RosterSure

Privacy Policy

Last updated: November 5, 2025

Corporate disclosure: RosterSure is a trade name of Breniq Corp., a federally incorporated Canadian company. This Privacy Policy explains how we (“RosterSure”, “we”, “us”, “our”) collect, use, disclose, and protect information in connection with our web application and related services designed for General Contractors operating in Ontario. We align our practices with Canada’s PIPEDA and applicable provincial laws. This policy applies to account owners, internal users, auditors, and subcontractor portal users who access our services.

Key Takeaways (TL;DR)

Data Residency: Your data is hosted and remains in Canada (AWS ca‑central‑1).

Control & Deletion: We use a delete-on-termination model. When your account is closed, your content is deleted from active systems and expires from backups (currently ≤ 30 days). We retain limited non-content business records (e.g., invoices) for up to 7 years to meet legal and tax obligations.

Auditor Redaction: Auditor roles are granted read-only access in a privacy-redacted mode that hides sensitive PII and billing information.

Subcontractor Access: Subcontractors only view their own compliance records for the projects they are assigned to.

1) Information We Collect

Data Residency Notice: All Customer Data is stored, processed, and maintained in AWS Canada (ca‑central‑1).

1.1 Account & User Information

Names, emails, company details, roles and permissions (e.g., Owner, Admin, Project Manager, Auditor, Member, Billing Contact), and activity necessary to administer secure access and auditing. Some roles provide read‑only access; others are project‑scoped. These controls form part of our role‑based and attribute‑based access model. (See Business Requirements: roles, scoping, and auditor redaction.)

1.2 Subscription & Billing

We collect plan selection and subscription status. Payment details are handled by our payment processor Stripe; we store only limited billing metadata (such as plan and status).

1.3 Project & Subcontractor Data

For subcontractor compliance we process business contact details, COI metadata (policy number, coverage amount, expiry), WSIB status snapshots, audit history, project assignments, and checklists. Subcontractors invited to the portal can upload documents and view their own company’s information only. (See Functional Requirements for COI/WSIB handling and the subcontractor portal.)

1.4 Device & Usage Data

We may collect technical data such as device type, browser, IP address, timestamps, and in‑product actions to secure the service, detect abuse, and improve UX.

1.5 Cookies & Similar Technologies

We use strictly necessary cookies (for login/session), and, where enabled, privacy‑respecting analytics cookies to understand product usage. You can control cookies via your browser settings; blocking some cookies may affect functionality.

2) How We Use Information

  • Provide and operate the service, including user onboarding, project‑scoped workflows, and compliance validation.
  • Maintain security, prevent fraud, and enforce usage limits and feature gating per your plan.
  • Send service messages (e.g., expiry reminders, status changes) and, with your preferences, product updates.
  • Generate privacy‑respecting audit logs and reports for compliance needs.
  • Improve and troubleshoot the product (e.g., analytics, support).

3) Sharing & Disclosure

  • Service Providers / Sub‑processors. We use vetted providers (e.g., hosting, email delivery, identity, payment processing like Stripe). They process data under contractual confidentiality and security obligations and act on our instructions.
  • Auditor Access. When enabled, auditors may be granted read‑only access in a privacy‑redacted mode that hides sensitive PII and billing information, and their activity is logged.
    Key Control: Auditor roles cannot view user emails, billing data, or unrelated project information.
  • Legal. We may disclose information to comply with law, enforce terms, or protect rights, safety, and security.

4) Security

We protect data in transit (TLS 1.2+) and at rest, apply strict RBAC/ABAC controls to sensitive operations, scan uploaded files for malware, and maintain detailed audit logs of privileged actions. (See Security & Privacy and Audit requirements.)

5) Data Retention & Backups

Our database (AWS RDS) and file storage (AWS S3) run in AWS Canada (ca-central-1). We follow a delete-on-termination model for customer content.

  • Active accounts. We retain customer content (e.g., COIs, WSIB snapshots, project data) for as long as the account is active and needed to provide the service.
  • When an account is closed. Upon confirmed termination by the account owner, we delete customer content from active systems.
  • Backups. Backups are encrypted and retained only for disaster recovery. Deleted customer content will fall out of backups automatically within our rolling backup window (currently ≤ 30 days).
  • What we still keep (minimal vendor records). We may retain non‑content records we are legally required to keep for our own business (e.g., invoices, payment confirmations, tax records) for up to seven (7) years. These do not include customer‑uploaded content such as COIs.
  • Customer responsibility. Customers are responsible for exporting and retaining any data they need for their own compliance (e.g., historical COIs) before termination.

6) International Transfers

RosterSure does not intentionally transfer Customer Data outside of Canada except via service providers operating under comparable safeguards and contractual data protection terms. Core hosting is in Canada (AWS ca‑central‑1).

7) Your Choices & Rights

  • Access & Correction. You can request access to or correction of your personal information. Account owners can also manage user roles and project access.
  • Consent. You may withdraw consent to non‑essential processing (e.g., marketing). Certain service‑critical processing (security, auditing, billing) will continue where permitted by law.
  • Cookies. Manage cookies via browser settings. Some cookies are required for login and core functionality.

8) Communication Preferences

We send two types of email: essential service emails (for example, password resets, security alerts, contractual or transactional notices) and non‑essential notifications (for example, credential‑expiry reminders, invitation reminders, and activity alerts). Essential service emails are required to operate your account, and you cannot opt out of them.

You can change which non‑essential notifications you receive at any time by visiting your My Profile page to adjust your "Notification Preferences", or by using the one-click "Stop these reminders" link included in our compliance emails. You can also contact us directly at support@rostersure.com.

9) Subcontractor Portal

Subcontractor users can access only their own company’s information and upload required documents for review. They cannot access a GC’s internal user list or unrelated projects. Invitations and activation status may be visible to GC admins to support workflows.

10) Children’s Privacy

Our service is intended for business use and is not directed to children under the age of 16.

11) Changes to this Policy

We may update this policy to reflect changes to our practices. We will post the new policy with an updated date and, where appropriate, provide additional notice.

12) Contact Us

If you have questions or requests about this policy or our data practices, contact us at legal@rostersure.com.


This policy summarizes our product and security practices and does not constitute legal advice.