Privacy Policy

Effective date: 17 January 2026

1) Who we are

NJROSTER ("we", "us", "our") operates the website at njroster.com (the "Service"). We are the data controller for personal data processed via the Service.

Contact: sachwarah@gmail.com

2) Who can use the Service

The Service is intended for adult employees with an eligible work email domain. We do not knowingly process children's data.

3) What data we collect

  • Identity and contact data: name and work email address.
  • Roster details: fleet/aircraft type and roster data contained in your email.
  • Account and usage data: login activity, timestamps, and service usage logs.
  • Technical data: IP address, browser/device details, and essential cookies.
  • Sharing data: information you choose to share with other users.

4) How we use your data

  • Create and provide your iCal feed.
  • Authenticate you and secure your account.
  • Provide support and troubleshoot issues.
  • Maintain and improve the Service.
  • Comply with legal obligations.

5) Legal bases (UK/EU GDPR)

  • Contract: to provide the Service you request.
  • Legitimate interests: to secure, maintain, and improve the Service and prevent abuse.
  • Legal obligation: where required by law.
  • Consent: where you choose to share your roster with other users (optional, off by default).

6) Sharing and disclosures

We do not sell your data. We may share data:

  • With service providers who host or operate the Service, under GDPR-aligned contracts.
  • With other users, only if you choose to share your roster details.
  • If required by law or to protect our rights and users.

When you share your roster, other users may only see that you are off, not the specific absence reason (e.g. sickness, family assistance, or other absence categories).

7) Service providers

  • Hosting: Heroku
  • Database: Heroku Postgres
  • Email: Mailgun
  • Error monitoring: Sentry
  • Logging: Papertrail

8) International transfers

We host data in the EU and do not intentionally transfer personal data outside the UK/EEA.

9) Data retention

We retain roster data for up to 12 months for troubleshooting and service quality, then delete it via a daily scheduled process. Inactive accounts are deleted after 12 months via a daily scheduled process unless we need to retain data for legal reasons.

10) Your rights

If you are in the UK/EEA, you have rights to access, correct, delete, restrict, or object to processing, and to data portability. You may withdraw consent for sharing at any time. To exercise these rights, contact us at sachwarah@gmail.com.

You can also download a copy of your data from the My Data page in your account after signing in.

You can control roster sharing from your profile settings.

11) Cookies

We only use essential Django cookies required for authentication and security. We do not use analytics or advertising cookies.

12) Security

We use reasonable technical and organisational measures to protect your data. No system is 100% secure, but we work to safeguard your information.

Calendar subscriptions are accessed via a unique link. Treat this link as sensitive and do not share it publicly. We are transitioning away from legacy, guessable URLs; if you are still using one, update your link in your account settings.

13) Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

14) Changes to this policy

We may update this policy from time to time. We will post the updated policy on the site and update the effective date. If changes are material, we will provide additional notice.

15) Contact and complaints

For questions, contact sachwarah@gmail.com. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or your local EU supervisory authority.