Privacy Policy

Last Updated: March 2, 2026 | Data Controller: Ekfix LLP | NDPR Compliant

1. Introduction

Ekfix LLP ("we," "us," "our," or "Ekfix") operates Ekfix Shift Manager, the volunteer shift management platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and ensuring you have a positive experience on our platform. Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Full name, phone number, email address, and preferred locations when creating your account.
  • Schedule Information: Your availability preferences across days of the week and time periods (morning, afternoon, evening).
  • Authentication Data: 8-digit PIN (hashed and encrypted) for volunteer login and passphrase/TOTP for manager authentication.
  • Profile Data: Optional profile information, preferences, and location settings you choose to provide.
  • Communication Data: Messages, feedback, and support requests you send to our team.

2.2 Information Automatically Collected

  • Log Data: IP address, browser type, operating system, pages visited, and access timestamps.
  • Device Information: Device type, mobile operating system, and unique device identifiers.
  • Usage Analytics: Features used, session duration, interactions, and performance metrics.
  • Cloudflare Analytics: Security and performance metrics via Cloudflare's analytics service.

2.3 Information from Third Parties

  • Cloudflare Services: Security validation through Turnstile CAPTCHA verification.
  • Managers/Administrators: Information provided by organization administrators during user creation and management.

3. How We Use Your Information

  • Service Delivery: To provide, maintain, and improve the shift management functionality.
  • Authentication & Security: To verify your identity, prevent fraud, and protect account security.
  • Shift Management: To match volunteer availability with shifts and coordinate scheduling.
  • Communications: To send system notifications, schedule updates, and important announcements.
  • Analytics & Improvements: To understand usage patterns and optimize Service performance.
  • Compliance: To comply with legal obligations and enforce Terms of Service.
  • Audit & Logging: To maintain comprehensive access logs and audit trails for security and accountability.

4. Data Security

We implement comprehensive security measures to protect your personal information:

  • Encryption: All data in transit uses TLS 1.3+ encryption. Sensitive data at rest is encrypted.
  • Authentication: Phone-number based authentication with 8-digit PIN for volunteers; passphrase + TOTP for managers. TOTP is mandatory for all manager accounts.
  • Password Hashing: All authentication credentials use bcrypt hashing with cost factor 10-12.
  • Rate Limiting: Failed login attempts trigger automatic account lockouts and Turnstile verification.
  • Content Security Policy: Strict CSP headers prevent XSS and injection attacks.
  • Edge Security: Cloudflare DDoS protection and security screening at the edge.
  • Access Controls: Role-based access control (RBAC) segregates volunteer and manager permissions.
  • Audit Logging: All sensitive operations are logged with timestamps for security investigation.

While we implement robust security measures, no system is entirely secure. We cannot guarantee absolute security.

5. Data Sharing & Disclosure

5.1 Information Shared Within the Platform

Managers can view volunteer names, phone numbers, availability, and shift assignments to coordinate schedules effectively.

5.2 Third-Party Service Providers

We may share data with trusted third parties for:

  • Cloudflare: Security verification, DDoS protection, and analytics.
  • Cloud Hosting Providers: Database and application infrastructure (Cloudflare Workers, D1 Database).

5.3 Legal Requirements

We may disclose your information if required by law, court order, government request, or to protect our legal rights and safety.

6. Data Retention

We retain personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy. Specifically:

  • Active Accounts: User data retained while account is active.
  • Deleted Accounts: Data deleted upon request or account deletion, except where required by law.
  • Audit Logs: Security and access logs retained for 90 days for security purposes.
  • Backups: Backup copies may retain data for up to 30 days before being purged.

7. Your Data Rights

Depending on your location, you may have the following rights:

  • Right to Access: Request a copy of your personal data held by us.
  • Right to Correction: Request corrections to inaccurate data.
  • Right to Deletion: Request deletion of your personal data (subject to legal obligations).
  • Right to Portability: Request your data in a portable format.
  • Right to Opt-Out: Opt out of certain uses of your data.

To exercise these rights, contact us at support@ekfix.com. We will respond to verified requests within 30 days.

8. Cookies & Tracking Technologies

We use the following cookies and tracking technologies:

  • Session Authentication Cookie: HttpOnly, Secure, SameSite=Strict cookie named 'shift_session' used to maintain user authentication sessions. This cookie is essential for functionality.
  • No Tracking Cookies: We do not use cookies for tracking, profiling, or advertising purposes.
  • Third-Party Cookies: Cloudflare may set security-related cookies for DDoS protection and threat prevention.

Most browsers allow you to control cookies through settings. Disabling essential authentication cookies will prevent login functionality.

9. Children's Privacy

Our Service is not intended for individuals under 13 years of age. We do not knowingly collect information from children under 13. If we learn we have collected data from a child under 13, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by updating the "Last Updated" date or sending a notification through the Service. Your continued use constitutes acceptance of changes.

11. Contact Us

If you have questions about this Privacy Policy or our privacy practices:

Email: privacy@ekfix.com
Data Protection Officer: dpo@ekfix.com
Organization: Ekfix LLP
Response Time: 30 business days

© 2026 Ekfix LLP. All rights reserved. Ekfix Shift Manager.