Privacy Policy

1. Who we are

SuperShift is operated by Sidestream OÜ, a company registered in the Republic of Estonia.

• Registry code: 17374822
• Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551
• Contact: support@supershift.app

In this policy, "we", "us", and "our" refer to Sidestream OÜ. "You" refers to anyone who uses the SuperShift platform ("Service").

2. What data we collect

We collect the following categories of personal data:

3. Legal basis for processing (GDPR)

We process your data based on the following legal grounds under the EU General Data Protection Regulation:

• Contract performance — processing necessary to provide the Service you signed up for (Art. 6(1)(b) GDPR).
• Legitimate interest — analytics, fraud prevention, and improving the Service (Art. 6(1)(f) GDPR).
• Legal obligation — complying with applicable laws, such as tax and accounting requirements (Art. 6(1)(c) GDPR).
• Consent — where required, for example for marketing emails (Art. 6(1)(a) GDPR). You may withdraw consent at any time.

4. How we use your data

• To provide, maintain, and improve the Service.
• To send transactional emails (schedule notifications, invites, password resets).
• To process payments and manage subscriptions.
• To monitor usage patterns and prevent abuse.
• To respond to support requests.
• To comply with legal obligations.

5. Data sharing & third-party processors

We share personal data only with the following categories of service providers:

• Stripe — payment processing (USA, EU SCCs in place).
• Resend — transactional email delivery.
• Hosting provider — cloud infrastructure for storing your data.

We do not sell, rent, or trade your personal data. We do not share data with advertisers.

6. International data transfers

Some of our service providers are located outside the European Economic Area (EEA). Where this is the case, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or the service provider's participation in an adequacy framework.

7. Data retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, tax, or accounting purposes (up to 7 years for financial records as required by Estonian law).

8. Your rights

Under the GDPR, you have the right to:

• Access your personal data.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten").
• Restrict processing of your data.
• Port your data to another service.
• Object to processing based on legitimate interest.
• Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email us at support@supershift.app. We will respond within 30 days. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee.

9. Security

We implement industry-standard security measures including encrypted data transmission (TLS), hashed passwords, role-based access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

10. Children

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the revised policy.

12. Contact

If you have questions about this Privacy Policy or your personal data, contact us at: