Last updated: June 2026
Your rota holds real people's contact details and working patterns. We treat that as data worth protecting. Here is how we do it, in plain terms.
All traffic runs over HTTPS (TLS). Data is encrypted in transit and at rest in our database. Card details are handled entirely by Stripe and never touch our servers.
Accounts are protected by authenticated sessions. Within a venue, owners and managers see what their role allows, and each business’s data is isolated from every other.
We build on Supabase and Vercel, hosted in UK and EU regions. We do not run our own servers, which removes a large class of patching and configuration risk.
The database is backed up automatically by our hosting provider, with point-in-time recovery available, so your rotas and team data can be restored if something goes wrong.
We collect only what the Service needs and never sell personal data. A short list of vetted subprocessors is published openly.
Found a security issue? Email us and we will investigate promptly. We welcome good-faith reports and will not pursue researchers who act responsibly.
Core data is hosted in UK and EU regions. Some subprocessors operate outside the UK; where that happens we rely on UK GDPR transfer safeguards such as Standard Contractual Clauses. The full list is on our Subprocessors page.
Please email hello@batchstaff.com with details and steps to reproduce. We aim to acknowledge reports within two working days.
See also our Privacy Policy, DPA, and Trust centre.
Batch is a product of TeZe Ltd · company number 17137231 · 66 Paul Street, London, EC2A 4NA · ICO registration ZC134108 · VAT GB 517 9808 54. Cyber Essentials certification in progress.