PRIVACY
Employers see patterns. Workers see their own data. Nobody else sees anything.
HOW IT WORKS
Privacy by architecture, not by policy
RosterWise was designed from the ground up around a simple principle: fatigue intelligence should protect workers, not monitor them. We built the privacy architecture before we built the product, not the other way around.
01
What employers see
Aggregate risk data for teams of 5 or more workers. Heatmaps, trend lines, ghost shift counts, compliance dashboards. No individual names. No individual scores. No ability to drill down to a single person.
02
What workers see
Their own personal fatigue forecast and coaching recommendations, through a confidential mobile app. Their employer cannot access this data. Their line manager cannot request it. Their HR department cannot view it.
03
The minimum group rule
If a team has fewer than 5 workers, the aggregate data is suppressed entirely. The dashboard shows a “group too small for anonymity” message. This prevents deductive identification, where an aggregate over a handful of people can be traced back to an individual, which is what makes unsuppressed aggregates in small teams no better than individual data.
TECHNICAL ARCHITECTURE
Three pillars enforced in code, not in promises
Per-worker Cloud KMS encryption
Each worker's data is encrypted with a unique key managed by Google Cloud Key Management Service. If a worker leaves or withdraws consent, their key is destroyed — permanently and irreversibly deleting their data (crypto-shredding).
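The crypto-shredding mechanism described above, as an added example that is not RosterWise's code: a hypothetical in-memory `KeyStore` stands in for Google Cloud KMS, holding one AES-256 key per worker. Each worker's record is sealed with AES-GCM under their own key, and destroying the key leaves every copy of the ciphertext unreadable. All names, the worker IDs and the sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDestroyed is returned once a worker's key has been shredded.
var ErrKeyDestroyed = errors.New("worker key destroyed: data is unrecoverable")

// KeyStore is a hypothetical in-memory stand-in for Google Cloud KMS holding
// one 256-bit AES key per worker. A real deployment never sees key bytes; it
// asks KMS to encrypt/decrypt and to schedule key-version destruction.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// CreateKey provisions a fresh random key for one worker.
func (ks *KeyStore) CreateKey(workerID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[workerID] = k
	return nil
}

// DestroyKey is the crypto-shredding step: once the key is gone, every
// ciphertext sealed under it is unreadable, wherever copies of it live.
func (ks *KeyStore) DestroyKey(workerID string) {
	if k, ok := ks.keys[workerID]; ok {
		for i := range k {
			k[i] = 0 // best-effort zeroisation before dropping the reference
		}
		delete(ks.keys, workerID)
	}
}

func (ks *KeyStore) aead(workerID string) (cipher.AEAD, error) {
	k, ok := ks.keys[workerID]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one worker's record with AES-256-GCM. The worker ID is bound
// as associated data, so a ciphertext cannot be quietly re-attributed to a
// different worker's key.
func (ks *KeyStore) Encrypt(workerID string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(workerID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag.
	return g.Seal(nonce, nonce, plaintext, []byte(workerID)), nil
}

// Decrypt reverses Encrypt and fails with ErrKeyDestroyed after shredding.
func (ks *KeyStore) Decrypt(workerID string, ct []byte) ([]byte, error) {
	g, err := ks.aead(workerID)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:ns], ct[ns:], []byte(workerID))
}

func main() {
	ks := NewKeyStore()
	_ = ks.CreateKey("worker-42") // constructed worker ID
	ct, _ := ks.Encrypt("worker-42", []byte("self-reported sleep: 5h")) // constructed record
	pt, _ := ks.Decrypt("worker-42", ct)
	fmt.Printf("before shred: %q\n", pt)
	ks.DestroyKey("worker-42") // consent withdrawn
	_, err := ks.Decrypt("worker-42", ct)
	fmt.Println("after shred:", err)
}
```

Two practical points the toy store glosses over: Cloud KMS schedules key-version destruction rather than deleting immediately, and a version in the scheduled-for-destruction state can still be restored until that window elapses, so the "permanent and irreversible" property only holds once destruction completes; and shredding is only as complete as the encryption coverage, so any plaintext copy outside the sealed record (application logs, caches, search indexes, analytics extracts) has to be accounted for separately.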
PostgreSQL row-level security
PostgreSQL row-level security policies restrict every query to the rows the authenticated database role is authorised to see, so the restriction holds even when application code omits a filter. Enforced at the database layer, not the application layer — a stronger guarantee than application-level filtering.
Aggregate-only employer exports
Compliance reports, aggregate dashboards, and API responses never contain individual worker identifiers or scores. Enforced architecturally, not by policy.
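The minimum group rule and the aggregate-only export above, combined in one added example that is not RosterWise's code: per-worker observations are rolled up to team level, the export type has no worker identifier field at all, and any team with fewer than 5 distinct workers is replaced by the “group too small for anonymity” message. The observation data, team names and 0.7 high-risk threshold are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// MinGroupSize mirrors the page's minimum group rule: teams smaller than this
// are suppressed rather than reported.
const MinGroupSize = 5

// SuppressedMessage is the text the dashboard shows for a suppressed team.
const SuppressedMessage = "group too small for anonymity"

// WorkerScore is one per-worker fatigue-risk observation (e.g. one shift).
// This is the internal, worker-scoped shape; it never leaves the aggregator.
type WorkerScore struct {
	WorkerID string
	Team     string
	Score    float64 // 0.0 (rested) to 1.0 (high fatigue risk)
}

// TeamAggregate is the only shape an employer-facing export may carry.
// It deliberately has no worker identifier field, so a serialiser cannot
// leak one by accident.
type TeamAggregate struct {
	Team       string
	Workers    int     // distinct workers contributing
	MeanScore  float64 // mean over all observations
	HighRisk   int     // distinct workers with any observation above the threshold
	Suppressed bool
	Message    string
}

// Aggregate rolls per-worker observations up to team level and suppresses any
// team with fewer than MinGroupSize distinct workers.
func Aggregate(obs []WorkerScore, highRiskThreshold float64) []TeamAggregate {
	byTeam := map[string][]WorkerScore{}
	for _, o := range obs {
		byTeam[o.Team] = append(byTeam[o.Team], o)
	}
	out := make([]TeamAggregate, 0, len(byTeam))
	for team, rows := range byTeam {
		distinct := map[string]bool{} // count workers, not rows
		highRisk := map[string]bool{}
		sum := 0.0
		for _, r := range rows {
			distinct[r.WorkerID] = true
			sum += r.Score
			if r.Score > highRiskThreshold {
				highRisk[r.WorkerID] = true
			}
		}
		if len(distinct) < MinGroupSize {
			// Suppress everything except the team name and the message: even
			// a count or a mean over three people narrows down individuals.
			out = append(out, TeamAggregate{Team: team, Suppressed: true, Message: SuppressedMessage})
			continue
		}
		out = append(out, TeamAggregate{
			Team:      team,
			Workers:   len(distinct),
			MeanScore: sum / float64(len(rows)),
			HighRisk:  len(highRisk),
		})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Team < out[j].Team })
	return out
}

// SampleObservations is constructed test data, not real roster data.
func SampleObservations() []WorkerScore {
	return []WorkerScore{
		{"a1", "depot-a", 0.2}, {"a1", "depot-a", 0.4}, // same worker, two shifts
		{"a2", "depot-a", 0.6}, {"a3", "depot-a", 0.8},
		{"a4", "depot-a", 0.9}, {"a5", "depot-a", 0.3},
		{"a6", "depot-a", 0.3},
		{"b1", "depot-b", 0.9}, {"b2", "depot-b", 0.95}, {"b3", "depot-b", 0.1},
	}
}

func main() {
	for _, a := range Aggregate(SampleObservations(), 0.7) {
		if a.Suppressed {
			fmt.Printf("%s: %s\n", a.Team, a.Message)
			continue
		}
		fmt.Printf("%s: %d workers, mean %.2f, %d high-risk\n", a.Team, a.Workers, a.MeanScore, a.HighRisk)
	}
}
```

Counting distinct workers rather than rows matters: a team of three people with many shifts each would otherwise pass a row-count threshold. A size threshold on its own also says nothing about overlapping exports (the same team reported over two time windows whose membership differs by one person), so the retention and reporting cadence need to be designed with that in mind.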
GDPR
Lawful basis, documented and defensible
RosterWise processes roster data (schedule timing, shift patterns) and, with worker consent, self-reported wellbeing data. Under GDPR, roster timing data processed for safety compliance falls under the legitimate interest lawful basis. Worker-reported health data is special category data processed under explicit consent (Article 9(2)(a)).
We provide a pre-completed Data Protection Impact Assessment (DPIA) template for your DPO, a standard Data Processing Agreement (DPA), and full transparency on data flows, retention, and deletion.
MHRA CLASSIFICATION
Occupational wellness tool, not a medical device
RosterWise provides population-level fatigue risk intelligence and general wellbeing coaching. It does not diagnose sleep disorders, prescribe treatments, or make individual fitness-for-duty determinations. This classification is maintained through careful product design: RosterWise outputs are indicative and informational, never diagnostic.
UNION ENGAGEMENT
Designed to address ASLEF, RMT, UNISON, and TUC concerns
Union support can make or break technology adoption in safety-critical workplaces. RosterWise's architecture was designed to address the specific concerns raised in the TUC's “Technology Managing People” report.
- No individual monitoring or performance tracking
- Aggregate-only employer access with minimum group thresholds
- Worker-controlled personal data with full deletion rights
- No connection to disciplinary processes (contractually committed)
- Transparent methodology — workers can see how their risk score is calculated