Privacy Policy

Last updated: May 23, 2026

1. Data controller and territorial scope

Giacomo Cacciatore
E-mail: info@turnix.ch
For formal postal requests, please contact us by e-mail to request the controller's postal address; responses to privacy requests are provided within 30 days of submission.

Minimum age of use: 18 years old (the service is intended for adult healthcare professionals) or, alternatively, the minimum digital consent age established by the user's country of residence (art. 8 GDPR: between 13 and 16 years depending on the member state) with the explicit authorization of the holder of parental responsibility. The UK Age Appropriate Design Code 2020 ("Children's Code") issued by the ICO additionally applies in the United Kingdom. Turnix does not knowingly collect or process data of minors without the authorizations required by law; any processing detected in violation will be deleted immediately.

Turnix is available in the following 32 jurisdictions:

• European Union (27 member states): Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
• European Economic Area (EEA, 3 non-EU states): Norway, Iceland, Liechtenstein.
• Switzerland (CH).
• United Kingdom (UK), post-Brexit.

This policy complies with:

• Regulation (EU) 2016/679 (GDPR) — applicable to EU 27 + EEA.
• UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 — applicable to the United Kingdom post-Brexit.
• Swiss Federal Act on Data Protection (nFADP/revFADP, also known as nLPD/revDSG) in force since September 1, 2023, and the related Ordinance (DPO) — applicable to Switzerland.

Switzerland benefits from an EU adequacy decision (January 15, 2024, EU Commission Decision 2024/254). The United Kingdom benefits from an EU adequacy decision (June 28, 2021, Decision 2021/1772), currently in force and subject to periodic review.

2. Data collected

• E-mail address (registration and authentication via e-mail and password or via Google Sign-In OAuth)
• Account password (stored in encrypted form on Supabase Auth, never in plaintext; NOT applicable if the user signs in exclusively via Google Sign-In)
• Identifying name chosen in the app
• Work shift data: date, cropped image of the PDF cell (visual sticker) and visual pHash fingerprint (perceptual hash of the cell) to recognize identical or modified shifts. The app does NOT automatically interpret the meaning of the cell (shift code, color, times): it only shows the real image from the PDF.
• Any extracted times (when available in the PDF legend) are used only for local scheduling of alarms/reminders.
• Clusters of similar cells (pHash grouping) and user classification "working/off" indicated manually in Statistics.
• Google OAuth tokens: (a) if the user signs in via Google Sign-In (optional alternative to sign-in with e-mail and password), or (b) if a Premium user connects Google Calendar sync. Tokens are stored exclusively on the device (Hive box) and are never sent to Turnix servers.
• Push tokens (Firebase Cloud Messaging) to receive team shift distribution notifications.
• Temporary PDF files during processing (not retained on the consumer server; archived in team_archive only for team distribution uploads in Enterprise mode).
• Anonymous diagnostic data: crash stack-traces, app version, device model, operating system (sent to Sentry to fix bugs — no personal data).

Categories of health data (art. 9 GDPR / art. 5 nFADP): at present, Turnix does NOT collect biometric data, genetic data, data revealing religious, philosophical, political or trade-union opinions, ethnic or racial origin, social data or criminal-conviction data. Work shift data constitute ordinary personal data.

Future optional feature — Menstrual cycle tracking: Turnix plans to introduce, in a future release, an optional feature for the manual tracking of the menstrual cycle (which falls under "data concerning health" within the meaning of art. 9 para. 1 GDPR). This feature is NOT currently enabled and will be activatable exclusively via a separate, dedicated explicit opt-in with a dedicated consent UI (legal basis: art. 9 para. 2 lett. a GDPR — explicit consent; for the UK: art. 9 para. 2 lett. a UK GDPR; for Switzerland: art. 6 para. 7 lett. a nFADP). The user will be able to disable the feature at any time, with full deletion of the related data and without having to delete the account. This policy will be updated with a dedicated "Menstrual cycle tracking" section as soon as the feature is activated.

No automated profiling: Turnix does NOT carry out profiling or automated decision-making on your data within the meaning of art. 22 GDPR / UK GDPR / art. 21 nFADP. The visual cluster grouping based on pHash is a deterministic image comparison (perceptual hash fingerprint of the PDF cell) and does NOT constitute profiling or an automated evaluation of personal aspects of the user. The "working/off" cluster classification is always indicated manually by the user in the Statistics section.

3. Purposes and legal basis

Legal basis under GDPR (EU + EEA) and UK GDPR:

• Service provision (art. 6 para. 1 lett. b GDPR / UK GDPR — contract performance)
• Persistence of visual pHash clusters to recognize identical and modified shifts across different months (legitimate interest, art. 6 para. 1 lett. f GDPR / UK GDPR)
• Subscription management via RevenueCat (contract performance)
• Optional authentication via Google Sign-In (explicit consent, art. 6 para. 1 lett. a GDPR / UK GDPR) — alternative to sign-in with e-mail and password. The user can freely choose which authentication method to use. Google OAuth tokens are stored exclusively on the device and are never sent to Turnix servers.
• Optional sync to Google Calendar (explicit consent, art. 6 para. 1 lett. a GDPR / UK GDPR) — activated only if the Premium user connects their Google account. Consent can be withdrawn at any time.
• Crash diagnostics and app stability via Sentry (legitimate interest, anonymous data)
• Push notification delivery for team shift distribution via Firebase Cloud Messaging (contract performance, Enterprise team mode only)
• Google AdMob advertising for freemium users (explicit consent via the UMP SDK for users in the EU/EEA/UK/CH, art. 6 para. 1 lett. a GDPR / UK GDPR + ePrivacy Directive 2002/58/EC as transposed by each member state)

Legal basis under the Swiss nFADP/revDSG: processing necessary for contract performance, for the legitimate interest of the controller, and based on the user's explicit consent for ancillary purposes (art. 31 nFADP).

4. Data retention

Data is retained as long as the account is active. The user can delete all their data at any time via Settings → Reset all data. After deletion, data is removed from backups within 30 days.

Retention by category:

• Account e-mail address: retained as long as the account is active. Deletion within 30 days of the user's request (Settings → Reset all data) + complete removal from backups within the next 90 days (data minimization principle + right to erasure art. 17 GDPR / UK GDPR / art. 32 nFADP).
• Cell crop images (visual stickers): automatically deleted after 365 days (data minimization principle, nFADP).
• Google Calendar OAuth tokens: deleted immediately when the user disconnects the account via Settings → Google Calendar Sync → Disconnect. The user can also revoke access directly from myaccount.google.com → Security → Apps with access to your account.
• Firebase Cloud Messaging tokens: deleted on logout or data reset.
• PDFs distributed by the team leader (Enterprise team mode): rolling FIFO retention, max 6 months.
• Sentry diagnostic data: 90-day retention on Sentry EU Frankfurt servers.

5. Third parties (sub-processors)

Supabase Inc. (data storage, authentication) — Server region: eu-west-1 (Ireland, EU). DPA available at supabase.com/privacy.

RevenueCat Inc. (subscription management) — Privacy policy: revenuecat.com/privacy. RevenueCat only receives an anonymous purchase identifier, not shift data.

Google Mobile Ads / AdMob (Google LLC) — only for freemium users (after the 14-day trial, no Premium subscription). Shows small, non-invasive advertising banners. AdMob may collect the device advertising identifier (Android advertising ID / iOS IDFA), IP address, and ad interaction information. NO shift data or personal data is shared. Privacy policy: policies.google.com/privacy. Ad types (personalized vs non-personalized) are controlled via UMP SDK consent on first app launch + reset in Settings → "Reset advertising consent". Premium users (CHF/EUR 19.90/year) do NOT receive ads and Google Mobile Ads is NOT enabled for them.

Google LLC — Google Calendar API (only for Premium users who activate the optional sync). The app accesses only the "calendar.events" scope (CRUD on events in the user's primary calendar, NO access to the calendar list or to other events). OAuth tokens are stored exclusively on the device (Hive box "google_calendar_sync_v1") and are never sent to Turnix servers. The user can disconnect or revoke access at any time via Settings → Google Calendar Sync → Disconnect, or from myaccount.google.com → Security. Google receives the events (date, time, cluster label) but NO sensitive data (employee name, OCR shift code), in line with the Strada B Pura principle.

Google LLC — Firebase Cloud Messaging (FCM). Enterprise team mode only, to receive push notifications when the team leader distributes a PDF. The FCM token is stored on Supabase (RLS active, accessible only by the Cloud Run backend). Privacy policy: firebase.google.com/support/privacy.

Sentry (Functional Software Inc.) — crash diagnostics and stability. Server in the EU region: Sentry Frankfurt (ingest.de.sentry.io). Receives only stack-traces, app version, device model, and operating system. The sendDefaultPii=false flag is configured — NO personal data (email, IP, user identifiers) is sent. Data retention: 90 days. Privacy policy: sentry.io/privacy.

No shift data is sold or transferred to third parties for advertising purposes.

5.1 Cookies and tracking technologies

Compliance with the ePrivacy Directive 2002/58/EC (as transposed by each EU/EEA member state — e.g. Legislative Decree 196/2003 art. 122 in Italy, TTDSG § 25 in Germany, French Data Protection Act art. 82, LSSI-CE art. 22 in Spain) + UK Privacy and Electronic Communications Regulations (PECR) 2003 + art. 45c nFADP for Switzerland.

Turnix mobile app: does NOT use HTTP cookies (native apps do not have browser cookies). Local storage is used exclusively for:

• Local Hive boxes (user preferences, language locale, pHash cluster cache, Google OAuth tokens if Premium is enabled): these are NOT cookies and are NOT accessible to third parties.
• Android SharedPreferences / iOS NSUserDefaults: UMP SDK advertising consent state, onboarding completion flag. These are essential technologies for the operation of the service (no ePrivacy consent required).

AdMob advertising (freemium users): the Google UMP SDK manages explicit consent within the meaning of art. 6 para. 1 lett. a GDPR / UK GDPR + ePrivacy Directive 2002/58/EC for users in the EU/EEA/UK/CH. Consent can be revoked at any time via Settings → "Reset advertising consent" (this reopens the UMP SDK consent dialog).

turnix.ch website: uses only essential technical cookies (no analytics, no tracking, no profiling, no third-party cookies). No cookie consent banner is required under art. 122 Legislative Decree 196/2003 + EDPB cookie guidelines 03/2022.

5.2 Data Protection Officer (DPO)

Turnix is not required to appoint a Data Protection Officer (DPO) within the meaning of art. 37 para. 1 GDPR / UK GDPR / art. 10 nFADP: the controller is not a public authority, does not carry out large-scale processing of sensitive data (arts. 9-10 GDPR), and does not carry out large-scale systematic monitoring of data subjects. A Data Protection Impact Assessment (DPIA, art. 35 GDPR) is not required for the processing carried out by Turnix on the basis of the EDPB WP248 criteria.

For any personal data protection request, exercise of data subject rights (see §7) or complaint, please contact the data controller directly at info@turnix.ch. We will respond within 30 days of the request (art. 12 para. 3 GDPR).

6. International data transfers

Personal data may be transferred outside the EU/EEA, the United Kingdom and Switzerland in the cases described below. Each transfer is based on appropriate safeguards pursuant to arts. 44-49 GDPR / UK GDPR and arts. 16-18 nFADP.

Data transfer by provider:

• Supabase Inc. (US) — servers in eu-west-1 (Ireland, EU) explicitly selected. Any US transfer (backups) is based on the Standard Contractual Clauses (SCC) under EU Decision 2021/914 + the EU-US Data Privacy Framework (DPF, July 2023) adequacy decision. For UK: International Data Transfer Agreement (IDTA), UK ICO. For CH: SCCs are valid under the CH-EU adequacy decision.
• Google LLC (AdMob, Calendar, FCM) — transfer to the United States under:
  • EU/EEA: EU-US Data Privacy Framework adequacy decision (Google LLC is DPF-certified) + SCCs as fallback.
  • UK: UK Extension to the EU-US DPF + International Data Transfer Agreement (IDTA).
  • CH: Swiss-US DPF (parallel to the EU-US DPF) + SCCs as fallback.
• RevenueCat Inc. (US) — transfer to the United States based on the Standard Contractual Clauses (SCC), EU 2021/914. For UK: IDTA. For CH: appropriate SCCs.
• Sentry — Functional Software Inc. (US/EU) — EU Frankfurt servers (ingest.de.sentry.io) explicitly selected. NO US transfer for Turnix diagnostic data. GDPR / UK GDPR / nFADP compliance is ensured by the EU server location.

For UK customers, the Data Protection Act 2018 (DPA 2018) also applies, supplementing the UK GDPR. For Switzerland, the nFADP ensures a level of protection equivalent to the GDPR.

7. Data subject rights and right of withdrawal

Under the GDPR (arts. 15-22), the UK GDPR (arts. 15-22) and the nFADP (arts. 25-27), you have the right to:

• Access your personal data (art. 15)
• Rectify inaccurate data (art. 16)
• Erasure ("right to be forgotten") (art. 17) — available directly in the app: Settings → Reset all data
• Data portability in a structured format (art. 20)
• Object to processing (art. 21)
• Restrict processing (art. 18)
• Not to be subject to automated decision-making (art. 22) — Turnix does NOT carry out automated decision-making on your data
• Withdraw advertising consent: Settings → "Reset advertising consent"
• Withdraw Google Calendar consent: Settings → Google Calendar Sync → Disconnect (or myaccount.google.com → Security)

14-day right of withdrawal

• EU 27 + EEA: Directive 2011/83/EU on consumer rights. You have 14 days from the purchase of the Premium subscription to withdraw without giving any reason. Withdrawal is exercised by communicating the decision (e-mail info@turnix.ch) or via your store account (App Store / Google Play). The refund is issued by the store within 14 days of the notice.
• UK: Consumer Rights Act 2015 + Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (SI 2013/3134) — 14-day cooling-off period for digital services, excluding full pre-withdrawal use (digital content unbundling rule).
• CH: Swiss law does not provide for a mandatory legal right of withdrawal for digital distance services, but Turnix voluntarily guarantees the same 14-day period for cross-territory consistency.

To exercise these rights, write to: info@turnix.ch

8. Supervisory authorities

You have the right to lodge a complaint with the supervisory authority of your country of residence or habitual stay. Below is the list of the 32 competent authorities in the jurisdictions where Turnix is available.

European Data Protection Board (EDPB) — official up-to-date list of all EU+EEA authorities: edpb.europa.eu/about-edpb/about-edpb/members_en

European Union (27 states)

• Italy: Garante per la protezione dei dati personali — garanteprivacy.it
• France: CNIL (Commission Nationale Informatique et Libertés) — cnil.fr
• Germany: BfDI (Bundesbeauftragter für Datenschutz und Informationsfreiheit) — bfdi.bund.de
• Spain: AEPD (Agencia Española de Protección de Datos) — aepd.es
• Portugal: CNPD (Comissão Nacional de Proteção de Dados) — cnpd.pt
• Netherlands: AP (Autoriteit Persoonsgegevens) — autoriteitpersoonsgegevens.nl
• Belgium: APD/GBA (Autorité de Protection des Données) — autoriteprotectiondonnees.be
• Luxembourg: CNPD (Commission Nationale pour la Protection des Données) — cnpd.lu
• Ireland: DPC (Data Protection Commission) — dataprotection.ie
• Denmark: Datatilsynet — datatilsynet.dk
• Sweden: IMY (Integritetsskyddsmyndigheten) — imy.se
• Finland: Tietosuojavaltuutettu — tietosuoja.fi
• Austria: DSB (Datenschutzbehörde) — dsb.gv.at
• Poland: UODO (Urząd Ochrony Danych Osobowych) — uodo.gov.pl
• Czech Republic: ÚOOÚ (Úřad pro ochranu osobních údajů) — uoou.cz
• Hungary: NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság) — naih.hu
• Slovakia: ÚOOÚ (Úrad na ochranu osobných údajov) — dataprotection.gov.sk
• Slovenia: IP (Informacijski pooblaščenec) — ip-rs.si
• Romania: ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) — dataprotection.ro
• Bulgaria: КЗЛД (Commission for Personal Data Protection) — cpdp.bg
• Croatia: AZOP (Agencija za zaštitu osobnih podataka) — azop.hr
• Greece: HDPA (Hellenic Data Protection Authority) — dpa.gr
• Cyprus: Commissioner for Personal Data Protection — dataprotection.gov.cy
• Malta: IDPC (Information and Data Protection Commissioner) — idpc.org.mt
• Estonia: AKI (Andmekaitse Inspektsioon) — aki.ee
• Latvia: DVI (Datu Valsts Inspekcija) — dvi.gov.lv
• Lithuania: VDAI (Valstybinė Duomenų Apsaugos Inspekcija) — vdai.lrv.lt

European Economic Area (EEA, 3 non-EU states)

• Norway: Datatilsynet — datatilsynet.no
• Iceland: Persónuvernd — personuvernd.is
• Liechtenstein: DSS (Datenschutzstelle) — datenschutzstelle.li

Switzerland

• FDPIC/EDÖB (Federal Data Protection and Information Commissioner) — edoeb.admin.ch

United Kingdom (UK, post-Brexit)

• ICO (Information Commissioner's Office) — ico.org.uk

9. Security

Data is protected by Row Level Security (RLS) on Supabase: each user accesses only their own data. Communication takes place over HTTPS/TLS.

Personal data breach notification: in the event of a personal data breach that entails a risk to the rights and freedoms of the user, Turnix will notify the competent supervisory authority of the user's country of residence within 72 hours of becoming aware of the breach, pursuant to art. 33 GDPR / UK GDPR and art. 24 nFADP. Where the breach is likely to result in a high risk to the rights and freedoms of the affected users (art. 34 GDPR), Turnix will communicate the breach directly to the users concerned without undue delay, in clear and plain language, indicating: the nature of the breach, the data and categories concerned, the likely consequences, the measures taken or proposed to mitigate the effects, and the point of contact info@turnix.ch.

10. Changes

Any material changes will be notified via the app. Continued use of the app after notice constitutes acceptance.