Skip to content

Legal

Privacy Notice

This notice describes how the operator of Syftia ("Syftia", "we", "us") handles personal information when you use the Syftia workforce-management platform. It reflects how the platform currently works and will be updated as the service evolves.

Last updated:

Draft — pending independent legal review

This document reflects how the platform currently works. It has not yet been reviewed by a qualified solicitor and does not constitute legal advice. It will be updated before general availability.

1. Who operates Syftia

Syftia is currently operated by the individual or organisation running the platform (referred to here as "the operator of Syftia"). A registered legal entity will be published on this page once formed. If you need to confirm the current operator for legal correspondence, please use the contact form.

2. Information we collect

We only collect information that the platform actually processes today:

Account and identity

  • Email address, name, chosen role (worker or employer), and authentication credentials.
  • Identity information returned by OAuth providers (Google, Apple) when you choose to sign in with them: your provider user id, email, name and — if you consent at the provider — profile picture.

Worker profile

  • Profile details you add: display name, contact details, availability preferences, employment-type preference (PAYE, self-employed, umbrella, limited company), and — where you provide them — UTR and VAT registration status.
  • Documents and qualifications you upload (for example licences and certificates). Whether a document is verified is set by an authorised reviewer, not by you.
  • Aggregate performance signals derived from your platform activity, such as completed shifts, attendance and rating.

Employer and company

  • Company profile details, sites, integrations you enable, and settings you configure.
  • Company memberships and invitations that determine which workers can see or apply to your shifts.

Shifts, applications and rota

  • Shifts you publish or apply to, application status, acceptances and rejections.
  • Check-in and check-out timestamps, break minutes, expenses and mileage you record for a shift.
  • Timesheets generated from your check-in/out, and invoices generated from approved timesheets.

Communications

  • Messages you send inside Syftia (direct messages between authorised parties and shift conversations for accepted workers), and the metadata needed to deliver and organise them.
  • Notifications we send you in-app.

AI Assistant

  • Prompts you send to the in-app AI Assistant and the operational context we look up to answer them.

Product feedback and support

  • Roadmap votes, feature feedback, and messages you send through the contact form.

Technical and security

  • Standard request logs (IP address, user agent, timestamps) generated by our hosting providers, and authentication events.

We do not currently collect device location, background location, or payment card details. If we ever add such collection, we will update this notice first.

3. How we use information

  • Provide the platform: authenticate you, show your shifts, deliver messages, generate timesheets and invoices from your recorded activity.
  • Manage workforce access: enforce company memberships, invitations and shift visibility rules so people only see what they are authorised to see.
  • Support you when you contact us and investigate reported issues.
  • Keep the service secure: detect abuse, protect accounts, and preserve audit trails required for a workforce platform.
  • Improve the product using aggregate usage and feedback.

4. Lawful bases (UK GDPR)

Where UK GDPR applies, we generally rely on the following lawful bases: contract (to provide the platform you signed up for), legitimate interests (to secure the service, prevent abuse and improve the product in a proportionate way), consent (for optional features such as marketing communications if we introduce them), and legal obligation (for records we are required to keep). This list will be refined with independent legal review before general availability.

5. Controller and processor roles

For your own account and general use of the platform, Syftia acts as the data controller. For information about workers that an employer manages inside the platform (for example applications, timesheets, invoices and messages tied to a company workspace), the employer is the controller of that information for their own workforce purposes, and Syftia processes it on their behalf as part of the service. Employers are responsible for their own obligations to their workers.

6. Who we share information with

  • Employers with whom you have an active application, membership or accepted shift — limited to what they need to operate that workflow.
  • Accepted workers on a shift, for the shift conversation and rota context.
  • Service providers who host and operate the platform on our behalf and are contractually bound to protect your information.
  • Authorities where we are legally required to disclose information, or to protect the safety of users and the platform.

We do not sell personal information. A confirmed list of subprocessors will be published on this page as part of the pre-launch legal review.

7. International transfers

Some service providers process data outside the UK. Where they do, we rely on appropriate safeguards recognised under UK GDPR (such as the UK International Data Transfer Addendum). The confirmed list of providers and regions will be published alongside our subprocessor list.

8. How long we keep information

We keep account, workforce, shift, timesheet and invoice records for as long as your account is active and for a reasonable period afterwards to meet audit, dispute-resolution and legal-record requirements. Contact-form submissions are retained for support and abuse-prevention purposes. Specific retention periods will be published once confirmed. You can request deletion of your account at any time (see "Your rights").

9. How we protect information

Access to your data is protected by industry-standard authentication, encrypted transport (HTTPS), row-level access controls in our database, role-based authorisation for internal features, and separation between company workspaces so one company cannot read another's data. No system is perfectly secure, and we do not currently make certification claims (for example ISO 27001, SOC 2 or Cyber Essentials). If we obtain such certifications, we will state so here with the issuing body and date.

10. Your rights

Under UK GDPR you have the right to access, correct, delete, restrict or object to certain processing of your personal information, and the right to data portability. To exercise any right, use the contact form and select "Privacy or data request". We may need to verify your identity before acting on a request. Employers whose workforce data we process on their behalf will normally handle those requests directly with their workers.

11. Cookies and similar technologies

Syftia currently uses only strictly necessary storage on your device: an authentication session (stored in your browser's local storage by our authentication provider) and small pieces of state needed to make the app work. We do not currently run advertising trackers or analytics scripts that would require a consent banner. If we introduce optional analytics or marketing technologies, we will add a granular cookie-consent control at that point.

12. Children

Syftia is intended for adults using the platform in a work context. It is not directed to children. If we become aware that a child has created an account, we will delete it.

13. AI Assistant

When you use the in-app AI Assistant, your prompts and the operational context we retrieve to answer them are processed by our AI provider. We do not use your Syftia data to train third-party foundation models. The AI Assistant can make mistakes — please verify important decisions before acting on them.

14. Changes to this notice

We will update this notice as the platform evolves. The "Last updated" date at the top reflects the most recent change. For material changes we will surface a notice inside the app before the changes take effect.

15. Complaints and contact

If you have a concern, please contact us first via the contact form. If you are in the UK and remain unsatisfied, you have the right to complain to the Information Commissioner's Office (ico.org.uk). Once Syftia is registered with the ICO, our registration number will be published here.

Questions about this document?

You can contact us with any questions or requests.