Privacy Policy

Roster Technologies Limited ("Roster", "we", "us", or "our") is a private company limited by shares registered in Ireland under company number 813185, with its registered office in Dublin. We operate the Roster platform, a hospitality hiring platform that connects workers with venues across Ireland.

Roster Technologies Limited is the data controller for the personal data processed through the Platform. This means we determine how and why your personal data is processed.

We collect the following categories of personal data:

2.1 Information You Provide

• Account information: Full name, email address, phone number, and password.
• Profile information: Profile photo, bio, skills, work experience, availability preferences, and employment history.
• Identity documents: Proof of identity and right-to-work documentation where required for verification.
• Payment information: Bank account details and payment preferences processed through Stripe Connect. We do not store full bank account or card numbers on our servers.
• Venue information: Business name, address, Eircode, business description, and contact details (for Venue accounts).
• Communications: Messages sent through the Platform, support requests, and feedback.

2.2 Information Collected Automatically

• Location data: GPS coordinates collected during shift check-in and check-out to verify attendance. Location data is only collected when you actively use the check-in feature.
• Device information: Device type, operating system, app version, and unique device identifiers.
• Usage data: Pages viewed, features used, search queries, session duration, and interaction patterns.
• Log data: IP address, browser type, referring/exit pages, and timestamps.

2.3 Information from Third Parties

• Stripe: Payment processing status, payout history, and account verification results.
• Venues/Workers: Ratings, reviews, and shift completion records submitted by other users.

We use your personal data for the following purposes:

• Providing the Platform: Matching workers with shifts, processing applications, facilitating communication between workers and venues, and managing shift operations.
• Payments: Processing payments for completed shifts, managing Stripe Connect accounts, and handling payouts to workers.
• Quality and trust: Calculating reliability scores, quality scores, and star ratings to maintain platform quality and help venues make informed hiring decisions.
• Communications: Sending shift confirmations, reminders, payment notifications, and other transactional messages. Sending marketing communications where you have opted in.
• Analytics: Understanding how the Platform is used, identifying trends, and improving our services. We use anonymised and aggregated data for salary insights and market analytics.
• Safety and security: Detecting and preventing fraud, abuse, and unauthorised access. Verifying identities and right-to-work status.
• Legal compliance: Fulfilling our legal obligations, responding to legal requests, and enforcing our Terms of Service.

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases for processing your personal data:

• Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Platform services, including account management, shift matching, payment processing, and communication features.
• Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, including fraud prevention, platform security, quality scoring, analytics, and service improvement, where these interests are not overridden by your rights and freedoms.
• Consent (Article 6(1)(a)): Where we rely on your consent, such as for marketing communications, push notifications, and certain uses of location data. You may withdraw consent at any time.
• Legal obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, such as tax reporting and responding to lawful requests from authorities.

We share your personal data with the following categories of recipients:

• Stripe (Stripe, Inc.): Payment processing, identity verification, and payout management. Stripe processes data as an independent controller under its own privacy policy.
• Expo (Expo, Inc.): Push notification delivery for the mobile application. Only device push tokens and notification content are shared.
• Sentry (Functional Software, Inc.): Error tracking and application monitoring to maintain platform reliability. Only technical error data and anonymised user identifiers are shared.
• Supabase (Supabase, Inc.): Database hosting and authentication services. Data is stored in compliance with their data processing agreement.
• Other users: Workers and venues can see relevant profile information (name, photo, skills, ratings, reliability scores) to facilitate shift matching and hiring. We never share your email address, phone number, or payment details with other users without your consent.

We do not sell your personal data to third parties. We do not share your data with advertisers or data brokers.

We retain your personal data for the following periods:

• Active accounts: Data is retained for as long as your account is active and you continue to use the Platform.
• Closed accounts: Core account data (name, email, shift history) is retained for 2 years after account closure for legal, tax, and audit purposes.
• Financial records: Payment and transaction records are retained for 7 years in accordance with Irish tax and accounting regulations.
• Identity documents: Retained only for as long as necessary for verification purposes, then securely deleted.
• Messages: Retained for 1 year after the last message in a conversation, then automatically deleted.
• Location data: GPS check-in data is retained for 90 days, then automatically anonymised or deleted.
• Analytics data: Aggregated and anonymised analytics data may be retained indefinitely.

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can request that we correct any inaccurate or incomplete personal data.
• Right to erasure: You can request that we delete your personal data, subject to legal retention requirements.
• Right to data portability: You can request your data in a structured, commonly used, machine-readable format.
• Right to restriction: You can request that we restrict the processing of your personal data in certain circumstances.
• Right to object: You can object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you can withdraw that consent at any time.

To exercise any of these rights, please contact us at hello@roster.ie. We will respond to your request within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Commission of Ireland (dataprotection.ie).

We use cookies and similar technologies to operate and improve the Platform:

• Essential cookies: Required for authentication, security, and core Platform functionality. These cannot be disabled.

Roster does not use analytics, advertising, or tracking cookies. We set only the strictly-necessary cookies needed for authentication and security, which is why no cookie-consent banner is required to use the Platform.

We do not use advertising or tracking cookies. We do not participate in any third-party advertising networks.

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our third-party service providers (Stripe, Expo, Sentry, Supabase) are based.

Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable.

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete such data promptly.

For any questions or concerns about how we handle your personal data, or to exercise your data protection rights, please contact our Data Protection Contact:

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. If we make material changes, we will notify you by email or through a prominent notice on the Platform at least 14 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after any changes constitutes your acceptance of the updated policy.