← RosterProject

Privacy Policy

How Kindleye Limited ("RosterProject", "we", "us") handles personal data collected from RosterProject account holders and visitors, in line with Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486, the "PDPO"). This page also serves as our Personal Information Collection Statement. Last updated 13 July 2026.

1. Who this policy covers

This policy covers the people whose data we decide how to use: managers and owners who create or join a RosterProject account, billing contacts, and visitors to this website.

It does not cover the staff records a company keeps inside its RosterProject workspace. For that data your employer is the data user and we only process it on their behalf, as described in the Data Processing Agreement. If you are a staff member with questions about your data in a roster, please speak to your employer first — we assist them with any access or correction request.

2. What we collect

Providing account data is necessary to use RosterProject — without an email address we cannot create your account.

3. What we use it for

We use this data to provide and secure the service, bill subscriptions, respond to support requests, and send service notices (such as changes to terms, security notices, or trial and billing reminders). We do not send marketing email without your consent, and we never sell personal data.

4. Who we share it with

Only the service providers that run RosterProject — currently Supabase (database and authentication), Vercel (hosting), Stripe (payments), and Resend (email), as listed on the Security page — each bound by written data-protection terms. Beyond that, we disclose personal data only if the law requires it. Workspace members can see your name and email inside your own workspace, which is how a shared roster tool works.

5. Where it is stored

Account and workspace data is stored on AWS in Singapore (via Supabase). Section 33 of the PDPO (cross-border transfer restrictions) is not yet in operation; we nonetheless contract with our providers so personal data receives protection substantially similar to the PDPO wherever it is processed.

6. How long we keep it

Account data is kept while your account exists. If you delete your account — or ask us to — we delete your personal data within 30 days, with residual copies removed as encrypted backups expire on their own schedule. Billing records are kept as long as Hong Kong tax and accounting law requires. Technical logs are kept briefly and rotate automatically. Consistent with DPP 2(3), we do not keep personal data longer than needed for these purposes.

7. Cookies

RosterProject uses only the cookies needed to keep you signed in (session cookies set by our authentication provider). We use no advertising, analytics, or tracking cookies, which is why you don't see a cookie banner.

8. How we protect it

With the measures described on our Security page: encryption in transit and at rest, database-level workspace isolation, access controls, and optional two-factor authentication on every account, consistent with DPP 4.

9. Your rights

Under ss.18–24 of the PDPO and DPP 6 you may request access to the personal data we hold about you and ask us to correct it. Most of it is directly visible and editable in your account settings. For anything else, email support@rosterproject.com — we respond within 40 days as the PDPO requires, and we don't charge for reasonable requests. You can also complain to the Office of the Privacy Commissioner for Personal Data (pcpd.org.hk).

10. Changes to this policy

If we materially change this policy we'll notify account holders by email or in the app before the change takes effect, and update the date at the top.

Questions about privacy: support@rosterproject.com