Privacy Policy
Effective Date: March 2026 | Last Updated: March 17, 2026
Luminis Lojistik Teknoloji Ticaret Danışmanlık Hizmetleri Limited Şirketi (trading as "Rota") operates the Rota mobile application and the website https://rota-app.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Service.
We are committed to protecting your privacy and complying with applicable data protection laws, including the European Union General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK, Law No. 6698), and other applicable legislation.
1. Data controller
The data controller responsible for your personal data is:
Luminis Lojistik Teknoloji Ticaret Danışmanlık Hizmetleri Limited Şirketi
Address: Küçükbakkalköy Mah. Yüksel Sk. No: 10 A Ataşehir/İstanbul, Türkiye
Tax ID: 6091389933
Data Protection Contact: privacy@rota-app.com
Representative: Mehmet Can Işıklarlı
EU/EEA Representative (GDPR Art. 27): An EU representative is in the process of being appointed. This section will be updated accordingly.
2. Data we collect
We collect personal data through the following methods: directly from you via the mobile application and web forms (e.g. registration, leave requests), automatically through the application (e.g. GPS coordinates during clock-in, device information), and via cookies and local storage on our website (rota-app.com). We collect the following categories of personal data:
2.1 Account information
- Full name, email address, phone number
- Employee ID or staff number (provided by employer)
- Profile photograph (optional)
- Password (stored in hashed form)
- Emergency contact name and phone number (for workplace emergency purposes)
2.2 Location data
- GPS coordinates during clock-in and clock-out events
- Location data is collected only at the moment of attendance actions and is not tracked continuously
2.3 Camera and biometric-adjacent data
- Selfie photographs taken during clock-in for attendance verification
- These images are used for employer verification purposes and are not processed for biometric identification
2.4 Employment and workforce data
- Work schedules, shift assignments, and shift swap requests
- Attendance records (clock-in/out times, early leave, overtime)
- Leave requests, leave balances, and leave history
- Change requests and approval workflows
- Date of birth (used for statistical leave entitlement calculations)
- Employment start date (used for shift scheduling and leave entitlement calculations)
2.5 Device and technical data
- Device type, operating system, and app version
- Push notification tokens
- IP address and general connection information
- Crash reports and performance analytics
2.6 Cookies and similar technologies
Our website and admin panel use the following cookies and local storage technologies:
- Session cookies (essential): Supabase authentication session cookies are used to keep you logged in. These are strictly necessary for the Service to function and expire when you log out or after the session duration.
- Preference cookies: The active organization selection (active_org_id) is stored as a cookie in the admin panel to remember your workspace context across sessions.
- Local storage: Your language preference (rota-landing-language) is stored in your browser's local storage on our landing page to remember your chosen display language.
We do not use any advertising, tracking, or analytics cookies. You can manage cookies through your browser settings; however, disabling essential cookies may prevent you from using certain features of the Service.
3. How we use your data
We process your personal data for the following purposes:
- Service delivery: To provide workforce management features including scheduling, attendance tracking, and leave management.
- Attendance verification: To verify clock-in/out events using location and selfie data as requested by your employer.
- Communication: To send you notifications about schedule changes, shift assignments, leave approvals, and other work-related updates.
- Security: To protect against unauthorized access, fraud, and abuse of the Service.
- Improvement: To analyze usage patterns and improve the Service (using aggregated, anonymized data where possible).
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
4. Legal basis for processing (GDPR)
Under the GDPR, we rely on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service under our agreement with your employer.
- Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, and service improvement.
- Legal obligation (Art. 6(1)(c)): Compliance with employment, tax, and data protection laws.
- Consent (Art. 6(1)(a)): Where required, such as for push notifications and optional profile features. You may withdraw consent at any time.
5. Data sharing and third parties
We share your personal data with the following categories of recipients:
- Your employer: Your employer (the organization that subscribes to Rota) has access to your attendance records, schedules, leave data, and clock-in/out verification data including selfie images and location.
- Infrastructure providers: Supabase, Inc. (database hosting and authentication), Vercel, Inc. (web hosting), Expo / EAS (mobile app build and distribution). These providers act as data processors under written agreements.
- Legal authorities: Where required by law, court order, or regulatory request.
We do not sell your personal data to any third party. We do not use your data for advertising purposes.
6. Cookies and similar technologies
Our web platforms and mobile application use cookies and similar local storage technologies for the following purposes:
- Session and authentication cookies (rota-admin): Used to maintain your login session and store your active organization selection (active_org_id). These are strictly necessary for the Service to function and expire when your session ends or after a defined inactivity period.
- Language preference (rota-open): localStorage is used to remember your language selection on our landing page. This data remains on your device and is not transmitted to our servers.
- Mobile app local storage: The Rota mobile app uses on-device storage (AsyncStorage) to store authentication tokens and user preferences. This data does not leave your device except as part of authenticated API requests.
We do not use any third-party tracking, advertising, or analytics cookies. You can manage cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using parts of the Service.
7. International data transfers
Your data may be transferred to and processed in countries outside of Turkey and the European Economic Area (EEA), including the United States, where our infrastructure providers operate. Such transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.
8. Data retention
We retain your personal data for as long as your employer maintains an active Rota subscription and your account remains active. After account deletion or employer subscription termination:
- Account data is deleted within 30 days.
- Attendance records and selfie images are retained for the period required by applicable employment law (typically 5 years in Turkey), after which they are permanently deleted. In the event of account deletion, selfie images are permanently deleted after the 30-day waiting period; attendance records are retained in anonymized form.
- Anonymized, aggregated analytics data may be retained indefinitely.
Account deletion
- You may request deletion of your account from within the app (Profile → Settings → Delete account).
- After you request deletion, a 30-day waiting period applies during which you can cancel the request by contacting support@rota-app.com.
- After 30 days, your personal data is anonymized and your authentication account is permanently deleted.
- Attendance, leave and shift records are retained in anonymized form for the period required by applicable employment law (typically 5 years in Turkey).
9. Your rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Access: Request a copy of your personal data.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data (subject to legal retention requirements).
- Restriction: Request limitation of processing in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw at any time.
To exercise any of these rights, contact us at privacy@rota-app.com. We will respond within 30 days (or sooner as required by applicable law).
You also have the right to lodge a complaint with your local data protection authority. In Turkey, this is the Personal Data Protection Authority (KVKK Kurumu). In the EU, contact your national Data Protection Authority.
10. Automated decision-making
We do not use automated decision-making or profiling (as defined in GDPR Article 22) that produces legal effects or similarly significant effects on you. All decisions related to your employment, scheduling, and attendance are made by your employer through the Service.
11. Data security
We implement appropriate technical and organizational security measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, regular security audits, and secure authentication mechanisms.
12. Children's privacy
The Service is designed for workforce management and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the app or by email. The updated policy will be effective as of the date posted.
14. Contact us
Luminis Lojistik Teknoloji Ticaret Danışmanlık Hizmetleri Limited Şirketi
Data Protection Contact: privacy@rota-app.com
Address: Küçükbakkalköy Mah. Yüksel Sk. No: 10 A Ataşehir/İstanbul, Türkiye
Representative: Mehmet Can Işıklarlı