Privacy Policy

Effective Date: 1 March 2026  ·  Last Updated: 13 April 2026

1. Introduction

EasyRoster ("we", "us", or "our") operates the EasyRoster workforce scheduling platform available at easyrosterai.com. We are committed to protecting personal information in accordance with the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs) (as amended by the Privacy Amendment Act 2025 (NZ), including IPP 3A effective 1 May 2026), and, where applicable, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) (as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth)).

This Privacy Policy explains how we collect, hold, use, and disclose personal information in connection with the EasyRoster service. By using EasyRoster, you agree to the practices described in this policy.

For questions or concerns, contact us at innoweb.it@gmail.com.

2. Information We Collect

We collect three categories of personal information:

A. Customer Account Data

Information provided by a business owner, company admin, or staff user when creating and managing an EasyRoster account or company relationship:

  • Name and email address
  • Business (company) name
  • Subscription plan and billing information
  • Account preferences, company context, and settings
  • Browser push notification subscription tokens (endpoint URL and encryption keys) — stored when you opt in to push notifications. Used solely to deliver shift and roster alerts to your browser or device. You can withdraw consent at any time by disabling notifications in your browser or device settings, which will automatically remove your subscription token from our systems.
  • Availability preferences you set (per day: available, unavailable, or preferred) — used solely to assist roster planning.

B. Employee Data

Information entered by the Customer (business) about their employees, or generated through employees' use of the Service. EasyRoster processes this data solely on the instructions of the Customer and does not use it for any independent purpose:

  • Employee names and email addresses
  • Phone numbers (optional)
  • Hourly rates and employment start dates (optional)
  • Job titles or positions (optional)
  • Work schedules and shift times
  • Leave requests and shift swap requests
  • Shift history and notes
  • Time clock records — clock-in and clock-out timestamps, break duration, and timesheet status (pending or approved), when the Time Clock feature is enabled by the Customer. Approval actions and edits are recorded in an audit trail.
  • Availability preferences submitted by employees (per day: available, unavailable, or preferred).
  • Feedback and bug reports submitted through the in-app feedback widget — text content only. These are forwarded to our internal management system for triage. No scheduling data or employee records are included in feedback reports.

C. Automatically Collected Data

  • Session and authentication data (cookies, tokens)
  • Server logs (IP addresses, browser type, pages accessed)
  • Action audit logs — records of significant actions taken within the platform (e.g., timesheet approvals, edits, delegation changes), associated with the user account that performed the action. Retained for up to 12 months.
  • Usage and measurement data for product improvement and website analytics (aggregated where practicable)

3. How We Collect Personal Information

  • Directly from you — when you register an account, update your profile, or contact support.
  • From the Customer (Owner or Admin) — when a business adds employees or managers to the platform, it provides employee details on behalf of those workers. Customers are solely responsible for obtaining any necessary consents and for the lawfulness of disclosing their workers' personal information to EasyRoster. EasyRoster processes this information on the Customer's instructions only and assumes no responsibility for the Customer's compliance with its obligations to workers.
  • From employees directly — when workers accept invitations, set their passwords, switch company context, view their schedules, or submit leave or swap requests through the platform.
  • Via third-party sign-in — if you choose to sign in using Google OAuth, we receive your name and email address from Google as part of the authentication process. We do not receive your Google password.
  • Automatically — through session cookies, authentication tokens, and server logs when you interact with the platform.

Notice to Employees — Indirect Collection (NZ IPP 3A, effective 1 May 2026)

If you are an employee whose personal information has been entered into EasyRoster by your employer, we are providing this notice under Information Privacy Principle 3A (Privacy Amendment Act 2025 (NZ)), effective 1 May 2026.

  • Who collected your information: EasyRoster (operating at easyrosterai.com). Your employer (the Customer) provided your information to EasyRoster to set up and manage your work schedule.
  • Purpose of collection: To provide your employer with a workforce scheduling platform, and to allow you to view your schedule, submit leave and swap requests, and manage other scheduling functions enabled by your employer.
  • Who holds the information: EasyRoster holds your information on behalf of your employer. Your employer remains the primary data controller.
  • Intended recipients: Your employer and their authorised administrators within EasyRoster. Sub-processors are listed in Section 5 of this policy. We do not sell or share your information for marketing purposes.
  • Your rights: You have the right to access and correct personal information we hold about you — see Section 9 of this policy.

4. How We Use Your Information

We use personal information for the following purposes:

  • To provide, operate, and maintain the EasyRoster service
  • To authenticate users and manage account access
  • To send transactional emails via Resend (e.g., roster and shift notifications, invite emails, leave and swap request outcomes, password resets, email verification)
  • To deliver browser and device push notifications (shift alerts, roster updates, and request outcomes) where you have opted in. Push notifications are sent using your stored subscription token and do not share your personal information with the push delivery service beyond what is technically required.
  • To process subscription billing and payments
  • To provide customer support and respond to inquiries
  • To record and display time clock entries (clock-in/out, break duration, and approval status) for workforce management and payroll preparation purposes
  • To measure website usage and improve the platform using aggregated analytics
  • To analyse user-submitted feedback reports using AI (Google Gemini) in order to triage and prioritise product issues — feedback content may be sent to the Gemini API for this purpose (see Section 5)
  • To comply with legal obligations
  • To send product updates and service communications (you may opt out at any time)

Employee Data is processed exclusively to provide the scheduling and time tracking service to the Customer. We do not use Employee Data for marketing or any purpose independent of the Customer's instructions.

Automated Processing

EasyRoster uses Google Gemini (AI) to analyse the text content of user-submitted feedback reports for the purpose of triaging and prioritising product issues. Feedback content may be sent to the Gemini API for this purpose. No scheduling data, employee data, or billing data is sent to Gemini. This processing does not constitute automated decision-making that significantly affects individuals' rights or interests within the meaning of the Privacy and Other Legislation Amendment Act 2024 (Cth) (APP 1 automated decision-making transparency requirements, commencing 10 December 2026). We will update this policy before that date if our use of automated decision-making changes.

5. Disclosure to Third Parties

We do not sell personal information to third parties. We only disclose personal information to the following sub-processors as necessary to provide the EasyRoster service:

| Sub-processor | Purpose | Country |
| --- | --- | --- |
| Vercel | Platform hosting and deployment | Australia (Sydney) |
| Neon (PostgreSQL) | Database storage | Australia (Sydney) |
| Resend | Transactional email delivery | United States |
| Google Analytics | Website analytics and usage measurement (aggregated, no employee data) | United States |
| Sentry | Error and exception monitoring for production reliability. Receives error stack traces and technical context only — no customer data, employee records, or scheduling data is included in error reports. | United States |
| Google (OAuth) | Optional third-party sign-in authentication | United States |
| Stripe | Payment processing and subscription billing management. Stripe handles billing name, email address, and payment card details (stored under PCI-DSS by Stripe). Stripe may also use this data for fraud detection and loss prevention. | United States |
| Google Gemini | AI analysis of user-submitted feedback reports (content only, no account data) | United States |
| Web Push (browser push notifications) | Delivery of browser and device push notifications to opted-in users. Push subscription tokens (endpoint URL and encryption keys) are stored in our database and transmitted to your browser's push service provider (e.g., Google FCM for Chrome, Mozilla for Firefox) solely to deliver notifications. We do not have access to the content of communications between your device and its push provider. | United States (provider-dependent) |
| Innoweb (internal management system) | Internal customer support and operations platform operated by the EasyRoster team. Receives the text content of user-submitted feedback reports for triage and support purposes. No employee scheduling data or billing data is shared. This is a first-party system operated by the same team as EasyRoster. | Australia (Sydney) |

We may also disclose personal information if required to do so by law, court order, or government authority.

6. Overseas Disclosure (APP 8)

EasyRoster is hosted on infrastructure located in Australia (Sydney). Application servers and the primary database (Vercel and Neon) are deployed in the Sydney region (AWS ap-southeast-2). Other sub-processors such as Resend, Stripe, and Google are based in the United States.

We take reasonable steps to ensure that all overseas recipients handle personal information in a manner consistent with the Australian Privacy Principles. Our sub-processors are bound by contractual obligations and maintain industry-standard security certifications (including SOC 2 Type II for Vercel and Neon).

By using EasyRoster, you acknowledge and consent to your personal information being processed by our sub-processors, including those based outside Australia and New Zealand.

7. Data Security

We implement reasonable technical and organisational measures to protect personal information, including:

  • Encryption of all data in transit using TLS/HTTPS
  • Encryption of data at rest in our database
  • Role-based access controls (employees can only see their own data)
  • Password hashing using bcrypt
  • Secure invite token generation and expiry
  • Infrastructure hosted on SOC 2 certified providers

In the event of a data breach likely to result in serious harm, we will notify the relevant authority and affected individuals as required by applicable law:

  • New Zealand: the Office of the Privacy Commissioner (OPC) under the Privacy Act 2020 (s. 116)
  • Australia: the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breach (NDB) scheme (Part IIIC of the Privacy Act 1988)

Important: While we implement reasonable security measures — including technical and organisational measures as required under the Privacy and Other Legislation Amendment Act 2024 (Cth) — no internet-based service can guarantee absolute security. You acknowledge that you transmit personal information to EasyRoster at your own risk. EasyRoster is not liable for any unauthorised access, disclosure, or loss of personal information that occurs despite our reasonable precautions.

8. Data Retention

  • Active account data — retained for the duration of the active subscription.
  • Deleted account-only records — may be retained for up to 12 months before purge where no longer employment-related records are involved, subject to legal holds and operational safeguards.
  • Audit logs and system logs — retained for up to 12 months.
  • Billing records — retained as required by applicable tax law (NZ and/or Australia).
  • Employment record retention — employers are required by law to retain employment records for specified periods: in New Zealand under the Employment Relations Act 2000 and Wages Protection Act 1983; in Australia under the Fair Work Act 2009 (s. 535) (7 years). Employment-related records and company membership history may therefore be retained for up to 7 years or longer where another law, audit requirement, or legal hold applies. Customers (as the employing business) are solely responsible for meeting these obligations. EasyRoster assumes no responsibility for ensuring Customer compliance with any record retention requirement. We strongly recommend exporting your data before cancellation.

9. Your Rights

Under applicable privacy law (NZ Privacy Act 2020 IPPs; AU Privacy Act 1988 APPs 12 & 13), you have the right to:

  • Access the personal information we hold about you (APP 12)
  • Correct inaccurate or out-of-date personal information (APP 13)
  • Request deletion of your personal information (subject to legal retention obligations)

Admins can update most account and employee data directly within the platform. For other requests, email us at innoweb.it@gmail.com. We will respond within 30 days. If we refuse a request, we will provide written reasons as required by applicable law. In limited circumstances, we may charge a reasonable fee to cover the cost of providing access (AU: APP 12.3; NZ: Privacy Act 2020 s. 39).

Note: Requests relating to employee data held by a business using EasyRoster may be best directed first to the employing business, as they are the primary data controller for that information. EasyRoster will respond to employee access requests consistent with our obligations under applicable privacy law.

10. GDPR Rights (EU Users)

If you are located in the European Economic Area, you may have additional rights under the General Data Protection Regulation (GDPR):

  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to restrict processing
  • Right to object to processing
  • Right to withdraw consent

For the purposes of GDPR, EasyRoster acts as a Data Processor and the Customer (the business) is the Data Controller for employee data. To exercise your rights, contact us at innoweb.it@gmail.com.

11. Cookies

EasyRoster uses the following cookies and similar technologies:

  • Session cookies — to maintain your authenticated session while using the platform.
  • Authentication tokens — to securely identify your account.
  • Analytics cookies — to measure website usage, navigation patterns, and product engagement through Google Analytics.

We do not use advertising or third-party marketing cookies. We do use analytics measurement technologies to understand product usage and improve the service. You can manage cookies through your browser settings; however, disabling session cookies will prevent you from logging in and may affect analytics measurement.

12. Children's Privacy

EasyRoster is intended for use by businesses and individuals aged 18 or over. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such information, please contact us at innoweb.it@gmail.com so we can delete it promptly.

13. Complaints

If you have a complaint about how we have handled your personal information, please contact us first at innoweb.it@gmail.com. We will acknowledge your complaint within 5 business days and respond within 30 days.

If you are not satisfied with our response, you may escalate to the relevant authority:

New Zealand — Office of the Privacy Commissioner (OPC)

Australia — Office of the Australian Information Commissioner (OAIC)

EU users may also escalate to their local Data Protection Authority (DPA).

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or via an in-app notification at least 30 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the policy was last revised. Continued use of EasyRoster after the effective date of any changes constitutes your acceptance of the updated policy.

15. Contact Us

For any questions, requests, or complaints regarding this Privacy Policy or our handling of personal information, please contact us:

EasyRoster

Operated by: Innoweb Limited (New Zealand)

Email: innoweb.it@gmail.com

Website: easyrosterai.com

© 2026 EasyRoster. All rights reserved.