Skip to content

Privacy & GDPR

Last updated: 14 July 2026

This notice explains what personal data EvacRoster processes, why, and the rights people have under the EU/UK General Data Protection Regulation (GDPR) and similar laws. It is a working template — adapt it with your own legal counsel before production use.

Who is the controller

The property management company operating a building is the data controller for its residents' data. EvacRoster acts as a data processor, processing that data only on the controller's documented instructions. A Data Processing Agreement (DPA) is available to controllers on request.

What we collect

  • Managers: name, email, and login credentials (passwords are hashed by our auth provider).
  • Residents: name, unit, phone, email, languages spoken, mobility needs and notes, medical-training and resource flags, and an emergency contact — all self-provided through the intake form.
  • Operational: drill logs and SMS broadcast records used for compliance evidence.

Mobility and medical information may be special-category data. We collect it only with the resident's explicit consent, captured at intake.

Why we process it (legal basis)

  • Explicit consent— for residents' special-category (health/mobility) data.
  • Legitimate interests / legal obligation — building safety, emergency preparedness, and meeting fire-safety recordkeeping duties.
  • Contract — providing the service to the managing company.

Who we share it with (sub-processors)

  • Supabase — database, authentication, and hosting (encryption at rest and in transit).
  • Twilio — sending emergency SMS, only when a manager triggers a broadcast.
  • Stripe — subscription billing; residents' personal data is never sent to Stripe.

We do not sell personal data or use it for advertising.

Retention

Resident data is kept while the building maintains an active readiness roster and is deleted or anonymised when a manager removes a resident, deletes a building, or closes the account. Drill and broadcast logs may be retained longer where needed as compliance evidence.

Your rights

Under GDPR, data subjects can request to:

  • Access the personal data held about them
  • Rectify inaccurate data
  • Erase their data ("right to be forgotten")
  • Restrict or object to processing
  • Withdraw consent at any time
  • Receive their data in a portable format

Residents should contact their building manager (the controller) to exercise these rights; managers can action them directly in the dashboard or ask us for assistance.

Cookies

We use only strictly-necessary cookies to keep managers logged in. No advertising or third-party tracking cookies are set, so no cookie-consent banner is required.

Contact

Privacy questions or data-subject requests: privacy@evacroster.example. Replace this with your real DPO/contact before launch.