Privacy Policy

Last updated: 12 May 2026

This privacy policy explains how Veri-Shift (“we”, “us”) processes personal data when you use the Veri-Shift platform at veri-shift.co.uk. It is written to meet the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who is the data controller?

Veri-Shift is the data controller for personal data submitted by users of the platform (account holders and team members). For data submitted by locums to a pharmacy using Veri-Shift (such as invoices), the pharmacy is the data controller and Veri-Shift acts as a data processor.

What data we collect

Account holders and team members: name, email, hashed password, organisation name and address, role within that organisation, login activity.

Locums (entered by the pharmacy): name, email, phone, date of birth, professional registration body and number, pay arrangements, employment dates, and uploaded documents.

Invoice submissions: submitter name and email, work date, invoice amount, attached invoice file, and any clinical service counts.

Technical data: IP address, browser type, and basic usage telemetry needed to operate the service securely.

Why we process it (lawful basis)

  • Performance of a contract with the pharmacy account holder, to provide the service.
  • Legitimate interests, to keep the service secure, debug faults, and prevent fraud.
  • Legal obligation, where we are required to retain financial records.

Who we share it with

We share personal data only with the sub-processors we use to deliver the service:

  • Vercel — hosting (EU/UK regions)
  • Neon — database hosting (eu-west-2)
  • Resend — transactional email delivery
  • Stripe — payment processing for subscriptions

We do not sell personal data. We do not use it for advertising. We do not share invoice content with anyone other than the recipient pharmacy and, if the pharmacy has enabled accounting forwarding, the accounting email address they have configured.

How long we keep it

We retain account and operational data for as long as your organisation has an active Veri-Shift account, plus a reasonable wind-down period. Financial records (invoices, payment confirmations) are retained for at least 6 years to meet UK tax and accounting obligations.

Where a locum exercises their right to erasure, their personal data is anonymised — shift and invoice records are preserved with the locum's name replaced by “Anonymised”, and all attached documents are deleted.

Your rights

You have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request erasure of your data (subject to legal retention requirements);
  • object to or restrict certain types of processing;
  • receive your data in a machine-readable format (data portability);
  • withdraw consent at any time, where processing relies on consent;
  • complain to the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, contact us at the address below. If you are a locum, you can also contact the pharmacy directly, since they are the controller of your data within the platform.

Cookies

Veri-Shift uses essential cookies only — specifically, a session cookie to keep you logged in. We do not use cookies for advertising, tracking, or analytics that identifies individuals.

Security

Personal data is stored encrypted at rest and in transit. Access is gated by role-based permissions. Uploaded files are stored in private blob storage and served only to authenticated users belonging to the relevant organisation.

International transfers

All primary infrastructure is hosted within the UK or European Economic Area. Where any sub-processor operates outside the UK/EEA, we rely on standard contractual clauses or equivalent safeguards.

Contact

For privacy questions or to exercise any of the rights above, email [email protected].

We aim to respond to data-rights requests within one calendar month, as required by UK GDPR.


This policy is a placeholder template. Before launching to real pharmacies, replace the contact email, confirm the sub-processor list and locations, and have the policy reviewed by a UK data-protection professional or solicitor.