RotaBridge

Legal

Privacy Policy

This policy explains how RotaBridge collects, uses, and protects personal data when you use our website and shift-management service. It applies to organisation administrators, workers, and website visitors.

Last updated: 25 July 2026

1. Who we are

RotaBridge("we", "us", "our") provides a web-based shift and rota management service at rotabridge.com(the "Service").

We operate internationally. We are not currently registered as a company in any jurisdiction; if that changes (for example, registration in the United Kingdom), we will update this policy with our registered details.

For data protection purposes, we act as:

  • Data controller for personal data we collect to run our business — for example, organisation administrator accounts, billing, website analytics (with your consent), and support enquiries.
  • Data processor for personal data about workers that organisation administrators upload or invite into the Service. In those cases, the organisation is usually the data controller and decides why and how worker data is used.

Contact us about privacy: support@rotabridge.com

2. Who this policy applies to

  • Organisation administrators who register and manage an account
  • Workers who join an organisation via invite link
  • Website visitors who browse our marketing pages

The Service is intended for business use. It is not directed at children under 16, and we do not knowingly collect their personal data.

3. Personal data we collect

3.1 Organisation administrators

When you create an organisation account, we collect:

  • Organisation name
  • Your name and email address
  • Password (stored in hashed form — we never store plain-text passwords)
  • Phone number (optional)
  • Selected subscription plan

3.2 Workers

When a worker joins via an organisation invite link, we collect:

  • Name and email address
  • Password (stored in hashed form)
  • Phone number (optional)
  • Worker roles assigned or chosen at registration
  • Shift-related activity (for example, claims, approvals, and availability)

3.3 Data your organisation enters about operations

Administrators may add sites, roles, shifts, and related operational data. This may include location names and shift times. We do not ask you to store special category data (such as health information) in the Service, and you should not enter it unless you have a lawful basis and appropriate safeguards.

3.4 Billing and subscription data

Paid plans are processed by Paddle, our payment provider. Paddle collects payment and billing information directly. We receive limited billing metadata (such as subscription status, plan, and Paddle customer or subscription identifiers) — not your full card number.

3.5 Technical and usage data

  • IP address, browser type, device information, and request logs
  • Authentication tokens and session data needed to keep you signed in
  • Website analytics via Google Analytics 4, only if you accept analytics cookies (see our Cookie Policy)

3.6 Communications

We send transactional emails (for example, account and service-related messages) from addresses such as notifications@rotabridge.com. We do not send marketing emails unless you have opted in.

4. How we use personal data

We use personal data to:

  • Provide, maintain, and improve the Service
  • Create and manage organisation and worker accounts
  • Publish shifts, process claims, and support roster workflows
  • Process subscriptions and enforce plan limits
  • Send service-related emails and respond to support requests
  • Monitor security, prevent abuse, and troubleshoot errors
  • Analyse website usage (with consent) to improve our marketing and product
  • Comply with legal obligations

5. Lawful bases (UK GDPR / EU GDPR)

Where UK GDPR or EU GDPR applies, we rely on the following lawful bases:

  • Contract — to provide the Service you or your organisation signed up for
  • Legitimate interests — to secure the Service, prevent fraud, and improve reliability, balanced against your rights
  • Legal obligation — where we must comply with applicable law
  • Consent — for non-essential cookies (analytics) and marketing communications where required

Organisation administrators are responsible for identifying their own lawful basis for processing worker data and for providing any required notices to their staff.

6. Workers — important information

If you are a worker, your employer or organisation administrator invited you to use RotaBridge. Your organisation decides which data to collect and how shifts are managed.

We process worker data on the organisation's instructions to deliver the Service. For most worker-related requests (access, correction, or deletion), contact your organisation first. You may also contact us at support@rotabridge.com, and we will assist or redirect your request as appropriate.

7. Who we share data with

We do not sell personal data. We share data only with service providers ("sub-processors") that help us run the Service, under appropriate contractual safeguards:

  • Hostinger — website and application hosting (United Kingdom / European infrastructure)
  • MongoDB Atlas — database hosting (United Kingdom region)
  • Paddle — subscription billing and payment processing
  • Resend — transactional email delivery
  • Google Analytics — website analytics (only with your cookie consent)

We may also disclose data if required by law, to protect rights and safety, or in connection with a business transfer (for example, merger or acquisition), with notice where permitted.

A Data Processing Agreement (DPA) for organisation customers is available on request — email support@rotabridge.com.

8. International transfers

We aim to store and process data in the United Kingdom and/or the European Economic Area where possible. Some sub-processors (such as Paddle, Resend, or Google) may process data in other countries, including the United States.

Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms approved under UK and EU data protection law.

9. How long we keep data

We retain personal data only as long as necessary for the purposes above:

  • Active accounts— for the duration of your or your organisation's use of the Service
  • After account closure — we delete or anonymise data within a reasonable period, except where we must retain it for legal, tax, or dispute-resolution purposes
  • Server logs — typically up to 90 days, unless needed for security investigations
  • Billing records — as required by tax and accounting rules

10. Security

We use technical and organisational measures to protect personal data, including encrypted connections (HTTPS), hashed passwords, access controls, and hosted infrastructure with reputable providers. No method of transmission or storage is 100% secure; please use a strong, unique password for your account.

11. Your rights

Depending on where you live (including the UK and EEA), you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Restrict or object to certain processing
  • Data portability
  • Withdraw consent (where processing is based on consent)
  • Lodge a complaint with a supervisory authority

In the UK, you may contact the Information Commissioner's Office (ICO) at ico.org.uk. In the EEA, contact your local data protection authority.

To exercise your rights, email support@rotabridge.com. We may need to verify your identity before responding. We aim to respond within one month.

12. Account and data deletion

There is no self-service account deletion in the app at this time. To request deletion of your personal data or closure of an organisation account, contact support@rotabridge.com. We will process verified requests in line with applicable law and our retention obligations.

Organisation administrators should remove workers they no longer employ and cancel subscriptions before requesting organisation deletion.

13. Cookies

We use essential cookies for authentication and security. We use analytics cookies only with your consent. See our Cookie Policy for details and how to manage your choices.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and change the "Last updated" date. For material changes, we may notify organisation administrators by email or in-app notice.

Effective from: 25 July 2026

15. Contact

Questions about this Privacy Policy or our use of personal data:

RotaBridge
Email: support@rotabridge.com

This document is provided for information purposes. It is not legal advice. If you have questions about how we handle your data, contact support@rotabridge.com.