Privacy Policy
Last updated: 2026-06-19
1. Data controller and territorial scope
Giacomo Cacciatore
E-mail: info@turnix.ch
For formal postal requests, please contact us by e-mail to request the
controller's postal address; responses to privacy requests are provided
within 30 days of submission.
Minimum age of use: 18 years old (the service is intended for adult healthcare professionals) or, alternatively, the minimum digital consent age established by the user's country of residence (art. 8 GDPR: between 13 and 16 years depending on the member state) with the explicit authorization of the holder of parental responsibility. The UK Age Appropriate Design Code 2020 ("Children's Code") issued by the ICO additionally applies in the United Kingdom. Turnix does not knowingly collect or process data of minors without the authorizations required by law; any processing detected in violation will be deleted immediately.
Turnix is available globally. We apply the GDPR (Regulation (EU) 2016/679) as the baseline standard for all users, wherever they are located. In the following regimes we ensure full compliance with local law:
- European Union (EU) and European Economic Area (EEA): Regulation (EU) 2016/679 (GDPR).
- United Kingdom: UK GDPR + Data Protection Act 2018.
- Switzerland: Swiss Federal Act on Data Protection (nFADP/revDSG, also known as nLPD), in force since September 1, 2023, + the related Ordinance (OLPD/DPO).
For users in other countries we apply the GDPR standard as a minimum level of protection and respect the data-protection rights provided by the applicable local law. Such users may contact their own competent local supervisory authority (see ยง8).
Switzerland benefits from an EU adequacy decision (January 15, 2024, EU Commission Decision 2024/254). The United Kingdom benefits from an EU adequacy decision (June 28, 2021, Decision 2021/1772).
2. Data collected
- E-mail address (registration and authentication via e-mail and password or via Google Sign-In OAuth)
- Account password (stored in encrypted form on Supabase Auth, never in plaintext; NOT applicable if the user signs in exclusively via Google Sign-In)
- Identifying name chosen in the app
- Work shift data: date, cropped image of the PDF cell (visual sticker) and visual pHash fingerprint (perceptual hash of the cell) to recognize identical or modified shifts. The app does NOT automatically interpret the meaning of the cell (shift code, color, times): it only shows the real image from the PDF.
- Any extracted times (when available in the PDF legend) are used only for local scheduling of alarms/reminders.
- Clusters of similar cells (pHash grouping) and user classification "working/off" indicated manually in Statistics.
- Google OAuth tokens: (a) if the user signs in via Google Sign-In (optional alternative to sign-in with e-mail and password), or (b) if a Premium user connects Google Calendar sync. Tokens are stored exclusively on the device (Hive box) and are never sent to Turnix servers.
- Push tokens (Firebase Cloud Messaging) to receive team shift distribution notifications.
- Temporary PDF files during processing (not retained on the consumer server; archived in team_archive only for team distribution uploads in Enterprise mode).
- Anonymous diagnostic data: crash stack-traces, app version, device model, operating system (sent to Sentry to fix bugs โ no personal data).
Special categories of data (art. 9 GDPR / art. 5 lett. c nFADP): Turnix does NOT collect biometric data, genetic data, data revealing religious, philosophical, political or trade-union opinions, ethnic or racial origin, social data or criminal-conviction data. Work shift data constitute ordinary personal data.
Optional health features โ data ONLY on the device (local-only)
Turnix offers three optional health features, off by default, each enabled individually via separate explicit consent (art. 9 para. 2 lett. a GDPR / art. 6 para. 7 lett. a nFADP). The data in these features constitutes health data (special category, art. 9 GDPR):
- Menstrual cycle: start day, flow intensity, estimated duration, free note, predicted days.
- Sleep: bedtime, wake time, sleep quality (duration is computed, not stored).
- Wellbeing: mood, symptoms and energy (selected tags) plus a free note.
This feature's data stays only on this device: it is never sent to our servers or to third parties. It is not restored on a new phone and is lost if you uninstall the app.
It is encrypted at-rest on the device (AES, with a key generated locally in the phone's secure keystore), excluded from the operating system's automatic backups, never synced to the cloud and never sent to sub-processors. You can disable each feature at any time: disabling it permanently deletes the related data from the device, without having to delete your account.
Turnix is not a medical device: this feature's data is for informational and personal use only and does not replace a doctor's advice.
No automated profiling: Turnix does NOT carry out profiling or automated decision-making on your data within the meaning of art. 22 GDPR / UK GDPR / art. 21 nFADP. The visual cluster grouping based on pHash is a deterministic image comparison (perceptual hash fingerprint of the PDF cell) and does NOT constitute profiling or an automated evaluation of personal aspects of the user. The "working/off" cluster classification is always indicated manually by the user in the Statistics section.
3. Purposes and legal basis
Legal basis under GDPR (EU + EEA) and UK GDPR:
- Service provision (art. 6 para. 1 lett. b GDPR / UK GDPR โ contract performance)
- Persistence of visual pHash clusters to recognize identical and modified shifts across different months (legitimate interest, art. 6 para. 1 lett. f GDPR / UK GDPR)
- Subscription management via RevenueCat (contract performance)
- Optional authentication via Google Sign-In (explicit consent, art. 6 para. 1 lett. a GDPR / UK GDPR) โ alternative to sign-in with e-mail and password. The user can freely choose which authentication method to use. Google OAuth tokens are stored exclusively on the device and are never sent to Turnix servers.
- Optional sync to Google Calendar (explicit consent, art. 6 para. 1 lett. a GDPR / UK GDPR) โ activated only if the Premium user connects their Google account. Consent can be withdrawn at any time.
- Crash diagnostics and app stability via Sentry (legitimate interest, anonymous data)
- Push notification delivery for team shift distribution via Firebase Cloud Messaging (contract performance, Enterprise team mode only)
- Optional health features (cycle, sleep, wellbeing): processing carried out exclusively locally on the device on the basis of explicit consent (art. 9 para. 2 lett. a GDPR / art. 6 para. 7 lett. a nFADP), withdrawable at any time by disabling the feature (with deletion of the data)
Legal basis under the Swiss nFADP/revDSG: processing necessary for contract performance, for the legitimate interest of the controller, and based on the user's explicit consent for ancillary purposes (art. 31 nFADP).
4. Data retention
Data is retained as long as the account is active. The user can delete all their data at any time via Settings โ Reset all data. After deletion, data is removed from backups within 30 days.
Retention by category:
- Account e-mail address: retained as long as the account is active. Deletion within 30 days of the user's request (Settings โ Reset all data) + complete removal from backups within the next 90 days (data minimization principle + right to erasure art. 17 GDPR / UK GDPR / art. 32 nFADP).
- Cell crop images (visual stickers): automatically deleted after 365 days (data minimization principle, nFADP).
- Health-feature data (cycle, sleep, wellbeing): kept only on the device while the feature is enabled. Deleted immediately by disabling the feature, via Settings โ Reset all data, or by uninstalling the app. It is NEVER present on our servers or in cloud backups.
- Google Calendar OAuth tokens: deleted immediately when the user disconnects the account via Settings โ Google Calendar Sync โ Disconnect. The user can also revoke access directly from myaccount.google.com โ Security โ Apps with access to your account.
- Firebase Cloud Messaging tokens: deleted on logout or data reset.
- PDFs distributed by the team leader (Enterprise team mode): rolling FIFO retention, max 6 months.
- Sentry diagnostic data: 90-day retention on Sentry EU Frankfurt servers.
5. Third parties (sub-processors)
Supabase Inc. (data storage, authentication) โ Server region: eu-west-1 (Ireland, EU). DPA available at supabase.com/privacy.
RevenueCat Inc. (subscription management) โ Privacy policy: revenuecat.com/privacy. RevenueCat only receives an anonymous purchase identifier, not shift data.
Health-feature data (cycle, sleep, wellbeing): no sub-processor. It stays encrypted on the device and is not transmitted to Supabase or to any third party.
Google LLC โ Google Calendar API (optional Premium feature, active only if the Premium user connects their own Google account). The app uses two scopes: "calendar.events" (CRUD on the events in the user's primary calendar: the app writes only your events/reminders to Google and reads the events of your primary calendar) and "calendar.readonly" (read-only, to import into Turnix the events of your other Google calendars โ e.g. Birthdays, Holidays and custom calendars). Synchronisation concerns exclusively shifts, events and reminders: data from the health features (cycle, wellbeing, sleep) is NEVER transmitted. OAuth tokens are stored exclusively on the device (managed by Google Sign-In) and are never sent to Turnix servers. The user can disconnect or revoke access at any time via Settings โ Google Calendar Sync โ Disconnect, or from myaccount.google.com โ Security. Google receives the events (date, time, cluster label) but NO sensitive data (employee name, OCR shift code), in line with the Strada B Pura principle.
Google LLC โ Firebase Cloud Messaging (FCM). Enterprise team mode only, to receive push notifications when the team leader distributes a PDF. The FCM token is stored on Supabase (RLS active, accessible only by the Cloud Run backend). Privacy policy: firebase.google.com/support/privacy.
Sentry (Functional Software Inc.) โ crash diagnostics and stability.
Server in the EU region: Sentry Frankfurt (ingest.de.sentry.io). Receives only stack-traces,
app version, device model, and operating system. The sendDefaultPii=false flag
is configured โ NO personal data (email, IP, user identifiers) is sent.
Data retention: 90 days. Privacy policy:
sentry.io/privacy.
No shift data is sold or transferred to third parties for advertising purposes.
5.1 Cookies and tracking technologies
Compliance with the ePrivacy Directive 2002/58/EC (as transposed by each EU/EEA member state โ e.g. Legislative Decree 196/2003 art. 122 in Italy, TTDSG ยง 25 in Germany, French Data Protection Act art. 82, LSSI-CE art. 22 in Spain) + UK Privacy and Electronic Communications Regulations (PECR) 2003 + art. 45c nFADP for Switzerland.
Turnix mobile app: does NOT use HTTP cookies (native apps do not have browser cookies). Local storage is used exclusively for:
- Local Hive boxes (user preferences, language locale, pHash cluster cache, Google OAuth tokens if Premium is enabled): these are NOT cookies and are NOT accessible to third parties.
- Android SharedPreferences / iOS NSUserDefaults: onboarding completion flag, local preferences (language, theme). These are essential technologies for the operation of the service (no ePrivacy consent required).
turnix.ch website: uses only essential technical cookies (no analytics, no tracking, no profiling, no third-party cookies). No cookie consent banner is required under art. 122 Legislative Decree 196/2003 + EDPB cookie guidelines 03/2022.
5.2 Data Protection Officer (DPO)
Turnix is not required to appoint a Data Protection Officer (DPO) within the meaning of art. 37 para. 1 GDPR / UK GDPR / art. 10 nFADP: the controller is not a public authority, does not carry out large-scale processing of sensitive data (arts. 9-10 GDPR), and does not carry out large-scale systematic monitoring of data subjects.
In relation to the optional health features (special category, art. 9 GDPR), a Data Protection Impact Assessment (DPIA, art. 35 GDPR) was nonetheless conducted. The DPIA confirmed the absence of high risks to the rights and freedoms of data subjects thanks to the local-only architecture: no server-side processing, data encrypted at-rest on the user's device alone and under their sole control, separate explicit consent, and immediate deletion on request.
For any personal data protection request, exercise of data subject rights (see ยง7) or complaint, please contact the data controller directly at info@turnix.ch. We will respond within 30 days of the request (art. 12 para. 3 GDPR).
6. International data transfers
Personal data may be transferred outside the EU/EEA, the United Kingdom and Switzerland in the cases described below. Each transfer is based on appropriate safeguards pursuant to arts. 44-49 GDPR / UK GDPR and arts. 16-18 nFADP.
Data transfer by provider:
- Supabase Inc. (US) โ servers in eu-west-1 (Ireland, EU) explicitly selected. Any US transfer (backups) is based on the Standard Contractual Clauses (SCC) under EU Decision 2021/914 + the EU-US Data Privacy Framework (DPF, July 2023) adequacy decision. For UK: International Data Transfer Agreement (IDTA), UK ICO. For CH: SCCs are valid under the CH-EU adequacy decision.
- Google LLC (Calendar, FCM) โ transfer to the United States under:
- EU/EEA: EU-US Data Privacy Framework adequacy decision (Google LLC is DPF-certified) + SCCs as fallback.
- UK: UK Extension to the EU-US DPF + International Data Transfer Agreement (IDTA).
- CH: Swiss-US DPF (parallel to the EU-US DPF) + SCCs as fallback.
- RevenueCat Inc. (US) โ transfer to the United States based on the Standard Contractual Clauses (SCC), EU 2021/914. For UK: IDTA. For CH: appropriate SCCs.
- Sentry โ Functional Software Inc. (US/EU) โ EU Frankfurt servers (ingest.de.sentry.io) explicitly selected. NO US transfer for Turnix diagnostic data. GDPR / UK GDPR / nFADP compliance is ensured by the EU server location.
Health-feature data (cycle, sleep, wellbeing): no international transfer. It stays on the user's device and never leaves the phone.
For UK customers, the Data Protection Act 2018 (DPA 2018) also applies, supplementing the UK GDPR. For Switzerland, the nFADP ensures a level of protection equivalent to the GDPR.
7. Data subject rights and right of withdrawal
Under the GDPR (arts. 15-22), the UK GDPR (arts. 15-22) and the nFADP (arts. 25-27), you have the right to:
- Access your personal data (art. 15)
- Rectify inaccurate data (art. 16)
- Erasure ("right to be forgotten") (art. 17) โ available directly in the app: Settings โ Reset all data
- Data portability in a structured format (art. 20)
- Object to processing (art. 21)
- Restrict processing (art. 18)
- Not to be subject to automated decision-making (art. 22) โ Turnix does NOT carry out automated decision-making on your data
- Withdraw consent for health features: disable the feature (Settings โ Cycle/Sleep/Wellbeing section), with immediate deletion of the data from the device
- Withdraw Google Calendar consent: Settings โ Google Calendar Sync โ Disconnect (or myaccount.google.com โ Security)
14-day right of withdrawal
- EU/EEA: Directive 2011/83/EU on consumer rights. You have 14 days from the purchase of the Premium subscription to withdraw without giving any reason. Withdrawal is exercised by communicating the decision (e-mail info@turnix.ch) or via your store account (App Store / Google Play). The refund is issued by the store within 14 days of the notice.
- UK: Consumer Rights Act 2015 + Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (SI 2013/3134) โ 14-day cooling-off period for digital services, excluding full pre-withdrawal use (digital content unbundling rule).
- CH: Swiss law does not provide for a mandatory legal right of withdrawal for digital distance services, but Turnix voluntarily guarantees the same 14-day period for cross-territory consistency.
To exercise these rights, write to: info@turnix.ch
7.1 Users outside the EU/EEA/Switzerland/United Kingdom (including USA, Brazil, Canada, Australia)
Turnix is available globally and applies the GDPR as the minimum level of protection in every country. The following are the additions for the main additional jurisdictions.
United States โ California (CCPA/CPRA)
- We do not sell or "share" your personal data, including for cross-context behavioral advertising purposes: Turnix contains no advertising.
- Categories collected: identifiers (email), commercial information (purchase history via RevenueCat), app usage and diagnostic data. The sensitive data of the health features stays exclusively on your device and is neither collected nor processed by our servers.
- Rights: to know/access, delete and correct your data; to opt out of the sale/sharing (not applicable โ we do not sell); to limit the use of sensitive data (already limited: it stays on the device); not to suffer discrimination for exercising your rights.
- To exercise them: info@turnix.ch (including through an authorized agent).
Brazil (LGPD)
We recognize the rights provided by the LGPD (confirmation, access, correction, anonymization/deletion, portability, withdrawal of consent) and the ANPD authority. Data controller: Giacomo Cacciatore (info@turnix.ch).
Other countries (Canada, Australia, etc.)
We apply the GDPR standard as the minimum level and respect the rights provided by the applicable local laws.
8. Supervisory authorities
You have the right to lodge a complaint with the competent supervisory authority. The reference authorities for the regimes we explicitly follow are:
- European Union and European Economic Area: your country's national data protection authority. Official up-to-date list from the European Data Protection Board (EDPB): edpb.europa.eu/about-edpb/about-edpb/members_en
- Switzerland: FDPIC/EDรB (Federal Data Protection and Information Commissioner) โ edoeb.admin.ch
- United Kingdom: ICO (Information Commissioner's Office) โ ico.org.uk
For countries whose authority is not listed above, you may contact the local data protection authority of your own country, where one exists.
9. Security
Data is protected by Row Level Security (RLS) on Supabase: each user accesses only their own data. Communication takes place over HTTPS/TLS.
Personal data breach notification: in the event of a personal data breach that entails a risk to the rights and freedoms of the user, Turnix will notify the competent supervisory authority of the user's country of residence within 72 hours of becoming aware of the breach, pursuant to art. 33 GDPR / UK GDPR and art. 24 nFADP. Where the breach is likely to result in a high risk to the rights and freedoms of the affected users (art. 34 GDPR), Turnix will communicate the breach directly to the users concerned without undue delay, in clear and plain language, indicating: the nature of the breach, the data and categories concerned, the likely consequences, the measures taken or proposed to mitigate the effects, and the point of contact info@turnix.ch.
10. Changes
Any material changes will be notified via the app. Continued use of the app after notice constitutes acceptance.