Privacy policy
Rostora is a scheduling tool operated by Q10 Labs BV (company number BE 1034.312.582), registered in Belgium. We are the data controller for the personal data you provide when you use Rostora. This policy explains what we collect, why, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR).
What we collect
We collect only what we need to run the product:
- Account data — name, email address, password (stored as a bcrypt hash), role, department, initials, default floor, and whether you are an admin or manager.
- Workspace data — company name, country (for public holidays), department list, floor count, and your subscription status.
- Schedule data — the schedule patterns and day-level overrides you and your colleagues record.
- Feedback/support messages — if you send feedback, we receive the message, email address, page path, and source IP so we can respond and prevent abuse.
- Billing data — if you subscribe, Stripe processes your payment details. We store a Stripe customer ID and subscription metadata; we never see or store your card number.
- Pending signups — if you start signing up but don't verify your email, we keep your name, email, company, country, and password hash temporarily so you can finish. These records expire automatically.
- Trial abuse prevention — we keep a recent-trial marker for the signup email for 30 days so the free trial cannot be restarted repeatedly by deleting and recreating a workspace.
Why we use it
- To provide the service you signed up for (legal basis: performance of a contract).
- To send transactional email — verification, password resets, billing receipts (legal basis: performance of a contract).
- To keep the service secure and debug issues (legal basis: legitimate interest).
- To comply with tax and accounting obligations (legal basis: legal obligation).
We do not sell your data, we do not use it to train machine-learning models, and we do not share it with advertisers. We use Vercel Analytics and Vercel Speed Insights to measure aggregate traffic and page performance. Both are cookieless, anonymise visitors at source (no persistent identifier), and do not track you across sites.
Where it is stored
Your data is hosted inside the European Union. Our database runs on Neon in the eu-central-1 region (Frankfurt, Germany) and the application runs on Vercel. A handful of sub-processors help us deliver the service:
| Processor | Purpose | Region |
|---|---|---|
| Neon | Database hosting | EU (Frankfurt) |
| Vercel | Application hosting, CDN, and cookieless aggregate analytics (Vercel Analytics & Speed Insights) | EU region |
| Resend | Transactional email | EU / US |
| Stripe | Payment processing | EU / US |
| Sentry | Error tracking & diagnostics using internal user/workspace IDs | EU / US |
| Slack | Workspace integration (only when an admin installs it) | US |
| Google | Calendar sync (only when an individual user connects their Google account) | EU / US |
Some of these sub-processors may handle data in the United States. Each is certified under the EU-US Data Privacy Framework, and we rely on that mechanism plus their standard contractual clauses to protect transfers. The Slack and Google sub-processors are only engaged if your workspace opts into those integrations.
How long we keep it
- Active workspaces — for as long as the workspace exists.
- Deleted workspaces — when an admin deletes a workspace from Team settings, all users, schedule patterns, and overrides belonging to that workspace are permanently removed within 24 hours.
- Pending signups — automatically deleted after the verification link expires.
- Trial markers — automatically deleted after 30 days.
- Feedback/support messages — retained only as long as needed to handle the request and maintain support history.
- Billing records — retained for up to 10 years as required by Belgian accounting law.
- Backups — database backups are retained by Neon for up to 30 days and then rotated out.
Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Correct it if it is inaccurate — most of this you can do yourself from Settings.
- Request deletion of your account and associated data.
- Port your data to another service.
- Object to or restrict processing.
- Lodge a complaint with your national supervisory authority — in Belgium that is the Gegevensbeschermingsautoriteit.
To exercise any of these rights, email us at the address below. If you are a user inside a workspace, note that your admin is the first person to contact — they control the workspace and can remove you directly.
Cookies
Rostora uses a single cookie — rostora-session — to keep you signed in. It is strictly necessary for the service to work and does not require consent under the ePrivacy Directive. We do not set any advertising or analytics cookies.
Automated decision-making
We do not carry out any automated decision-making or profiling within the meaning of Article 22 of the GDPR. Rostora is not directed at children and is not intended for use by anyone under the age of 16.
Data breaches
If we discover a security incident that has exposed your personal data, we will notify the affected workspace admins by email within 72 hours of confirmation, in line with our obligation under Article 33 of the GDPR to report to the Belgian Gegevensbeschermingsautoriteit. The notification will describe what happened, what data was affected, what we have done to contain it, and what you can do to protect yourself.
Changes
If we make material changes to this policy we will notify active workspace admins by email at least 30 days before the change takes effect. The date at the top of this page shows when it was last revised.
Data protection questions or requests: info@rostora.com