Legal
Privacy policy
Last updated 14 July 2026. Written to be read, not to be survived.
The short version
MedAligna is workforce software. We hold information about the people who work at your organisation (their names, roles, licences, shifts and hours) because that is what a schedule is made of. We do not hold information about your patients.
We do not sell your data. We do not share it with advertisers. We do not use it to train models for anybody else. You can export everything and you can ask us to delete it.
Who is responsible for what
Your organisation decides what staff information goes into MedAligna and why. In data-protection language, your organisation is the controller and MedAligna is the processor: we handle the data on your instructions, for the purpose of running your schedule.
If you are a member of staff and you want your information corrected or removed, your employer is the right first port of call, though you can always contact us directly and we will help.
What we collect
Account and organisation details: your name, work email, role, and the organisation you belong to.
Staff records: names, contact details, employment type, positions, skills, contracted hours, pay or bill rates where you enter them, and home location.
Credentials: licences, certifications, screening results and their expiry dates, along with any documents uploaded. Credential documents belong to the individual who uploaded them and are stored in a private bucket, reachable only through short-lived signed links.
Schedules and time: shifts, assignments, swaps, time-off requests, clock-in and clock-out records, and, where your organisation enables geofenced clock-in, the location captured at the moment of clocking in or out, and at no other time.
Client records, for home care organisations only: a client's name and address, held so that visits can be scheduled. This is the one category of information in MedAligna that constitutes protected health information, and it is treated accordingly, including a separate access log that records every read, not merely every change.
Technical data: log records, IP address, browser and device information, and error reports, used to keep the service running and secure.
What we don't collect
No patient names, diagnoses, charts, notes, or medical records. MedAligna schedules staff, not patients. Aggregate census counts ('eighteen patients on this unit tonight') identify nobody, and are used only to compute staffing ratios.
We do not run background checks or order consumer reports. Where a background check appears in MedAligna, it is a result your organisation obtained from its own provider and recorded here.
Who can see it
Tenant isolation is enforced at the database level, not by application code. One organisation cannot see another organisation's data, and a query that omits its filter returns nothing rather than everything.
Inside an organisation, access is by role. Owners, admins and schedulers can see staff records and credentials because credentialing is their job. Ordinary staff members see their own information and the shifts of colleagues they work alongside, not their colleagues' licence numbers or documents.
Every change to a schedule, credential, membership or time record is written to an append-only audit log that nobody, including us and including your account owner, can edit or delete.
Sub-processors
We use a small number of vendors to run the service: a database and file-storage provider, an application host, and an email provider for transactional messages. Each of them processes data only to deliver their part of the service.
Ask us for the current list and we will send it to you in writing.
How long we keep it
For as long as your organisation has an account with us, plus a limited period afterwards so that a cancelled account can be reinstated and so that payroll and audit records survive the year they relate to.
Cancelling does not delete. A lapsed or cancelled account becomes read-only: you keep everything, and you can export it. If you want it deleted, ask us and we will delete it.
Getting your data out, or deleted
Export: staff, schedules, credentials and hours export to CSV or JSON from inside the application, at any time, including after cancellation. This is a product feature, not a favour.
Deletion: write to us and we will delete your organisation's data. Note that entries in the audit log survive the deletion of the person they refer to: the actor is forgotten, but the record that something happened remains, because an audit log that can be erased by the people it audits is not an audit log.
Security
Traffic is encrypted in transit; data is encrypted at rest by our database provider. Uploaded documents live in a private bucket and are reachable only through short-lived signed links. Sessions expire. Access is role-based and enforced in the database.
The controls are described in more detail, and in checkable terms, on our security page.
Contact
Questions, requests, or a security questionnaire: hello@medicalstaffscheduling.com. A person answers, in writing.