Privacy Policy
This Privacy Policy describes how Rostly collects, uses, and shares information about you when you use our workforce scheduling platform. We are committed to handling your data with care and transparency.
1. Information We Collect
Information you provide
When you create an account, we collect your name, email address, and password. If you create or join an organization, we collect organization name and billing details. Team members invited to your organization provide their name and email address.
Scheduling and operational data
We collect the roster and shift data you enter, including employee names, roles, shift times, availability preferences, and schedule notes. This is the core data required to provide the Service.
Usage data
We automatically collect information about how you interact with the Service, including pages visited, features used, actions taken, timestamps, and session duration. This helps us understand product usage and improve reliability.
Device and technical data
We collect IP address, browser type and version, operating system, time zone setting, and device identifiers. This information is used for security, fraud prevention, and service delivery.
Communications
If you contact us for support or send feedback, we retain those communications and any contact information you provide.
2. How We Use Your Information
- Provide, operate, and maintain the Service, including processing your scheduling data and sending you notifications about your shifts and team.
- Authenticate your identity and secure your account against unauthorized access.
- Process billing and payments, and send invoices and payment confirmations.
- Send transactional emails, such as account verification, password resets, invitation emails, and schedule publication notifications.
- Respond to support requests and troubleshoot issues.
- Analyze usage patterns to improve the Service, develop new features, and fix bugs.
- Detect, investigate, and prevent fraudulent transactions and other illegal activities.
- Comply with legal obligations and respond to lawful requests from public authorities.
3. How We Share Your Information
We do not sell your personal data. We share information only in the following circumstances:
- Service providers: We share data with trusted third-party vendors who help us operate the Service, including cloud hosting (e.g. Vercel, AWS), authentication infrastructure, transactional email delivery, error monitoring, and payment processing. These vendors are contractually bound to use your data only to perform services for us.
- Within your organization: Managers and admins in your organization can view schedule data, team member profiles, and usage information for members of their organization. Team members can view their own shifts and, where enabled by the organization, the shifts of their colleagues.
- Legal requirements: We may disclose information if required by law, regulation, or valid legal process, or if we believe in good faith that disclosure is necessary to protect rights, safety, or property.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
4. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve the Service.
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
- Preference cookies: Store your settings such as language preference and timezone.
- Analytics cookies: Help us understand how users navigate the Service so we can improve it. You can opt out of analytics tracking in your account settings.
You can control cookies through your browser settings. Note that disabling essential cookies will prevent you from logging in.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data and organization content are retained for the duration of your subscription and for 30 days after account closure, after which they are permanently deleted.
- Billing records and invoices are retained for 7 years as required by financial regulations.
- Audit logs and security event records are retained for 12 months.
- Anonymized, aggregated usage analytics may be retained indefinitely.
You may request early deletion of your account and associated data at any time by contacting contact@rostly.org.
6. Security
We implement industry-standard security measures to protect your information, including:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of sensitive data at rest.
- Password hashing using a strong adaptive hashing algorithm.
- Role-based access controls limiting internal access to your data.
- Regular security assessments and penetration testing.
No method of transmission over the internet is completely secure. If you believe your account has been compromised, contact us immediately at contact@rostly.org.
7. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete data.
- Deletion: Request that we delete your personal data, subject to legal retention requirements.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to our processing of your data in certain circumstances.
- Restriction: Request that we restrict how we process your data while a dispute is resolved.
To exercise any of these rights, email contact@rostly.org. We will respond within 30 days. We may need to verify your identity before processing your request.
8. International Data Transfers
Rostly operates globally and your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that differ from those of your country.
Where we transfer personal data from the European Economic Area or the United Kingdom, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses approved by the European Commission.
9. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child without parental consent, we will delete it promptly. If you believe we have collected data from a child, please contact contact@rostly.org.
10. Third-Party Services and Links
The Service may contain links to or integrate with third-party websites and services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you use in connection with Rostly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or by a prominent notice within the Service at least 14 days before the changes take effect. The updated policy will be indicated by a revised effective date.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our privacy team at contact@rostly.org. You also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data appropriately. Our Terms of Service are available at Terms of Service.