Contents
01 Overview
ShiftMD, Inc. ("ShiftMD," "we," "us," or "our") operates the ShiftMD platform — an AI-powered staff scheduling service for urgent care clinics. This Privacy Policy explains what information we collect, how we use it, and what rights you have over it.
This policy applies to:
- Clinic administrators and account owners who manage a ShiftMD subscription
- Authorized users (providers, MAs, front desk, billing staff) who access the platform
- Visitors to shiftmd.co and legal.shiftmd.co
02 Information We Collect
Information You Provide
| Category | Examples | Who provides it |
|---|---|---|
| Account information | Name, email address, password, clinic name, billing address | Account owner at signup |
| Staff profiles | Name, role (MD, PA, NP, MA, front desk), employment type, contact info | Admin when adding team members |
| Availability & preferences | Shift preferences, days off requests, max consecutive shifts, on-call eligibility | Staff members via the app |
| Scheduling data | Generated schedules, shift assignments, swap requests, on-call rotations | Generated by AI or entered by admin |
| Clinic configuration | Coverage minimums, location details, custom rules, pay period settings | Admin during setup |
| Payment information | Billing contact name, email; card details processed by Stripe (we do not store card numbers) | Account owner at checkout |
| Communications | Support emails, feedback, feature requests | Any user who contacts us |
Information Collected Automatically
When you use the Service or visit our websites, we automatically collect:
- Usage data — pages visited, features used, schedule generations initiated, session duration
- Device & browser data — browser type, operating system, screen resolution, device type
- Log data — IP address, timestamps, error logs, API request logs
- Cookies & similar technologies — see Section 6
Information We Do Not Collect
ShiftMD is a scheduling tool. We are not designed to collect and do not intentionally collect:
- Protected Health Information (PHI) as defined under HIPAA
- Patient names, diagnoses, or clinical records
- Social Security numbers or government-issued ID numbers
- Biometric data
03 How We Use Information
We use the information we collect to:
- Provide the Service — generate schedules, manage accounts, process payments, send notifications
- Improve the Service — analyze usage patterns, identify bugs, prioritize features
- Communicate with you — send product updates, billing notices, security alerts, and support responses
- Enforce our agreements — detect and prevent fraud, abuse, and violations of our Terms
- Comply with legal obligations — respond to lawful requests from government authorities
- Train and improve AI models — using aggregated, anonymized scheduling data only (see Section 5)
We do not use your information for advertising or sell it to data brokers, advertisers, or third parties for their own marketing purposes.
05 AI & Scheduling Data
ShiftMD's core product is AI-powered scheduling. Here's exactly how your scheduling data interacts with our AI systems:
What Gets Sent to AI Models
When you generate a schedule, the following inputs are sent to our AI scheduling engine:
- Staff roles and availability (no full names — staff are referenced by role and identifier)
- Clinic rules, coverage requirements, and shift configurations
- Historical scheduling patterns (anonymized)
We do not send full names, contact information, or any personally identifiable information to third-party AI model providers as part of schedule generation.
AI Model Training
ShiftMD may use aggregated, anonymized scheduling data to improve its own scheduling algorithms. This means:
- We may use: anonymized patterns (e.g., "clinics with 8 providers and 3 locations tend to need X coverage configuration") to improve scheduling accuracy
- We will not use: individually identifiable staff data, clinic names, or Customer Data that could be re-identified
- We will not use: your data to train third-party AI models without your explicit written consent
AI Output Responsibility
AI-generated schedules are recommendations. You are responsible for reviewing all schedules before publishing them to staff and for ensuring compliance with applicable labor laws, licensing requirements, and clinical coverage standards. ShiftMD is not liable for scheduling errors, coverage gaps, or compliance failures resulting from AI-generated output.
06 Cookies & Tracking
What We Use
| Type | Purpose | Can you opt out? |
|---|---|---|
| Essential cookies | Authentication, session management, security. Required for the app to function. | No — required |
| Analytics cookies | Understanding how visitors use shiftmd.co (page views, session duration, referral source). Uses anonymized Google Analytics data. | Yes — see below |
| Preference cookies | Remembering your UI preferences (e.g., dark mode, last viewed location). | Yes |
| Marketing pixels | Google Ads and Meta conversion tracking on shiftmd.co only (not in the app). | Yes — see below |
How to Opt Out
- Browser settings: Most browsers allow you to refuse or delete cookies via settings
- Google Analytics: Install the Google Analytics Opt-out Browser Add-on
- Meta: Manage ad preferences at facebook.com/adpreferences
- Do Not Track: We honor browser-level Do Not Track signals for analytics cookies
Opting out of analytics or marketing cookies does not affect your ability to use the ShiftMD app.
07 Security
We implement commercially reasonable technical and organizational safeguards to protect your information, including:
- Encryption in transit (TLS 1.2+) for all data moving between your browser and our servers
- Encryption at rest for all data stored in our database
- Role-based access controls limiting which ShiftMD employees can access Customer Data
- Regular security reviews and dependency auditing
- Incident response procedures with customer notification protocols
No system is 100% secure. If you discover a potential security vulnerability, please report it to support@shiftmd.co before public disclosure. We take security reports seriously and will respond within 48 hours.
08 Data Retention
We retain information for as long as necessary to provide the Service and fulfill the purposes described in this policy:
- Active accounts: All data retained for the duration of your subscription
- After cancellation: Customer Data retained for 90 days to allow for export or reactivation
- After 90 days: Customer Data deleted from production systems. Backups purged within 30 additional days.
- Billing records: Retained for 7 years as required by tax and accounting law
- Support communications: Retained for 2 years from last contact
- Anonymized analytics: May be retained indefinitely in aggregated form
You may request early deletion of your account and associated data at any time by contacting support@shiftmd.co. We will complete deletion within 30 days of a verified request, except where retention is required by law.
09 Your Rights
Depending on your location, you may have the following rights over your personal information:
Request a copy of the personal information we hold about you.
Request correction of inaccurate or incomplete information.
Request deletion of your personal information, subject to legal retention requirements.
Request an export of your data in a machine-readable format (CSV or JSON).
Object to processing of your information for certain purposes, including AI training.
Request that we restrict processing of your information in certain circumstances.
How to Exercise Your Rights
Email support@shiftmd.co with the subject line "Privacy Request." We will respond within 30 days. We may need to verify your identity before fulfilling your request.
California Residents (CCPA)
California residents have the right to know what personal information we collect and share, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights. To submit a CCPA request, contact support@shiftmd.co.
EEA / UK Residents (GDPR)
If you are located in the European Economic Area or United Kingdom, you have additional rights under GDPR including the right to lodge a complaint with your local supervisory authority. Our legal basis for processing personal data is: (a) contract performance for providing the Service; (b) legitimate interests for analytics and security; and (c) consent for marketing communications. ShiftMD's data is processed and stored in the United States. By using the Service, EEA/UK users consent to this transfer.
10 Children's Privacy
ShiftMD is a business software platform intended for use by healthcare professionals and clinic staff. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have collected information from a minor, we will delete it promptly. If you believe a minor has provided us with personal information, please contact support@shiftmd.co.
11 Policy Changes
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email to the address on your account and by posting a notice in the app at least 30 days before the changes take effect.
The "Effective date" at the top of this policy reflects when the current version took effect. We encourage you to review this policy periodically. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.
Previous versions of this policy are available upon request.
12 Contact Us
Questions, concerns, or requests related to this Privacy Policy:
- Email: support@shiftmd.co
- Subject line: "Privacy Request" for data rights requests
- Response time: Within 5 business days for general questions; within 30 days for formal data rights requests
- Mailing address: ShiftMD, Inc. — Scottsdale, AZ 85251
This Privacy Policy is governed by the laws of the State of Arizona. Any dispute arising under this policy shall be resolved in accordance with the dispute resolution provisions in our Terms of Service.