Privacy Policy

Introduction

At RotationGenius ("we," "us," or "our"), we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our rotation scheduling platform (the "Service"). By using RotationGenius, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide

We collect information that you directly provide when using our Service:

• Account Information: Name, email address, password (encrypted), and profile details
• Organization Data: Organization name, team member details, and workspace information
• Rotation Data: Rotation schedules, user assignments, overrides, and calendar events
• Payment Information: Billing details processed securely through our payment processor (Stripe). We do not store complete credit card numbers.
• Communication Data: Messages, support tickets, and feedback you send to us

1.2 Automatically Collected Information

When you use our Service, we automatically collect certain information:

• Usage Data: Features used, pages visited, actions taken, and time spent on the Service
• Device Information: IP address, browser type, operating system, device identifiers, and general location (city/country level)
• Log Data: Server logs, error reports, API calls, and performance metrics
• Cookies and Similar Technologies: Session cookies, preferences, and analytics data (see Section 6)

1.3 Information from Third Parties

We may receive information from third-party services you connect to RotationGenius:

• OAuth Providers: Google, GitHub, or other authentication services (name, email, profile picture)
• Integrations: Slack workspace data, calendar sync information, and webhook payloads
• Payment Processors: Transaction confirmations and subscription status from Stripe

2. How We Use Your Information

We use the collected information for the following purposes:

• Service Provision: Create and manage your account, process rotations, send notifications, and provide customer support
• Service Improvement: Analyze usage patterns, develop new features, fix bugs, and optimize performance
• Communication: Send transactional emails, product updates, security alerts, and respond to inquiries
• Billing and Payments: Process subscriptions, issue invoices, and handle payment-related matters
• Security: Detect fraud, prevent abuse, enforce our Terms of Service, and protect user accounts
• Legal Compliance: Comply with legal obligations, respond to lawful requests, and protect our rights
• Marketing: Send promotional emails (you can opt out at any time), conduct surveys, and share product announcements

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal data based on the following legal grounds:

• Contractual Necessity: Processing is necessary to provide the Service under our Terms of Service
• Legitimate Interests: We have legitimate business interests (e.g., improving our Service, preventing fraud) that do not override your rights
• Consent: You have given explicit consent for specific processing activities (e.g., marketing emails)
• Legal Obligations: We must process data to comply with applicable laws and regulations

4. How We Share Your Information

We do not sell your personal information. We may share your data in the following circumstances:

• Service Providers: Third-party vendors who assist with hosting, analytics, email delivery, payment processing, and customer support (e.g., AWS, Stripe, SendGrid)
• Integrations You Enable: Services you connect to RotationGenius (Slack, Google Calendar, etc.) receive data necessary for integration functionality
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity
• Legal Requirements: When required by law, court order, or governmental authority, or to protect our rights and safety
• With Your Consent: When you explicitly authorize us to share your information

All third-party service providers are contractually obligated to protect your data and use it only for the purposes we specify.

5. Data Retention

We retain your personal data only as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:

• Active Accounts: Data is retained while your account is active
• Closed Accounts: We may retain certain data for up to 90 days after account closure for backup, fraud prevention, and legal compliance purposes
• Legal Requirements: Some data may be retained longer to comply with tax, accounting, or legal obligations
• Anonymized Data: We may retain aggregated, anonymized data indefinitely for analytics and research

You can request deletion of your data at any time by contacting us (see Section 12).

6. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience:

• Essential Cookies: Required for authentication, security, and core functionality
• Analytics Cookies: Help us understand usage patterns via Google Analytics and similar tools
• Preference Cookies: Remember your settings (e.g., dark mode, language preferences)

You can control cookies through your browser settings. Disabling essential cookies may affect Service functionality. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

7. Your Data Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your personal data (subject to legal obligations)
• Data Portability: Receive your data in a structured, machine-readable format
• Objection: Object to certain types of processing (e.g., direct marketing)
• Restriction: Request that we limit how we use your data
• Withdraw Consent: Withdraw previously given consent at any time

To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days.

8. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: Data in transit is encrypted using TLS/SSL. Passwords are hashed using bcrypt.
• Access Controls: Role-based permissions and multi-factor authentication options
• Infrastructure Security: Hosted on secure cloud platforms with regular security audits
• Monitoring: Continuous monitoring for suspicious activity and security threats
• Incident Response: Procedures in place to respond to data breaches and security incidents

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

9. International Data Transfers

RotationGenius operates globally, and your data may be transferred to and processed in countries other than your own. If you are located in the EEA, UK, or Switzerland, we ensure that international transfers comply with applicable laws through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions recognizing equivalent data protection levels
• Other lawful transfer mechanisms as required by GDPR

10. Children's Privacy

RotationGenius is not intended for individuals under the age of 16 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us immediately.

11. Third-Party Links and Services

Our Service may contain links to third-party websites, integrations, or services (e.g., Slack, Google Calendar). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information. This Privacy Policy applies solely to information collected by RotationGenius.

12. Marketing and Communications

We may send you marketing emails about new features, promotions, and updates. You can opt out of marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Updating your email preferences in your account settings
• Contacting us at [email protected]

Please note that you cannot opt out of transactional emails (e.g., account notifications, password resets, billing statements) as they are necessary for the operation of the Service.

13. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request information about the categories and specific pieces of personal data we have collected
• Right to Delete: Request deletion of your personal data
• Right to Opt-Out: We do not sell personal information, so there is no need to opt out of sales
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your CCPA rights

To exercise your CCPA rights, please contact us at [email protected].

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. Material changes will be communicated via:

• Email notification to your registered email address
• Prominent notice on our website or within the Service
• Updated "Last Updated" date at the top of this policy

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer

For GDPR-related inquiries, you may contact our Data Protection Officer at [email protected].

Supervisory Authority

If you are located in the EEA, UK, or Switzerland and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.