Data Processing Terms

Roles

For account, billing, website, support and service administration data, Rota Done is normally the data controller.

For staff rota data entered by a venue, the venue or manager is normally the data controller. Rota Done stores and processes that rota data for the venue.

Staff Rota Data Processed

• Staff names and venue membership.
• Roles, rates, target hours, full-time/part-time labels, and contract-hour settings.
• Weekly availability, one-off availability exceptions, absences, and holiday requests.
• Shift assignments, open shifts, locks, requirements, publish history, and rota state.

Processing Purpose

Rota Done uses staff rota data to run the service: saving rotas, solving schedules, editing shifts, publishing rotas, showing staff their shifts, providing support, keeping the service secure, and maintaining venue records.

Processor Commitments

• Process staff rota data only for providing and supporting Rota Done.
• Apply appropriate technical and organisational security measures.
• Limit production admin access to authorised support/admin users.
• Assist with access, export, correction, and deletion requests where reasonably possible.
• Delete or export venue data on valid customer request, subject to technical and legal limits.
• Notify affected customers of relevant personal data incidents where required.

Subprocessors

Current service providers are expected to include the VPS hosting provider, IONOS SMTP for email delivery, and Stripe if billing is enabled. This list should be finalised before launch with provider names and locations.

Customer Instructions

Customers instruct Rota Done to process staff rota data by using the service. Customers should not enter unnecessary sensitive information, especially medical detail, in absence or holiday notes.