Privacy policy

Effective 10 July 2026

ER Shift Scheduler is built so that your department's data stays on your devices. This policy explains what data the apps handle, where it lives, and what leaves your machine when you use the optional mobile sharing feature.

The short version

Desktop app

The desktop app stores everything — doctor names, contact details, contracts, competencies, absences, schedules, time-off requests, audit history — in a local SQLite database encrypted with AES-256 (SQLCipher). The encryption key is generated on your machine and held in the operating system's secure keychain; it is never written to disk in plaintext and never transmitted anywhere.

Backups you create are encrypted the same way. The app works fully offline; its only network activity is the update check against GitHub Releases and, if you configure it, publishing to the relay described below.

Publishing to mobile (optional)

If you connect a relay so doctors can see schedules on their phones, publishing a schedule uploads the following to your department's relay endpoint:

The relay runs on Cloudflare's edge network and keeps a rolling window of the last 12 published months; older months are deleted automatically. Access requires a token, and all traffic is encrypted in transit (HTTPS). Clinical information, patient data, contract details, absences and audit logs are never sent to the relay.

Mobile app

The doctor companion app stores data only on the phone: the doctor's identity within the department, cached schedules, and connection settings. It sends to the relay:

Push notifications are delivered through Expo's push service (Expo, Inc.); the notification itself contains only the fact that a schedule was published and for which month — never shift contents. Resetting the mobile app deletes its local data and removes the phone's push token from the relay.

What we can see

Nothing. There is no central server operated by us, no account system and no telemetry, so we have no access to any department's data. Each department's relay is its own isolated deployment, and the local database can only be decrypted on the machine that created it.

Data retention and deletion

Legal bases and your rights

Departments using the app to schedule staff act as the data controller for their doctors' data; the software processes it entirely under the department's control, on the department's own devices and relay. Doctors with questions about their data should contact their department's scheduler. For questions about the software's data handling, contact the address below.

Changes to this policy

If the apps' data handling changes, this page will be updated and the effective date revised before the change ships.

Contact

Use the contact form on the support page. Messages you send through it are delivered to us as email (via Resend, Inc.) and used only to respond to you — nothing else.