Privacy Policy
Last updated: 7 May 2026. This policy explains what Rota Done stores, why we store it, and how managers and staff can ask about their data.
Who We Are
Rota Done is a rota management service for hospitality venues. For account, billing, website, support and service administration data, Rota Done is the data controller.
Contact: support@rotadone.co.uk.
What We Store
| Data | Purpose | Lawful Basis |
|---|---|---|
| Name, email, password hash, verification state | Create accounts, verify email addresses and keep users signed in securely. | Contract |
| Venue name, manager membership, staff membership | Provide each venue workspace and control who can manage or view rotas. | Contract |
| Rota state: staff names, roles, rates, target hours, employment type labels, availability, absences, shifts, revenue forecasts and publish timestamps | Save, solve, publish and reopen rotas across devices. | Contract; legitimate interests for service integrity |
| Invite email, invite token, staff name, expiry and used timestamp | Invite staff into the correct venue and match them to their shifts. | Contract |
| Holiday or absence requests | Let staff request time off and let managers approve or decline requests. | Contract; legitimate interests |
| Contact and feedback messages | Respond to enquiries, bug reports and product feedback. | Legitimate interests |
| Admin audit events | Record safety-critical admin actions such as deleting venues, deleting users, resetting rotas and deciding absence requests. | Legitimate interests |
| Stripe customer and subscription references, if billing is enabled | Manage subscriptions and payment status. Card details are handled by Stripe, not stored by Rota Done. | Contract |
| Session cookies and basic security logs | Authentication, abuse prevention and service reliability. | Strictly necessary; legitimate interests |
Venue Staff Data
Managers may enter staff names, roles, rates, target hours, employment type labels, availability, absences and shifts. For that staff rota data, the venue or manager is normally the data controller. Rota Done stores and processes the rota data for the venue.
Storage, Cookies, Local Storage And Third Parties
- Data is stored in PostgreSQL on a UK-hosted VPS.
- Passwords are hashed; we cannot read them.
- All traffic is encrypted over HTTPS.
- We use session cookies to keep users signed in.
- We use browser localStorage for interface preferences such as light mode and staff grouping.
- IONOS SMTP is used to send verification, invite and rota emails.
- Stripe may be used for subscription billing once billing is enabled.
- We do not sell data and do not use advertising trackers.
Retention
- Account and venue data is kept while the account or venue exists.
- Published rotas are retained as a historical work record unless the venue or account is deleted.
- Unpublished draft rotas are kept until deleted by a manager or admin.
- Invites expire after 7 days and should be cleaned up after expiry.
- Contact and feedback messages should be kept for no longer than 12 months unless needed for an active support issue.
- Admin audit events are retained to protect customers and support incident review.
- Deleted venues and users should be removed from production systems unless a short backup retention window applies.
Your Rights
Under UK GDPR you can request access, correction, deletion, restriction, objection or portability of your personal data. You can also complain to the ICO if you believe your data has been mishandled.
To exercise a right, email support@rotadone.co.uk. We will respond within one month unless the request is unusually complex.
Rota Done · support@rotadone.co.uk · rotadone.co.uk