Legal

Privacy Policy

This page mirrors the current privacy policy source used across Darouta so public links from emails and the site resolve to one canonical document.

Last Updated: 2026-04-13

1. Introduction

Darouta ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share your personal information when you use our rota management application. We are compliant with the UK Data Protection Act 2018 and GDPR.

2. Information We Collect

We collect the following types of information:

A. Account Information

  • Email address (Required for authentication)
  • Full name
  • Company details
  • Subscription plan details

B. Employee Data (Inputs by You)

You may input data about your employees ("Employee Data") to manage rotas.

  • Full name (Required)
  • Contact details: Email, Phone
  • Department
  • Shift preferences and availability

C. Usage Data

  • Rota schedules and shift patterns
  • Metadata (creation and update timestamps)

D. Live Schedule Sharing Data

When you enable Live Schedule for a venue, Darouta can publish a read-only staff-facing schedule view for published rotas.

  • Visible to viewers: employee display names (or full-name fallback), section labels, shift dates and times, break durations, and shift tags from the published rota snapshot.
  • Not exposed on public Live Schedule pages: employee email addresses, phone numbers, availability/preferences, private notes, and draft-only rota data.
  • Access-protection data: venue access codes are stored only as hashes, and verification attempts are logged using hashed IP data rather than raw IP addresses.

E. Collaboration And Invite Data

When you invite collaborators into a workspace, Darouta stores the minimum data needed to deliver and enforce that access flow.

  • Invited collaborator email address.
  • Inviter name and email address.
  • Permission level and scoped collaboration rules for the invite.
  • Invite timestamps, acceptance status, and any removal state needed to stop showing revoked invitations.

We use this information to send collaboration emails, show pending invite state in the app, and verify that only the invited address can accept workspace access.

F. Billing And Checkout Data

When you start a paid Team checkout or Business trial/checkout, Darouta and Stripe process billing-specific data needed to calculate tax, present the correct legal disclosures, and reconcile the resulting subscription.

  • Billing email address.
  • Billing country and, where required, state or province.
  • Payer name and business or trading name.
  • Selected plan, checkout timestamps, legal acknowledgement records, and billing-policy version references.
  • Business trial eligibility and lifecycle records when Business is selected, including trial policy version, trial reservation/consumption status, trial period dates, and related Stripe customer, checkout session, and subscription identifiers. Team subscriptions do not use Business trial records.
  • Limited tax information such as tax ID type, validation outcome, and hashed or reference-based identifiers used for reconciliation. Darouta prefers not to store raw tax ID numbers locally whenever Stripe can hold them instead.
  • Stripe customer, checkout session, subscription, and invoice identifiers needed to support billing, recovery, and customer support.
  • If a paid workspace is created or later claimed from a successful guest checkout, the declared billing country and subdivision may also be used once to seed the workspace working-time warning jurisdiction while that workspace default is still unset. After that initial seed, working-time location is stored as ordinary owner-managed workspace or venue settings inside the app.

3. How We Use Your Data

We use your data strictly to:

  • Provide the rota management service.
  • Process subscription payments (via Stripe).
  • Start, reconcile, and prevent repeated use of the Business trial. Stripe stores payment details for the Business trial up front, and Darouta stores only the trial ledger and Stripe identifiers needed to reconcile that trial.
  • Determine the correct billing tax treatment and maintain billing, tax, and legal checkout records.
  • Seed the initial workspace working-time warning jurisdiction from successful guest-checkout geography when available, then store later working-time location changes as app-managed workspace settings.
  • Authenticate your access.
  • Comply with legal obligations.

We do NOT sell your data to third parties.

4. Data Retention

  • Active Data: Retained as long as your account is active.
  • Deleted Data: When you delete a record (e.g., an employee or rota), it is "soft deleted" initially.
  • Anonymization: Soft-deleted records are anonymized after 30 days in compliance with GDPR data minimization principles. This means we scrub all personally identifiable information (PII) like names and emails, but keep non-identifiable statistics.
  • Live Schedule access attempts: Hashed-IP verification-attempt rows are retained only for short-lived abuse prevention and operational monitoring.
  • Billing, Tax, Trial, And Checkout Evidence: Some billing, Business trial, and checkout records may be retained longer than ordinary app content where needed for accounting, tax, fraud-prevention, dispute handling, repeat-trial prevention, or legal compliance. Stripe retains payment details and raw tax IDs under Stripe's own compliance and retention controls.

5. Your Rights (GDPR)

Under GDPR, users impacted by this policy have the following rights:

  1. Right to Access: You can request a copy of all data we hold about you (use our "Export Data" feature).
  2. Right to Rectification: Update incorrect data via your profile.
  3. Right to Erasure ("Right to be Forgotten"): You can delete your account or specific records. Data will be anonymized to protect your privacy after the verification period.
  4. Right to Restriction of Processing: You may have the right to request that we restrict the processing of your personal data under certain circumstances (e.g., if you contest the accuracy of the data). Please contact us to exercise this right.

If a venue uses Live Schedule sharing, these rights still apply to the employee and rota data included in published schedule snapshots.

6. How to Contact Us

For any privacy-related questions or data export requests, please contact: privacy@darouta.com