Privacy policy

Updated: March 5, 2026

Data controller

The data controller is SD Consult, SAS, 9 Traverse de l'Harmonie, 13016 Marseille, France. DPO: Abdelhadey — contact@sanishift.com.

Data collected

SaniShift collects the following data: account data (name, professional email, role), scheduling data (shifts, on-call, availability, preferences), team data (members, competencies), connection data (IP address, logs), and anonymized usage data (pages visited, actions performed via PostHog, hosted in the EU).

Purposes and legal basis

Data is processed for: contract performance (schedule generation, account management, notifications), legitimate interest (service improvement, anonymized usage statistics, customer support), and consent (PostHog analytics cookies, marketing communications).

Subprocessors

SaniShift uses the following GDPR-compliant subprocessors: Railway (hosting, EU), Supabase/PostgreSQL (database, EU), Stripe (payment, PCI-DSS certified), PostHog (analytics, EU), Resend (transactional emails).

Data retention

Account and scheduling data is retained during the contract plus 30 days after termination. Billing data is retained for 10 years per accounting obligations. Analytics data is retained for a maximum of 13 months. Connection logs are retained for 12 months.

Your rights

Under the GDPR, you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21). To exercise your rights: contact@sanishift.com or by mail to SD Consult — DPO, 9 Traverse de l'Harmonie, 13016 Marseille, France. You may also file a complaint with the CNIL (www.cnil.fr).

Mandatory nature of data

Providing account data (name, professional email) is required for contract performance. Without this data, access to the service is not possible. Scheduling data is required for the scheduling service to function. Usage data (PostHog) is optional and subject to your consent.

Automated decision-making

SaniShift uses an automated scheduling algorithm based on fairness criteria and constraints. This tool is a decision-support aid: the scheduling manager retains the ability to modify, approve, or reject the generated proposals. Under GDPR Article 22, you may request human intervention by contacting your administrator or our DPO at contact@sanishift.com.

Cookies

SaniShift uses strictly necessary cookies (authentication, language preference) that do not require consent, and analytics cookies (PostHog) subject to your consent. You can manage your preferences at any time via the cookie banner or your browser settings.

Transfers outside the EU

SaniShift is committed to hosting and processing your data within the European Union. If data is transferred to a third country (e.g., Stripe in the United States), it is governed by EU-approved standard contractual clauses or an adequacy decision.