Privacy Policy

Last updated: June 23, 2025

1. Introduction

Sciometa ("we", "our", or "us") operates the Shift Management application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service, in compliance with applicable data protection laws including the EU General Data Protection Regulation (GDPR) and the Japanese Act on the Protection of Personal Information (APPI).

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is:

Sciometa
Email: hello@sciometa.com
Website: https://sciometa.com

3. Information We Collect

3.1 Personal Information

We collect the following personal information when you register and use our Service:

  • Identity Information: First name, last name, display name, employee code
  • Contact Information: Email address, phone number
  • Profile Information: Avatar/profile picture, employment type, hire date
  • Employment Information: Hourly rate, department, position, organization affiliation

3.2 Third-Party Authentication Data

If you sign in using a third-party provider (Google or Apple), we receive the following information from the provider:

  • Your name (as registered with the provider)
  • Your email address
  • A unique account identifier

We do not receive or store your third-party account password. Authentication is handled securely by the respective provider (Google LLC or Apple Inc.).

When using Sign in with Apple, you may choose to hide your real email address. In this case, Apple provides a unique private relay email address that forwards messages to your real email. We will use this relay address to communicate with you. Please note that some features requiring email verification or organization invitations may require your real email address.

3.3 Work and Schedule Data

We collect work-related data including:

  • Shift Information: Scheduled shifts, start/end times, break durations, assigned locations
  • Time Entries: Clock-in/clock-out times, break records, approval status
  • Time Off Requests: PTO requests, vacation dates, sick leave, approval history
  • Unavailability: Dates and times when you are not available for work
  • Tasks and Checklists: Assigned tasks, completion status, form submissions

3.4 Location Data

When you clock in or out, we may collect location data to verify your presence at designated work locations (geofencing). This includes:

  • GPS coordinates (latitude and longitude)
  • Location accuracy in meters
  • Whether you are inside a designated geofence area

Note:Location tracking is only active during clock-in/clock-out events and is not continuous. You may be allowed to clock in outside geofenced areas depending on your organization's settings.

3.5 Device and Technical Information

We automatically collect certain technical information:

  • IP address
  • Device information (device type, operating system)
  • Browser type and version

3.6 Push Notifications

When you use our mobile application, we collect a device push notification token (Firebase Cloud Messaging token) to send you relevant notifications. The types of notifications we may send include:

  • Shift schedule changes and reminders
  • Time clock reminders
  • Time-off request updates (approvals, rejections)
  • Shift swap requests and updates
  • Chat messages from team members
  • Task assignments
  • Weekly schedule summaries

Your push notification token is stored on our servers and linked to your user account. The token is automatically removed when you sign out of the application. You can control which types of notifications you receive through the notification settings within the app. You can also disable push notifications entirely through your device's system settings.

Push notifications are delivered through Firebase Cloud Messaging (FCM), a service provided by Google LLC, and Apple Push Notification service (APNs) for iOS devices. These services may process your device token and notification data according to their respective privacy policies.

3.7 Communication Data

If you use our chat features, we collect:

  • Chat messages and their content
  • File attachments shared in chats
  • Message read status and timestamps

3.8 Audit and Security Logs

For security and compliance purposes, we maintain audit logs that record actions taken within the Service, including who performed them and when.

4. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

  • Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, process shifts, time entries, and fulfill our obligations under the Terms of Service.
  • Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Service, ensuring security, maintaining audit logs, and preventing fraud, where such interests are not overridden by your rights.
  • Consent (Art. 6(1)(a)): Where you have provided explicit consent, such as for location data collection during clock-in/out, push notifications, and optional communications. You may withdraw consent at any time.
  • Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws and regulations, including labor law record-keeping requirements.

5. How We Use Your Information

We use the collected information for the following purposes:

  • Service Operation: To provide and maintain the shift management service
  • Scheduling: To create and manage work schedules
  • Time Tracking: To record and verify work hours
  • Location Verification: To verify presence at work locations when clocking in/out
  • Communication: To enable team communication and send notifications
  • Reporting: To generate timesheets and work reports for your organization
  • Security: To maintain audit trails and detect unauthorized access
  • Improvement: To analyze usage patterns and improve our Service
  • Legal Compliance: To comply with applicable labor laws and regulations

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We may share your information in the following limited circumstances:

  • Within Your Organization: Your employer/organization administrators can access your work data, schedules, time entries, and related information as necessary for workforce management.
  • With Team Members: Basic profile information and shift schedules may be visible to other team members for coordination purposes.
  • Service Providers: We use trusted third-party services (such as Supabase for database hosting and authentication, Google and Apple for sign-in services, and Firebase for push notifications) that may process your data on our behalf. These providers are contractually bound to process data only as instructed and to maintain adequate security measures.
  • Legal Requirements: We may disclose information when required by law, legal process, or government request, or to protect the rights, property, or safety of Sciometa, our users, or the public.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.

7. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure adequate safeguards are in place, such as:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Transfers to countries with an adequacy decision by the European Commission.
  • Other legally recognized transfer mechanisms under applicable data protection law.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

  • Account Data: Retained for the duration of your account and for a reasonable period thereafter to comply with legal obligations.
  • Work Data (shifts, time entries, timesheets): Retained as required by applicable labor laws and for legitimate business record-keeping purposes. This may extend beyond account deletion.
  • Location Data: Retained only for the purpose of verifying clock-in/out events and generating compliance reports.
  • Communication Data: Retained until you or your organization administrator deletes the content, or upon account deletion.
  • Technical and Usage Data: Retained for up to 12 months for analytics and security purposes.

When data is no longer needed, it is securely deleted or anonymized.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit (HTTPS/TLS)
  • Secure database hosting with row-level security
  • Authentication and access controls
  • Regular security audits and monitoring

While we implement reasonable measures to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

10. Your Rights

Under the GDPR and other applicable data protection laws, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of your personal data we hold.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17):Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • Right to Restriction (Art. 18): Request restriction of processing of your data.
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent (e.g., location data, push notifications), withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: File a complaint with a supervisory authority. For EU users, you may contact your local data protection authority.

To exercise these rights, please contact your organization administrator or reach out to us directly at hello@sciometa.com. We will respond to your request within 30 days.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Article 34.

12. Children's Privacy

Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at hello@sciometa.com.

13. Third-Party Links and Services

The Service may contain links to third-party websites or services that are not operated by us (e.g., Google, Apple, Firebase). We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party services you access.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by updating the "Last updated" date at the top of this page and, when practicable, by providing notice through the Service. Your continued use of the Service after the updated Privacy Policy becomes effective constitutes your acknowledgment of the changes.

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about how we handle your personal data, please contact us at:

You also have the right to lodge a complaint with your local data protection supervisory authority.