Privacy Policy

How Staff Rota & Payroll collects, uses and protects the personal data you and your team put into the service.

Last updated: June 2026

Who we are (data controller)

Staff Rota & Payroll is a service operated by Bridport Operator Ltd (company number 12565935), 13 Nelson Avenue, Plymouth, Devon, PL1 5RL, United Kingdom. For the personal data we hold about our own customers — the people who hold an account with us — Bridport Operator Ltd is the data controller. Our ICO registration reference is [to be added].

For the staff records a business puts into the service, that business is the controller and we act as its processor on its instructions — the details are in our Data Processing Terms.

Information we collect

We collect the information needed to run a staff rota, payroll and leave system on your behalf:

  • Account & business details — the business name, your admin contact details and login credentials.
  • Staff records — names, roles, pay rates, contracted hours, login details and any optional clock-in PINs you add for your team.
  • Rota, payroll & leave data — scheduled shifts, worked and clocked hours, calculated pay, timesheet adjustments, leave requests and holiday balances.
  • Technical data — limited information such as the session cookie and basic device/browser information needed to keep you signed in and the service secure.

How we use it

We use this information to:

  • Provide the rota, payroll-timesheet, leave and attendance features.
  • Calculate hours and gross pay, and produce timesheets for your pay periods.
  • Send notifications by email and mobile push about shifts, leave and publishing.
  • Keep your account secure and diagnose technical problems.

Lawful basis (UK GDPR)

Where UK data protection law applies, we process personal data on the basis of contract (to provide the service you have signed up for) and our legitimate interests in operating, securing and improving the service. For the businesses that use Staff Rota & Payroll, your business is the data controller for your staff records and we act as a processor on your instructions.

Data sharing

We do not sell your data. We share it only where needed to run the service:

  • Your nominated accountant — when you use “Send to accountant”, the relevant timesheet (PDF and Excel) and a leave summary are emailed to the address you specify.
  • Infrastructure & email providers — trusted suppliers who host the service and deliver notifications on our behalf, under appropriate agreements.
  • Legal requirements — where we are required to disclose information by law.

Sub-processors

We use a small number of trusted suppliers (sub-processors) to run the service. Each processes data only on our instructions and under a contract:

  • Stripe — secure card payments and subscription billing.
  • Resend — transactional email (sign-in, verification, shift and leave notifications, accountant exports).
  • Railway — hosting the application and database.

International transfers

Where a sub-processor processes personal data outside the United Kingdom, we rely on appropriate safeguards for that transfer — such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision where one applies.

Data retention

We keep personal data for as long as your account is active and for a reasonable period afterwards to meet legal, accounting and payroll record-keeping obligations. When data is no longer required, it is deleted or anonymised.

Security

Access to the service is protected by individual logins and role-based access (admin and staff). Data is transmitted over encrypted connections, and we apply organisational and technical measures appropriate to the sensitivity of payroll and staff data. No system can be guaranteed perfectly secure, so we encourage strong, unique passwords for every account.

Your rights

Subject to applicable law, individuals have rights to access, correct, delete or restrict the use of their personal data, and to object to certain processing or request a copy of their data.

  • Staff should contact their employer (the business using the app) in the first instance.
  • Businesses can contact us to exercise rights on behalf of, or to assist, their staff.

Complaints

You have the right to complain to the UK Information Commissioner's Office (ICO) about how your personal data is handled. You can find out more and raise a concern at ico.org.uk. We'd welcome the chance to resolve any concern first, so please do contact us before approaching the ICO.

Contact

For any privacy or data-protection question, or to exercise your rights, email privacy@staffrota.online or use our contact page. Staff should contact the business that operates their account in the first instance; that business can also contact us to assist its team.

This document is a template provided to help you get started. It should be reviewed and adapted by the business — and, where appropriate, a qualified legal adviser — before it is relied upon.