How we handle your data. The full version.

This Privacy Policy explains how Rostor Labs, Inc. ("Rostor," "we," "us") collects, uses, shares, and protects personal data when you visit rostor.app, use the Rostor platform, or interact with us as a prospect, customer, employee of a customer, or applicant for a job.

Rostor acts in two distinct capacities: (a) as a controller of personal data we collect directly (e.g., contact form submissions, marketing leads, job applicants); and (b) as a processor of personal data our customers provide as part of their use of the Service. Sections 06 and 07 spell out how those roles differ.

Four principles guide every decision we make about your data:

• Minimize. We collect only what we need to operate the Service, keep it secure, and meet legal obligations.
• Be explicit. Where we use data for something beyond core operation, we ask.
• Don't train on you. We do not use Customer Data to train shared, multi-tenant models without written consent.
• Make exits painless. You can export, delete, or migrate your data at any time, without paying a penalty.

Account & billing data. Names, work emails, job titles, company names, billing addresses, and payment instruments. Purpose: to create accounts, send invoices, and provide support. Legal basis: contract, legitimate interest.

Customer Data uploaded to the Service. Employee records, shift histories, time punches, availability, leave history, skill credentials, and any other data your operators upload. Purpose: to operate the Service for you. Legal basis: your instructions, our contract with you. We process this as a processor — see section 06.

Telemetry and usage data. Pages visited, features used, latency metrics, errors, and device/browser metadata. Purpose: to operate, secure, and improve the Service. Legal basis: legitimate interest, balanced against your privacy.

Cookies and similar technologies. Strictly necessary cookies for authentication and security; optional analytics cookies for product improvement. You can disable optional cookies in our Cookie Preferences center.

Marketing data. If you submit a form, attend an event, or otherwise opt in, we hold contact details. Purpose: to respond to inbound interest and, where you've opted in, to send occasional product updates.

We use personal data only for the purposes described above and for the legitimate operation of our business. In practice, this means:

• Operating, securing, and improving the Service.
• Communicating with you about your account, billing, or security events.
• Providing support and customer success.
• Building product analytics in aggregated, de-identified form.
• Complying with legal obligations and defending legal claims.
• Recruiting, when you apply for a role.

We do not sell personal data. We do not share personal data with advertisers. We do not run third-party ad pixels on our application surfaces.

Rostor's AI features (demand forecasting, no-show prediction, burnout detection) are trained primarily on aggregated, de-identified labor and shift data, plus per-customer models trained only on that customer's Customer Data and operated only for them.

We do not use one customer's Customer Data to train a shared, multi-tenant model serving other customers without that customer's written consent. Per-customer model weights are deleted alongside Customer Data on termination.

AI Features produce probabilistic outputs that an authorized human at the customer reviews and approves before any roster is published. The AI does not make employment decisions.

When customers upload data about their employees, we act as a processor. Our customers are the controllers. We process this data only on their documented instructions, including for the limited purpose of providing the Service.

Our Data Processing Addendum ("DPA"), incorporating the EU Standard Contractual Clauses where applicable, is available at rostor.app/dpa. Enterprise customers can also sign a customized DPA.

Subprocessors. We rely on a small set of subprocessors (cloud infra, payment, support tooling) listed at rostor.app/subprocessors. Customers receive 30-day notice of new subprocessors and can object before they go live.

Depending on where you live, you may have rights to: (a) access the personal data we hold about you; (b) correct inaccurate data; (c) request deletion; (d) object to or restrict certain processing; (e) data portability; (f) withdraw consent; and (g) lodge a complaint with a supervisory authority.

If you are an employee of a Rostor customer, please direct rights requests to your employer first — they are the controller of your employment data. We will support them in fulfilling any valid request.

If you are a Rostor account holder or visitor, you can exercise your rights by emailing hello@rostor.co. We will respond within 30 days (and free of charge, except for manifestly unfounded or excessive requests).

Rostor is SOC 2 Type II, ISO 27001, and HIPAA-ready, with full BAA support on paid plans. Our security program includes:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Least-privilege access enforced via SSO + MFA across all internal systems.
• Quarterly penetration tests by an external firm; results available on request under NDA.
• Comprehensive logging, immutable audit trails, and 24/7 on-call security response.
• Annual third-party SOC 2 Type II audit by a Big-Four firm.

We notify affected customers without undue delay (and in any case within 72 hours) of any confirmed security incident materially affecting their data.

We retain personal data only as long as needed for the purposes described, then either delete or anonymize it. Specific retention periods include:

• Customer Data: for the term of your subscription, then 30 days post-termination for export, then deleted.
• Billing records: 7 years, to satisfy tax law.
• Audit logs: 7 years on Enterprise, 12 months on Starter and Growth.
• Marketing leads: 24 months from last interaction, then anonymized.
• Job applicant data: 12 months after the role closes, unless you ask us to keep your profile longer.

Rostor is headquartered in the United States and operates in the EU, the UK, and Canada. We use the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum where applicable.

Enterprise customers may elect EU data residency, which keeps Customer Data inside our Frankfurt and Dublin regions, with no replication to US infrastructure outside of break-glass disaster recovery.

The Service is intended for use by employers managing adult employees. We do not knowingly collect personal data from anyone under 16. If you believe we have, contact hello@rostor.co and we will delete it.

We may update this Privacy Policy from time to time. If we make a material change, we'll notify customers by email and post a banner on rostor.app at least 30 days before the change takes effect. Continued use after the effective date constitutes acceptance.

Email: hello@rostor.co

Nigeria office: 21 Joel Ogunnaike Street, Ikeja, Lagos, Nigeria

Ireland office: 81 Merrion Square, Dublin 2, Ireland

Phone: +234 815 487 4842