Privacy Policy

Last updated: May 27, 2026

1.  Introduction

ShiftTrained, Inc. ("we," "our," or "us") provides an AI-powered menu training platform for restaurants.  This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services at shifttrained.com.

2.  Data We Collect

  • Account information: name, email address, phone number, organization details (name, address, logo, brand colors)
  • Menu data: uploaded PDF files and AI-parsed content (item names, descriptions, prices, categories, ingredients)
  • Quiz data: questions, configurations, quiz results, scores, completion times
  • Employee data: names, email addresses, phone numbers, quiz performance history
  • Payment information: processed by Stripe.  We do not store credit card numbers, CVVs, or full card details on our servers.
  • Usage data: quiz completion times, feature usage, login activity, page visits
  • Communications: support tickets, contact form submissions, in-app messages
  • Consent records: date, time, IP address, and browser information when you agree to our Terms of Service and Privacy Policy
  • Two-factor authentication data: if enabled, encrypted TOTP secrets or recovery codes associated with your account (coming soon)

3.  Team Member Data

When an account holder invites team members (managers, admins, viewers) to their organization, we collect those individuals' names, email addresses, and account credentials.  The account holder represents that they have the authority and consent to provide this information.  Invited team members can manage their own account data from their dashboard settings.

4.  Employee Data Collection

Employee information (name, email, phone number) may be collected directly from the employee when they take their first quiz, or entered by the restaurant manager.  In both cases, the restaurant is the data controller and ShiftTrained is the data processor.  The restaurant is responsible for ensuring they have appropriate authorization to collect and process employee data through the platform.

5.  How We Use Your Data

  • To provide the ShiftTrained service: quiz generation, score tracking, leaderboards, analytics
  • To process payments via Stripe
  • To send transactional emails: quiz invitations, study guides, billing alerts, account notifications
  • To send marketing emails: onboarding drip, product updates, broadcasts.  You can opt out from Settings → Notification Preferences or by clicking unsubscribe in any marketing email.
  • To respond to customer support requests, investigate technical issues, and reproduce reported bugs
  • To test new features and experimental functionality before they are released to all customers
  • To improve, train, and develop our AI systems, including our menu parsing pipeline, question generation algorithms, fact-check models, and future AI features.  When your data is used for AI training or feature development, it is used in aggregated and de-identified form with all restaurant-identifying information (your restaurant name, employee names, brand-specific identifiers) removed before processing.  Individual identifiable restaurant data is never used to train models in a form that could be attributed back to you.

What this means in plain English: our team may look at your menus, questions, quizzes, and how your team uses the platform, both to help you when you ask for support and to make ShiftTrained better for everyone.  When we use that data to train our AI, your restaurant's name and identity are stripped first.  We do not sell your data, and we do not share your data with third parties for their own marketing purposes.

We never sell your data to third parties.  We never share identifiable Customer Data with third parties for their own marketing or commercial purposes without your explicit consent.

6.  Consent Tracking

We record the date, time, IP address, and browser information when you agree to our Terms of Service and Privacy Policy during account creation or team member onboarding.  This record is maintained as proof of consent and cannot be modified.

7.  Data Visibility Within Organizations

Within an organization, authorized team members (owners, admins, managers) can view employee names, quiz scores, completion history, and training analytics.  Viewer-role team members have read-only access.  This data sharing is necessary to provide the training management functionality of the Service.

8.  Two-Factor Authentication

ShiftTrained supports two-factor authentication (2FA) as an additional security measure for your account.  When enabled, encrypted authentication secrets are stored securely.  Recovery codes are generated at setup and should be stored safely by the user.  ShiftTrained cannot recover accounts where 2FA recovery codes have been lost.

9.  Data Retention

  • Active accounts: data retained as long as your account is active
  • Study guides: automatically deleted after 30 days
  • Deleted accounts: all data permanently deleted within 24 hours of confirmation
  • Data exports: available for download for 30 days, then automatically deleted
  • Consent records: retained as proof-of-consent audit trail; not deletable on request except via account deletion
  • Stripe: retains payment records per their own privacy policy

10.  Your Rights

  • Export: download all your data at any time from Settings → Your Data
  • Deletion: delete your account and all associated data from Settings → Your Data.  Deletion is permanent and cannot be undone.
  • Correction: update your information at any time from your dashboard
  • Opt-out: disable marketing emails from Settings → Notification Preferences

11.  Data Portability

You have the right to export your data in a portable format (CSV) at any time from Settings → Your Data.  Exported data includes employees, quizzes, quiz attempts, questions, menus, badges, study guides, support tickets, notifications, and referrals.

12.  California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information.  ShiftTrained does not sell personal information.  To exercise your CCPA rights, contact hello@shifttrained.com.

13.  International Data Transfer & Jurisdictional Compliance

ShiftTrained is operated from the United States.  If you access the Service from outside the United States, you consent to the transfer and processing of your data in the United States in accordance with this Privacy Policy.

Australian customers (APP): ShiftTrained handles personal information collected from Australian customers in accordance with the Australian Privacy Principles (APP) under the Privacy Act 1988 (Cth).  You may request access, correction, or deletion of your personal information by emailing hello@shifttrained.com.  If you have a complaint about how we have handled your personal information, you may contact us first; if unresolved, you have the right to refer the complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

UK and EU customers (UK GDPR / EU GDPR): ShiftTrained complies with the UK Data Protection Act 2018 and UK GDPR for UK customers, and with the EU General Data Protection Regulation (GDPR) for EU customers.  You have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing.  The lawful bases on which we process your data are: (a) performance of our contract with you (providing the Service), (b) your consent (marketing communications, where applicable), and (c) our legitimate interests in operating, securing, and improving the Service.  For cross-border data transfers from the UK or EU to the United States, we rely on Standard Contractual Clauses (SCCs) where required.  Data subject requests: hello@shifttrained.com.  You also have the right to lodge a complaint with your national supervisory authority (ICO in the UK; the relevant DPA in EU member states).

Canadian customers (PIPEDA): ShiftTrained handles personal information collected from Canadian customers in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).  You may request access or correction by contacting hello@shifttrained.com.

Customers from any other jurisdiction with applicable privacy laws may exercise equivalent rights by contacting hello@shifttrained.com.  We respond to all verified data-rights requests within 30 days.

14.  Data Security

  • All data encrypted in transit (TLS) and at rest (Supabase encryption)
  • Authentication via Supabase Auth with industry-standard security
  • Payment processing via Stripe (PCI DSS compliant)
  • Row-level security policies on all database tables
  • Access controls: your data is only accessible to you and ShiftTrained administrators for support purposes

15.  Third-Party Services

16.  Enterprise

Enterprise customers may request a Data Processing Agreement (DPA) by contacting hello@shifttrained.com.

17.  SMS Communications

Program Details

Program name: ShiftTrained

Program operator: ShiftTrained, Inc.

Contact: hello@shifttrained.com

What Messages Are Sent

Training-related text messages on behalf of the employee's employer.  Specifically: quiz invitations, reminders, and study guides.

How Employees Opt In

  1. A restaurant manager with a ShiftTrained account invites the employee to take a training quiz.
  2. The employee opens the quiz link and lands on the registration screen at /q/{slug}.
  3. The employee sees an optional SMS consent checkbox on that screen, unchecked by default and labeled “Optional · SMS Updates.”
  4. The Continue button is enabled at all times.  The employee may proceed to the quiz with or without ticking the SMS consent checkbox; SMS consent is not a condition of taking the quiz.
  5. If the employee ticks the checkbox and taps Continue, this constitutes affirmative consent to receive SMS messages.  The timestamp, the verbatim consent text shown at that moment, and the employee's IP address are recorded against the employee's record.
  6. If the employee taps Continue without ticking the checkbox, they proceed to the quiz but no SMS messages are sent to them.  The employee's manager continues to reach them via email only.

Consent Text Shown at Registration

“By checking this box and providing my phone number, I agree to receive SMS messages from ShiftTrained for restaurant menu training purposes.  Messages may include quiz invitations, reminders, and study guides.  Up to 5 messages per month.  Message and data rates may apply.  Reply STOP to opt out at any time.  Reply HELP for help.  ShiftTrained will not share or sell my mobile information, phone number, or SMS consent records with any third parties, affiliates, or lead generators for any purpose.”

Message Frequency

Up to 5 messages per month per employee, varying with training activity.

Message and Data Rates

Message and data rates may apply.  Contact your carrier for details.  ShiftTrained does not charge employees for text messages.

Opt-Out

Reply STOP to any message to opt out at any time.  After opting out, no further messages will be sent to that number.

Help

Reply HELP to any message for support information, or contact hello@shifttrained.com.

Data Sharing

No mobile information, including phone numbers and SMS consent records, will be shared or sold with any third parties, affiliates, or lead generators for any purpose.  Text messaging originator opt-in data and consent will not be shared with any third parties.  Mobile information is used solely to deliver the training-related messages described in this section.

A live visual demonstration of the opt-in screen is also available at https://www.shifttrained.com/sms as a supplementary reference.  All information above is self-contained on this page.

Visual Evidence of SMS Consent Flow

The screenshots below show the actual SMS opt-in screen employees encounter in production (mobile) and the full content of our public SMS Program & Consent Demonstration page at /sms (desktop).

Registration screen (mobile) — top of the form. SMS consent is labeled 'Optional · SMS Updates' and is unchecked by default.
Registration screen (mobile) — full consent text shown. The Continue button is always enabled; SMS consent is optional and never required to take the quiz.
Registration screen (mobile) — optional SMS consent checkbox ticked. The employee has opted in to receive future training-related SMS messages (quiz reminders, study guides).
SMS Program & Consent Demonstration page (desktop) — page header and Program Overview.
SMS Program & Consent Demonstration page (desktop) — Program Overview details and the three-step opt-in description, including the explicit statement that the SMS consent checkbox is optional and the Continue button is always enabled.
SMS Program & Consent Demonstration page (desktop) — live visual reproduction of the employee-facing opt-in screen, showing the 'Optional · SMS Updates' kicker above the consent checkbox and the always-enabled Continue button.
SMS Program & Consent Demonstration page (desktop) — opt-out instructions (STOP/HELP), data sharing policy, full policy links, and contact information.

18.  Cookies

We use essential cookies to maintain your authentication session and remember your preferences (e.g. active location, dismissed announcements).  We do not use advertising or tracking cookies.

19.  Children's Privacy

Our services are not directed to individuals under the age of 16.  We do not knowingly collect personal information from children.

20.  Marketing & Publicity Use of Customer Identity

By using the Service, you grant ShiftTrained, Inc. permission to use your restaurant's name, logo, brand assets, and general use case to identify you as a ShiftTrained customer in our marketing materials, website, social media, advertising, sales decks, customer testimonials, success stories, email broadcasts, and the public community hub at /community.

This permission is granted by default upon account creation and does not require a separate signed marketing release.  We use this clause to operate normal SaaS marketing activities, including customer logo walls, "trusted by" sections, press mentions, and publicity around new customer wins.

Your name and logo are used to identify you as a customer. Identifiable Customer Data inside your account (your menus, employee names, quiz scores, training analytics) is never shared in marketing materials, never sold, and never disclosed publicly without your explicit consent.

Opt-out: You may revoke this permission at any time by emailing hello@shifttrained.com with the subject line "Marketing Opt-Out." Upon receipt, we will remove your name and logo from new marketing materials within 30 days.  Existing printed materials, archived social media posts, and previously distributed assets may continue to display your information until they are naturally retired.  See Section 14 of our Terms of Service for the full marketing & publicity rights clause.

21.  Changes to This Policy

We may update this Privacy Policy from time to time.  We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

22.  Contact Us

If you have questions about this Privacy Policy or your personal data, contact us at:

hello@shifttrained.com

ShiftTrained by ShiftTrained, Inc.
980 N Michigan Ave, Ste 1090
Chicago, IL 60611, USA