Effective date: October 20th, 2023
Rocket.Chat Technologies Corp. ('us', 'we', or 'our') operates the Rocket.Chat Website (https://rocket.chat), Rocket.Chat Services, including the Marketplace and associated Rocket.Chat Apps, Rocket.Chat's Cloud Offering, the Rocket.Chat Open Server (https://open.rocket.chat), and the Rocket.Chat mobile applications (the 'Services').
Our policy includes three appendices, each addressing distinct aspects of our privacy framework:
- Appendix 1: Specific details about privacy in our cloud offerings.
- Appendix 2: Privacy regulations framework, including applicable legal requirements that may pertain to your company or jurisdiction.
- Appendix 3: Provisions related to the privacy of Rocket.Chat Open Server.
This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Services and the choices you have associated with that data.
Administrators are responsible for Users' privacy, and we help administrators.
- There are basically two ways of using Rocket.Chat: self-hosted (also known as on-premises deployment) on your own or someone else's infrastructure, or via our Cloud-hosted offering. In both cases, the administrator of that instance - or the organization behind the administrator - is the person responsible for ensuring the privacy of Rocket.Chat users.
- We aim to help by providing features in our products and services to make that job easier.
- We also provide this policy to explain what we do as a "helping hand"/data processor for administrators in case we process users' personal data.
Data Handling on a Self-Hosted Deployment
- We cannot access Customer user-generated data in a Self-Hosted instance of Rocket.Chat.
- Rocket.Chat code is open source; there are no back doors whatsoever.
Data Handling on a Cloud Hosting Offering
- In the Rocket.Chat Cloud hosted offering, we only process Customer data for the purpose of providing Customers the service in the name of the administrator. Administrators are still in full control over the configuration of their instances.
Services means the website (https://rocket.chat), Rocket.Chat Open Server (https://open.rocket.chat), Rocket.Chat Software and Marketplace, incl. associated Rocket.Chat Apps, the https://cloud.rocket.chat service offering, push notification gateways, and the Rocket.Chat mobile applications operated by Rocket.Chat Technologies Corp.
Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
Usage Data means the data collected automatically either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Cookies are small pieces of data stored on your device (computer or mobile device). They are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device.
Data Processors (or Service Providers) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.
Data Subject (or User) means any living individual who is using our Service and is the subject of Personal Data.
Other tracking technologies we use are beacons, tags, and scripts to collect and track information and to improve and analyze our Service.
In connection with our operations and during the lifecycle of business relationships with our Customers, we collect various types of personal data, meaning any information that identifies or allows us to identify you.
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you ("Personal Data"). Personally identifiable information may include but is not limited to:
- Email addresses
- First name and last name
- Cookies and Usage Data
- Phone number and other contact details
Some Services may allow or require that you register for a personalized account. Account data may include, in addition, your account name, authentication information, registration date, contact information, payment information, and any other information associated with your account.
We may also collect information that your browser sends whenever you visit our Service or when you access the Service, including by or through a mobile device ("Usage Data").
This Usage Data may include information such as your computer's Internet Protocol address (e.g., IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When you access the Services by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, the IP address of your mobile device, your mobile operating system, the app version, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.
We may use and store information about your location if you give us permission to do so (“Location Data”). We use this data to provide features of our Service (only to allow you to share your location with another user via Rocket.Chat if it was enabled by the administrator).
You can enable or disable location services when you use our Service at any time through your device settings.
When you use the Marketplace, you may choose to install Apps provided by Rocket.Chat. These Apps process data from your instance of Rocket.Chat and, therefore, non-personal data, such as software version, number of users, and similar. Depending on the purpose and your actual usage of the App (e.g., enabling certain features), Personal Data may, however, be processed, for example when you enable an integration that processes your users' information. The description of the App will make the types of personal data sufficiently clear, as well as any potential deviations from this policy.
- We DO NOT track activity in your self-hosted instances.
- We regularly monitor aggregated activity data on our infrastructure, but this is not tracking of individual users in the sense of this paragraph; such tracking only occurs when we have a legitimate interest in doing so (e.g., for security and compliance purposes).
- We do perform regular tracking on our Open Server.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
Examples of Cookies we use:
- Session Cookies. We use Session Cookies to operate our Service.
- Preference Cookies. We use Preference Cookies to remember your preferences and various settings.
- Security Cookies. We use Security Cookies for security purposes.
For example, the tracking statistics sharing will transmit the total number of channels, but not the actual channel names, to preserve your workspace's privacy. Depending on the services and plans purchased, disabling this tracking statistics collection may be possible.
We collect and use your personal data to the extent necessary to carry out our operations, provide our services, and comply with any regulatory obligations in our activities.
These purposes are defined in more detail below:
- To provide and maintain our Services
- To notify you about changes to our Services
- To allow you to participate in interactive features of our Service when you choose to do so
- To provide customer support
- To gather analysis or valuable information so that we can improve our Service
- To monitor the usage of our Service
- To detect, prevent, and address technical issues
- To provide you with news, special offers, and general information about other goods, services, and events that we offer that are similar to those that you have already purchased or enquired about if you have provided consent to receive this information or the processing is in our legitimate interests and it's not overridden by your fundamental rights.
- You may withdraw that consent at any time or object to receiving any or all of these communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us through our Data Request Form.
In accordance with the applicable regulations, we may only use your personal data for at least one of the following reasons:
We collect and use your personal data to comply with various legal and regulatory obligations, such as:
- Anti-money laundering regulations and counter-financing of terrorism regulations, including Know Your Customer (KYC) obligations.
- Regulations relating to international financial sanctions and embargoes.
We also use your personal data to fulfill our legitimate interests, which include the following:
- Provision and delivery of our products and services.
- Marketing and customer communication and development of our customer relationships.
- Development of our products and services.
- Security and safety of our IT and facilities.
If certain personal data processing requires your consent (e.g., cookies), we will inform you of this, including details of the specific processing activity, and request your consent to such processing. You may request to revoke your consent at any time.
Rocket.Chat will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those from your jurisdiction.
In rare circumstances, we may be required to disclose user-uploaded content and other Personal Data in response to a valid request from law enforcement authorities. We will only comply with such requests if they are made in accordance with applicable laws, regulations, and our internal guidelines for disclosure.
Rocket.Chat Technologies Corp. may disclose your Personal Data in the good faith belief that such action is necessary:
- To comply with a legal obligation
- To protect and defend the rights or property of Rocket.Chat Technologies Corp.
- To prevent or investigate possible wrongdoing in connection with the Service
- To protect the personal safety of users of the Service or the public
- To protect against legal liability.
We may employ third-party companies and individuals to facilitate our Service ("Service Providers"), to provide the Service on our behalf, to perform Service-related services, or to assist us in analyzing how our Service is used.
These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
The ways in which we share your Personal Data include the following:
- For information processing, payment processing, credit checks, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer service, assessing your interest in our products and services, and conducting customer research or satisfaction surveys.
- Where appropriate, we may provide your personal data to Rocket.Chat partners in order to fulfill your request for service delivery.
We execute contracts with our third parties to ensure they fulfill their data protection obligations.
We may use third-party Service Providers to monitor and analyze the use of our Service.
- Google Analytics
- Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
- Firebase is an analytics service provided by Google Inc.
Our Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third-party's site. When using such third-party websites, we recommend that you read the relevant sites' terms and privacy policies.
In accordance with applicable regulations and where applicable, you have the following rights:
- To access: you can obtain information relating to the processing of your personal data and a copy of such personal data.
- To rectify: you can request that your personal data be modified accordingly if you consider that your personal data are inaccurate or incomplete.
- To erase: you can require the deletion of your personal data to the extent permitted by law.
- To restrict: you can request the restriction of the processing of your personal data.
- To object: you can object to the processing of your personal data on grounds relating to your particular situation. You have the right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
- To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
- To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.
If the processing is based on your consent, you may also withdraw your consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal). If you have previously consented to receive promotional email communications from us, you can use the unsubscribe function at the bottom of our emails to unsubscribe from our emails at any time (“withdraw your consent”).
If you have an active Rocket.Chat account, it’s not possible to opt out of basic emails since we need to communicate basic information, where relevant, to users in order to continue delivery of the account.
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA or other applicable jurisdictions, you have the right to lodge a complaint with the competent supervisory authority.
Ensuring the security of the data you entrust to us is one of our most important responsibilities. We apply appropriate technical and organizational measures to keep your personal data secure. We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
Your data can only be accessed by persons for whom it is necessary in relation to their work.
Although we do our best, given the nature of communications and information processing technology, we cannot guarantee that Information during transmission through the Internet or while stored on our systems or otherwise in our care will be absolutely safe from intrusion by others.
Our Services are only available to Users above the legal age of 13 years or any higher age required by the applicable regulations in your jurisdiction.
Users under the legal age should discontinue using our services. If you are from a country subject to GDPR, you must be 16 years old or above unless your country has enacted a regulation specifying a lower minimum age.
Individuals from LGPD-regulated countries must be 18 years of age or older unless parental consent has been obtained.
We do not knowingly collect personally identifiable information from anyone under the legal age. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
Please note that the customer is responsible for managing user-generated data and workspace control, including compliance with data handling for minors in their jurisdiction.
As our business grows and our services and products evolve, this privacy notice may change, or other privacy notices may be written and posted specifically to address new offerings or to keep pace with data privacy laws.
The following paragraph is intended to provide clarity on data processing in Rocket.Chat workspaces. Please note that there are differences in the data processing that occurs between self-hosted workspaces and workspaces hosted by us. With our Cloud Hosting service, all data input into the workspace is processed on our infrastructure.
The table below explains the general distinction between the data that is processed in each case. It's important to remember that individual circumstances may vary, such as cases where apps are installed on unregistered workspaces via workarounds.
There are two classifications for Rocket.Chat self-hosted workspaces: registered and non-registered. Registered workspaces have access to a wide range of features and services, and registered workspaces are eligible for our "starter" or paid plans (dependent on user counts and functionality requirements). Note that non-registered workspaces operate independently without formal registration and with no data collection by Rocket.Chat. Non-registered workspaces are only available via the Free and Open Source Software (FOSS) self-build deployment path.
For our Cloud Offerings, we act as a Data Processor for our Customers, who are the Data Controllers of the instances they have licensed and administer. As a User, you will be bound by the Data Controller's policies. For these instances, please direct your data privacy questions to the Data Controller.
Regarding some of our Cloud Products, Customers have certain options to select the processing location of data and configure the instance's privacy-relevant settings. If you are the Customer of one of these instances, you can contact us and get more information on where your instance is running.
We generally offer two regions:
- hosting in the United States
- hosting in the European Union
Other regions may be added over time.
The amount of Personal Data we process with our Cloud Offerings is limited to what the Customer and their users enter into the Service. In the Cloud offering, we will not process the personalized cookie or analytics data described above. The purposes of processing the data are strictly limited to providing and improving the Service in accordance with the Data Controller's instructions. We never access workspace data (i.e., the actual content the customer is entering in their instance) unless the customer asks us to in the form of a support request, we are bound by a valid law enforcement request, or we need to protect our own interests, such as investigating potential abuse of the service.
Once your usage of our cloud offering ceases, we will remove all your data, including backups, after a short grace period - or immediately if you tell us to.
As part of our commitment to privacy and transparency, we provide this appendix to explain how we handle your data according to relevant regulations. We encourage you to read these clauses carefully to understand how your data is managed in compliance with the law.
This section provides additional details about the personal information we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act or “CCPA.”
We do not provide services, or other items of value, as consideration for your, or your end users’, personal information protected by the CCPA.
You are responsible for ensuring your compliance with the requirements of the CCPA in your use of the Services we provide to you and your own processing of personal information.
Here are a few things that Rocket.Chat will NOT do with personal information in the scope of acting as a service provider, as defined by CCPA:
- sell, rent, or otherwise disclose your personal information to third parties in exchange for money or something else of value;
- use your information outside the scope of the agreement(s) for services that we have with you.
Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use and disclose this personal information), to delete their personal information, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights.
We do not support Do Not Track ("DNT") signals. Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.
You can enable or disable Do Not Track by visiting your web browser's Preferences or Settings page.
Where required, we provide the option to sign Standard Contractual Clauses approved by the European Commission to ensure sufficient data protection or other relevant mechanisms based on the Customer's requirements or applicable agreements in the customer's jurisdiction. For additional details, please visit the Privacy Center.
- Our Open Server is for testing purposes.
Data Collected on the Open Server
Rest assured that we securely store all uploaded content in our cloud-hosted infrastructure.
Data Retention on the Open Server
Rocket.Chat reserves the right to delete inactive accounts, channels, discussions, and associated content on the Open Server. Rocket.Chat may deem an account, channel, or discussion inactive based on various criteria, including, but not limited to, the account creation date, the last time there was a valid log-in and the date of the last contribution. If we plan to delete your account, we will provide advance notice by sending a message to the email address registered to your account. Rocket.Chat encourages you to utilize your account on occasion to avoid the risk of being deemed inactive.
Account Deletion on the Open Server
If you wish to delete your account at Rocket.Chat Open Server, you can do so by logging in to your account, clicking on the account, then selecting 'profile', and finally clicking on 'excluding my account'. Please note that once you delete your account, this action cannot be undone.