Legal

Privacy Policy

Effective date: April 12, 2026  ·  Last updated: April 12, 2026

ShiftMedix, Inc.  ·  Raleigh, NC 27601, United States

The Short Version — What You Actually Need to Know
What we collect: Your name, work email, phone number, IP address, and device OS version when you use ShiftMedix.
Why we collect it: To operate your scheduling platform, provide support, improve the product, and keep the platform secure.
Where it lives: Securely on Amazon Web Services (AWS) servers in the United States.
Who sees it: Our team and essential service providers who help run the platform. We do not sell your data — ever.
Your rights: Depending on where you live, you can access, correct, export, or delete your data. See the "Your Rights" section for details.
Questions?: Email us any time at info@shiftmedix.com — we respond within 30 days.

1. Who We Are

ShiftMedix, Inc. ("ShiftMedix," "we," "us," or "our") is a software-as-a-service company headquartered in Raleigh, North Carolina. We build and operate an automated provider scheduling platform designed for healthcare organizations — including physician groups, hospital medicine programs, primary care practices, and surgery and anesthesiology groups.

ShiftMedix is the data controller for the personal data described in this policy. That means we determine why and how your data is processed.

Important note on healthcare data: ShiftMedix manages provider scheduling information — not patient records or clinical data. We are not a covered entity or business associate under HIPAA with respect to provider scheduling data. If your organization requires a separate data processing agreement for any regulated data, please contact us at info@shiftmedix.com.

2. Data We Collect

We collect only what we need to run the platform and support your team. Here is exactly what that is:

Data Type: What We Collect
Identity: First and last name, job title, provider type (MD, DO, NP, PA, etc.)
Contact: Work email address, phone number
Account: Username, encrypted password, role within your organization (admin or provider)
Scheduling: Shift assignments, swap requests, leave requests, qualification profiles, scheduling preferences
Device & Network: IP address, operating system version, browser type, device type
Usage: Pages visited, features used, session duration, in-app actions (for product improvement)
Communications: Emails, support tickets, or demo request submissions sent to us

We do not collect patient names, medical records, diagnoses, or any patient-identifiable information. We do not collect financial information such as credit card numbers (billing is handled by our payment processor directly).

3. How We Use Your Data

We use your data only for the following purposes:

To operate and deliver the platform

Generate schedules, process swap and leave requests, send schedule notifications, and enforce coverage rules. This is the core purpose of ShiftMedix.

Legal basis: Performance of contract

To provide customer support

Respond to your questions, troubleshoot issues, and communicate with your organization's administrators.

Legal basis: Legitimate interest / contract

To keep the platform secure

Monitor for unauthorized access, detect abuse, investigate security incidents, and enforce our Terms of Service.

Legal basis: Legitimate interest

To improve the product

Analyze anonymized or aggregated usage patterns to understand how features are used and where we should invest development effort.

Legal basis: Legitimate interest

To communicate with you about the service

Send product updates, maintenance notices, and important policy changes. We do not send marketing emails without your consent.

Legal basis: Legitimate interest / consent

To comply with legal obligations

Retain records as required by applicable law and respond to lawful requests from government authorities.

Legal basis: Legal obligation

4. How We Share Your Data

The short answer: We do not sell, rent, or trade your personal data to any third party. Ever.

We share data only in the following limited circumstances:

Within your organization

Administrators at your healthcare organization can see the scheduling data (names, shift assignments, swap requests) of providers on their team. Providers can see their own schedule and relevant swap partner information. This sharing is intentional — it is what makes the platform work.

Service providers (sub-processors)

We use a small number of trusted vendors to help operate the platform — cloud infrastructure (AWS), email delivery, analytics, and customer support tools. These vendors are contractually prohibited from using your data for their own purposes and must maintain appropriate security standards. A current list of sub-processors is available on request.

Legal and regulatory requirements

We may disclose your data if required by law, court order, or government authority. We will notify you where legally permitted before doing so.

Business transfers

If ShiftMedix is acquired, merged with another company, or its assets are transferred, your data may transfer as part of that transaction. We will notify you via email and this policy before such a transfer occurs, and your rights remain the same.

5. Data Storage & Security

All ShiftMedix data is stored on Amazon Web Services (AWS) infrastructure located in the United States. AWS maintains SOC 2 Type II, ISO 27001, and HIPAA-eligible certifications for its infrastructure.

Our security practices include:

  • Encryption in transit using TLS 1.2+ for all data moving between your browser/app and our servers
  • Encryption at rest for database storage
  • Access controls limiting data access to employees who need it to do their job
  • Regular security reviews and vulnerability assessments
  • Incident response procedures in case of a data breach

International transfers: If you are located outside the United States (e.g., in the EU or India), your data will be transferred to and processed in the US. We rely on appropriate safeguards — including Standard Contractual Clauses for EU/EEA users and comparable mechanisms for other jurisdictions — to protect that transfer.

6. How Long We Keep Your Data

We keep your data for as long as your organization's account is active and for a reasonable period afterward to support offboarding, audits, and legal compliance.

Account & scheduling data: Duration of the contract + 3 years
Support communications: 3 years from last contact
Device & network logs (IP, OS): 90 days (rolling)
Anonymized usage analytics: Indefinitely (no personal identifier)
Legal and compliance records: As required by applicable law (typically 7 years)

When your data is no longer needed, we delete or anonymize it in a secure manner.

7. Your Rights

Depending on where you are located, you have specific legal rights over your personal data. We honor these rights regardless of your location — just contact us.

European Union / EEA — GDPR
  • Access a copy of your data
  • Correct inaccurate data
  • Request erasure ("right to be forgotten")
  • Restrict processing of your data
  • Data portability (receive your data in a machine-readable format)
  • Object to processing based on legitimate interest
  • Lodge a complaint with your local supervisory authority

California — CCPA / CPRA
  • Know what personal information we collect and why
  • Access the specific pieces of data we hold about you
  • Delete your personal information
  • Correct inaccurate information
  • Opt out of the sale of personal information (we don't sell — this is already guaranteed)
  • Non-discrimination for exercising these rights

India — DPDP Act 2023
  • Access a summary of your personal data
  • Correct or update your data
  • Erase your data (where applicable)
  • Know the identities of parties your data is shared with
  • Grievance redressal within a reasonable timeframe
  • Nominate another person to exercise rights on your behalf

How to exercise your rights

Email us at info@shiftmedix.com with the subject line "Privacy Rights Request." We will respond within 30 days (or sooner, as required by applicable law). We may need to verify your identity before processing the request.

If you are a provider whose data is managed by your employing healthcare organization (the "controller"), your organization may need to process certain requests on your behalf. We will direct you accordingly.

8. Cookies & Tracking Technologies

We use a small number of cookies and similar technologies to operate the platform:

Strictly necessary cookies

Keep you logged in, maintain your session security, and ensure the platform functions correctly. These cannot be disabled.

Analytics cookies

Understand how the platform is used in aggregate (page views, feature usage). Data is anonymized or pseudonymized. You can opt out via your account settings or by emailing us.

We do not use advertising cookies, third-party tracking pixels, or behavioral profiling technologies.

9. Children's Privacy

ShiftMedix is a platform designed for healthcare professionals and is intended exclusively for users who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time as our practices evolve or as required by law. When we make material changes, we will:

  • Post the updated policy on this page with a new "Last updated" date
  • Send an email notification to account administrators at least 30 days before the change takes effect
  • Where required by law (e.g., GDPR), obtain your consent before the change applies to you

Continued use of the platform after the effective date of an updated policy constitutes acceptance of the changes.

11. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or your personal data, please reach out:

ShiftMedix, Inc.
Privacy inquiries: info@shiftmedix.com
General contact: info@shiftmedix.com
Mailing address: Raleigh, NC 27601, United States
Response time: Within 30 days of receiving your request

EU/EEA users may also lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.