Legal
GDPR & Data Protection
RotaBridge is built for UK small businesses. This page explains, in plain English, how we handle personal data under UK GDPR and UK data protection law — and what that means for organisation administrators and workers.
Last updated: 25 July 2026
Our commitment
We collect only the personal data needed to run shift cover — names, emails, shift activity, and basic account details. We do not sell personal data. We use reputable providers, secure connections, and clear roles so you know who is responsible for what.
This page is a summary for trust and transparency. The full legal detail is in our Privacy Policy, which forms part of how we operate under UK GDPR.
UK GDPR — who is responsible?
Under UK GDPR, different parties have different responsibilities depending on the data:
- Your organisation (administrator) — usually the data controller for worker personal data. You decide why worker data is collected and how shifts are managed. You are responsible for telling your staff how their data is used.
- RotaBridge — the data controller for organisation admin accounts, billing metadata, support enquiries, and website analytics (with consent).
- RotaBridge — the data processor when handling worker data on your organisation's instructions to deliver the Service.
If you are a worker invited by your employer, contact your organisation first for most data requests. You can also email us and we will help or redirect your request appropriately.
What data we process
At a high level:
- Organisation administrators — organisation name, your name, email, hashed password, optional phone, subscription plan
- Workers — name, email, hashed password, optional phone, roles, and shift-related activity (claims, approvals, assignments)
- Operations data — sites, roles, shifts, and related roster information your organisation enters
- Billing — payment is handled by Paddle; we receive subscription status and identifiers, not your full card number
- Technical data — IP address, browser type, logs, and session data needed to keep the Service secure and running
We do not ask you to store special category data (such as health information) in the Service.
Lawful bases (UK GDPR)
Where UK GDPR applies, we rely on:
- Contract — to provide the Service your organisation signed up for
- Legitimate interests — to keep the Service secure, reliable, and to prevent abuse, balanced against your rights
- Legal obligation — where we must comply with applicable law
- Consent — for non-essential analytics cookies and marketing communications where required
Organisation administrators must identify their own lawful basis for processing worker data and provide any required privacy notices to their staff.
Where your data is stored
We aim to store and process data in the United Kingdom and/or the European Economic Area where possible. Our primary hosting and database providers use UK/European infrastructure.
Some sub-processors (such as Paddle, Resend, or Google) may process data in other countries. Where required, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms approved under UK data protection law.
Sub-processors we use
We share personal data only with service providers that help us runRotaBridge, under contractual safeguards:
| Provider | Purpose | Location / notes |
|---|---|---|
| Hostinger | Website and application hosting | United Kingdom / European infrastructure |
| MongoDB Atlas | Database hosting | United Kingdom region |
| Paddle | Subscription billing and payments | May process data internationally (with safeguards) |
| Resend | Transactional email delivery | May process data internationally (with safeguards) |
| Google Analytics | Website analytics (only with your cookie consent) | May process data internationally (with safeguards) |
Security
We use technical and organisational measures to protect personal data, including:
- Encrypted connections (HTTPS) for all traffic
- Passwords stored in hashed form — never plain text
- Access controls and reputable hosted infrastructure
- Monitoring for abuse and security issues
No online service can guarantee absolute security. Please use a strong, unique password for your account.
Cookies and analytics
We use essential cookies and storage for authentication and security. Analytics cookies (Google Analytics 4) are used only if you accept them via our cookie banner.
Read our Cookie Policy for full details, or manage your choices below:
Your rights under UK GDPR
If UK GDPR applies to you, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Restrict or object to certain processing
- Data portability
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with a supervisory authority
To exercise your rights, email support@rotabridge.com. We may need to verify your identity. We aim to respond within one month.
In the UK, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk.
There is no self-service account deletion in the app at this time. To request deletion of personal data or closure of an organisation account, contact support@rotabridge.com.
For UK business customers
If you are an organisation administrator, you are typically the data controller for your workers' personal data. We act as your data processor when handling that data to deliver the Service.
A Data Processing Agreement (DPA) is available on request for organisation customers. This sets out how we process worker data on your instructions, including security and sub-processors.
Our service is governed by the laws of England and Wales. See our Terms & Conditions for the full agreement.
Related policies
- Privacy Policy — full legal detail on data collection, use, retention, and international transfers
- Cookie Policy — how we use cookies and similar technologies
- Terms & Conditions — your agreement for using the Service
Contact
Questions about data protection or how we handle personal data:
RotaBridge
Email: support@rotabridge.com
