Privacy Policy

Last updated: 16 June 2026

This policy explains how Rosterna collects, uses, and protects personal data, in line with the Saudi Personal Data Protection Law (PDPL).

Who we are

Rosterna is the data controller for account and organization data. A KSA-resident Data Protection Officer is being appointed; in the meantime, reach us at hello@rosterna.sa.

Data we collect

  • Account data: your name, work email, and phone number.
  • Organization data: company details, departments, shifts, and settings.
  • Staff data you enter: employee names, roles, contact details, and Iqama number / expiry where used for labor-law compliance.
  • Usage and log data needed to run and secure the service.

How we use it

We use personal data to provide scheduling and notifications, process billing, offer support, secure the service, and meet legal obligations. Our lawful bases include performance of our contract with you, our legitimate interests in running the service, legal obligations, and consent where required.

Service providers (sub-processors)

We rely on trusted providers to operate Rosterna — including our cloud hosting provider, our payment provider (Moyasar), and our email provider (Resend). Each processes data on our behalf under contract and only as needed to deliver the service.

International transfers

Rosterna is currently hosted on cloud infrastructure outside the Kingdom, and migration to in-Kingdom hosting (AWS me-central-1, Riyadh) is on our near-term roadmap. Where personal data is processed outside Saudi Arabia, we apply appropriate safeguards consistent with the PDPL.

Retention

We keep personal data for as long as your account is active and for a limited period afterwards, then delete or anonymize it, unless a longer period is required by law.

Your rights

Under the PDPL you may request access to, correction of, or deletion of your personal data, and object to certain processing. To exercise these rights, email hello@rosterna.sa with the subject “DSAR”.

Security

We protect data with encryption in transit and at rest, strict per-organization isolation at the database layer, and access controls. No system is perfectly secure, but we work to reduce risk and respond to incidents promptly.

Changes & contact

We will post any updates to this policy here. Questions? Email hello@rosterna.sa.