Privacy Policy
Last updated: November 26, 2025
## 1. Introduction
Rook (“we,” “our,” or “us”) operates the training and activity tracking platform available at Rook.so (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect your information when you use the Service.
This policy applies to your use of the Rook website (rook.so) and our mobile applications (e.g., Rook for iOS and iPadOS). When you use our apps from the App Store, the same data practices described here apply, and we may ask for your permission to track for advertising and measurement where required by the platform (see Section 6).
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
---
## 2. Information We Collect
We collect information you provide, information from your use of the Service, and information from third-party services we use to run the Service.
### 2.1 Account and Profile Information
- **Account data:** Email address, username, and authentication identifier (from our identity provider).
- **Profile data:** Display name, profile picture (avatar URL), and preferences such as unit system (e.g., metric or imperial).
### 2.2 Training and Usage Data
- **Sessions:** Sessions you create or log (e.g., training or activity sessions), including dates, notes, and related metadata.
- **Movements and executions:** Exercises, sets, reps, loads, and other performance data you record.
- **Documents:** Any documents you create or upload in connection with your training.
- **Planned sessions:** Prescriptions and planned training you save.
- **Calendar and feed:** How you use the calendar, feed, and other product features.
- **Connected devices and integrations:** When you connect third-party devices or services (e.g., wearables like Garmin or Whoop, or other training tech), we may receive and store data from those integrations in association with your sessions or exercises, in line with the permissions you grant.
### 2.3 Payment and Billing Information
- **Subscription data:** Plan type, billing cycle, trial status, and current period dates.
- **Payment processing:** We use one or more third-party payment providers (e.g., Stripe, Apple for in-app purchases). We store subscription status and customer/subscription identifiers; we do not store full payment card numbers. Payment details are handled by the relevant provider in accordance with their privacy policy.
### 2.4 Technical and Device Data
- **Log and usage data:** IP address, browser type, device information, and general usage of the Service (e.g., requests, errors) for operation and security.
- **Analytics:** We use analytics (see Section 6) to understand how the Service is used (e.g., page views on certain routes). We do not use this to track your detailed activity inside your dashboard.
- **Advertising and conversion:** We use Meta (Facebook) Pixel and Google Tag Manager to measure and improve our marketing (e.g., page views, conversion events). These may collect or receive identifiers and usage data; see Section 5.1 and Section 6.
- **Browser storage:** We may use local or session storage for technical purposes (e.g., redirect URLs during sign-in).
---
## 3. How We Use Your Information
We use the information we collect to:
- **Provide the Service:** Create and manage your account, store and sync your training and activity data, and deliver features such as sessions, movements, documents, calendar, and planned sessions.
- **Process payments:** Manage subscriptions, trials, and billing through our payment provider.
- **Support and communicate:** Respond to your requests, send important service-related messages, and (where you have agreed) marketing or product updates.
- **Security and integrity:** Protect the Service, detect and prevent abuse, and enforce our terms.
- **Analytics and improvement:** Understand usage patterns and improve the product (e.g., via aggregated analytics).
- **Legal and compliance:** Comply with applicable laws, respond to lawful requests, and protect our rights and the rights of others.
We do not use your training, activity, or health-related data for advertising. We do not sell your personal information.
---
## 4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area or the UK, we process your personal data based on:
- **Contract:** Processing necessary to provide the Service and perform our contract with you (account, training and activity data, billing).
- **Legitimate interests:** Operating and securing the Service, analytics, and improving our product, where balanced against your rights.
- **Consent:** Where we rely on consent (e.g., optional marketing), you may withdraw it at any time.
- **Legal obligation:** Where we must process data to comply with law.
---
## 5. Sharing and Third-Party Services
We do **not** sell your personal information. We share data only as follows:
### 5.1 Service Providers
We use trusted providers to run the Service. They process data on our instructions and are bound by contracts that protect your data:
- **WorkOS:** Authentication (sign-up, sign-in, account linking). They receive identifiers and email as needed for auth. See [WorkOS Privacy](https://workos.com/legal/privacy-policy).
- **Convex:** Database and backend infrastructure. Your account, profile, and training and activity data are stored and processed by Convex. See [Convex Privacy](https://www.convex.dev/legal/privacy-policy).
- **Stripe and/or Apple:** Payment processing and subscription management (e.g., Stripe for web, Apple for in-app purchases where offered). Billing-related data is shared with the provider you use. See [Stripe Privacy](https://stripe.com/privacy) and [Apple Privacy](https://www.apple.com/legal/privacy/).
- **PostHog:** Analytics (e.g., page views on selected routes) to improve the product. See [PostHog Privacy](https://posthog.com/privacy).
- **Meta (Facebook):** Conversion and advertising measurement via Meta Pixel (and related tools). Meta may receive page views and conversion-related events and use cookies and similar technologies. See [Meta Privacy](https://www.facebook.com/privacy/policy/).
- **Google:** Google Tag Manager loads and manages tags (e.g., analytics or advertising) on our site. Google may collect or receive data via those tags. See [Google Privacy](https://policies.google.com/privacy).
- **Sanity:** Content management for static content such as this Privacy Policy. See [Sanity Privacy](https://www.sanity.io/legal/privacy-policy).
- **Hosting and infrastructure:** Our hosting and infrastructure providers process requests and may log technical data (e.g., IP address, user agent) to deliver and secure the Service.
Each provider has its own privacy policy governing their use of data.
### 5.2 Other Disclosures
We may disclose your information if required by law, to protect our rights or safety, in connection with a merger or sale of assets, or with your consent.
---
## 6. Cookies and Similar Technologies
We use cookies and similar technologies for:
- **Essential operation:** Session and authentication so the Service works correctly.
- **Functionality and preferences:** To remember your preferences, such as sidebar state or panel layout, so the Service behaves the way you left it.
- **Analytics:** To understand usage (e.g., via PostHog). You can opt out of analytics; see your rights below and PostHog’s documentation for how to disable their cookies.
- **Advertising and conversion:** Meta Pixel and Google Tag Manager (and tags it loads) may set cookies or use similar technologies for measurement and advertising. You can control or opt out via your browser settings, Meta’s ad settings, and Google’s ad settings. **On Apple devices (iOS, iPadOS):** We may request your permission to allow tracking for advertising and measurement. You can decline in the system prompt or at any time in **Settings > Privacy & Security > Tracking**.
We may also use browser local or session storage for technical purposes (e.g., storing a redirect URL during sign-in). You can clear this via your browser settings.
You can control cookies through your browser settings. Blocking essential cookies may affect how the Service works.
---
## 7. Data Retention
- **Account and profile:** Retained while your account is active and for a reasonable period after you request deletion, as needed for support or legal obligations.
- **Training and usage data:** Retained while your account exists. When you delete your account (or request deletion), we delete or anonymize this data within a reasonable time, except where we must retain it for law or legitimate business needs.
- **Billing records:** Retained as required for tax, accounting, and legal compliance (often several years).
- **Logs and analytics:** Retained for a limited period for security and product improvement, then deleted or aggregated.
---
## 8. Security
We use reasonable technical and organizational measures to protect your data, including encryption in transit and access controls. No system is completely secure; we cannot guarantee absolute security. You are responsible for keeping your login credentials secure and for activity under your account.
---
## 9. Your Rights
### 9.1 General Rights
You may have the right to:
- **Access:** Request a copy of the personal data we hold about you.
- **Correction:** Request correction of inaccurate or incomplete data (you can also update much of this in your account settings).
- **Deletion:** Request deletion of your personal data, subject to legal or legitimate retention needs.
- **Portability:** Request a copy of your data in a structured, machine-readable format where applicable.
- **Restrict or object:** In certain jurisdictions, restrict or object to certain processing.
- **Withdraw consent:** Where we rely on consent, withdraw it at any time.
### 9.2 California (CCPA/CPRA)
If you are a California resident:
- You have the right to know what personal information we collect, use, and disclose.
- You have the right to request deletion of your personal information, subject to exceptions.
- We do **not** sell or share your personal information for cross-context behavioral advertising; you have the right to opt out of “sale” and “sharing,” and we do not sell or share your data in that sense.
- You have the right to non-discrimination for exercising your privacy rights.
### 9.3 How to Exercise Your Rights
- Use in-app account settings where available (e.g., profile, correction of account data).
- To request access, correction, deletion, or portability of your data (including account deletion), contact us at the email in the Contact section below. We will process requests within the time required by applicable law (e.g., 45 days under CCPA, one month under GDPR, subject to extension where allowed).
- For analytics: you can opt out of PostHog (e.g., via their opt-out mechanism or browser/device settings).
- On Apple devices: To limit tracking for advertising, decline the tracking prompt when shown or go to **Settings > Privacy & Security > Tracking** and turn off tracking for Rook.
If you are in the EEA or UK and believe we have not handled your data properly, you have the right to lodge a complaint with your local data protection authority.
---
## 10. International Transfers
We and our service providers may process your data in the United States or other countries where data protection laws may differ from your country. When we transfer data from the EEA or UK, we use appropriate safeguards such as standard contractual clauses or other mechanisms approved by regulators. You may request details of these safeguards by contacting us.
---
## 11. Children
The Service is not intended for anyone under 16 (or under 13 where applicable). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us and we will delete it.
---
## 12. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the “Last updated” date. For material changes, we may notify you by email or through the Service. Your continued use of the Service after the updated policy is posted constitutes acceptance of the changes.
---
## 13. Contact
For privacy-related requests, questions, or complaints:
- **Email:** support@rook.so
Include “Privacy” in the subject line and enough detail so we can identify your account and respond. We will respond in accordance with applicable law.
If you need a Data Protection Officer contact for GDPR purposes, you may use the same email and we will route your request appropriately.