Privacy Policy

Last updated: Thu 21 May 2026

This Privacy Notice for LOUD srl (“we”, “us”, or “our”) describes how and why we collect, store, use, and/or share (“process”) your personal information when you use our mobile application Shift2Cal: PDF a Calendar (the “App”) on iOS and Android.

If you do not agree with this Privacy Notice, please do not use the App.

If you have any questions or concerns, you can contact us at:
📧 hello@shift2cal.com

1. Who We Are

LOUD srl
Registered office: Via Vittorio Emanuele II, 1 – 25122 Brescia, Italy
VAT / Company ID: IT03902100985
Email: hello@shift2cal.com

LOUD srl is the data controller for the processing of personal data described in this Privacy Notice.

We do not have a designated Data Protection Officer (DPO).

2. What Information We Collect

2.1. Information you provide directly

When you use the App, we may collect the following information you provide:

• Account and authentication data
  • Email address
  • Password (if you register with email and password)
  • Information received from Apple or Google when you sign in with those providers (for example, name, email address, and a unique identifier, depending on your settings with those providers)
• Optional profile information
  • First name and last name
  • Age range
  • Phone number
  • Work sector (e.g. healthcare, retail, security, manufacturing)
  • Job role / position

  These fields are entirely optional: you are never required to provide them in order to use the core functionalities of the App. If you choose to share them, we will process them as described in section 2.5 (including, with your consent, for marketing analytics and advertising campaigns via Meta).

• Support communications
  • If you contact us by email (for support or questions), we will process the information you include in your message (e.g. email address, any additional data you provide).

We do not collect feedback via in-app forms or surveys at the moment.

2.2. Application data: images and calendar information

To provide the core functionality of the App, we process:

• Images, photos, PDFs, or screenshots of your work schedule / shift calendar
  • You can use the camera permission to capture a photo of your schedule or choose an existing image/PDF from your device.
  • These files are transmitted directly to Google Cloud AI services (e.g. Vertex AI / Gemini) to run AI-based extraction of shift information. The original image/PDF is not persistently stored on our backend: it is processed transiently by Google Cloud during the AI inference and then discarded once the extracted text/structured data is returned to the App.
• Extracted shift data and events
  • Our AI extracts dates, times and shift details from the uploaded image or PDF.
  • This extracted information is used to create events in your personal calendar (for example, Google Calendar, iOS Calendar, Outlook, or other calendar apps you choose).
  • Important: once the events are imported into your calendar, the shift data is stored only in your calendar. We do not keep a separate copy of your shift schedule on our own database for long-term storage or internal profiling.
• Access to your calendar
  • The App requests access to your calendar with write-only permissions, where technically possible.
  • We use this access only to create or update events related to your shifts.
  • We do not use your existing calendar data for analytics, profiling, or marketing.

2.3. Information collected automatically

When you use the App, certain technical data are collected automatically for security, diagnostics and analytics, for example:

• Device information (device model, OS version, language, app version)
• IP address or approximate location (country/region)
• App usage data (e.g. screens viewed, basic interactions, crash reports, performance metrics)
• Advertising identifiers – such as Apple’s IDFA (Identifier for Advertisers) on iOS and Google’s Advertising ID (AAID) on Android. On iOS, the IDFA is accessed only if you grant permission through the App Tracking Transparency (ATT) prompt described in section 2.6.

We mainly collect this via Firebase (Analytics and Crashlytics) and similar tools.

We do not collect special categories of personal data (such as health data, political opinions, etc.) intentionally through the App.

2.4. Refund-related information shared with Apple

If you purchase a paid feature or subscription via the Apple App Store and you later request a refund, Apple may notify us and ask for additional information to help evaluate your request. With your explicit prior consent, requested through a dedicated in-app prompt, we may share with Apple a set of pseudonymised information about your account and your use of the App (so-called “consumption data”), which may include, by way of example:

• account tenure;
• consumption status of the purchased product;
• delivery status of the content or service;
• lifetime amount purchased and refunded in the App;
• play time / usage time within the App;
• whether sample content was provided to you;
• the status of your user account (e.g. active, suspended);
• a pseudonymised account identifier (app account token);
• our refund preference recommendation.

This data is shared only with Apple, only in connection with the specific refund request, and only for the purpose of allowing Apple to make a refund decision. We do not use this data for advertising or independent profiling, and we do not share it with any other third party for this purpose.

If you do not provide your consent, no consumption data will be sent to Apple. You can still submit a refund request, but Apple may decide on it based only on the information available to it.

You can withdraw your consent at any time from the App settings. The withdrawal will not affect the lawfulness of any sharing carried out before the withdrawal. See section 4 for the related legal basis.

2.5. Marketing analytics and advertising via Meta (Meta SDK and Conversion API)

With your explicit prior consent, requested through a dedicated in-app prompt, we use the Meta SDK and the Meta Conversion API (provided by Meta Platforms, Inc.) to measure the performance of our marketing activities and to deliver more relevant advertising for the App on Meta services (e.g. Facebook and Instagram).

Depending on the information you have voluntarily shared with us (see sections 2.1 and 2.2), the data we may transmit to Meta for this purpose includes:

• email address;
• first name and last name;
• age range;
• phone number;
• work sector and job role;
• information related to the shift schedules you upload to the App (for example, the fact that a schedule has been uploaded and basic event-level signals), without sharing the original image/PDF file itself;
• app events and technical identifiers collected by the Meta SDK (for example, app open, registration, subscription, advertising identifiers where allowed by the operating system).

Before sending any of the personal identifiers above (email, name, phone number, etc.) to Meta, we apply cryptographic hashing (typically SHA-256) on your device or on our servers. Meta receives only the hashed values and uses them to match users for advertising audiences and campaign measurement, without us disclosing the underlying plain-text data.

The data shared with Meta is used to:

• measure the effectiveness of our advertising campaigns and attribute installs, registrations or subscriptions to specific campaigns;
• build and update custom and lookalike audiences to show our ads to people who may be interested in the App;
• deliver personalised advertising for Shift2Cal on Meta services and on partners of the Meta advertising network.

Sharing data with Meta for these purposes is based on your consent (Art. 6(1)(a) GDPR). Providing this consent is not required to use the App: if you refuse or withdraw consent, no personal data will be sent by us to Meta for marketing/advertising purposes, and you will continue to be able to use all core features.

On iOS devices, in addition to the in-app consent above, the use of certain device identifiers (in particular Apple’s IDFA) by the Meta SDK is also subject to the App Tracking Transparency (ATT) permission described in section 2.6. If you do not grant ATT permission, the Meta SDK will operate in a limited mode and the IDFA will not be available for tracking.

For some processing operations, LOUD srl and Meta Platforms, Inc. may act as joint controllers within the meaning of Art. 26 GDPR (for example, for the use of certain Meta business tools). In such cases, Meta’s role and obligations are described in its own documentation (for instance the Meta Controller Addendum). You can find more information about Meta’s processing in its Privacy Policy.

You can withdraw your consent at any time from the App settings. The withdrawal will not affect the lawfulness of processing carried out before the withdrawal. You can also exercise the rights described in section 8 in relation to this processing.

2.6. App Tracking Transparency (iOS users)

On iOS devices, Shift2Cal complies with Apple’s App Tracking Transparency (ATT) framework. The first time the App needs to access tracking identifiers (in particular the IDFA – Identifier for Advertisers), iOS shows you a standard system prompt asking whether you allow the App to track your activity across other companies’ apps and websites.

You can choose between two options:

• “Allow Tracking” – the App and its marketing partners (in particular the Meta SDK) may access your IDFA and use it together with the data described in section 2.5 to attribute installs and to deliver and measure personalised advertising for Shift2Cal.
• “Ask App Not to Track” – the App will not access your IDFA. The Meta SDK will operate in a limited mode, advertising attribution and audience matching will be significantly reduced, but you will continue to be able to use all features of the App without limitations.

The ATT permission is independent from the in-app consent for marketing described in section 2.5: both are required for full IDFA-based tracking on iOS. Denying either one is sufficient to prevent IDFA-based tracking.

You can change your ATT choice at any time from iOS Settings → Privacy & Security → Tracking (or from iOS Settings → Shift2Cal → Allow Tracking). On Android, similar controls are available under Settings → Privacy → Ads (resetting or limiting the Advertising ID).

Refusing tracking does not affect your ability to use the App or any of its core functionalities.

3. How We Use Your Information

We process your personal data for the following purposes:

1. To provide and operate the App
   • Create and manage your user account
   • Authenticate your login (email/password, Apple, Google)
   • Process uploaded images/PDFs to extract shifts and transform them into calendar events
   • Write events into your chosen calendar (Google, iOS, Outlook, etc.)
   • Provide reminders and in-app notifications related to your shifts (if enabled)
2. To ensure the security and proper functioning of the App
   • Monitor app performance and stability
   • Detect, prevent and fix bugs, crashes and technical issues
   • Protect against abuse or misuse of the App
3. To perform analytics and improve the App
   • Understand how users interact with the App (on an aggregated or pseudonymised basis)
   • Improve usability, features, and overall user experience
4. To respond to your requests
   • Answer your support emails or technical questions
   • Handle requests to exercise your privacy rights
5. To comply with legal obligations
   • Fulfil obligations under applicable laws (e.g. data protection laws)
   • Cooperate with authorities where required by law
6. For marketing analytics and advertising (only with your consent)
   • Measure the performance of our marketing campaigns and attribute installs, registrations or subscriptions
   • Build custom and lookalike audiences and deliver personalised advertising for the App via Meta services (Facebook, Instagram), using hashed personal identifiers as described in section 2.5

We do not sell your personal data. We use your data for marketing analytics and personalised advertising only with your explicit consent (see section 2.5), which you can withdraw at any time from the App settings.

4. Our Legal Bases (EU/UK Users)

If you are located in the European Union or United Kingdom, we process your personal data under the following legal bases (GDPR / UK GDPR):

• Performance of a contract (Art. 6(1)(b) GDPR)
  To create and manage your account, authenticate your login, process images to extract shifts, and write events into your calendar—these actions are necessary to provide the App’s core functionality you requested.
• Legitimate interests (Art. 6(1)(f) GDPR)
  For app security, fraud prevention, diagnostics, crash logs, and aggregated analytics to improve the App, as long as these interests are not overridden by your rights and freedoms.
• Legal obligation (Art. 6(1)(c) GDPR)
  Where we are required to retain or disclose certain information to comply with applicable law.
• Consent (Art. 6(1)(a) GDPR)
  We rely on your explicit consent for:
  • the sharing of consumption data with Apple in connection with App Store refund requests (see section 2.4);
  • the use of the Meta SDK and Meta Conversion API for marketing analytics and personalised advertising, including the transmission of hashed personal identifiers to Meta (see section 2.5).
  You can withdraw your consent at any time from the App settings, without affecting the lawfulness of any processing carried out before the withdrawal.

Where we rely on legitimate interests, we have balanced our interests with your rights and concluded that our processing is proportionate and has minimal impact on your privacy. You have the right to object to processing based on legitimate interests (see section 8).

5. Google API and Social Logins

5.1. Google APIs and Google login

If you choose to log in with your Google account or connect your Google Calendar, we will receive certain information from Google (for example name, email address, basic profile information and tokens necessary to create events in your calendar).

Our use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

We use this information only to:

• Authenticate your identity
• Connect the App to your Google Calendar to create or update shift events
• Maintain your session and account status

We do not use Google Calendar data for marketing, unrelated analytics, or selling data.

5.2. Apple login

If you choose to sign in with Apple, we receive the information Apple shares with us (such as an email address and a unique user identifier) according to your Apple ID settings. We use this only for authentication and account management.

6. Third-Party Services We Use

We rely on the following third-party providers to operate the App and the related website:

• Firebase (Google LLC / Google Ireland Ltd)
  • Firebase Analytics: technical and usage analytics for app improvement (data also accessible through a connected GA4 property).
  • Firebase Crashlytics: crash reports and diagnostics.
  • Firebase Cloud Messaging / Notifications: sending push notifications (for example reminders about shifts, service messages).
• Google Analytics (GA4) – website (Google LLC / Google Ireland Ltd)
  • Used on the website shift2cal.com to measure traffic, page views and basic interactions (aggregated/pseudonymised). On the website, this service relies on cookies and similar technologies and is activated in accordance with our cookie banner and your preferences.
• Google Cloud (AI services) (Google LLC / Google Ireland Ltd)
  • Used to perform AI-based extraction of shift information from the images / PDFs you upload (see section 2.2). Images are processed transiently and not retained by us after extraction.
  • Google Cloud also supports certain backend operations related to authentication (e.g. Google login).
• DigitalOcean, LLC
  • Hosting of our backend servers and database, used to store account information, app metadata and operational data necessary to run the App (excluding the original shift images/PDFs, which are not persistently stored as explained in section 2.2).
• Amazon Web Services (AWS)
  • Used exclusively for DNS resolution of the shift2cal.com domain (Amazon Route 53). No personal data of the users is stored by us on AWS.
• RevenueCat, Inc.
  • Used to manage in-app subscriptions and purchases across the Apple App Store and Google Play, including subscription status, renewals, entitlements and the refund-request flow described in section 2.4.
  • RevenueCat receives pseudonymous user identifiers and transaction/event data; it does not receive your shift images or your calendar content.
• Proton AG (Switzerland)
  • Used as our email service provider for the hello@shift2cal.com address (e.g. support and account-related correspondence). Any email you send us is processed by Proton on our behalf.
• Apple Inc.
  • For users who purchase via the App Store: handling of payments, subscriptions and refunds under Apple’s own terms and policies.
  • If you provide your explicit consent, we may transmit pseudonymised consumption data to Apple to assist with refund decisions related to your purchases (see section 2.4).
• Meta Platforms, Inc. (Facebook, Instagram)
  • Meta SDK integrated in the App and Meta Conversion API (server-to-server), used for marketing analytics and personalised advertising.
  • Activated only with your explicit consent. The data transmitted to Meta includes app events and hashed personal identifiers (email, name, phone, etc.) as described in section 2.5.
  • For some of these processing operations, LOUD srl and Meta may act as joint controllers under Art. 26 GDPR.

Most of these providers act as our data processors where they handle data on our behalf, and are bound by contractual obligations to process personal data only according to our instructions, implement appropriate security measures, and not use data for their own purposes. Some providers (in particular Apple for App Store transactions and Meta for its business tools) act as independent controllers or joint controllers for the parts of the processing carried out under their own terms and policies.

7. How Long We Keep Your Information

We keep your personal data only for as long as is reasonably necessary for the purposes described in this Privacy Notice, or as required by law.

In particular:

• Account and authentication data
  • Stored for as long as your account remains active.
  • If you request account deletion, your account will enter a 30-day 'soft delete' period. During this window, your data is retained but inaccessible, allowing you to reactivate your account by contacting us at hello@shift2cal.com. After this 30-day period, all personal data will be permanently deleted or irreversibly anonymized, unless retention is required for legal obligations.
• Images / PDFs / screenshots of your schedules
  • Original images and PDFs are not persistently stored on our backend (DigitalOcean). They are transmitted to Google Cloud AI for inference and transiently processed there during extraction.
  • Once the extracted text/structured data is returned, the file is no longer kept by us. Any transient handling on Google Cloud is governed by Google’s data processing terms.
• Extracted shift information
  • Used to create events in your own calendar and then retained only in your calendar application (Google Calendar, iOS Calendar, Outlook, etc.) under the control of those providers and your device settings.
  • We do not keep a long-term copy of your shift data on our own database for independent profiling.
• Technical logs, diagnostics and analytics data
  • Stored for a limited time necessary to ensure security and app performance. Where possible, this data is aggregated or pseudonymised.
• Marketing data shared with Meta
  • Hashed identifiers and app events transmitted to Meta are retained by Meta under its own retention policies. On our side, we keep only the minimum information necessary to manage your consent (e.g. the fact that you have consented or withdrawn consent, with timestamp).

If you ask us to delete your data, we will follow up without undue delay and in accordance with applicable law (see section 8).

8. Your Privacy Rights

Depending on your location, you may have some or all of the rights listed below regarding your personal data:

• Right of access – to obtain confirmation as to whether we process your personal data and receive a copy.
• Right to rectification – to correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) – to request deletion of your personal data, where applicable.
• Right to restriction of processing – to limit how we process your data in certain circumstances.
• Right to data portability – to receive your personal data in a structured, commonly used and machine-readable format and transmit it to another controller, where applicable.
• Right to object – to object to processing based on our legitimate interests.
• Right to withdraw consent – where we rely on consent (if ever applicable), you can withdraw it at any time.

If you are in the EU or UK, you also have the right to lodge a complaint with your local supervisory authority (for example, in Italy: Garante per la Protezione dei Dati Personali – www.gpdp.it).

You can exercise your rights at any time by contacting us at:
📧 hello@shift2cal.com

We may ask you to provide certain information to verify your identity before responding to your request.

9. Children’s Privacy

The App is not intended for use by children under the age of 16 (or the minimum age required by the law in your country, if different).

We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete such information as soon as reasonably possible.

If you believe a child has provided us with personal data, please contact us at hello@shift2cal.com.

10. Security of Your Information

We use appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration or destruction. These measures include, for example:

• Encryption in transit (e.g. HTTPS) and, where appropriate, at rest
• Access controls and authentication
• Regular monitoring and logging
• Use of reputable cloud providers (Firebase, Google Cloud, AWS) with strong security standards

However, no method of transmission or storage can be guaranteed to be 100% secure. You use the App at your own risk and should also take steps to protect your data (for example, by using strong passwords and keeping your device secure).

11. International Transfers

Some of our service providers may be located in countries outside the European Economic Area (EEA) or the UK. In particular:

• Google (Firebase, Google Analytics, Google Cloud AI), Meta, Apple, RevenueCat, DigitalOcean, AWS – primarily based in the United States, with global infrastructure.
• Proton AG – based in Switzerland, a country covered by an adequacy decision of the European Commission.

Where personal data is transferred outside the EEA/UK, we ensure that appropriate safeguards are in place, such as:

• An adequacy decision by the European Commission (e.g. EU–US Data Privacy Framework, Switzerland);
• Standard Contractual Clauses approved by the European Commission; or
• Other appropriate safeguards required by data protection laws.

You can contact us at hello@shift2cal.com if you want more information about these safeguards.

12. US Residents (Brief Notice)

If you are a resident of certain US states with specific privacy laws (for example, California, Colorado, Virginia), you may have additional rights, such as:

• The right to know which categories of personal information we collect and for what purposes
• The right to access and delete your personal information
• The right to correct inaccurate personal information
• The right to know whether your personal information is sold or shared

We do not sell your personal information for money. We may engage in targeted advertising and certain forms of “sharing” of personal information (as those terms are defined under some US state privacy laws) when we use the Meta SDK and Meta Conversion API for marketing purposes, but only after you have provided your explicit consent through the App (see section 2.5). You can withdraw your consent or opt out at any time from the App settings.

You can exercise your rights or ask questions by emailing hello@shift2cal.com. We will respond according to applicable US state laws.

13. Changes to This Privacy Notice

We may update this Privacy Notice from time to time, for example to reflect changes in the App, our processing activities, or applicable laws.

When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you within the App (for example via a notice or prompt).

We encourage you to review this Privacy Notice periodically to stay informed about how we protect your data.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Notice or our handling of your personal data, you can contact us at:

📧 hello@shift2cal.com
📮 LOUD srl – Via Vittorio Emanuele II, 1 – 25122 Brescia, Italy