Shift Logo
← Back to Home

Privacy Policy

Last updated: December 13, 2025

1. Introduction

Shift ("the App", "we", "our", or "us") is a habit-tracking application that helps users stay consistent with their habits through reminders and personalized reward offerings. This Privacy Policy explains how we collect, use, disclose, and protect your information.

This policy is designed to comply with:

  • GDPR (EU/UK General Data Protection Regulation)
  • CCPA/CPRA (California Consumer Privacy Act / Privacy Rights Act)
  • Apple App Store data requirements

By using Shift, you agree to the terms of this Privacy Policy.

2. Information We Collect

2.1 Personal Information

We collect the following information when you create an account or use the App:

  • Name
  • Email address
  • Age
  • Location (approximate or time-zone based)

2.2 Technical & Device Information

Collected automatically when using Shift:

  • Device model
  • Operating system
  • IP address
  • Crash logs and diagnostics
  • Usage statistics
  • Advertising identifiers (IDFA on iOS, GAID on Android)
  • App installation and launch events

2.3 Authentication Information

If you sign in using:

  • Apple Sign-In
  • Google Sign-In

We receive information such as your name, email address, and a unique user identifier.

2.4 Marketing & Analytics Data

To measure the effectiveness of our advertising campaigns and improve our marketing, we collect:

  • App installation events
  • App launch events
  • In-app purchases and subscription events
  • Advertising campaign interaction data
  • Device identifiers for attribution (IDFA/GAID)
  • Conversion events (e.g., completing onboarding, subscribing)

This data is collected through third-party analytics SDKs integrated into our App (see Section 6 for details).

3. How We Use Your Information

3.1 Habit Tracking & App Features

  • Creating and managing your habits
  • Sending reminders and notifications
  • Ensuring reminders match your local time zone

3.2 Personalized Reward Recommendations

Shift partners with brands to offer rewards. We use:

  • Age
  • Location
  • Preferences

…to provide relevant reward suggestions.

We do NOT share your personal data with partnered brands. All personalization is performed internally.

3.3 Security & Performance

  • Fraud prevention
  • Error monitoring and crash analysis
  • Service improvement and bug resolution

3.4 Advertising & Marketing Analytics

We use marketing and analytics data to:

  • Measure the effectiveness of our advertising campaigns
  • Understand which marketing channels drive app installations
  • Track conversion events such as app launches, subscriptions, and in-app purchases
  • Optimize our advertising spend and targeting
  • Improve user acquisition and retention

This information is shared with advertising platforms (such as TikTok) to help us understand how users find and engage with Shift. The data is used solely for attribution and analytics purposes.

4. Legal Bases for Processing (GDPR)

Under GDPR, we process personal data based on the following legal bases:

  • Contract performance: Creating and managing your account
  • Legitimate interests: App improvement, security, analytics, and marketing measurement
  • Consent: Location-based features, notifications, and advertising tracking (where required by law)
  • Legal obligations: Compliance with applicable laws

You may withdraw consent at any time where applicable. You can manage your advertising preferences through your device settings (Settings > Privacy > Tracking on iOS, or Settings > Google > Ads on Android).

5. How We Store Your Data

Your data is securely stored on:

  • Our own backend server (Express on AWS Lambda)
  • Our own database

We use industry-standard security measures, including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Secure data transfer protocols
  • Regular security audits
  • Strict authentication limits

We do not share specific internal infrastructure details publicly for security reasons.

6. Third-Party Services We Use

RevenueCat

  • Used to manage subscriptions and purchases
  • May collect purchase metadata
  • Does not use your data for advertising

Apple Sign-In & Google Sign-In

  • Used for secure authentication
  • Provide basic account information with your permission
  • Do not use your data for advertising

Push Notification Services

  • Apple Push Notification Service (APNs) for iOS devices
  • Used solely to deliver habit reminders
  • We do not track whether you open notifications
  • You can disable notifications in your device settings at any time

TikTok SDK

We integrate the TikTok SDK to measure the effectiveness of our advertising campaigns on TikTok. This SDK collects:

  • Device identifiers (IDFA/GAID)
  • IP address
  • Device model and operating system
  • App installation events
  • App launch events
  • In-app purchase and subscription events
  • User interaction with ads

Purpose: This data helps us understand which TikTok advertising campaigns lead to app installations, launches, and subscriptions, allowing us to optimize our marketing efforts.

Data Sharing: The TikTok SDK automatically shares this information with TikTok for attribution and analytics purposes. TikTok may use this data in accordance with its own privacy policy.

Your Control: You can limit ad tracking through your device settings:

  • iOS: Settings > Privacy & Security > Tracking > Toggle off "Allow Apps to Request to Track"
  • Android: Settings > Google > Ads > Opt out of Ads Personalization

For more information about TikTok's data practices, please review TikTok's Privacy Policy at https://www.tiktok.com/legal/privacy-policy

7. Data Sharing

We do not sell your data. We do not share personal data with partnered brands.

We share your data with:

  • Service providers essential to operating the App (as listed in Section 6)
  • Advertising platforms (TikTok) for attribution and conversion tracking purposes only
  • Legal authorities if required by law or to protect our rights

Data shared with advertising platforms is limited to technical identifiers and event data necessary for measuring campaign performance. We do not share personally identifiable information such as your name or email address with advertising platforms.

8. Data Retention

We retain personal data only for as long as necessary to:

  • Maintain your account and provide services
  • Comply with legal obligations
  • Resolve disputes

When you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law. Note that advertising platforms may retain event data according to their own retention policies.

9. Your Rights (GDPR)

If you are in the EU or UK, you have the right to:

  • Access your personal data
  • Request corrections
  • Request deletion
  • Object to processing
  • Restrict processing
  • Request data portability
  • Withdraw consent (including for advertising tracking)
  • Lodge a complaint with a supervisory authority

To exercise your rights: max@shifthabits.app

We will respond to requests within 30 days.

10. Your Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect
  • Request deletion of your data
  • Opt-out of the "sale" or "sharing" of data for targeted advertising purposes
  • Correct inaccurate information
  • Access your information
  • Non-discrimination for exercising your rights

Note on "Sharing" for Advertising: Under CCPA/CPRA, sharing data with advertising platforms for attribution purposes may be considered "sharing" for cross-context behavioral advertising. While we do not sell your data, the TikTok SDK does share device identifiers and event data with TikTok for advertising measurement. You can opt out of this sharing by:

  • Limiting ad tracking in your device settings (as described in Section 6)
  • Contacting us at max@shifthabits.app to request opt-out from advertising attribution

To exercise other CCPA rights: max@shifthabits.app

We will respond to requests within 45 days.

11. Children's Privacy

Shift is not intended for children under 13. We do not knowingly collect data from children under 13. If we become aware of such data, we will delete it promptly.

If you believe we have collected information from a child under 13, please contact us immediately at max@shifthabits.app.

12. International Data Transfers

Shift operates globally and your data may be transferred to and processed in countries other than your own, including the United States where our servers are located.

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequate security measures
  • Compliance with applicable data protection laws

By using Shift, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules.

13. Push Notifications

Shift uses push notifications to send you habit reminders. Please note:

  • Notifications are sent based on your configured reminder times
  • We send reminders for your active habits only
  • We do not track whether you open or interact with notifications
  • You can disable notifications at any time in your device settings (Settings > Notifications > Shift)
  • Disabling notifications will not affect your ability to use other features of the App

14. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

In the Event of a Data Breach:

If we discover a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of discovery
  • Inform relevant supervisory authorities as required by law
  • Take immediate steps to contain and remedy the breach
  • Provide guidance on steps you can take to protect yourself

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make changes:

  • We will update the "Last updated" date at the top of this policy
  • For material changes, we will notify you by email or through an in-app notification
  • Continued use of the App after changes take effect constitutes acceptance of the updated policy
  • You can review the current version at any time within the App or at [your website URL if applicable]

We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: max@shifthabits.app

Response Time: We aim to respond to all inquiries within 5 business days.

For GDPR requests: We will respond within 30 days.

For CCPA requests: We will respond within 45 days.

This Privacy Policy is effective as of the date listed above and applies to all users of the Shift app.