Privacy policy
Effective 10 July 2026
ER Shift Scheduler is built so that your department's data stays on your devices. This policy explains what data the apps handle, where it lives, and what leaves your machine when you use the optional mobile sharing feature.
The short version
- There are no user accounts and no sign-up.
- We collect no analytics, telemetry or usage data. None.
- All scheduling data is stored in an encrypted database on the scheduler's computer.
- Data leaves your machine only when you explicitly publish a schedule to the mobile relay.
- We never sell data or share it with third parties for their own purposes.
Desktop app
The desktop app stores everything — doctor names, contact details, contracts, competencies, absences, schedules, time-off requests, audit history — in a local SQLite database encrypted with AES-256 (SQLCipher). The encryption key is generated on your machine and held in the operating system's secure keychain; it is never written to disk in plaintext and never transmitted anywhere.
Backups you create are encrypted the same way. The app works fully offline; its only network activity is the update check against GitHub Releases and, if you configure it, publishing to the relay described below.
Publishing to mobile (optional)
If you connect a relay so doctors can see schedules on their phones, publishing a schedule uploads the following to your department's relay endpoint:
- The published schedule: doctor names, shift assignments and dates
- The month's holiday calendar
- A cryptographic signature so phones can verify authenticity
The relay runs on Cloudflare's edge network and keeps a rolling window of the last 12 published months; older months are deleted automatically. Access requires a token, and all traffic is encrypted in transit (HTTPS). Clinical information, patient data, contract details, absences and audit logs are never sent to the relay.
Mobile app
The doctor companion app stores data only on the phone: the doctor's identity within the department, cached schedules, and connection settings. It sends to the relay:
- Time-off requests the doctor submits (date and optional note)
- A push-notification token, so the phone can be notified when a schedule is published
Push notifications are delivered through Expo's push service (Expo, Inc.); the notification itself contains only the fact that a schedule was published and for which month — never shift contents. Resetting the mobile app deletes its local data and removes the phone's push token from the relay.
What we can see
Nothing. There is no central server operated by us, no account system and no telemetry, so we have no access to any department's data. Each department's relay is its own isolated deployment, and the local database can only be decrypted on the machine that created it.
Data retention and deletion
- Desktop: data stays until you delete it. Factory reset (Setup › Backup) erases the local database completely.
- Relay: schedules older than 12 published months are pruned automatically; a department can delete its relay deployment entirely at any time.
- Mobile: resetting the app clears all local data and unregisters the push token.
Legal bases and your rights
Departments using the app to schedule staff act as the data controller for their doctors' data; the software processes it entirely under the department's control, on the department's own devices and relay. Doctors with questions about their data should contact their department's scheduler. For questions about the software's data handling, contact the address below.
Changes to this policy
If the apps' data handling changes, this page will be updated and the effective date revised before the change ships.
Contact
Use the contact form on the support page. Messages you send through it are delivered to us as email (via Resend, Inc.) and used only to respond to you — nothing else.