GDPR Compliance Statement

Last Updated: January 2025

✓ RosterIQ is fully compliant with UK GDPR and the Data Protection Act 2018

1. Our Commitment to Data Protection

RosterIQ is committed to protecting the privacy and personal data of our users in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our data protection responsibilities seriously and have implemented comprehensive measures to ensure compliance.

2. Our Role as Data Controller and Processor

2.1 Data Controller

RosterIQ acts as a data controller for personal data we collect directly from you, such as:

  • Account information (name, email, phone number)
  • Billing and payment information
  • Website usage and analytics data
  • Marketing preferences

2.2 Data Processor

RosterIQ acts as a data processor for personal data you input into our Service, such as:

  • Staff member information
  • Shift schedules and attendance records
  • Leave requests and balances
  • Qualifications and certifications

As a data processor, we process this data on your behalf and in accordance with your instructions. You, as the data controller, are responsible for ensuring you have an appropriate legal basis for processing this data.

3. Legal Basis for Processing

We process personal data under the following legal bases as required by UK GDPR:

  • Contract (Article 6(1)(b)): To provide the Service you have subscribed to
  • Legitimate Interests (Article 6(1)(f)): To improve our Service, ensure security, and prevent fraud
  • Consent (Article 6(1)(a)): Where you have given clear consent (e.g., marketing communications)
  • Legal Obligation (Article 6(1)(c)): To comply with applicable laws (e.g., tax records)
  • Vital Interests (Article 6(1)(d)): To protect health and safety in care home environments

4. Data Subject Rights

Under UK GDPR, individuals have the following rights, which we fully support:

4.1 Right of Access (Article 15)

You have the right to request a copy of all personal data we hold about you. We will provide this within one month (may be extended by two months for complex requests).

4.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.

4.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data, subject to legal obligations that may require us to retain certain data (e.g., financial records for 7 years).

4.4 Right to Restrict Processing (Article 18)

You can request that we limit how we process your data in certain circumstances (e.g., while accuracy is being verified).

4.5 Right to Data Portability (Article 20)

You can receive your data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV). You can export your data from the Service at any time.

4.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.

4.7 Rights Related to Automated Decision-Making (Article 22)

While our AI scheduling provides recommendations, all final scheduling decisions are made by managers. You have the right to request human review of any automated decisions that significantly affect you.

4.8 Right to Withdraw Consent (Article 7)

Where processing is based on consent, you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

5. Exercising Your Rights

To exercise any of these rights, please contact us at jay@rosteriq.co.uk. We will:

  • Respond within one month (extendable to three months for complex requests)
  • Verify your identity before processing requests (for security)
  • Provide information free of charge (unless requests are manifestly unfounded or excessive)
  • Explain any refusals and inform you of your right to complain to the ICO

6. Data Security Measures

We implement appropriate technical and organizational measures to protect personal data:

6.1 Technical Measures

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access control, multi-factor authentication available
  • Network Security: Firewalls, intrusion detection, regular security audits
  • Backup and Recovery: Regular encrypted backups, tested disaster recovery procedures
  • Monitoring: Continuous monitoring for security breaches and anomalies

6.2 Organizational Measures

  • Staff training on data protection and GDPR compliance
  • Data protection policies and procedures
  • Confidentiality agreements with all staff and contractors
  • Regular security assessments and audits
  • Incident response procedures

7. Data Breach Notification

In the unlikely event of a data breach that poses a risk to individuals' rights and freedoms, we will:

  • Notify the UK Information Commissioner's Office (ICO) within 72 hours
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Provide clear information about the nature of the breach, potential consequences, and mitigation measures
  • Document all breaches and our response actions

8. Data Processing Agreements

Where we act as a data processor on your behalf, we enter into Data Processing Agreements (DPAs) that:

  • Specify the subject matter, duration, and purposes of processing
  • Define the types of personal data and categories of data subjects
  • Set out our obligations and your rights
  • Ensure we only process data in accordance with your instructions
  • Include appropriate security measures

Our Standard Data Processing Agreement is available upon request. Enterprise customers will receive a customized DPA as part of their subscription.

9. International Data Transfers

Your data is primarily stored and processed in the United Kingdom and European Economic Area (EEA). If we need to transfer data outside the UK/EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the UK government
  • Other approved transfer mechanisms as required by UK GDPR

10. Data Protection Impact Assessments (DPIA)

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, such as:

  • Large-scale processing of special category data
  • Systematic monitoring of publicly accessible areas
  • Automated decision-making with significant effects

DPIAs help us identify and mitigate privacy risks before implementing new features or processing activities.

11. Records of Processing Activities

We maintain detailed records of our processing activities as required by Article 30 of UK GDPR, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • Data retention periods
  • Security measures implemented

12. Your Responsibilities as a Data Controller

When using RosterIQ, you are responsible for:

  • Ensuring you have an appropriate legal basis for processing staff and resident data
  • Obtaining necessary consents where required
  • Providing privacy notices to your staff and data subjects
  • Responding to data subject requests regarding data you control
  • Ensuring data accuracy and keeping data up to date
  • Implementing appropriate security measures for your access credentials

We provide tools and features to help you comply with your obligations, but ultimate responsibility lies with you as the data controller.

13. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

  • Account Data: While the account is active + 7 years (legal/compliance requirements)
  • Workforce Data: While the subscription is active + 7 years (audit/compliance)
  • Marketing Data: Until consent is withdrawn or you opt out
  • Support Data: 3 years after last contact

You can request deletion of your data at any time, subject to legal retention requirements.

14. Cookies and Tracking

We only use cookies and tracking technologies with your consent (except for strictly necessary cookies). See our Cookie Policy for details.

15. Contact Our Data Protection Officer

For any data protection inquiries or to exercise your rights, please contact us:

Data Protection Officer
RosterIQ
Email: jay@rosteriq.co.uk
Website: rosteriq.co.uk

16. Right to Complain

If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

17. Updates to This Statement

We may update this GDPR Compliance Statement from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by updating the "Last Updated" date and, where appropriate, sending you an email notification.

18. Related Documents

For more information, please review:

  • Privacy Policy - Detailed information about data collection and use
  • Cookie Policy - Information about our use of cookies
  • Terms of Service - Our terms and conditions