Skip to content

Privacy Policy

Effective: 26 May 2026 · Version 2.0

This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have. We have written it in plain language. If anything is unclear, contact us using the details in Section 21.

1. Introduction and overview

RosterAid® is a roster, scheduling, attendance, and payment management application for class givers, teachers, trainers, coaches, and instructors. It is offered as a mobile app (iOS, with Android planned) and as web applications at rosteraid.com (this marketing site) and web.rosteraid.com (signup and billing).

2. Who we are (Data Controller)

The “data controller” is the person or entity that decides why and how your personal data is processed. For this Privacy Policy, the controller is:

TGS Enterprise
San Diego, California, United States of America
Email: support@rosteraid.com

Data Protection Officer. We have not appointed a Data Protection Officer; we are not required to do so under GDPR Article 37(1). For any privacy matter, please use the contact details in Section 21.

Throughout this policy, “we”, “us”, and “our” refer to the controller above. “You” refers to the person whose personal data we process — most commonly a coach, teacher, trainer, or instructor using RosterAid, but in some cases a client (whether adult or minor), a parent or guardian, or a visitor to our website.

3. EU Representative (GDPR Article 27)

Because we are established outside the European Union but offer services to people in the EU, EU law requires us to designate a representative in the Union.

We are a small business and are working toward formal designation of an EU representative. While we work toward that designation, EU and EEA users may contact us directly at support@rosteraid.com for any GDPR matter — we commit to responding within the statutory one-month window for any data-subject rights request. We will update this section as soon as a representative is in place.

4. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on personal data — collection, storage, use, disclosure, deletion, and so on.
  • “Our Service” means the RosterAid mobile and web applications, the websites rosteraid.com and web.rosteraid.com, and related infrastructure.
  • “You” means the data subject — typically an account holder (coach, teacher, trainer, instructor) or a visitor to our website. In some sections we also refer to “clients” (and, where the client is a minor in an educational setting, also “students”) — these are people whose information is entered into our Service by a coach using their own account.
  • “GDPR” means Regulation (EU) 2016/679. “UK GDPR” is the United Kingdom equivalent.

5. What personal data we collect

5.1 Data you give us directly (account, profile, and payment)

When you create an account or use our paid plans, we collect:

  • Identity data: first name, last name (optional), display name.
  • Contact data: email address, optional phone number.
  • Authentication data: password (stored only as a salted hash), session tokens.
  • Profile data: profile photo if you upload one, preferred language.
  • Payment data: billing name, billing country, and a token representing your payment method. We do not see or store your full card number, CVV, or bank credentials — these are handled by our payment processors (see Section 7).
  • Communications: the content of any emails, contact-form submissions, or support requests you send us.

5.2 Data we collect from third parties (OAuth identity providers)

If you choose to sign in with Google or Apple, we receive a limited identity payload from them:

  • From Google: your name, email address, and Google account identifier, in line with the scopes you grant during the OAuth consent screen.
  • From Apple: your name (only at first sign-in) and either your real email or an Apple-generated relay email (if you choose “Hide my email”). We treat both as your contact email.

We do not receive your Google or Apple password, full contact list, or unrelated account information.

5.3 Data you upload about other people (your “clients”)

RosterAid lets you, as a coach, teacher, trainer, or instructor, enter information about the people you train, instruct, or otherwise serve. We call these people your “clients”. Depending on the kind of work you do, your clients may be adults (e.g., adult-amateur tennis players, personal-training clients, adult music students) or minors (e.g., children in a kids' class). What we collect typically includes:

  • Name (and where used, a parent's or guardian's name)
  • Optional contact details (email, phone)
  • Optional date of birth
  • Attendance records, schedules, notes, and payment records you create

These individuals are data subjects too. Because they did not give us their information directly — you did — we have specific duties to them under GDPR Article 14 (information to a data subject when data is not collected from them) and GDPR Article 26 (joint controllership) regardless of their age. See Section 14 (Joint controllership with coaches), which applies to all clients you enter. Section 13 (Children's data) sets out additional rules that apply when a client is a minor.

5.4 Data we collect automatically

When you use the app or visit our websites:

  • Device and technical data: device type, operating system version, app version, screen size, language setting, time zone.
  • Log data: IP address, request timestamps, error logs, basic security/audit logs.
  • Usage data: in-app navigation events used to diagnose bugs and improve features (no third-party advertising trackers; no cross-site profiling).
  • Cookies and similar technologies on rosteraid.com: see Section 19. Google Analytics is loaded only after you grant consent through our cookie banner.

The mobile app does not contain advertising SDKs, third-party trackers, or cross-app identifiers.

5.5 What happens if you do not provide certain data

Providing the data marked required is a contractual requirement (GDPR Art. 13(2)(e)) — that is, we need it to enter into and perform the agreement to deliver the Service to you. There is no statutory obligation to provide your data, but without it we cannot create or operate your account. For example, we cannot create an account without an email address, and we cannot process a paid subscription without payment data.

Optional data (such as a date of birth, or analytics consent) is not required to use the Service. Choosing not to provide it does not affect your access.

6. Why we process your data, and on what legal basis

GDPR requires us to identify a legal basis (Article 6) for every purpose of processing. The table below maps each purpose to its basis.

PurposeData usedLegal basis (GDPR Art. 6)
Create and operate your account; deliver the core ServiceIdentity, contact, authentication, content you uploadContract — Art. 6(1)(b)
Process subscription paymentsIdentity, payment dataContract — Art. 6(1)(b)
Customer support and replies to your messagesIdentity, contact, communicationsContract — Art. 6(1)(b) for paid users; legitimate interest — Art. 6(1)(f) for free-tier users
Transactional emails (password reset, billing receipts, security alerts)Identity, contactContract — Art. 6(1)(b)
Optional marketing emails (product news, tips)Identity, contactConsent — Art. 6(1)(a) (separately captured, never pre-ticked)
Secure the Service (rate limits, fraud detection, bot protection)Log data, technical data, hCaptcha tokens (see Section 7)Legitimate interest — Art. 6(1)(f)
Measure visitor use of our marketing siteCookies, IP, page-view data via Google Analytics 4Consent — Art. 6(1)(a) (via cookie banner)
Comply with legal obligations (tax, accounting, court orders)Payment data, communicationsLegal obligation — Art. 6(1)(c)
Defend, exercise, or establish legal claimsAll categories as neededLegitimate interest — Art. 6(1)(f)

Balancing tests for legitimate interest (summary):

  • Security. Interest: keeping accounts and client roster data safe from unauthorized access, abuse, and fraud. Necessity: rate-limiting, hCaptcha, and login lockouts are the least-intrusive technical means we are aware of that achieve this goal; alternatives like blanket IP blocking would be more restrictive and less effective. Balance: users reasonably expect a SaaS provider handling roster data — which in some deployments includes data about minors — to take these precautions; the privacy impact is low (no profiling, no third-party advertising); users may object under Section 10, item 6.
  • Customer support for free-tier users. Interest: responding to inquiries the user themselves initiated. Necessity: we cannot answer a support question without using the contact details in the message. Balance: data is not repurposed; retained only as long as needed to resolve the matter.
  • Legal claims. Interest: defending against or pursuing legal claims arising from the Service. Necessity: limited to the data actually relevant to a specific dispute. Balance: users can object; we assess and document.

You may object to processing based on legitimate interest at any time. See Section 10, item 6.

7. Who we share your data with (Recipients and sub-processors)

We do not sell your personal data, and we do not share it for advertising purposes. We share data only with the service providers we need to operate. Each is bound by a Data Processing Agreement under GDPR Article 28.

Sub-processorWhat they do for usWhere based / processed
Supabase Inc.Hosts our database, authentication, and edge functionsUnited States (AWS infrastructure)
Vercel Inc.Hosts our marketing site and the signup/billing siteUnited States
Stripe Inc. / Stripe Payments Europe Ltd.Card payment processing (used by web.rosteraid.com)United States and Ireland (EU transactions routed via Stripe Payments Europe Ltd., Dublin)
PayPal (Europe) S.à r.l. et Cie, S.C.A. / PayPal, Inc.Alternative payment processorLuxembourg and United States
Google LLCOAuth identity for “Sign in with Google”; Google Analytics 4 on our marketing site (only after consent)United States
Apple Distribution International Ltd. (Cork, Ireland) for EU/EEA/UK/Swiss users; Apple Inc. (Cupertino, USA) for all other users“Sign in with Apple” and App Store distributionIreland (EU users) / United States (others)
Intuition Machines, Inc. (hCaptcha)Bot protection on the contact formUnited States
Web3Forms (operated by Pelosys SARL)Contact-form relay serviceFrance

We may also share data:

  • With other RosterAid users you authorize — for example, a coach who shares roster information with a substitute or team co-owner. You control these shares from within the app.
  • With legal and tax advisors, accountants, or auditors, under confidentiality obligations.
  • In response to lawful requests by public authorities — see Section 17.
  • In connection with a business transfer (merger, acquisition, asset sale). We would notify you in advance and you would retain all rights under this policy.

The sub-processor table in this Section 7 is the current sub-processor list; we update this Privacy Policy when it changes. We will provide reasonable advance notice (via email or in-app notice) before adding a new sub-processor that has a material effect on the processing of your data, so you have an opportunity to object before the new processor goes live.

8. Where your data is processed (International transfers)

Most of our infrastructure is hosted in the United States. When you use RosterAid from the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to and stored in the US.

We use the following safeguards under GDPR Articles 44–49 / UK GDPR equivalents:

  1. EU-US Data Privacy Framework (DPF) and UK Extension — where the receiving company is self-certified.
  2. Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, Module 2 (controller-to-processor) or Module 3 (processor-to-processor), for transfers where DPF does not apply or to provide a backstop.
  3. UK International Data Transfer Addendum and the Swiss Federal Data Protection and Information Commissioner's recognized clauses where applicable.

Supplementary measures: We require encryption in transit (TLS 1.3 where the client supports it, with TLS 1.2 as the minimum acceptable) and encryption at rest for stored personal data; we restrict access through least-privilege role controls; and we keep an audit trail of administrative access.

You can request a copy of the SCCs that apply to your data by emailing support@rosteraid.com. We may redact commercially confidential terms but will provide the data-protection clauses in full.

9. How long we keep your data (Retention)

We keep personal data only as long as we need it for the purposes set out in Section 6, or as required by law.

CategoryRetention periodNotes
Account and profile dataWhile active; 30 days after account deletion data is permanently erased from production.Backups follow the schedule below.
Content you upload (clients, schedules, attendance)Same as account data.Deleted with the account.
Payment records (invoices, receipts)Up to 7 years after the transaction.In line with common US business-records retention practice; specific records may be retained for shorter periods where law permits.
Login and security logs12 monthsUsed for fraud and abuse investigation.
Contact-form submissions12 monthsUsed to answer your question.
Google Analytics 4 data (marketing site)14 monthsAggregate visitor data, only if you consented.
Database backups30 daysEncrypted; restored only for disaster recovery. After 30 days, data deleted from production is also gone from backups.
Unverified accounts (signup never completed)30 daysAbandoned signups are purged automatically.
Cookie consent records12 months from the date you set or last changed your preferences.So we can demonstrate valid consent under Art. 7(1).

If you exercise your right to erasure (Section 10, item 3), we honor it within 30 days unless we have a legal obligation to retain a specific record (in which case we tell you which record and why).

10. Your rights

If GDPR or UK GDPR applies to you, you have the following rights. You can exercise any of them by emailing support@rosteraid.com. We will respond within one month (extendable by two further months for complex requests, with notice).

  1. Right of access (Art. 15) — get a copy of the personal data we hold about you.
  2. Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  3. Right to erasure / “right to be forgotten” (Art. 17) — have your data deleted, subject to legal-retention exceptions.
  4. Right to restriction of processing (Art. 18) — pause our use of your data while a dispute is being resolved.
  5. Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format. Until our in-app export feature ships, we provide this manually on request, within 30 days.
  6. Right to object (Art. 21) — object to processing based on legitimate interest (Section 6) or to direct marketing (we will stop immediately).
  7. Right to withdraw consent (Art. 7(3)) — for processing based on consent (e.g., marketing, analytics cookies). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  8. Right not to be subject to a solely automated decision producing legal or similarly significant effects (Art. 22) — see Section 12.

We do not charge for these requests unless they are manifestly unfounded or excessive (in which case we will tell you first).

If you are a California resident, see the CCPA/CPRA addendum in Section 18.

11. Right to lodge a complaint with a supervisory authority

If you believe we have mishandled your personal data, you have the right to complain to a supervisory authority.

  • EU/EEA users — your local Data Protection Authority. A current list is maintained by the European Data Protection Board at edpb.europa.eu.
  • UK users — the Information Commissioner's Office (ICO) at ico.org.uk.
  • Swiss users — the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

We would appreciate the chance to address your concern first — please write to support@rosteraid.com before lodging a complaint — but this is your choice and not a precondition.

12. Automated decision-making and profiling

We do not make decisions that produce legal or similarly significant effects about you using solely automated means within the meaning of GDPR Article 22.

Some features of the Service look automated — for example, attendance rollovers, reminder notifications, or recurring session generation. These are convenience tools that you control and that you can manually override or disable at any time. They do not score, profile, or rank you.

We do not use your data to train third-party machine-learning models, and we do not sell or share it with data brokers.

13. Children's data

RosterAid is intended for adults aged 18 or over (the coach/teacher/trainer/instructor who creates the account — see our Terms). The clients you enter into RosterAid may include minors (and, where you work in an educational setting, students).

13.1 Children using RosterAid directly

We do not knowingly create accounts for children. The minimum age to create a RosterAid account is 18. If we learn we have created an account for a child, we will delete it.

GDPR Article 8 sets a baseline digital-consent age of 16, which member states may lower to no less than 13 (for example, France: 15; Spain: 14; Portugal: 13). Germany applies the GDPR default age of 16. Where local law sets a lower age, that age applies.

For US users: the Children's Online Privacy Protection Act (COPPA, 15 USC §6501 et seq.) prohibits collection of personal data from children under 13 without verifiable parental consent. RosterAid does not knowingly collect data directly from any child under 18. Where a coach enters data about a US-resident minor under 13 into the Service, the coach is responsible for obtaining the verifiable parental consent COPPA requires.

13.2 Additional rules when the client is a minor

The joint-controllership arrangement in Section 14 applies to all clients a coach enters into the Service — adult or minor. The Article 14 notice designation in Section 14 also applies to minors. The following additional rules apply specifically when a client is a minor:

  • Parental / guardian consent warranty. Before adding a minor's data to RosterAid, the coach must have obtained parental or legal-guardian consent (or another valid lawful basis under their local law). This warranty is restated in our Terms of Service.
  • Parental / guardian rights — who to contact. Parents and guardians may contact either RosterAid (support@rosteraid.com) or the coach to exercise any data-subject right on behalf of the minor. With reasonable proof of identity and relationship, RosterAid will act on its own authority where the request concerns the technical handling of the data (e.g., deletion from our systems, export, restriction). We coordinate with the coach where the request concerns the content of the roster (e.g., whether the child should be in the class at all). We respond within one month of a valid request.

13.3 Special categories (Article 9)

We do not knowingly process special-category personal data (health, religion, racial or ethnic origin, and other categories listed in GDPR Article 9). If you include such information in free-text fields (for example, a medical note in a session comment), you must have a valid Article 9(2) basis to do so — typically the explicit consent of the data subject (or their parent/guardian for minors). We will treat the data under the same security measures as the rest of your data, but we strongly recommend you avoid entering special-category data into the Service.

14. Joint controllership with coaches: who is responsible for what

When you use RosterAid to manage information about other people — your clients, whether adults or minors — you and RosterAid are joint controllers within the meaning of GDPR Article 26 for that data. We share responsibility — but not symmetrically. The “essence” of the arrangement under Art. 26(1) is:

  • The coach decides who is entered, what data is entered, and why (the purposes of processing).
  • RosterAid decides where the data is stored, how long it is retained, what security measures protect it, and which sub-processors handle it (the means of processing).
  • Either party may receive and act on a data-subject rights request, and will coordinate with the other where the request crosses our respective responsibilities.

Article 14 notice. Because client data reaches us from a coach rather than directly from the client, GDPR Article 14 requires us to inform the data subject about how we process their data. This Privacy Policy serves as the Article 14 notice for every client a coach enters into the Service — adult or minor. If you are a client (or, where the client is a minor, their parent or guardian) and would like a copy of this notice in your language, or want to know which coach entered your data, contact us at support@rosteraid.com.

In more detail:

You (the coach) are responsible for:

  1. Having a lawful basis (typically consent from the parent/guardian, or another basis under your local law) before entering a person into RosterAid.
  2. Telling the data subject (or their parent/guardian) that you use RosterAid and that you have entered their information.
  3. The accuracy and lawfulness of the content of the records you create.
  4. Responding to data-subject requests that relate to the content of your roster (e.g., “should this person be on your roster at all?” or “why is this client still listed as active?”).
  5. Keeping your account credentials confidential.

We (RosterAid) are responsible for:

  1. The technical and organizational security of the data (Section 15).
  2. Where the data is stored, how long it is retained, and which sub-processors handle it (Sections 7 and 9).
  3. Acting on data-subject requests that relate to the technical handling of the data (e.g., deletion from our systems, export, restriction).
  4. Breach notification under Articles 33–34 (Section 16).
  5. Making this Privacy Policy available as the Article 14 notice to affected data subjects.

Either party may receive and act on a rights request from an affected person (or their parent/guardian). We will coordinate with each other in good faith. Affected data subjects can contact either of us at any time — see Section 21 for our contact, and contact your coach directly for the content-side questions.

We will support you with reasonable assistance in fulfilling your responsibilities under this Section.

15. Security measures (Article 32)

We use technical and organizational measures appropriate to the risk, including:

  • TLS 1.3 where the client supports it, and TLS 1.2 minimum for all data in transit (web, app, API).
  • Encryption at rest for our managed Postgres database (provided by Supabase / AWS) and for sensitive credentials on the mobile device (AES-encrypted secure storage via Capacitor Preferences).
  • Role-based access control with least-privilege defaults.
  • Audit logs for administrative database access.
  • Login lockout and rate limits to deter credential-stuffing.
  • Salted password hashing (we never store your plaintext password).
  • Regular automated backups with the retention noted in Section 9.
  • Vendor due diligence on every sub-processor, including a signed Data Processing Agreement.
  • Annual review of our security posture.

We do not claim to be invulnerable. No internet service is. We commit to telling you promptly if something does go wrong — see Section 16.

16. Personal data breach notification (Articles 33–34)

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the competent supervisory authority within 72 hours of becoming aware, in line with Art. 33.
  • Notify affected users directly and in clear language, without undue delay, where the breach is likely to result in a high risk (Art. 34), describing what happened, what data was affected, the likely consequences, and the measures we are taking.

We document every incident, including those we did not have to report.

17. Law enforcement and government requests

We comply with the law, but we do not give blanket access to user data. When we receive a request from a public authority we:

  1. Confirm the request is properly addressed to us and is legally valid in the jurisdiction it comes from.
  2. Challenge requests that are over-broad, vague, or appear to lack legal basis.
  3. Notify the affected user where we are legally allowed to do so.
  4. Disclose only the data the request specifies.
  5. Keep an internal log of every request.

18. California residents — CCPA / CPRA addendum

If you are a resident of California, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), gives you the following rights, in addition to those above:

  • Right to know what personal information we have collected about you, the sources, the purposes, and the categories of third parties we shared it with.
  • Right to delete personal information we hold about you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt-out of sale or sharing of personal information.
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising any of these rights.

We do not sell personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under California law.

You can exercise these rights by emailing support@rosteraid.com. We may need to verify your identity by matching the request against information already on your account. An authorized agent may submit a request on your behalf with proof of authorization.

19. Cookies and similar technologies (marketing site)

The marketing site at rosteraid.com uses a small number of cookies and similar technologies. We group them into three categories:

  1. Strictly necessary — required to deliver the site. These do not need consent.
  2. Analytics — Google Analytics 4. Used only to count and understand visits. Fires only after you grant consent through the cookie banner. If you reject or close the banner, no analytics cookies are set.
  3. Preferences — e.g., remembering your cookie choices, locale.

You can change or withdraw your consent at any time by clicking “Cookie preferences” in the site footer.

The mobile app does not use third-party cookies and does not include advertising or cross-app tracking SDKs.

20. Changes to this Privacy Policy

We will update this policy as our practices, the law, or our sub-processor list change.

  • For material changes (new categories of data, new purposes, new sub-processors with significant effect), we will give you at least 30 days' notice by email and/or prominent in-app notice, and where consent was the basis for processing, ask you to re-consent.
  • For minor clarifications (typos, formatting, contact details), we will update the version number and effective date without separate notice.

Each published version is identified by an effective date and version number at the top of this document. Prior versions are available on request at support@rosteraid.com.

21. How to contact us

For any privacy question, request, or complaint:

  • Email: support@rosteraid.com
  • Postal: TGS Enterprise — San Diego, California, USA
  • EU Representative: see Section 3
  • UK Information Commissioner's Office: ico.org.uk
  • European Data Protection Board (directory of EU DPAs): edpb.europa.eu

We aim to respond within 7 days for general questions, and within the statutory window of one month for formal data-subject requests.