Privacy Policy

Effective Date: 1 March 2026  ·  Last Updated: 4 May 2026

1. Introduction

EasyRoster ("we", "us", or "our") operates the EasyRoster workforce scheduling platform available at easyrosterai.com. We are committed to protecting personal information in accordance with the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs) (as amended by the Privacy Amendment Act 2025 (NZ), including IPP 3A effective 1 May 2026), and, where applicable, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) (as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth)).

This Privacy Policy explains how we collect, hold, use, and disclose personal information in connection with the EasyRoster service. By using EasyRoster, you agree to the practices described in this policy.

For questions or concerns, contact us at innoweb.it@gmail.com.

2. Information We Collect

We collect three categories of personal information:

A. Customer Account Data

Information provided by a business owner, company admin, or staff user when creating and managing an EasyRoster account or company relationship:

  • Name and email address
  • Business (company) name
  • Subscription plan and billing information
  • Account preferences, company context, and settings
  • Browser push notification subscription tokens (endpoint URL and encryption keys) — stored when you opt in to push notifications. Used solely to deliver shift and roster alerts to your browser or device. You can withdraw consent at any time by disabling notifications in your browser or device settings, which will automatically remove your subscription token from our systems.
  • Availability preferences you set (per day: available, unavailable, or preferred) — used solely to assist roster planning.

B. Employee Data

Information entered by the Customer (business) about their employees, or generated through employees' use of the Service. EasyRoster processes this data solely on the instructions of the Customer and does not use it for any independent purpose:

  • Employee names and email addresses
  • Phone numbers (optional)
  • Hourly rates and employment start dates (optional)
  • Job titles or positions (optional)
  • Work schedules and shift times
  • Leave requests and shift swap requests
  • Shift history and notes
  • Time clock records — clock-in and clock-out timestamps, break duration, and timesheet status (pending or approved), when the Time Clock feature is enabled by the Customer. Approval actions and edits are recorded in an audit trail.
  • Availability preferences submitted by employees (per day: available, unavailable, or preferred).
  • Feedback and bug reports submitted through the in-app feedback widget — text content only. These are forwarded to our internal management system for triage. No scheduling data or employee records are included in feedback reports.

C. Automatically Collected Data

  • Session and authentication data (cookies, tokens)
  • Server logs (IP addresses, browser type, pages accessed)
  • Action audit logs — records of significant actions taken within the platform (e.g., timesheet approvals, edits, delegation changes), associated with the user account that performed the action. Retained for up to 12 months.
  • Usage and measurement data for product improvement and website analytics (aggregated where practicable)

3. How We Collect Personal Information

  • Directly from you — when you register an account, update your profile, or contact support.
  • From the Customer (Owner or Admin) — when a business adds employees or managers to the platform, it provides employee details on behalf of those workers. Customers are solely responsible for obtaining any necessary consents and for the lawfulness of disclosing their workers' personal information to EasyRoster. EasyRoster processes this information on the Customer's instructions only and assumes no responsibility for the Customer's compliance with its obligations to workers.
  • From employees directly — when workers accept invitations, set their passwords, switch company context, view their schedules, or submit leave or swap requests through the platform.
  • Via third-party sign-in — if you choose to sign in using Google OAuth, we receive your name and email address from Google as part of the authentication process. We do not receive your Google password.
  • Automatically — through session cookies, authentication tokens, and server logs when you interact with the platform.

Notice to Employees — Indirect Collection (NZ IPP 3A, effective 1 May 2026)

If you are an employee whose personal information has been entered into EasyRoster by your employer, we are providing this notice under Information Privacy Principle 3A (Privacy Amendment Act 2025 (NZ)), effective 1 May 2026.

  • Who collected your information: EasyRoster (operating at easyrosterai.com). Your employer (the Customer) provided your information to EasyRoster to set up and manage your work schedule.
  • Purpose of collection: To provide your employer with a workforce scheduling platform, and to allow you to view your schedule, submit leave and swap requests, and manage other scheduling functions enabled by your employer.
  • Who holds the information: EasyRoster holds your information on behalf of your employer. Your employer remains the primary data controller.
  • Intended recipients: Your employer and their authorised administrators within EasyRoster. Sub-processors are listed in Section 5 of this policy. We do not sell or share your information for marketing purposes.
  • Your rights: You have the right to access and correct personal information we hold about you — see Section 9 of this policy.

4. How We Use Your Information

We use personal information for the following purposes:

  • To provide, operate, and maintain the EasyRoster service
  • To authenticate users and manage account access
  • To send transactional emails via Resend (e.g., roster and shift notifications, invite emails, leave and swap request outcomes, password resets, email verification)
  • To deliver browser and device push notifications (shift alerts, roster updates, and request outcomes) where you have opted in. Push notifications are sent using your stored subscription token and do not share your personal information with the push delivery service beyond what is technically required.
  • To process subscription billing and payments
  • To provide customer support and respond to inquiries
  • To record and display time clock entries (clock-in/out, break duration, and approval status) for workforce management and payroll preparation purposes
  • To measure website usage and improve the platform using aggregated analytics
  • To analyse user-submitted feedback reports using AI (Google Gemini) in order to triage and prioritise product issues — feedback content may be sent to the Gemini API for this purpose (see Section 5)
  • To comply with legal obligations
  • To send product updates and service communications (you may opt out at any time)

Employee Data is processed exclusively to provide the scheduling and time tracking service to the Customer. We do not use Employee Data for marketing or any purpose independent of the Customer's instructions.

Automated Processing

EasyRoster uses Google Gemini (AI) to analyse the text content of user-submitted feedback reports for the purpose of triaging and prioritising product issues. Feedback content may be sent to the Gemini API for this purpose. No scheduling data, employee data, or billing data is sent to Gemini. This processing does not constitute automated decision-making that significantly affects individuals' rights or interests within the meaning of the Privacy and Other Legislation Amendment Act 2024 (Cth) (APP 1 automated decision-making transparency requirements, commencing 10 December 2026). We will update this policy before that date if our use of automated decision-making changes.

5. Disclosure to Third Parties

We do not sell personal information to third parties. We only disclose personal information to the following sub-processors as necessary to provide the EasyRoster service:

| Sub-processor | Purpose | Country |
| --- | --- | --- |
| Vercel | Platform hosting and deployment | Australia (Sydney) |
| Neon (PostgreSQL) | Database storage | Australia (Sydney) |
| Resend | Transactional email delivery | United States |
| Google Analytics | Website analytics and usage measurement (aggregated, no employee data) | United States |
| Sentry | Error and exception monitoring for production reliability. Receives error stack traces and technical context only — no customer data, employee records, or scheduling data is included in error reports. | United States |
| Google (OAuth) | Optional third-party sign-in authentication | United States |
| Stripe | Payment processing and subscription billing management. Stripe handles billing name, email address, and payment card details (stored under PCI-DSS by Stripe). Stripe may also use this data for fraud detection and loss prevention. | United States |
| Google Gemini | AI analysis of user-submitted feedback reports (content only, no account data) | United States |
| Web Push (browser push notifications) | Delivery of browser and device push notifications to opted-in users. Push subscription tokens (endpoint URL and encryption keys) are stored in our database and transmitted to your browser's push service provider (e.g., Google FCM for Chrome, Mozilla for Firefox) solely to deliver notifications. We do not have access to the content of communications between your device and its push provider. | United States (provider-dependent) |
| Innoweb (internal management system) | Internal customer support and operations platform operated by the EasyRoster team. Receives the text content of user-submitted feedback reports for triage and support purposes. No employee scheduling data or billing data is shared. This is a first-party system operated by the same team as EasyRoster. | Australia (Sydney) |

We may also disclose personal information if required to do so by law, court order, or government authority.

6. Overseas Disclosure (NZ IPP 12 / AU APP 8)

EasyRoster is hosted on infrastructure located in Australia (Sydney). Application servers and the primary database (Vercel and Neon) are deployed in the Sydney region (AWS ap-southeast-2). Other sub-processors such as Resend, Stripe, and Google are based in the United States. Our internal management system (Innoweb) is operated in Australia (Sydney).

Legal Grounds for Cross-Border Transfers

We rely on the following grounds under NZ Privacy Act 2020 IPP 12 and AU Privacy Act 1988 APP 8.2:

  • Comparable safeguards (IPP 12(a) / APP 8.2(a)): Our US-based sub-processors (Stripe, Resend, Sentry, Google Analytics, Google Gemini, Google OAuth, web push providers) are bound by contractual data-protection obligations that are equivalent to NZ/AU privacy law, and maintain industry-recognised certifications including SOC 2 Type II (Vercel, Neon, Stripe, Sentry) and ISO 27001 (Stripe, Google services). Stripe additionally maintains PCI DSS Level 1 certification for payment data.
  • Informed consent (IPP 12(b) / APP 8.2(b)): By creating an account and using EasyRoster, you provide informed consent to your personal information being processed by the sub-processors listed in Section 5, including those located in the United States.
  • No cross-border for AU customers' primary data: Application data and database storage remain within Australia (Sydney) for AU customers. Cross-border applies only to the specific functions described above (email delivery, payment processing, error monitoring, analytics, AI feedback triage, OAuth, and push notifications).

We take reasonable steps to ensure that all overseas recipients handle personal information in a manner consistent with the Australian Privacy Principles and the New Zealand Information Privacy Principles. EasyRoster remains accountable for our sub-processors' acts in respect of your personal information (APP 8.1 accountability).

7. Data Security

We implement reasonable technical and organisational measures to protect personal information, including:

  • Encryption of all data in transit using TLS/HTTPS
  • Encryption of data at rest in our database
  • Role-based access controls (employees can only see their own data)
  • Password hashing using bcrypt
  • Secure invite token generation and expiry
  • Infrastructure hosted on SOC 2 certified providers

In the event of a data breach likely to result in serious harm, we will notify the relevant authority and affected individuals as required by applicable law:

  • New Zealand: the Office of the Privacy Commissioner (OPC) under the Privacy Act 2020 (s. 116)
  • Australia: the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breach (NDB) scheme (Part IIIC of the Privacy Act 1988)

Important: While we implement reasonable security measures — including technical and organisational measures as required under the Privacy and Other Legislation Amendment Act 2024 (Cth) — no internet-based service can guarantee absolute security. You acknowledge that you transmit personal information to EasyRoster at your own risk. EasyRoster is not liable for any unauthorised access, disclosure, or loss of personal information that occurs despite our reasonable precautions.

Breach Response Commitments (NZ + AU)

In the event of a notifiable privacy breach we commit to the following timelines:

  • Initial assessment — completed within 30 days of detection (AU APP 11.3 / NZ Privacy Act 2020 s 115).
  • Regulator notification — within 72 hours of confirming the breach is likely to cause serious harm. We notify both the NZ Office of the Privacy Commissioner (s 117) and the AU Office of the Australian Information Commissioner (Notifiable Data Breaches Scheme, Part IIIC of the Privacy Act 1988).
  • Affected-individual notification — as soon as practicable after regulator notification, with concrete steps you can take to protect yourself.

AU Statutory Tort for Serious Invasions of Privacy: We acknowledge that the Privacy and Other Legislation Amendment Act 2024 (Cth) introduced a statutory tort for serious invasions of privacy (commenced 10 June 2025), actionable without proof of damage. Nothing in this policy or our Terms of Service excludes, limits, or modifies any right or remedy you may have under that Act, the Privacy Act 1988 (Cth), or the Privacy Act 2020 (NZ). Our breach response commitments above are designed to comply with these obligations and to mitigate harm if a breach occurs.

8. Data Retention

  • Active account data — retained for the duration of the active subscription.
  • Deleted account-only records — may be retained for up to 12 months before purge where no longer employment-related records are involved, subject to legal holds and operational safeguards.
  • Audit logs and system logs — retained for up to 12 months.
  • Billing records — retained as required by applicable tax law (NZ and/or Australia).
  • Employment record retention — employers are required by law to retain employment records for specified periods: in New Zealand under the Employment Relations Act 2000 and Wages Protection Act 1983; in Australia under the Fair Work Act 2009 (s. 535) (7 years). Employment-related records and company membership history may therefore be retained for up to 7 years or longer where another law, audit requirement, or legal hold applies. Customers (as the employing business) are solely responsible for meeting these obligations. EasyRoster assumes no responsibility for ensuring Customer compliance with any record retention requirement. We strongly recommend exporting your data before cancellation.

9. Your Rights

Under applicable privacy law (NZ Privacy Act 2020 IPPs; AU Privacy Act 1988 APPs 12 & 13), you have the right to:

  • Access the personal information we hold about you (APP 12)
  • Correct inaccurate or out-of-date personal information (APP 13)
  • Request deletion of your personal information (subject to legal retention obligations)

Admins can update most account and employee data directly within the platform. For other requests, email us at innoweb.it@gmail.com. We will respond within 30 days. If we refuse a request, we will provide written reasons as required by applicable law. In limited circumstances, we may charge a reasonable fee to cover the cost of providing access (AU: APP 12.3; NZ: Privacy Act 2020 s. 39).

Note: Requests relating to employee data held by a business using EasyRoster may be best directed first to the employing business, as they are the primary data controller for that information. EasyRoster will respond to employee access requests consistent with our obligations under applicable privacy law.

10. EEA / UK Users (GDPR & UK GDPR)

EasyRoster is offered exclusively to businesses in New Zealand and Australia (see Terms of Service §1). Account registration is restricted to these jurisdictions, and we do not target the European Economic Area or the United Kingdom under GDPR Article 3(2) (territorial scope). EasyRoster is not designed to provide a full GDPR compliance regime.

If you nevertheless interact with EasyRoster from the EEA or UK (for example, an NZ/AU business's employee who travels), you may exercise the following rights to the extent they apply by contacting our Privacy Officer at privacy@easyrosterai.com:

  • Right to access, correct, and erase your personal information
  • Right to data portability
  • Right to restrict or object to processing
  • Right to withdraw consent for analytics cookies

For the purposes of any applicable GDPR / UK GDPR obligation, EasyRoster acts as a Data Processor and the Customer (the business) is the Data Controller for employee data.

11. Cookies

EasyRoster uses the following cookies and similar technologies:

  • Session cookies — to maintain your authenticated session while using the platform.
  • Authentication tokens — to securely identify your account.
  • Analytics cookies — to measure website usage, navigation patterns, and product engagement through Google Analytics.

We do not use advertising or third-party marketing cookies. We do use analytics measurement technologies to understand product usage and improve the service. You can manage cookies through your browser settings; however, disabling session cookies will prevent you from logging in and may affect analytics measurement.

12. Children's Privacy

EasyRoster is intended for use by businesses and individuals aged 18 or over. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such information, please contact us at innoweb.it@gmail.com so we can delete it promptly.

13. Complaints

If you have a complaint about how we have handled your personal information, please contact our Privacy Officer at privacy@easyrosterai.com. We will acknowledge your complaint within 5 business days and respond within 20 working days for NZ-based requests (Privacy Act 2020 s 40) or 30 calendar days for other jurisdictions (AU APP 12.4).

If you are not satisfied with our response, you may escalate to the relevant authority:

New Zealand — Office of the Privacy Commissioner (OPC)

Australia — Office of the Australian Information Commissioner (OAIC)

EU users may also escalate to their local Data Protection Authority (DPA).

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or via an in-app notification at least 30 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the policy was last revised. Continued use of EasyRoster after the effective date of any changes constitutes your acceptance of the updated policy.

15. Contact Us

For any questions, requests, or complaints regarding this Privacy Policy or our handling of personal information, please contact our designated Privacy Officer:

EasyRoster Privacy Officer

Privacy Officer: Minwoo Na, Director, Innoweb Limited

Designated under Privacy Act 2020 (NZ) section 201 and Australian Privacy Principle 1.4 (open and transparent management).

Email: privacy@easyrosterai.com (also reachable at innoweb.it@gmail.com)

Operated by: Innoweb Limited (New Zealand registered company)

Website: easyrosterai.com

© 2026 EasyRoster. All rights reserved.