Privacy policy

Last updated: April 20, 2026

This page is a placeholder summary of how Roster+ handles personal data. It will be replaced by our counsel-reviewed policy before general availability. If you need the final version ahead of launch, email privacy@roster.plus.

What we collect

  • Identity: name, work email, avatar. Sourced from your WorkOS or SSO provider when your employer signs up.
  • Scheduling data: shifts, availability, swap requests, clock-in events. Owned by your employer.
  • Operational metadata: IP address, user agent, and timestamps on auth events, stored in an append-only audit table.

How we use it

  • To run the rota scheduling features you and your employer rely on.
  • To keep accounts secure and to investigate abuse or fraud.
  • To improve the product in aggregated, de-identified form.

Where it lives

Data is stored in a Postgres cluster on Supabase, in a region your employer can configure. Row-level security is enforced on every table, which means no tenant's rows are ever visible to another tenant — not even to us in day-to-day operation.

Your rights

You can request export or deletion of your personal data at any time by emailing privacy@roster.plus. Where required by law (GDPR, UK GDPR, CCPA), we will reply within the statutory deadline.

Subprocessors

  • Vercel — hosts the Roster+ web app.
  • Supabase — Postgres database and auth infrastructure.
  • WorkOS — authentication, SSO, directory sync.

Contact

Privacy questions or data-subject requests: privacy@roster.plus.