Privacy Policy
1. Who we are
RosterMate is an independent web service that helps Brussels Airlines crew members arrange shift swaps. It is not affiliated with, endorsed by, or operated by Brussels Airlines SA/NV or the Lufthansa Group.
Under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the joint data controllers are:
Ben Leys & David Van Humbeeck
Vogelstraat 1
2580 Putte
Belgium
Privacy contact: [email protected]
General contact: [email protected]
We have not appointed a Data Protection Officer (the legal threshold under GDPR Art. 37 is not met), but you can reach us directly for any privacy matter at the address above.
2. What personal data we collect
2.1 Account data
- Name and email address (account login & transactional notifications).
- Brussels Airlines A-number (employee identifier) and an optional 3- or 4-letter personal code — used to address you correctly in colleague-facing notifications and confirmed-swap emails.
- Brussels Airlines company email (used to send you your own confirmation email when a swap is confirmed, if you provide it).
- Password — stored only as a salted hash (never in plain text).
- Account state: email confirmation tokens, confirmation timestamps, allowed/activated flags, role (crew/admin), creation date, last login date.
- Preferences: notification frequency (immediate / daily), roster-history retention preference (see §6), language preference.
- Future legality inputs (currently nullable, not used in v1): employment percentage, hire date, sector affiliation (MH / LH_MIX), home base. These columns exist so future Belgian CLA rules can be added without an additional migration; they are only populated if you fill them in yourself.
2.2 Roster data
When you link your Brussels Airlines iCal feed we fetch and store, for as long as you keep the link active:
- The iCal URL itself (treated as a secret — it grants read access to your roster).
- Assignments: flights (number, departure/arrival station, sign-in, STD, STA), duty periods, simulator/training duties, and leave codes (WR, AL, ILL_NC, ILL_WC, T80, …).
- Pairings — flights grouped into BRU-bounded trips, with the minimum rest at each boundary.
- Sync metadata: last sync timestamp, last sync status and error, and a SHA-256 roster fingerprint we recompute on sync to detect material changes that should expire open offers.
2.3 Qualifications
Aircraft types and positions (e.g. SCCM on A320, PUM on A330) you hold, plus a flag indicating whether each row was auto-granted by a chained-qualification rule. Used solely to filter mutually compatible swap matches.
2.4 Swap activity
- Swap offers you post: date range, position, aircraft type, optional note, optional filters (e.g. departure-time windows, destinations), status, expiry timestamp.
- Swap proposals (requests) you send or receive: counter-date range, position, status, optional note to the counterparty.
- Hidden offers: a record per offer you dismiss from the marketplace, so we don't re-show it.
- Confirmed swaps: an immutable audit record linking both crew members, both positions, and the agreed date range (see §6 for retention).
2.5 Email and notification logs
We store the notifications we generate for you (event type, compact JSON context, recipient, channel preferences, sent timestamp, attempt count, last error) in an internal notification_events table. We also keep compact delivery audit rows in notification_deliveries with channel, recipient, subject/title, grouped notification ids, status, timestamp, and small error metadata. Full rendered notification email HTML and push bodies are not stored in that audit table. Outbound email payloads (recipient, subject, HTML body, cc, send status) may also be stored in email_outbox when that table acts as a retry queue after Amazon SES delivery fails. These records are kept for deliverability, debugging, statistics, and audit; they are not used for marketing.
2.6 Technical data (server access logs)
Our hosting provider keeps standard web-server access logs containing your IP address, user-agent string, request path, response code, and timestamp. These are used for security, abuse detection, and debugging, and are retained for approximately 30 days.
2.7 What we do not collect
- We do not collect or store any payment card data. Optional donations are handled entirely off-platform by Buy Me a Coffee (see §4).
- We do not use any advertising or marketing-tracking cookies or pixels.
- We do not collect special categories of personal data (health, religion, etc.). Sick-leave codes that may appear in your iCal feed (e.g. ILL_NC, ILL_WC) are stored as opaque duty codes so the legality engine can count duty-free days correctly — they are not used for any other purpose and are visible only to you.
3. Legal bases for processing (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)) — account creation, authentication, roster sync, qualification matching, swap matching, and the transactional notifications that follow from your own swap activity.
- Legitimate interests (Art. 6(1)(f)) — security logging, abuse prevention (rate limits, bot protection), and operating the service reliably. You may object to this processing under §8.
- Consent (Art. 6(1)(a)) — extended roster history retention beyond the default 30-day rolling window (see §6) and analytics cookies, which load only after you accept them in our cookie banner (see §5). Consent can be withdrawn at any time.
- Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data to comply with applicable Belgian or EU law (e.g. responding to a valid request from a competent authority).
4. Who we share your data with (sub-processors & recipients)
Your data is not sold, rented, or shared with third parties for marketing. The following processors and providers may process limited personal data on our behalf to deliver the service:
| Provider | Purpose | Data & location |
|---|---|---|
| Railway Corp. | Application hosting & PostgreSQL database | All application data; servers in Amsterdam, the Netherlands (EU). |
| Amazon Web Services (SES) | Sending transactional emails | Recipient email, subject, body; EU region. |
| Cloudflare, Inc. | DNS resolution and (on the Contact page only) Turnstile bot challenge | IP address, user-agent, challenge token; global infrastructure (data processed under SCCs). |
| Google LLC — Google Analytics 4 (G-9BT4KBTSWP) | Aggregate usage statistics; loaded only after you accept analytics cookies in our cookie banner | IP address (truncated), cookie identifiers, page paths; may be transferred to the United States under Standard Contractual Clauses. |
| jsDelivr (Prospect One) | Serving the flatpickr date-picker library (only on the swap browse page) | IP address & user-agent (HTTP request only). |
| Buy Me a Coffee / Stripe | Optional donations (only if you choose to donate via the linked page) | Your donation flow happens entirely on Buy Me a Coffee's site; we never see your card details. Their own privacy notices apply. |
Where processors transfer data outside the European Economic Area (notably Google in the United States), we rely on the European Commission's Standard Contractual Clauses as the transfer safeguard.
5. Cookies, local storage, and similar technologies
5.1 Strictly necessary (no consent required)
| Name | Type | Purpose & lifetime |
|---|---|---|
| session | HTTP cookie | Keeps you signed in. Expires when your browser session ends, or sooner. |
| remember_token | HTTP cookie | Set only if you tick "remember me" on login; lets you stay signed in across browser sessions. |
| CSRF token (meta name="csrf-token") | Per-page token | Protects form submissions against cross-site request forgery. Not persisted in a cookie. |
| rm.lang | localStorage | Remembers your language choice (EN/FR/NL) for FAQ & UI labels. Stays until you clear browser data. |
| rosterSyncGreeted, rosterDismissed.v2 | sessionStorage | Prevents the roster-sync banner from re-flashing on every page within one browsing session. Cleared automatically when you close the tab. |
5.2 Analytics (consent required)
We use Google Analytics 4 to understand how the site is used (page views, navigation patterns, browser/device mix). Analytics cookies and the Google tag are loaded only after you accept them in our cookie banner. Until you accept, no analytics identifiers are set. You can change or withdraw your choice at any time via the cookie-preferences link in the footer.
5.3 Bot protection on the contact form
The public Contact page loads Cloudflare Turnstile to verify that the form is submitted by a human. Turnstile uses local state and sends a non-tracking challenge token to Cloudflare. It does not profile you across sites.
6. How long we keep your data
| Data category | Retention |
|---|---|
| Account record (name, email, A-number, hashed password, preferences) | Until you delete your account (see §9). |
| iCal URL & sync metadata (crew_rosters) | Until you unlink it or delete your account. |
| Roster assignments & pairings — history-on (default) | Kept while your account is active so you can view past months. |
| Roster assignments & pairings — history-off (opt-out in profile) | Automatically purged daily: anything older than 30 days is deleted. You can re-enable history at any time, but data already purged cannot be recovered. |
| Active swap offers & pending proposals | Until expired, cancelled, or accepted. |
| Confirmed swap records (confirmed_swaps) | Kept as an audit record linking both crew members. On account deletion, your personal data is removed but the swap record itself may be retained in reduced/pseudonymised form (see §9), because it also concerns another crew member's history. |
| Notification & email delivery logs | Kept for deliverability and debugging while your account is active; removed on account deletion together with the rest of your data. |
| Server access logs (IP, user-agent, request path) | Approximately 30 days, then deleted by the hosting provider. |
7. Who can see your data inside RosterMate
- Marketplace browsing: other crew members see the offer's date range, position, aircraft type, expiry, and an indication that they qualify to swap. All of this stays fully anonymous — your name is not shown on the marketplace.
- Proposal phase: a proposer sees the slice of your roster that overlaps the proposed swap window so they can check compatibility. They do not see the rest of your roster, and your identity remains private.
- Confirmed swap: only once a swap is confirmed do both crew members see each other — and even then only the name and 3-letter code needed to process the swap via the airline's official channel. The confirmation email is sent to each crew member's own company email address (if on file); nothing is ever sent to the airline directly.
- Roster legality page & roster counter: visible only to you. No one else can see your full roster.
- Administrators: a small number of operators (the controllers listed in §1) may access account and swap data when strictly necessary for support, abuse investigation, or technical maintenance.
8. Your rights under the GDPR
You have the right to:
- Access (Art. 15) — receive a copy of the personal data we hold about you.
- Rectification (Art. 16) — have inaccurate data corrected.
- Erasure (Art. 17, "right to be forgotten") — see §9.
- Restriction of processing (Art. 18).
- Data portability (Art. 20) — receive your data in a structured, commonly-used, machine-readable format.
- Object (Art. 21) — to processing based on our legitimate interests.
- Withdraw consent (Art. 7(3)) — at any time, for processing based on consent (analytics cookies, extended history retention). Withdrawal does not affect the lawfulness of processing carried out beforehand.
- Lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) at dataprotectionauthority.be if you believe your rights have been violated.
To exercise any of these rights, email [email protected]. We will respond within 30 days (extendable by two further months for complex requests, in line with Art. 12(3) GDPR). We may need to verify your identity by asking you to send the request from your registered email address.
9. Deleting your account
You can request account deletion at any time by emailing [email protected] from your registered address. On receipt:
- Your account is deactivated immediately — you can no longer sign in, your active swap offers and pending proposals are cancelled, and your roster stops syncing.
- Your personal data is permanently deleted within 30 days. This grace period lets you reverse the deletion if you change your mind.
- Confirmed-swap records that involve another crew member may be retained in reduced or pseudonymised form (your identifier replaced with an opaque placeholder) so the other party's audit trail remains intact, as permitted by Art. 17(3)(e) GDPR.
10. Security
Passwords are stored as salted hashes using industry-standard algorithms. All traffic between your browser and our servers is encrypted via HTTPS (TLS). Access controls ensure that roster data is visible only to the account holder (and, in the narrow circumstances described in §7, to a matched swap counterparty). We apply rate-limiting on sensitive endpoints (login, contact form, profile changes) and use bot protection on the public Contact form. Background jobs (cron tasks) are guarded by a shared secret and PostgreSQL advisory locks.
If we ever become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours and, where the risk is high, notify affected users without undue delay (Art. 33 & 34 GDPR).
11. Children
RosterMate is intended exclusively for active Brussels Airlines crew members and is not directed at children under 16. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy as the service evolves. Material changes will be announced by email to registered users and the "Last updated" date at the top of the page will be revised. Continued use of the service after the effective date of a change constitutes acceptance of the updated policy.
13. Contact
Privacy questions and data-subject requests: [email protected]
General enquiries and account deletion: [email protected]
Postal address: see §1.