGroup Ltd