Privacy Policy

1. Introduction

Helm Shift ("we," "us," or "our") is a software platform built for independent restaurants. This Privacy Policy explains what information we collect, how we use it, and the choices you have. By using Helm Shift, you agree to the practices described here.

We are based in Nova Scotia, Canada, and we operate in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

2. Information we collect

Information you provide

• Account information: Restaurant name, owner name, email address, phone number, and login credentials when you create an account.
• Operational data: Information you input into the platform, including staff names and roles, schedules, inventory items, par levels, and supplier names.
• Staff-provided data (staff phone view — a mobile-friendly web link, no app install): Availability windows, time-off requests, sick-call events, shift swap/drop requests, voice notes, photos of inventory issues, optional opt-in contact-sharing flags, and device push-notification subscriptions.
• Communications: Messages, feedback, or questions you send us via email, chat, or other channels.

Information collected automatically

• Usage data: Log files, IP address, browser type, pages visited, and time spent in the application.
• Operational metrics: A "pickup score" tracking how often a staff member has voluntarily picked up an open shift. This is visible to the employee on their own profile and used by managers when proposing replacements for sick calls.
• Cookies: Small data files stored on your device to keep you signed in and remember your preferences.

Information we do not collect

We do not collect Social Insurance Numbers (SINs), employee banking information, biometric identifiers, or any data not necessary to deliver the service. We do not process payroll, tax filings, or any financial transactions on your behalf. We do not record a medical reason when a staff member calls in sick — only the fact and time of the call.

3. How we use information

• To provide and operate the Helm Shift platform.
• To generate AI-powered insights and recommendations relevant to your restaurant operations.
• To communicate with you about updates, changes, or support requests.
• To improve the platform based on aggregated usage patterns.
• To comply with legal obligations.

4. AI processing

Helm Shift uses a third-party AI service to power forecasting, the AI assistant, photo/voice interpretation, and replacement-suggestion features. Our current provider is Anthropic (Claude API). When you use these features, the relevant operational data — for example a question, an inventory photo, a voice note, or a forecast input — is sent to the AI provider for processing. The provider's data handling is governed by its own privacy policy and Data Processing Agreement, and it does not retain Helm Shift customer data for training purposes.

Decisions that materially affect a staff member (for example, who gets offered a replacement shift) are always reviewed by a human manager. AI output is a suggestion, never an automated decision.

We do not send sensitive personal information (such as government identifiers or financial data) to any AI service.

5. Data storage and security

Helm Shift is hosted on Cloudflare (Pages and Workers) with the database and authenticated storage operated by Supabase. Application data is encrypted in transit (HTTPS / TLS) and at rest. Voice notes and photo uploads from the staff phone view are stored in a private Supabase Storage bucket accessible only to members of the relevant restaurant.

Both Cloudflare and Supabase maintain SOC 2 Type II certifications. While we use reasonable administrative, technical, and physical safeguards, no system is 100% secure. We cannot guarantee absolute security and you use the service at your own risk.

Breach notification. If we become aware of a personal-information breach that creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada (and, where applicable, the Commission d'accès à l'information du Québec) as required by law, generally within 72 hours of confirming the incident.

6. Data sharing

We do not sell your data. We share information only in these circumstances:

• Service providers: With trusted vendors (hosting, AI processing, email) who help us deliver Helm Shift. These vendors are bound by their own privacy obligations.
• Legal compliance: When required by law, court order, or to protect our rights and the safety of users.
• Business changes: If Helm Shift is acquired, merged, or otherwise transferred, your data may be transferred as part of that transaction. You will be notified.

7. Your rights

Under PIPEDA and applicable laws, you have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate information.
• Request deletion of your account and associated data.
• Withdraw consent for our use of your information at any time.
• Lodge a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, email us at [email protected].

8. Data retention

We retain your information for as long as your account is active or as needed to provide the service. Specific retention rules:

• Inventory photos and voice notes: Deleted 90 days after the related report is marked resolved.
• Sick-call records: Retained for 24 months for scheduling-pattern analysis, then deleted.
• Availability and shift history: Retained for the life of the account.
• Account closure: All personal data is deleted or anonymized within 90 days of cancellation, unless retention is required by law or for legitimate accounting purposes.

9. Children's privacy

Helm Shift is a business tool not intended for use by individuals under 18 years of age. We do not knowingly collect information from minors.

10. International users

Helm Shift is operated from Canada. If you access the service from outside Canada, you understand that your information may be transferred to, stored in, and processed in Canada or other countries where our service providers operate. Service providers based outside Canada are bound by contractual safeguards (Data Processing Agreements and, where applicable, EU Standard Contractual Clauses) requiring protection equivalent to Canadian law.

10a. Quebec residents (Law 25)

If you are located in Quebec, you have additional rights under An Act respecting the protection of personal information in the private sector (Law 25), including the right to data portability and the right to be informed before your personal information is used to render an automated decision. Helm Shift does not currently use any system to render decisions about you in a fully automated way. Our Privacy Officer for Quebec inquiries is the same as listed above and may be reached at [email protected].

10b. Commercial email (CASL)

Helm Shift sends marketing email only to recipients who have given express or implied consent under Canada's Anti-Spam Legislation. Every commercial email from Helm Shift identifies the sender, includes our physical mailing address, and provides a one-click unsubscribe link. Service emails directly related to your account (e.g. billing receipts, security notices) are sent regardless of marketing-email preferences.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date and, for material changes, notify you by email or through the platform.

12. Contact us

For any questions about this Privacy Policy or how Helm Shift handles your information:

Tyler MacDougall, Founder
Email: [email protected]
Helm Shift — Halifax, Nova Scotia, Canada