Roster

Last updated: 4 May 2026

Privacy Policy

1. Who we are

Roster ("we", "us", "our") is a software service operated as a sole trader by [YOUR FULL LEGAL NAME] trading as Roster, registered in England.

Contact: hello@roster.app

We are the "data controller" for personal data of agency users (people who sign up to use Roster). We are the "data processor" for personal data agencies upload about creators or brands they pitch to. Agencies remain the "data controller" for that data.

2. What data we collect

From agency users (account holders):

  • Name and email address (for sign-up and login)
  • Agency name, contact details, billing address (for invoicing)
  • Payment information (handled by Stripe — we never see card numbers)
  • Usage data: pages viewed, features used, IP address (for security and product improvement)

From creators (when their managing agency uploads):

  • Name, handle, bio, niche, location, photo
  • Social platform handles and statistics (followers, engagement rates)
  • Audience demographics provided by the agency
  • Email and phone number if provided by the agency

From brand contacts (when they submit a brief or view a pitch):

  • Name, email, phone (when submitted via the brief form)
  • IP address hash and user agent (for view tracking analytics — IPs are hashed, not stored in plain form)

3. How we use it

  • Provide the service: generate media kits, deliver pitch decks, send share links, accept brand briefs
  • Bill you: process subscription payments via Stripe
  • Communicate: account emails, important service notices, support replies
  • Improve the product: aggregated usage analytics — never sold or shared
  • Comply with law: tax records, anti-fraud, legal requests if required

We do not sell your data, share it with advertisers, or use it for advertising purposes. We do not use your data to train AI models.

4. Lawful basis for processing (UK GDPR Article 6)

  • Contract: we process account-holder data to deliver the service you purchased
  • Legitimate interest: security logs, usage analytics, and feature improvements
  • Consent: when you explicitly agree to OAuth integrations or marketing emails
  • Legal obligation: tax, accounting, and anti-fraud requirements

5. Data we receive from third-party platforms (OAuth)

When an agency connects a creator's TikTok, Instagram, YouTube, Twitch, Kick, or Snapchat account through Roster, we receive limited data via that platform's API: profile information, follower counts, audience demographics where available, and recent media metadata.

We use this data only to populate the creator's media kit and pitch decks. We do not post on the creator's behalf, do not contact their followers, and do not access their direct messages.

The creator may revoke our access at any time via the platform's own settings (e.g., Instagram → Settings → Apps and Websites).

6. Sharing your data

We share data only with these processors:

  • Supabase — database hosting and authentication (servers in EU)
  • Vercel — application hosting (servers in EU)
  • Stripe — payment processing
  • Resend — transactional email delivery
  • OAuth platforms (Google, Meta, TikTok, Twitch, Kick, Snap) — only when an agency authorises a connection

Each of these has appropriate data processing agreements in place. We do not transfer data outside the UK/EU without appropriate safeguards (Standard Contractual Clauses where required).

7. How long we keep data

  • Account data: for as long as your account is active, plus 30 days after deletion
  • Billing records: 6 years (HMRC requirement)
  • Pitch view analytics: 12 months
  • Anonymised usage data: indefinitely

8. Your rights (UK GDPR)

You have the right to:

  • Access a copy of your data (Subject Access Request)
  • Correct inaccurate data
  • Delete your account and associated data
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent at any time
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these rights, email privacy@roster.app. We'll respond within one month.

9. Cookies

We use essential cookies for authentication and session management. We do not use advertising cookies or third-party tracking cookies. We do not use a cookie banner because we don't use non-essential cookies.

10. Security

Your data is encrypted in transit (TLS) and at rest. Database access is restricted by row-level security policies so that each agency can only see its own data. We use industry-standard authentication (Supabase Auth, OAuth 2.0) and never store passwords in plain text; only salted password hashes are stored.

In the unlikely event of a personal data breach, we will notify the ICO within 72 hours of becoming aware of it and affected users without undue delay, in accordance with UK GDPR Articles 33 and 34.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we'll notify you by email or in-app.

12. Contact

Privacy questions: privacy@roster.app
General contact: hello@roster.app
Postal: [YOUR BUSINESS ADDRESS]