Legal

Privacy Policy

This policy explains how RosterIQ collects, uses, stores and protects your personal information in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

Last updated: 1 January 2025
Compliant with Privacy Act 1988 (Cth)
Version 1.0
01

Overview

RosterIQ ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy describes how we handle personal information collected through our workforce management platform, including the RosterIQ web portal, mobile application, and any related services (collectively, the "Services").

By accessing or using the Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our Services and contact us to request deletion of your data.

ℹ️
Who this policy covers

This policy applies to business customers (tenants), their employees and managers who use RosterIQ, and any visitors to our website. Different data practices may apply depending on your role.

02

Who we are

RosterIQ is operated by RosterIQ Pty Ltd, an Australian company. We are the data controller for information collected through our Services. Our businesses customers (tenants) are data processors with respect to their employees' personal data and carry their own obligations under the Privacy Act 1988.

Where your employer has provided your information to RosterIQ as part of setting up your account, your employer is responsible for ensuring it has the legal basis to share that information with us.

03

What we collect

We collect the following categories of personal information depending on your role and how you interact with our Services:

3.1 Employee information (collected by your employer)

CategoryExamplesPurpose
Identity dataFull name, employee ID, job titleAccount creation, roster management
Contact dataEmail address, mobile numberNotifications, account access
Employment dataHourly rate, employment type, departmentPayroll calculations, scheduling
Time & attendancePunch in/out times, shift records, GPS coordinatesTimesheet generation, payroll
Biometric dataFacial embeddings (see Section 4)Identity verification at punch in/out
Device dataDevice ID, app version, platformOffline sync, kiosk management
Location dataGPS coordinates at punch eventsGeofencing, fraud prevention
Photo dataPunch-time photos (kiosk mode)Buddy-punch prevention, audit log

3.2 Business customer (tenant) information

CategoryExamplesPurpose
Account dataCompany name, ABN, billing addressAccount management, invoicing
Admin user dataName, email, rolePortal access, notifications
Billing dataPayment method details (via Stripe)Subscription management
Configuration dataCompliance region, geofence zones, alert settingsPlatform personalisation

3.3 Automatically collected data

  • Log data (IP address, browser type, pages visited, timestamps)
  • Usage analytics (feature interactions, session duration)
  • Device identifiers for the mobile application
  • Cookies and similar tracking technologies (see Section 11)
04

Biometric & facial recognition data

🤳
Special category data — enhanced protections apply

Biometric data, including facial recognition data, is a sensitive category of personal information under the Australian Privacy Act. We apply the highest level of protection to this data and collect it only with your explicit consent.

4.1 How facial data is collected

When an employee is enrolled for facial recognition, a photograph is captured via the RosterIQ mobile application. This image is processed by Google ML Kit (on-device) and/or Microsoft Azure Face API to generate a mathematical representation called a face embedding — a numerical vector of 128 floating-point values. The original photograph used for enrollment is not retained after the embedding is generated.

4.2 How facial data is stored

Face embeddings are stored as encrypted binary data (VARBINARY) in our SQL Server database, associated with the employee's record. Embeddings are never shared with third parties, never used for any purpose other than identity verification within your employer's RosterIQ account, and are never used to train machine learning models.

4.3 How facial data is used at punch time

When an employee presents their face at a punch station, the device captures a live image and generates a new embedding. This is compared against the stored embedding using a similarity threshold. The comparison result (match/no-match and confidence score) is logged. The live punch-time image is discarded after comparison unless kiosk photo capture is enabled by the employer, in which case a photo is retained in the audit log.

4.4 Liveness detection

RosterIQ employs anti-spoofing liveness detection to prevent the use of photographs or screens to impersonate an employee. This analysis is performed locally on the device and no liveness data is transmitted externally.

4.5 Consent and withdrawal

Enrollment in facial recognition is subject to explicit consent obtained by your employer prior to enrollment. If you withdraw consent, your facial embedding will be deleted within 14 days of the request being submitted to your employer or directly to us at privacy@myrosteriq.com. Withdrawal of consent may mean you need to use an alternative punch method (QR card or PIN).

4.6 Retention of biometric data

Facial embeddings are retained for the duration of the employee's active account. Upon termination of employment or account closure, embeddings are deleted within 30 days. Employers may request immediate deletion at any time.

⚠️
Employer obligations

Employers using RosterIQ's facial recognition feature are responsible for obtaining valid consent from employees before enrollment, maintaining a biometric data policy, and complying with any applicable state or territory workplace surveillance laws.

05

How we use your data

We use personal information only for the purposes for which it was collected or as required by law. These include:

  • Providing the Services — processing time & attendance records, generating timesheets, managing rosters and leave, sending notifications
  • Payroll processing — calculating hours, applying award rates, generating payroll exports (Xero, MYOB, STP Phase 2)
  • Identity verification — matching facial embeddings at punch events to prevent buddy punching
  • Geofencing & location verification — confirming punches occur within approved work sites
  • Compliance — maintaining records required under the Fair Work Act 1994, applicable Modern Awards, and other employment laws
  • Security & fraud prevention — monitoring for suspicious punch patterns, unauthorised access attempts
  • Customer support — responding to queries and resolving disputes
  • Platform improvement — analysing usage patterns (in aggregated, de-identified form) to improve features
  • Billing — processing subscription payments via Stripe

We do not sell personal information to third parties. We do not use personal information for targeted advertising.

06

Disclosure to third parties

We may share personal information with the following categories of third parties, solely to support the delivery of our Services:

RecipientPurposeData shared
Microsoft AzureFace API — facial enrollment verificationFacial images (enrollment only, not retained by Azure)
Google (Firebase)FCM push notificationsDevice push tokens
StripePayment processingBilling contact details, payment method tokens
SendGridTransactional email deliveryEmail address, notification content
Xero / MYOB / Employment HeroPayroll export (on employer instruction)Timesheet and payroll data as configured
Cloud hosting providerInfrastructure hostingAll data (encrypted at rest and in transit)
Seq / SerilogApplication logging and monitoringAnonymised log data, error traces

All third-party processors are bound by contractual obligations to protect personal information and use it only for the specified purpose. We do not authorise third parties to use personal data for their own purposes.

We may also disclose information where required by law, court order, or to respond to a valid request from a government or regulatory authority (including the Office of the Australian Information Commissioner).

07

Overseas transfers

Some of our third-party service providers process data outside Australia, including in the United States (Microsoft Azure, Google, Stripe, SendGrid). When we transfer personal information overseas, we take reasonable steps to ensure the overseas recipient handles it in a way consistent with the Australian Privacy Principles under APP 8.

By using RosterIQ, you consent to your information being transferred to and processed in countries that may not have privacy laws equivalent to Australia's. In all such cases, we require contractual protections to be in place.

ℹ️
Biometric data — no overseas transfer

Face embeddings stored in our database are held within Australian-based infrastructure. Facial images sent to Azure Face API for enrollment verification are processed momentarily and are not retained by Microsoft after the API call completes.

08

Data retention

We retain personal information for as long as necessary to provide the Services and comply with our legal obligations, including the Fair Work Act requirement to keep employment records for 7 years.

Data typeRetention period
Time & attendance records7 years (Fair Work Act 1994)
Payroll calculation records7 years (Fair Work Act 1994)
Facial embeddingsDuration of employment + 30 days
Punch-time photos (kiosk)2 years or as configured by employer
GPS location logs2 years
Audit logs7 years
Application logs90 days
Billing records7 years (tax obligations)
Closed tenant accounts30 days post-closure (then deleted)

Upon expiry of the relevant retention period, data is securely deleted or de-identified. Employers may request early deletion of data not subject to a statutory retention requirement.

09

Security

We implement technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration, and destruction. These include:

  • Encryption in transit — all data transmitted between clients and our servers uses TLS 1.2 or higher
  • Encryption at rest — database contents including facial embeddings are encrypted at rest
  • Authentication — JWT tokens with short expiry, refresh token rotation, and API key management
  • Tenant isolation — multi-tenant architecture with row-level TenantId filtering prevents cross-tenant data access
  • Role-based access control — four access roles (Super Admin, Admin, Manager, Employee) restrict data access to what is necessary
  • Audit logging — all data access and modification events are logged with user, timestamp and IP address
  • Penetration testing — regular security audits conducted prior to major releases
  • Secure development — code reviews and automated vulnerability scanning in our CI/CD pipeline

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to security@myrosteriq.com and we will respond within 48 hours.

⚠️
Notifiable data breaches

RosterIQ complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of an eligible data breach, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.

10

Your rights

Under the Australian Privacy Act and Australian Privacy Principles, you have the following rights regarding your personal information:

👁️

Access

Request a copy of the personal information we hold about you. We will respond within 30 days.

✏️

Correction

Request correction of inaccurate, incomplete or outdated information. Employees should contact their employer in the first instance.

🗑️

Deletion

Request deletion of personal data not subject to a statutory retention requirement (e.g. Fair Work records).

📦

Portability

Request your data in a machine-readable format. Business customers may export all tenant data via the admin portal.

🚫

Withdraw consent

Withdraw consent for biometric data collection at any time. This will require use of an alternative punch method.

📋

Complaint

Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe your privacy rights have been breached.

To exercise any of these rights, contact us at privacy@myrosteriq.com. We will verify your identity before processing any request. Employees should note that their employer may also be the appropriate first point of contact for access and correction requests, as they control your account data.

11

Cookies & tracking

Our web portal uses the following categories of cookies and similar technologies:

TypePurposeDuration
Strictly necessarySession management, authentication (JWT token storage), CSRF protectionSession / token expiry
FunctionalUser preferences (theme, language, timezone, remembered tenant subdomain)12 months
AnalyticsAggregated usage analytics for product improvement (no personal identification)12 months

We do not use advertising or tracking cookies. You can control cookie settings via your browser. Disabling strictly necessary cookies will prevent you from logging into the web portal.

The RosterIQ mobile application does not use cookies. It uses secure device storage (flutter_secure_storage) to hold authentication tokens locally on your device.

12

Children

RosterIQ is a business platform intended for use by adults in a workplace context. We do not knowingly collect personal information from persons under the age of 15.

If an employee is aged 15–17 (as permitted in some industries under Australian employment law), employers are responsible for ensuring appropriate consent is obtained from the employee's parent or guardian before enrolling them in facial recognition features.

If you believe we have inadvertently collected information from a minor without appropriate consent, please contact privacy@myrosteriq.com immediately.

13

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send a notification email to all tenant administrators
  • Display an in-app banner for 30 days following the update
  • For changes affecting how biometric data is handled, obtain fresh consent before the new practices take effect

Continued use of the Services after the effective date of a revised policy constitutes acceptance of the changes. Previous versions of this policy are available on request.

14

Contact us

If you have any questions, concerns or requests regarding this Privacy Policy or how we handle your personal information, please contact our Privacy Officer:

Privacy Officer — RosterIQ

CompanyRosterIQ Pty Ltd
Subject linePrivacy Request — [your name]
Response timeWe aim to respond within 5 business days. Complex requests may take up to 30 days.
RegulatorOffice of the Australian Information Commissioner (OAIC)
www.oaic.gov.au · 1300 363 992