Integritetspolicy

Senast uppdaterad: 28 april 2026

Den fullständiga svenska översättningen kommer snart. Den engelska versionen är gällande tills dess.

1. Who we are

Betweenshift is operated by A&S Health HB, a general partnership registered in Sweden. We are the data controller for personal data processed in connection with the Betweenshift mobile application and this website.

Contact: contact@betweenshift.com.

2. What data we collect

  • Account data: name, email address, password (stored as a salted hash), profession, country, region.
  • Profile data: avatar image, bio, mentor status, language preference.
  • Mood check-ins: mood selections, intensity values, and any optional notes you choose to add. Mood data describes mental state and therefore qualifies as sensitive personal data (special-category data) under Article 9 GDPR. We treat it accordingly — see section 3.
  • Posts and forum content: text, optional images, category, and an anonymity flag.
  • Mentor session content: chat messages, voice messages, and session metadata (start/end time, duration, mentor and member identifiers).
  • Payment data: handled by Stripe — we never see your card number. We store the Stripe customer ID, transaction ID, and amount of each payment.
  • Device data: device tokens used for push notifications, and anonymized crash reports collected via Sentry. Development builds are excluded from crash reporting.
  • Usage data: app version, operating-system version, and anonymized error logs to diagnose problems.

3. Why we collect it (legal basis)

  • Performance of a contract (Article 6(1)(b) GDPR): account creation, mentor sessions, payment processing.
  • Explicit consent (Article 6(1)(a) and Article 9(2)(a) GDPR): mood check-ins (sensitive data), push notifications, marketing emails. You can withdraw consent at any time.
  • Legitimate interest (Article 6(1)(f) GDPR): security, fraud prevention, abuse moderation, and product improvement. We balance this against your rights and freedoms.

4. Who we share it with

  • Supabase Inc. — provides our database, authentication, real-time messaging, and file storage. Acts as our processor under a Data Processing Agreement. We are migrating workloads to the EU region; some processing may currently occur in the United States under appropriate transfer safeguards.
  • Stripe Payments Europe Ltd — processes card payments. Stripe is an independent controller for the payment data they process; their privacy notice applies to that processing.
  • Sentry — receives anonymized crash reports to help us fix bugs.
  • We do not sell, rent, or share personal data with advertisers. We do not use advertising networks. Ever.

5. Where data is stored

We host primary data within the EU/EEA where possible. Where a processor's parent company is based outside the EEA (for example, Supabase Inc. in the United States), we rely on appropriate transfer mechanisms — Standard Contractual Clauses (SCCs) and supplementary measures — to ensure your data receives equivalent protection.

6. Your rights under GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data (rectification).
  • Request erasure (the "right to be forgotten").
  • Receive your data in a portable format.
  • Restrict processing in certain circumstances.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time, without affecting prior lawful processing.
  • Lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten / IMY) at imy.se.

7. How to exercise your rights

Email contact@betweenshift.com from the address associated with your account. We respond within 30 days. We may ask you to verify your identity to protect your data from unauthorized access.

8. Retention periods

  • Account data: deleted within 30 days of account closure, with limited exceptions for ongoing legal or tax obligations.
  • Mood check-ins: stored as long as your account is active. Deleted with your account.
  • Posts and forum content: deleted with your account, except where content has been reported and is retained for safety review for up to 90 days.
  • Payment records: retained for seven (7) years to comply with Swedish accounting law (Bokföringslagen).

9. Children

Betweenshift is intended for users aged 16 and older. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Cookies and tracking

This marketing website uses no cookies, no tracking, and no analytics — there is nothing to consent to. The mobile app uses essential storage only (authentication tokens stored in the operating system's secure storage). We do not use advertising identifiers.

11. Security

We use TLS in transit, encryption at rest, row-level security policies on every database table, and salted password hashing. Access to production systems is limited and audited. No system is perfectly secure — if you discover a vulnerability, please report it to contact@betweenshift.com and we will respond promptly.

12. Changes to this policy

We will post material updates on this page and notify users in-app for significant changes. The "Last updated" date at the top reflects the most recent revision.

13. Contact

Questions about this policy or how we handle your data: contact@betweenshift.com.