Security & GDPR

Your clients trust you. We help you keep it.

You hold real, sensitive data — names, contact details and payments. Rosta is built to protect it from the database up, and deliberately gives you nowhere to store health or medical information in the first place.

UK/EU hosting

Your workspace is stored on infrastructure built by Supabase, with data isolation between every coach's account.

Encrypted, everywhere

TLS/HTTPS protects every connection, data is encrypted at rest with automated backups, and secrets never ship to the browser.

Row-level security

Access rules are enforced in the database itself — not just the app — so you only ever see your own clients and sessions.

Card data never touches us

Payments run through Stripe's hosted checkout, so card numbers go straight to Stripe and never pass through Rosta's systems.

Hosted authentication

Sign-in, password hashing and resets are handled by Supabase Auth — battle-tested infrastructure, not home-rolled login code.

Your data, exportable

Export your sessions and finances as CSV whenever you want — your data isn't locked in.

A clean historical record

Every session and payment is timestamped and kept in your history — nothing silently disappears or gets rewritten.

Tested & reviewed

Automated tests and a documented security review protect every release before it reaches your workspace.

No health data, by design

Rosta has no notes field for medical or health information about you or your clients — the safest data is data we never give you a place to store.

GDPR

A clear data relationship

Under UK & EU GDPR, you are the data controller for your clients' data and Rosta is your data processor. We only ever process it on your instructions.

Data Processing Agreement (DPA) available to sign
Transparent list of sub-processors (hosting, email, payments)
Right to export or delete client data on request
Data minimisation — we only collect what running your sessions needs
Incident plan in place — reportable breaches notified within 72 hours

Want the detail?

Happy to share our DPA and walk through our security posture before you commit — just email rosta@trndsttr.co.uk.