roster
ProductPricingSecurityFor artists
EN
FRFrançaisENEnglish✓ESEspañolDEDeutschITItalianoNLNederlands
Sign inJoin early access

Privacy policy.

Last updated: 10 July 2026 · version 1.0

This translation is provided for convenience. In case of any discrepancy, the French version prevails.

01 · Who we are02 · Two distinct roles: controller and processor03 · Data processed as controller, purposes and legal bases04 · Retention periods05 · Sub-processors and recipients06 · Location and transfers outside the EU07 · Security08 · Your rights09 · Cookies and trackers10 · Audience11 · Changes to this policy

01Who we are

The ROSTER service (roster.ag and app.roster.ag) is published by NYWAL, a French SAS with a share capital of €100, RCS Nanterre 990 053 654, 6 Square de l’Hippodrome, 92210 Saint-Cloud, France. For any question about personal data: [email protected].

This policy describes the processing of personal data carried out in connection with the marketing site and the service, and your rights.

02Two distinct roles: controller and processor

NYWAL is the controller for the data it decides to process for its own purposes: user accounts, customer relationship and billing, waitlist, support, security and technical logs of the service.

NYWAL is a processor (Article 28 GDPR) for the data each customer organisation (agency or independent artist) imports and manages in its workspace: artist records, promoter and producer contacts, dates, contracts, invoices, financial and logistics data, documents. For that data, the customer is the controller: data subjects should exercise their rights first with the organisation concerned; we promptly forward any request received directly.

03Data processed as controller, purposes and legal bases

No data is sold. No targeted advertising or advertising profiling is carried out. No decision producing legal effects is taken in an exclusively automated manner.

  • Account and authentication — identity (first and last name), email, password (hashed), preferences (language, theme), devices and sessions, sign-in logs (IP address, timestamp, user agent). Purposes: provision of the service, account security, fraud prevention. Legal bases: performance of the contract; legitimate interest (security).
  • Billing and subscription — billing identity, subscription and payment history (via Stripe; we do not store full card numbers). Purposes: invoicing, accounting, legal obligations. Bases: performance of the contract; legal obligation.
  • Waitlist and contact — email, declared role, language, support exchanges. Purposes: information about the service opening, responding to enquiries. Bases: consent (waitlist); legitimate interest or pre-contractual measures (support).
  • Technical logs — application and security events. Purpose: continuity and security of the service. Basis: legitimate interest.

04Retention periods

  • Account data: duration of the contract, then deletion or anonymisation within 30 days of the effective end of the contract (see Terms of Service), subject to legal obligations.
  • Accounting records and invoices: 10 years (French Commercial Code).
  • Sign-in and security logs: 12 months maximum.
  • Waitlist: until consent is withdrawn or 3 years after the last contact.
  • Encrypted backups: short rotation cycle; deleted data disappears from backups at the end of the cycle.

05Sub-processors and recipients

Association LibraHost (FR)Hosting of servers and application data — France (EU).
Cloudflare, Inc. (US)Content delivery network, attack protection (DNS/CDN/WAF) — governed by the Data Privacy Framework and standard contractual clauses.
Stripe Payments Europe, Ltd. (IE)Payment processing and subscription management — any transfers governed by DPF/SCCs.
Brevo (Sendinblue SAS, FR)Transactional email delivery (account verification, invitations, notifications) — France (EU).
ScrapeCreators (US)Collection of publicly accessible statistics from social platforms for the statistics module; only the public identifiers of tracked profiles are transmitted — governed by standard contractual clauses.

We use the following providers, within the limits of the purposes indicated. This list is kept up to date on this page; any addition or replacement is announced to customers at least 30 days in advance.

06Location and transfers outside the EU

Application data is hosted in France (European Union). Some providers (Cloudflare, Stripe, ScrapeCreators) may involve transfers to third countries, in particular the United States; such transfers are governed by an adequacy decision (EU-US Data Privacy Framework for certified entities) and/or by the European Commission’s standard contractual clauses, supplemented where appropriate by additional measures.

07Security

Main measures implemented: strict per-organisation data isolation enforced down to the database (forced row-level security); TLS encryption of all connections; encryption at rest of sensitive secrets (IBAN, integration tokens) with a dedicated, versioned key; automatic encrypted backups kept in the EU; two-factor authentication and passkeys; in-app PIN lock; revocable sessions and sign-in history; append-only logging of sensitive actions; least-privilege production access; blocking automated isolation tests on every production deployment.

Any data breach likely to result in a risk is notified to the CNIL within 72 hours and to the customers concerned without undue delay.

08Your rights

You have the rights of access, rectification, erasure, restriction, portability and objection, as well as the right to set post-mortem directives. To exercise them: [email protected]. We respond within one month (extendable by two months for complex requests). You may lodge a complaint with the CNIL (cnil.fr), the French supervisory authority.

Reminder: for data managed by a customer organisation in its ROSTER workspace (for example your record in an agency’s address book), please contact that organisation first, as controller.

Customers additionally have, on a self-service basis in the application, a full export of their data and restorable backups.

09Cookies and trackers

The marketing site and the application use no advertising cookies and no third-party analytics trackers. Only the following are used: cookies and tokens strictly necessary for authentication and session security in the application; local storage of display preferences (theme, language); and the technical cookies of our delivery provider (Cloudflare) necessary to protect the service. These strictly necessary elements are exempt from consent — which is why no banner is displayed.

10Audience

The service is intended exclusively for professionals. It is not directed at children under 15, and we do not knowingly collect data concerning them.

11Changes to this policy

This policy may be updated, in particular as the service or regulations evolve; the date at the top of the page is authoritative. Substantial changes are notified to customers. In case of discrepancy between language versions, the French version prevails.

roster

Booking management for artist agencies.

Hosted in Europe · Data isolated per agency · Up to 14 days free trial, no card

ProductFeaturesPricingFor artistsSecurity
ResourcesContactSign inJoin early access
LegalLegal noticePrivacyTermsCookies
© 2026 ROSTER. All rights reserved.
FRENESDEITNL