Privacy Policy

    Effective date: October 20th, 2023

    We have made some updates to our privacy policy which will come into effect on the effective date specified. These changes include modifications related to workspace tracking and statistics data, which have been implemented from Rocket.Chat v6.5. You can access the earlier version of this Privacy Policy here.


    Rocket.Chat Technologies Corp. ('us', 'we', or 'our') operates the Rocket.Chat website (), Rocket.Chat Services, including the Marketplace and associated Rocket.Chat Apps, Rocket.Chat's Cloud Hosting Services, the Rocket.Chat open server, and the Rocket.Chat mobile applications (the 'Services').

    Please note that additional privacy policies may apply to Rocket.Chat's specific services. These policies can be visited here.

    At a glance

    This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Services and the choices you have associated with that data.

    We use your data to provide and improve the Services. By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Customer Terms of Service.

    Administrators are responsible for users' privacy, and we help administrators

    • There are basically two ways of using Rocket.Chat: Self-hosted (also known as on-premises deployment) on your own or someone else's infrastructure or via our Cloud-hosted services. In both cases, the administrator of that instance - or the organization behind the administrator - is the person responsible for ensuring the privacy of Rocket.Chat users.

    • We aim to help by providing product and service features to make that job easier.

    • We also provide this policy to explain what we do as a "helping hand"/data processor for administrators in case we process users' personal data.

    Data handling on a self-hosted deployment

    • We cannot access Customer user-generated data in a Self-Hosted instance of Rocket.Chat.

    • Rocket.Chat code is open source; there are no back doors whatsoever.

    • Customers may desire to connect a self-hosted instance to other services, e.g., our marketplace or push notification gateway, where this privacy policy applies. You can also connect it to third-party services, such as external authentication services, in which case their privacy policy applies. It is Customer's choice, and Customers are not forced to do so.

    Data handling on cloud hosting services


    Definitions

    Other definitions not found here shall have the same meaning as outlined in our customer terms of service.

    Services means the website (https://rocket.chat), Rocket.Chat Open Server (https://open.rocket.chat), Rocket.Chat Software and Marketplace, incl. associated Rocket.Chat Apps, the https://cloud.rocket.chat service offering, push notification gateways, and the Rocket.Chat mobile applications operated by Rocket.Chat Technologies Corp.

    Personal data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).

    Usage data means data collected automatically, either generated by using the Service or from the Service infrastructure itself (for example, the duration of a page visit).

    Cookies are small pieces of data stored on your device (computer or mobile device); they are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device.

    Data controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.

    Data processors (or Service Providers) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various service providers to process your data more effectively.

    Data subject (or User) means any living individual who is using our Service and is the subject of Personal Data.

    The tracking technologies we also use are beacons, tags, and scripts, which collect and track information and help improve and analyze our Service.

    The type of data we collect

    In connection with our operations and during the lifecycle of business relationships with our customers, we collect various types of personal data, meaning any information that identifies or allows us to identify you.

    Personal data

    While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (personal data). Personally identifiable information may include, but is not limited to:

    • Email addresses

    • First name and last name

    • Cookies and usage data

    • Phone number and other contact details

    Account data

    Some services may allow or require that you register for a personalized account. Account data may include your account name, authentication information, registration date, contact information, payment information, and any other information associated with your account.

    Usage data

    We may also collect information that your browser sends whenever you visit our service or when you access the service, including by or through a mobile device (usage data).

    This usage data may include information such as your computer's internet protocol address (IP address), browser type, browser version, the pages of our service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

    When you access the services by or through a mobile device, this usage data may include information such as the type of mobile device you use, the IP address of your mobile device, your mobile operating system, the app version, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.

    Location data

    We may use and store information about your location if you give us permission to do so (location data). We use this data to provide features of our service (only to allow you to share your location with another user via Rocket.Chat if it was enabled by the administrator).

    You can enable or disable location services when you use our service at any time through your device settings.

    App data

    Apps provided by Rocket.Chat

    When you use the Marketplace, you may choose to install Apps provided by Rocket.Chat. These Apps process data from your instance of Rocket.Chat and, therefore, non-personal data such as the software version, number of users, and similar. Depending on the purpose and your actual usage of the App (e.g., enabling certain features), personal data may be processed. For example, you may enable an integration that processes your users' information. The description of the App will make the types of personal data sufficiently clear, as well as any potential deviations from this policy.

    Third-party apps

    For Third-party apps on the marketplace, the vendor will provide you with a specific privacy policy that governs their Third-party app.

    Tracking & cookies data

    We use cookies and similar tracking technologies to track the activity on our Service and hold certain information.

    • We DO NOT track activity in your self-hosted instances.

    • We regularly monitor aggregated activity data on our infrastructure, but it is not tracking individual users in the sense of this paragraph, which only occurs when we have a legitimate interest in doing so (e.g., for security and compliance purposes).

    • We do perform regular tracking on our open server.

    You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.

    Examples of cookies we use:

    • Session cookies: We use session cookies to operate our service.

    • Preference cookies: We use preference cookies to remember your preferences and various settings.

    • Security cookies: We use security cookies for security purposes.

    Workspace tracking and statistics data

    Rocket.Chat workspaces are set up to send anonymous and non-personal usage tracking data to Rocket.Chat automatically. This is done to help us understand how customers use our services, ensure compliance with the terms of use limits, and for billing purposes if the customer's contract is based on consumption of our services.

    The information shared is the same data displayed on the administration panel's Workspace page.

    For example, the tracking statistics sharing will transmit the total number of channels, but not the actual channel names, to preserve your workspace's privacy. Disabling this tracking statistics collection may be possible depending on the services and plans purchased.

    Please refer to the "How do we secure your data?" section for further details. Additionally, our Subprocessors section provides information about our Cloud Infrastructure and Subprocessors.

    How do we use the information?

    We collect and use your personal data to the extent necessary to carry out our operations, provide our services, and comply with any regulatory obligations in our activities.

    These purposes are defined in more detail below:

    • To provide and maintain our services

    • To notify you about changes to our services

    • To allow you to participate in interactive features of our service when you choose to do so

    • To provide customer support

    • To gather analysis or valuable information so that we can improve our service

    • To monitor the usage of our service

    • To detect, prevent, and address technical issues

    • To provide you with news, special offers, and general information about other goods, services, and events that we offer that are similar to those that you have already purchased or enquired about if you have provided consent to receive this information or the processing is in our legitimate interests and it's not overridden by your fundamental rights.

      • You may withdraw that consent at any time or object to receiving any or all of these communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us through our data request form.

    Legal Basis for Processing Personal Data

    In accordance with the applicable regulations, we may only use your personal data for at least one of the following reasons:

    To comply with legal and regulatory obligations

    We collect and use your personal data to comply with various legal and regulatory obligations, such as

    • Anti-money laundering regulations and counter-financing of terrorism regulations, including Know Your Customer (KYC) obligations.

    • Regulations relating to international financial sanctions and embargoes.

    To fulfill our legitimate interests

    We also use your personal data to fulfill our legitimate interests, which include the following:

    • Provision and delivery of our products and services.

    • Marketing and customer communication and development of our customer relationships.

    • Development of our products and services.

    • Security and safety of our IT and facilities.

    Based on your consent

    If certain personal data processing requires your consent (e.g., cookies), we will inform you of this, including details of the specific processing activity, and request your consent to such processing. You may request to revoke your consent at any time.

    Retention of Data

    Rocket.Chat will retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your personal data to the extent necessary to comply with our legal obligations, for example, if we are required to retain your data to comply with applicable laws, resolve disputes, and enforce our legal agreements and policies.

    Rocket.Chat will also retain usage data for internal analysis purposes. Usage data is generally retained for a shorter period of time, except when it is used to strengthen the security or to improve the functionality of our Service or when we are legally obligated to retain it for longer time periods.

    When your personal data no longer needs to be retained for any of the purposes stipulated in this privacy policy, we may delete or anonymize your personal data. Anonymized data - i.e. data that can no longer be associated with you as an individual - may be further used for research and statistical purposes, in which case we may use this information indefinitely without further notice to you.

    Transfer of Data

    Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

    If you are located outside the United States and choose to provide information to us, please note that we transfer the data, including Personal Data, to the United States or other jurisdictions deemed by the competent authorities of your residence not to have an adequate level of data protection. Rocket.Chat Technologies Corp. will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place, including the security of your data and other personal information.

    Disclosure and storage of personal data

    Disclosure of Data

    Business Transaction: If Rocket.Chat Technologies Corp. is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

    Disclosure for Law Enforcement

    In rare circumstances, we may be required to disclose user-uploaded content and other personal data in response to a valid request from law enforcement authorities. We will only comply with such requests if they are made in accordance with applicable laws, regulations, and our internal guidelines for disclosure.

    For more information regarding Law Enforcement Disclosure, please refer to our guidelines for law enforcement.

    Legal Requirements for Disclosure

    Rocket.Chat Technologies Corp. may disclose your personal data in the good faith belief that such action is necessary:

    • To comply with a legal obligation

    • To protect and defend the rights or property of Rocket.Chat Technologies Corp.

    • To prevent or investigate possible wrongdoing in connection with the Service

    • To protect the personal safety of users of the Service or the public

    • To protect against legal liability

    Sharing data with third-party service providers (subprocessors)

    We may employ third-party companies and individuals to facilitate our service (service providers), provide the service on our behalf, perform service-related services, or assist us in analyzing how our service is used.

    These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

    The ways in which we share your personal data include the following:

    • For information processing, payment processing, credit checks, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer service, assessing your interest in our products and services, and conducting customer research or satisfaction surveys.

    • Where appropriate, we may provide your personal data to Rocket.Chat partners in order to fulfill your request for service delivery.

    We execute contracts with our third parties to ensure they fulfill their data protection obligations.

    A list of our third-party processors may be found here.

    Analytics

    We may use third-party Service Providers to monitor and analyze the use of our Service.

    • Google Analytics

      • Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.

      • For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en

    Links to Other Sites

    Our service may contain links to other sites that we do not operate. If you click on a third-party link, you will be directed to that third-party's site. When using such third-party websites, we recommend that you read the terms and privacy policies of the relevant sites.

    We have no control over and assume no responsibility for any third-party sites or services' content, privacy policies, or practices. This privacy policy is valid only for Rocket.Chat branded domains, owned and managed by Rocket.Chat Technologies Corp., as the owner and operator of the Pexip service.

    Your Rights

    In accordance with applicable regulations and where applicable, you have the following rights:

    • To access: you can obtain information relating to the processing of your personal data and a copy of such personal data.

    • To rectify: If you consider your personal data inaccurate or incomplete, you can request that they be modified accordingly.

    • To erase: you can require the deletion of your personal data to the extent permitted by law.

    • To restrict: you can request the restriction of processing your personal data.

    • To object: you can object to processing of your personal data on grounds relating to your particular situation. You have the right to object to processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.

    • To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.

    • To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.

    If the processing is based on your consent, you may also withdraw your consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal). If you have previously consented to receive promotional email communications from us, you can use the unsubscribe function at the bottom of our emails to unsubscribe from our emails at any time (“withdraw your consent”).

    If you have an active Rocket.Chat account, you cannot opt out of basic emails since we need to communicate basic information, where relevant, to users in order to continue account delivery.

    How do you exercise your rights?

    To exercise any of the rights listed above, please use our Data Request Form, a simplified form that ensures efficient request management and security. Alternatively, you can email [email protected].

    The request will be processed and completed in compliance with our privacy policy, terms of service, business relationship, and any data privacy laws applicable to your country.

    We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA or other applicable jurisdictions, you have the right to lodge a complaint with the competent supervisory authority.

    How do we secure your data?

    Ensuring the security of the data you entrust to us is one of our most important responsibilities. We apply appropriate technical and organizational measures to keep your personal data secure. We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

    Your data can only be accessed by persons for whom it is necessary in relation to their work.

    We may outsource the processing of personal data to external service providers. In such events, we enter into appropriate agreements with the providers to ensure that your personal data is processed according to this Privacy Policy and any applicable laws. We have also received internationally recognized security certifications.

    Although we do our best, given the nature of communications and information processing technology, we cannot guarantee that Information transmitted through the Internet or stored on our systems or otherwise in our care will be absolutely safe from intrusion by others.

    For more information regarding our security practices, please refer to our comprehensive Security Policy and Security and Compliance Guides.

    Children's privacy at Rocket.Chat

    Our Services are only available to Users above the legal age of 13 years or any higher age required by the applicable regulations in your jurisdiction.

    Users under the legal age should discontinue using our services. If you are from a country subject to GDPR, you must be 16 years old or above unless your country has enacted a regulation specifying a lower minimum age.

    Individuals from LGPD-regulated countries must be 18 years of age or older unless parental consent has been obtained.

    We do not knowingly collect personally identifiable information from anyone under the legal age. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.

    Please note that the customer is responsible for managing user-generated data and workspace control, including compliance with data handling for minors in their jurisdiction.

    Changes to This Privacy Policy

    As our business grows and our services and products evolve, this privacy notice may change, or other privacy notices may be written and posted specifically to address new offerings or to keep pace with data privacy laws.

    When changes are substantial, we will first ensure that you are aware of any forthcoming changes by attempting to contact you directly via email, via our user interfaces, or indirectly through your authorized partner, which is reselling the Rocket.Chat services or products. Changes to this Privacy Policy will become effective once they are posted on this page, and we will also update the "effective date" at the top of this Privacy Policy.

    The distinction of data collection between self-hosted workspaces and cloud hosting workspaces

    The following paragraph is intended to provide clarity on data processing in Rocket.Chat workspaces. Please note that there are differences in the data processing that occurs between self-hosted workspaces and workspaces hosted by us. Our Cloud Hosting service processes all data input into the workspace on our infrastructure.

    The table below explains the general distinction between the data processed in each case. It's important to remember that individual circumstances, such as apps installed on unregistered workspaces via workarounds, may vary.

    | Data Type | Self-Hosted | Cloud Hosted at Rocket.Chat |
    |---|---|---|
    | Account Data | Yes. To register your workspace via an account. | Yes. To register your workspace via an account. |
    | Usage Data | Yes. As per the service you are consuming via your registration, e.g., push notifications via our gateway. | Yes. As part of using the hosted workspace on our infrastructure. |
    | App Data | Yes. If you install apps from the marketplace, and based on the app's use case, third-party apps have their own privacy policies. | Yes, if you install apps from the marketplace based on their use case. Third-party apps have their own privacy policies. |
    | User Generated Content | No. Content is not processed unless it falls under the aforementioned (e.g. the content of a push notification sent via our gateway). | Yes. As part of using the hosted workspace on our infrastructure. End-to-end encrypted content is only stored in encrypted form. |
    | Tracking and Cookies | Yes. We track your usage of services (usage data) on our end. We do not track inside the workspace. | Tracking occurs to monitor the consumption of the services used. |

    There are two classifications for Rocket.Chat self-hosted workspaces: registered and non-registered. Registered workspaces have access to a wide range of features and services and are eligible for our "starter" or paid plans (dependent on user counts and functionality requirements). Note that non-registered workspaces operate independently, without formal registration and with no data collection by Rocket.Chat. Non-registered workspaces are only available via the Free and Open Source Software (FOSS) self-build deployment path.

    Contact us

    If you have any questions about this Privacy Policy, please contact us:

    Data Protection Officer

    To communicate with our Data Protection Officer, please email [email protected].


    APPENDIX 1

    Privacy regulations framework

    Our Privacy Regulations Framework Appendix is an integral part of our Privacy Policy, which outlines the specific legal requirements that govern your privacy.

    As part of our commitment to privacy and transparency, we provide this appendix to explain how we handle your data according to relevant regulations. We encourage you to read these clauses carefully to understand how your data is managed in compliance with the law.

    If you have any questions or concerns, please do not hesitate to reach out to us.

    Specific provisions to California Consumer Privacy Act (CCPA)

    This section provides additional details about the personal information we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act or “CCPA.”

    We do not provide services or other items of value in consideration for your or your end users’ personal information protected by the CCPA.

    You are responsible for ensuring your compliance with the CCPA requirements when using our services and processing personal information.

    Here are a few things that Rocket.Chat will NOT do with personal information in the scope of acting as a service provider, as defined by CCPA:

    • sell, rent, or otherwise disclose your personal information to third parties in exchange for money or something else of value;

    • use your information outside the scope of the agreement(s) for services that we have with you.

    Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use and disclose this personal information), to delete their personal information, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights.

    California consumers can exercise their CCPA rights by completing a data subject request form, which can be found here. We will verify your request using the email associated with your account.

    Specific provisions to the California Online Privacy Protection Act (CalOPPA)

    We do not support Do Not Track (DNT) signals. Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.

    You can enable or disable Do Not Track by visiting your web browser's preferences or settings page.

    Specific provisions to Lei Geral de Proteção de Dados (LGPD)

    Rocket.Chat only processes, stores, and collects data according to this Privacy Policy, which covers the main LGPD requirements. For a dedicated section on the appointment letter for Data Protection Officer (DPO) and frequently asked questions about LGPD compliance at Rocket.Chat, please click here.

    Specific provisions to the General Data Protection Regulation (GDPR) and Other Applicable Regulations

    Where required, we provide the option to sign Standard Contractual Clauses approved by the European Commission to ensure sufficient data protection or other relevant mechanisms based on the Customer's requirements or applicable agreements in the customer's jurisdiction.


    Previous versions of this privacy policy

    Rocket.Chat is committed to transparency as part of its values. As such, we provide previous versions of our Agreements and Policies in our agreements and policies history.

