Shift Logo
← Back to Home

Privacy Policy

Last updated: January 15, 2026

1. Introduction

Shift ("the App", "we", "our", or "us") is a habit-tracking application that helps users stay consistent with their habits through reminders and personalized reward offerings. This Privacy Policy explains how we collect, use, disclose, and protect your information.

This policy is designed to comply with:

  • GDPR (EU/UK General Data Protection Regulation)
  • CCPA/CPRA (California Consumer Privacy Act / Privacy Rights Act)
  • Apple App Store data requirements

By using Shift, you agree to the terms of this Privacy Policy.

2. Information We Collect

2.1 Personal Information

We collect the following information when you create an account or use the App:

  • Name
  • Email address
  • Age
  • Location (approximate or time-zone based)

2.2 Technical & Device Information

Collected automatically when using Shift:

  • Device model
  • Operating system
  • IP address
  • Crash logs and diagnostics
  • Usage statistics
  • Advertising identifiers (IDFA on iOS, GAID on Android)
  • App installation and launch events

2.3 Authentication Information

If you sign in using:

  • Apple Sign-In
  • Google Sign-In

We receive information such as your name, email address, and a unique user identifier.

2.4 Marketing & Analytics Data

To measure the effectiveness of our advertising campaigns and improve our marketing, we collect:

  • App installation events
  • App launch events
  • In-app purchases and subscription events
  • Advertising campaign interaction data
  • Device identifiers for attribution (IDFA/GAID)
  • Conversion events (e.g., completing onboarding, subscribing)

This data is collected through third-party analytics SDKs integrated into our App (see Section 6 for details).

3. How We Use Your Information

3.1 Habit Tracking & App Features

  • Creating and managing your habits
  • Sending reminders and notifications
  • Ensuring reminders match your local time zone

3.2 Personalized Reward Recommendations

Shift partners with brands to offer rewards. We use:

  • Age
  • Location
  • Preferences

…to provide relevant reward suggestions.

We do NOT share your personal data with partnered brands. All personalization is performed internally.

3.3 Security & Performance

  • Fraud prevention
  • Error monitoring and crash analysis
  • Service improvement and bug resolution

3.4 Advertising & Marketing Analytics

We use marketing and analytics data to:

  • Measure the effectiveness of our advertising campaigns
  • Understand which marketing channels drive app installations
  • Track conversion events such as app launches, subscriptions, and in-app purchases
  • Optimize our advertising spend and targeting
  • Improve user acquisition and retention

This information is shared with advertising platforms (such as TikTok) to help us understand how users find and engage with Shift. The data is used solely for attribution and analytics purposes.

4. Legal Bases for Processing (GDPR)

Under GDPR, we process personal data based on the following legal bases:

  • Contract performance: Creating and managing your account
  • Legitimate interests: App improvement, security, analytics, and marketing measurement
  • Consent: Location-based features, notifications, and advertising tracking (where required by law)
  • Legal obligations: Compliance with applicable laws

You may withdraw consent at any time where applicable. You can manage your advertising preferences through your device settings (Settings > Privacy > Tracking on iOS, or Settings > Google > Ads on Android).

5. How We Store Your Data

Your data is securely stored on:

  • Our own backend server (Express on AWS Lambda)
  • Our own database

We use industry-standard security measures, including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Secure data transfer protocols
  • Regular security audits
  • Strict authentication limits

We do not share specific internal infrastructure details publicly for security reasons.

6. Third-Party Services We Use

RevenueCat

  • Used to manage subscriptions and purchases
  • May collect purchase metadata
  • Does not use your data for advertising

Apple Sign-In & Google Sign-In

  • Used for secure authentication
  • Provide basic account information with your permission
  • Do not use your data for advertising

Push Notification Services

  • Apple Push Notification Service (APNs) for iOS devices
  • Used solely to deliver habit reminders
  • We do not track whether you open notifications
  • You can disable notifications in your device settings at any time

TikTok SDK

We integrate the TikTok SDK to measure the effectiveness of our advertising campaigns on TikTok. This SDK collects:

  • Device identifiers (IDFA/GAID)
  • IP address
  • Device model and operating system
  • App installation events
  • App launch events
  • In-app purchase and subscription events
  • User interaction with ads

Purpose: This data helps us understand which TikTok advertising campaigns lead to app installations, launches, and subscriptions, allowing us to optimize our marketing efforts.

Data Sharing: The TikTok SDK automatically shares this information with TikTok for attribution and analytics purposes. TikTok may use this data in accordance with its own privacy policy.

Your Control: You can limit ad tracking through your device settings:

  • iOS: Settings > Privacy & Security > Tracking > Toggle off "Allow Apps to Request to Track"
  • Android: Settings > Google > Ads > Opt out of Ads Personalization

For more information about TikTok's data practices, please review TikTok's Privacy Policy at https://www.tiktok.com/legal/privacy-policy

6.1 AI-Powered Features (OpenAI Integration)

Shift uses third-party artificial intelligence to provide personalized habit recommendations. This section explains exactly how we use AI, what data is shared, and your control over these features.

AI Service Provider

Shift uses OpenAI's artificial intelligence technology to provide personalized experiences, including generating habit suggestions, finding trends and patterns in your wellness journey, summarizing your information for tailored recommendations, and helping you make meaningful lifestyle improvements. OpenAI is a third-party AI service provider based in the United States.

When AI is Used

AI features are used to enhance your experience in several ways:

  • Personalized habit suggestions: During onboarding and when adding new habits from the Add Habit screen
  • Trend analysis: Finding patterns in your wellness data to provide insights
  • Information summarization: Analyzing your preferences and progress to deliver tailored recommendations
  • Lifestyle improvements: Providing personalized guidance based on your goals and behavior

Data is only sent to OpenAI when you actively request AI-generated suggestions. We do not continuously send data to AI services.

Data Shared with OpenAI

When you enable AI features and request habit suggestions, we share the following preference data with OpenAI:

  • Demographics: Your age (calculated from date of birth, not the exact date) and gender
  • Wellness Information: Your interests, focus areas (e.g., fitness, mindfulness, productivity), wellness goals, and any specific challenges you've shared (e.g., sleep issues, focus challenges)
  • Activity Preferences: Workout frequency, preferred workout timing (morning/evening/weekends), preferred movement types (cardio, strength, yoga, etc.)
  • Schedule Information: Your work schedule, work hours, whether you can do habits during work, best time of day for habits, wake time, and sleep time
  • Learning & Productivity Preferences: Your preferred learning type and administrative task preferences
  • Starting Intensity: Your preferred intensity level for new habits (beginner/moderate/advanced)
  • Exclusions: Any activities or categories you want to avoid
  • Existing Habits: The names of habits you're currently tracking (to avoid suggesting duplicates)

Data NOT Shared with OpenAI

We do NOT share the following information with OpenAI:

  • Your name
  • Your email address
  • Your exact date of birth
  • Your location data (GPS coordinates, specific address, country, or region)
  • Your user ID or any unique identifiers
  • Your habit completion data or progress
  • Your points, rewards, or gamification data
  • Your subscription or payment information
  • Any personally identifiable information beyond age and gender

How OpenAI Uses Your Data

  • Purpose: OpenAI uses your preference data solely to generate personalized habit recommendations that are then returned to Shift
  • Data Transmission: Data is transmitted securely via HTTPS to OpenAI's API servers
  • Processing: OpenAI's AI model processes your preferences to create habit suggestions that match your goals, schedule, and lifestyle
  • NOT used for training: Your data is NOT used to train OpenAI's AI models
  • NOT stored: OpenAI does NOT store your data after generating recommendations
  • NOT shared: OpenAI does NOT share your data with other third parties

OpenAI's use of your data is governed by their Privacy Policy, available at: https://openai.com/policies/privacy-policy

Why We Share This Data

We share this preference information to provide meaningful, personalized experiences across all AI features. Without this context, AI-generated insights and suggestions would be generic and potentially unsuitable for your lifestyle. For example:

  • Your schedule information ensures habit suggestions fit your available time slots
  • Your activity preferences ensure recommendations match your fitness level and interests
  • Your goals enable AI to identify relevant trends and patterns in your progress
  • Your existing habits prevent duplicate suggestions and help AI understand your wellness journey
  • Your preferences allow AI to summarize information in ways that are most relevant to your lifestyle improvements

Your Consent & Control

AI features are opt-in and require your explicit consent:

  • Consent required: You must explicitly grant permission before any data is shared with OpenAI
  • Clear disclosure: Before granting consent, you'll see exactly what data is shared and how it's used
  • Decline without penalty: You can decline AI features and still use Shift's full habit library manually
  • Change your mind: You can enable or disable AI features anytime in Settings → AI Features
  • Revoke consent: Disabling AI features immediately stops all data sharing with OpenAI
  • No impact on other features: Disabling AI does not affect habit tracking, reminders, or any other app functionality

Data Retention (AI Features)

  • Shift: We store your AI consent status (granted/denied) and the date you made your choice
  • OpenAI: Does not retain your data after generating recommendations
  • Deletion: You can request deletion of your AI consent data by deleting your Shift account

Legal Basis for AI Data Processing (GDPR)

We process your data with OpenAI based on your explicit consent. You have the right to withdraw this consent at any time by disabling AI features in Settings.

7. Data Sharing

We do not sell your data. We do not share personal data with partnered brands.

We share your data with:

  • Service providers essential to operating the App (as listed in Section 6)
  • OpenAI for AI-powered habit suggestions (only when you've enabled AI features - see Section 6.1)
  • Advertising platforms (TikTok) for attribution and conversion tracking purposes only
  • Legal authorities if required by law or to protect our rights

Data shared with advertising platforms is limited to technical identifiers and event data necessary for measuring campaign performance. Data shared with AI services (OpenAI) is limited to wellness preferences needed for personalization and requires your explicit consent. We do not share personally identifiable information such as your name, email address, or exact location with advertising or AI platforms.

8. Data Retention

We retain personal data only for as long as necessary to:

  • Maintain your account and provide services
  • Comply with legal obligations
  • Resolve disputes

When you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law. Note that advertising platforms may retain event data according to their own retention policies.

9. Your Rights (GDPR)

If you are in the EU or UK, you have the right to:

  • Access your personal data
  • Request corrections
  • Request deletion
  • Object to processing
  • Restrict processing
  • Request data portability
  • Withdraw consent (including for advertising tracking)
  • Lodge a complaint with a supervisory authority

To exercise your rights: max@shifthabits.app

We will respond to requests within 30 days.

10. Your Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect
  • Request deletion of your data
  • Opt-out of the "sale" or "sharing" of data for targeted advertising purposes
  • Correct inaccurate information
  • Access your information
  • Non-discrimination for exercising your rights

Note on "Sharing" for Advertising: Under CCPA/CPRA, sharing data with advertising platforms for attribution purposes may be considered "sharing" for cross-context behavioral advertising. While we do not sell your data, the TikTok SDK does share device identifiers and event data with TikTok for advertising measurement. You can opt out of this sharing by:

  • Limiting ad tracking in your device settings (as described in Section 6)
  • Contacting us at max@shifthabits.app to request opt-out from advertising attribution

To exercise other CCPA rights: max@shifthabits.app

We will respond to requests within 45 days.

11. Children's Privacy

Shift is not intended for children under 13. We do not knowingly collect data from children under 13. If we become aware of such data, we will delete it promptly.

If you believe we have collected information from a child under 13, please contact us immediately at max@shifthabits.app.

12. International Data Transfers

Shift operates globally and your data may be transferred to and processed in countries other than your own, including the United States where our servers are located.

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequate security measures
  • Compliance with applicable data protection laws

By using Shift, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules.

13. Push Notifications

Shift uses push notifications to send you habit reminders. Please note:

  • Notifications are sent based on your configured reminder times
  • We send reminders for your active habits only
  • We do not track whether you open or interact with notifications
  • You can disable notifications at any time in your device settings (Settings > Notifications > Shift)
  • Disabling notifications will not affect your ability to use other features of the App

14. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

In the Event of a Data Breach:

If we discover a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of discovery
  • Inform relevant supervisory authorities as required by law
  • Take immediate steps to contain and remedy the breach
  • Provide guidance on steps you can take to protect yourself

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make changes:

  • We will update the "Last updated" date at the top of this policy
  • For material changes, we will notify you by email or through an in-app notification
  • Continued use of the App after changes take effect constitutes acceptance of the updated policy
  • You can review the current version at any time within the App or at [your website URL if applicable]

We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: max@shifthabits.app

Response Time: We aim to respond to all inquiries within 5 business days.

For GDPR requests: We will respond within 30 days.

For CCPA requests: We will respond within 45 days.

This Privacy Policy is effective as of the date listed above and applies to all users of the Shift app.