Privacy Policy

Effective date: 24 May 2026

1) Who we are

NJROSTER ("we", "us", "our") operates the website at njroster.com (the "Service"). We are the data controller for personal data processed via the Service.

Contact: sachwarah@gmail.com

2) Who can use the Service

The Service is intended for adult employees with an eligible work email domain. We do not knowingly process children's data.

3) What data we collect

  • Identity and contact data: name and work email address.
  • Roster details: fleet/aircraft type, position, gateway, and roster schedule data contained in your email.
  • Account and usage data: login activity, timestamps, notification preferences, and service usage logs.
  • Technical data: IP address and essential cookies.
  • Group membership data: groups you create or join, your role (admin or member), and join date.
  • Sharing data: information you choose to share with other users via roster visibility settings or groups.

4) How we use your data

  • Parse your roster email and store your schedule.
  • Create and provide your iCal feed.
  • Authenticate you and secure your account.
  • Send you notifications about your roster uploads and group activity.
  • Provide support and troubleshoot issues.
  • Maintain and improve the Service.
  • Comply with legal obligations.

5) Legal bases (UK/EU GDPR)

  • Contract: to provide the Service you request (account, roster parsing, iCal feed, notifications).
  • Legitimate interests: to secure, maintain, and improve the Service; to keep an audit trail for accountability and abuse prevention.
  • Legal obligation: where required by law.
  • Consent: where you choose to share your roster with other users (optional, off by default).

6) Sharing and disclosures

We do not sell your data. We may share data:

  • With service providers who host or operate the Service, under GDPR-aligned contracts (see section 7).
  • With other users, only if you choose to share your roster (controlled by your visibility setting).
  • With other members of groups you join, to the extent of your membership and roster visibility settings.
  • If required by law or to protect our rights and users.

When you share your roster, other users may only see that you are off, not the specific absence reason (e.g. sickness, family assistance, or other absence categories).

7) Service providers

Provider Purpose Region
Heroku Application hosting and platform EU
Heroku Postgres Database EU
Mailgun Inbound and outbound email EU
Sentry Error and event monitoring (operational log metadata only — no email addresses or roster content) US (SCCs)
Papertrail Log retention and search (operational logs) US (SCCs)

8) International transfers

Our primary database and application servers are hosted in the EU (Heroku EU region). Operational log data — application events and errors — is processed by Sentry and Papertrail, both US-based processors, under Standard Contractual Clauses (SCCs). These logs contain operational identifiers (user IDs) but not email addresses or roster content.

9) Data retention

We retain personal data only as long as necessary for the purpose it was collected:

Data Retention period
Roster schedule lines 365 days, purged automatically by a daily scheduled process
User account Until you delete it, or automatically after 365 days of inactivity (no roster uploads)
In-app notifications Read notifications: 90 days. Unread notifications: 365 days
Group membership Until you leave the group or your account is deleted
Session data Expired sessions are deleted daily
Audit and security logs Standard events (group actions, settings changes): 2 years. Security events (account deletion, login failures, password resets): 5 years

10) Groups

You can create groups to share rosters with colleagues. When you join a group, your name and roster (subject to your visibility settings) may be visible to other active members.

If you delete your account and you are the sole admin of a group, the longest-standing active member is automatically promoted to admin so the group can continue. If you are the only member, the group is dissolved. You can review and manage your groups before deleting your account.

You can leave a group at any time from the group's page.

11) Your rights

If you are in the UK/EEA, you have rights to access, correct, delete, restrict, or object to processing, and to data portability. You may withdraw consent for sharing at any time by setting your roster visibility to Private. To exercise other rights, contact us at sachwarah@gmail.com.

You can also download a copy of your data or permanently delete your account from the My Data page in your account settings.

12) Cookies

We only use essential cookies required for the Service to function:

  • sessionid — keeps you logged in during your session.
  • csrftoken — protects forms against cross-site request forgery.
  • messages — displays one-time status messages.

These cookies are strictly necessary. We do not use analytics, advertising, or tracking cookies. No cookie consent banner is required.

13) Security

We use reasonable technical and organisational measures to protect your data. No system is 100% secure, but we work to safeguard your information.

Calendar subscriptions are accessed via a unique tokenised link. Treat this link as sensitive and do not share it publicly. If you believe your link has been compromised, you can regenerate it from your account settings.

14) Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

15) Changes to this policy

We may update this policy from time to time. We will post the updated policy on the site and update the effective date. If changes are material, we will notify registered users via in-app notification.

16) Contact and complaints

For questions, contact sachwarah@gmail.com. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local EU supervisory authority.