RosterElf Pty Ltd privacy policy

1. introduction

Roster Elf Pty Ltd ("Roster Elf", "our", "we" or "us") regards customer privacy as an important part of our relationship with our customers. The following privacy policy applies to the collection of personal information by Roster Elf from its customers and users.

Roster Elf is committed to protecting customer's personal information in accordance with the Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth) ("Privacy Act").

We make this policy available on our website at Roster Elf Privacy Policy. To request a hard copy, contact us.

---

2. collection of personal information

The personal information we collect about you depends on your dealings with Roster Elf. It may include:

• your name;
• contact details;
• banking / credit-card details;
• age or date of birth;
• employment history and pay rate;
• tax-file number and superannuation information;
• education qualifications;
• current occupation; and
• any other information you provide while interacting with us.

---

3. how we collect personal information

We collect information by lawful and fair means when it is reasonably necessary for our functions (staff management, rostering, payroll integration, shift swapping, time & attendance).

Information is collected when:

• you correspond with us (phone, email, mail or otherwise);
• you update your details;
• you supply documents or correspondence;
• you submit data via our website or create an account;
• you use Roster Elf HR Hub features;
• third parties lawfully disclose information to us; or
• cookies recognise repeat website users and remember preferences.

If you purchase a product or service, we may request contact details (name, email, postal address) and financial details (credit-card number, expiry date). These are used for billing and order fulfilment; if an order can't be processed we'll contact you.

All correspondence (sales, support, accounts) may be collected and stored.

Subject to Privacy-Act exceptions, we collect sensitive information only with your consent when reasonably necessary for Roster Elf's activities. Voluntary provision of sensitive information constitutes consent.

---

4. collection of unsolicited personal information

If we receive unsolicited personal information, we assess whether it could have been lawfully collected. If not, we destroy or de-identify it as soon as practicable (where lawful and reasonable).

---

5. use of collected personal information

We may use or disclose personal information to:

• provide, operate and maintain our services (including RosterElf);
• contact you when necessary;
• address enquiries, complaints or feedback;
• send useful information and event updates; and
• comply with legal obligations.

---

6. elf AI

"Elf AI" is our AI chatbot powered by "Alhena AI". We discourage including personal or confidential information in prompts because that data is collected and handled by "Alhena AI", not by us.

For more information, see our Elf AI Terms of Use.

---

7. chat feature

The optional chat function ("Chat Feature") is powered by Stream.io, Inc ("Getstream"). Any information you disclose there is handled under Getstream's privacy policy; we cannot view it.

For more information, see our Chat Feature Terms and Conditions.

---

8. direct marketing

We may use your information to send news, updates and promotional material unless you opt out. To opt out, contact us.

---

9. storage of collected information

Sensitive data (e.g., credit-card numbers) is encrypted with SSL and complete card details are never permanently stored. Industry-standard practices protect personal information in transit and at rest.

---

10. retention of personal information

Activity-feed data is retained for up to two years, then destroyed or de-identified unless retention is required by law. For security questions, contact us.

---

11. access to collected information

You may request access to or correction of your personal information. Proof of identity may be required. We aim to respond within 30 days.

---

12. cross border disclosure

Roster Elf may disclose personal information overseas (e.g., United States, European Union) and takes reasonable steps to ensure it is protected unless you consent or an exemption applies.

---

13. interactions with us by electronic means

Internet transmission is not entirely secure. Links to external sites are provided for convenience; their privacy practices are outside our control.

---

14. UK GDPR & UK data protection rights

If you are located in the United Kingdom, or if we process personal data of individuals located in the United Kingdom, the following additional provisions apply in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

Our role

Depending on the circumstances:

• We act as a Data Controller where we determine the purposes and means of processing personal data (including account registration, billing, marketing and website analytics).
• We act as a Data Processor where we process employee or workforce data on behalf of our business customers.

Lawful bases for processing

We process personal data under one or more of the following lawful bases:

• Performance of a contract
• Compliance with legal obligations
• Legitimate interests (including service improvement, fraud prevention and security)
• Consent (where required, including for marketing communications)

Your UK data protection rights

Under UK GDPR, individuals have the right to:

• Access their personal data
• Request correction of inaccurate data
• Request erasure of personal data
• Request restriction of processing
• Object to processing based on legitimate interests
• Request data portability
• Withdraw consent at any time (where processing is based on consent)
• Not be subject to solely automated decision-making producing legal or similarly significant effects

To exercise your UK data protection rights, you may contact our support team at customersupport@rosterelf.com with the subject line "UK GDPR Request", or submit a request via our UK privacy portal at RosterElf UK privacy portal.

We may request verification of your identity before processing your request.

We will respond within one month unless an extension is permitted under applicable law.

International transfers (UK)

Where personal data of UK individuals is transferred to Australia, such transfer is made in reliance on the United Kingdom's adequacy regulations in respect of Australia (where applicable).

Where personal data is transferred to jurisdictions that do not benefit from a UK adequacy decision (including where AI or chat functionality involves service providers in the United States), we implement appropriate safeguards including the UK Addendum to the EU Standard Contractual Clauses or the UK International Data Transfer Agreement (IDTA), as applicable.

UK representative (Article 27)

As we are established outside the United Kingdom, we have appointed a UK representative under Article 27 of UK GDPR. UK individuals and the Information Commissioner's Office (ICO) may contact our representative directly in relation to any matter concerning RosterElf's processing of personal data:

GDPRLocal Ltd
Attn: Adam Brogden
1st Floor Front Suite, 27–29 North Street
Brighton, England BN1 1EB
Email: contact@gdprlocal.com
Web: www.gdprlocal.com

You may also submit a UK privacy request directly via our dedicated portal: https://rosterelfptyltd.gdprlocal.com/uk.

Data breach notification

Where required under UK GDPR, we will notify the relevant supervisory authority and affected individuals of a personal data breach in accordance with our legal obligations.

---

15. Complaints, questions or further information

To complain about a privacy breach, contact us first.

If dissatisfied, contact the Office of the Australian Information Commissioner:

• Website: Privacy Complaints
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au

---

16. changes to privacy policy

We review and update this policy periodically. Updates are posted on our website and elsewhere as appropriate.