Privacy Policy
Last updated 30 June 2026
1. Who we are
Rovva ("we", "us", "our") operates the Rovva platform at rovva.app. We are committed to protecting your personal data and processing it in accordance with applicable data protection law, including the UK GDPR and the Data Protection Act 2018.
2. Data we collect
We collect the following types of personal data:
- Account data: name, email address, and hashed password when you register.
- Organisation data: name, slug, contact email, and organisation type.
- Usage data: rota events, duty assignments, availability, and cover requests you create within your organisation.
- Log data: IP address, browser type, and pages visited, collected automatically for security and analytics.
- Communications: email notifications sent by the platform on your behalf.
3. How we use your data
We use your data to:
- Provide, maintain, and improve the Rovva platform.
- Send transactional emails (invitations, password resets, duty reminders).
- Respond to support requests and resolve disputes.
- Detect and prevent fraud, abuse, or security incidents.
- Comply with legal obligations.
We do not sell your personal data to third parties, and we do not use it for advertising.
4. Legal basis for processing
We process personal data on the following bases:
- Contract: to provide the Service you have signed up for.
- Legitimate interests: to improve the platform, maintain security, and communicate service updates.
- Legal obligation: where required by law.
5. Data retention
We retain your personal data for as long as your account is active. If you delete your account, data is retained for 30 days to allow for recovery, after which it is permanently deleted. Audit logs may be retained for up to 12 months for security purposes.
6. Third-party services
We use the following sub-processors:
- Vercel — hosting and infrastructure
- Neon — PostgreSQL database hosting
- Resend — transactional email delivery
- Stripe — payment processing (for paid plans)
Each sub-processor is bound by data processing agreements consistent with UK GDPR requirements.
If you choose to connect an external calendar via iCal sync, Rovva will periodically fetch the calendar URL you provide in order to import your availability. This URL and its contents are processed solely to populate your availability within your organisation and are not shared with third parties.
7. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Object to or restrict certain processing.
- Data portability (receive your data in a machine-readable format).
To exercise any of these rights, contact us at privacy@rovva.co.uk.
8. Cookies
Rovva uses strictly necessary session cookies to authenticate users. With your consent, we also use Google Analytics cookies (_ga, _gid, _ga_WFFENVK6YG) to understand how visitors use the platform. IP addresses are anonymised. Analytics cookies are only set after you accept via the consent banner.
For a full list of cookies and how to manage your preferences, see our Cookie Policy.
9. Changes to this policy
We may update this Privacy Policy periodically. We will notify you of material changes by email. Continued use of the Service after changes constitutes acceptance.
10. Contact
For privacy enquiries, contact our data controller at privacy@rovva.co.uk.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.