Privacy Policy
Effective date: October 23rd, 2020
Rocket.Chat Technologies Corp. ("us", "we", or "our") operates the https://rocket.chat website, the https://open.rocket.chat community server, the Marketplace, incl. associated Rocket.Chat Apps, Rocket.Chat´s Cloud Offering and the Rocket.Chat mobile applications (the "Service").
This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.
We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.
- Administrators are responsible for user privacy, we help administratorsThere are basically two ways of using Rocket.Chat: self-managed (also known as on-premises deployment) on your own or someone else´s infrastructure or via our hosted offering. In both cases, the administrator of that instance - or the organization behind the administrator - is the person responsible to ensure privacy of Rocket.Chat users. We aim to help by providing features in our products and services to make that job easier. We also provide this policy to explain what we do as a "helping hand"/data processor for administrators in case we process personal data of users.
- You remain in control of your personal dataWe cannot access your personal data in a self-managed instance of Rocket.Chat. Our code is open source, there are no back doors whatsoever. You are however free to connect a self-managed instance to other services, e.g. our marketplace or push notification gateway, where this privacy policy applies. When you do not register your instance, these settings are turned off by default. You can also connect it to third party services, such as external authentication services, in which case their privacy policy applies. It is your choice and you are not forced to do so. In our hosted offering, we only process your data for the purposes of providing you the service in the name of the administrator. Administrators are still in full control over the configuration of their instance.
- We don´t sell your dataWe do not sell your personal data. Our business model is to provide you with a free edition and we charge you for extra services or features, according to the plan you choose. What you process within Rocket.Chat is yours and stays yours.
- Our community server is for testing purposesOur community server https://open.rocket.chat is a testing ground for our users and we use it to test and analyze new features. We track user activity in there with the trackers described below - including google analytics - to learn how our service is used and to improve our product.
- ServiceService means the https://rocket.chat website, the https://open.rocket.chat community server, the Rocket.Chat Marketplace, incl. associated Rocket.Chat Apps, the https://cloud.rocket.chat service offering, push notification gateways and the Rocket.Chat mobile applications operated by Rocket.Chat Technologies Corp.
- Personal DataPersonal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
- Usage DataUsage Data is data collected automatically either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- CookiesCookies are small pieces of data stored on your device (computer or mobile device).
- Data ControllerData Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed.For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.
- Data Processors (or Service Providers)Data Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Data Controller.We may use the services of various Service Providers in order to process your data more effectively.
- Data Subject (or User)Data Subject is any living individual who is using our Service and is the subject of Personal Data.
In connection with our operations and during the lifecycle of business relationship with our customers, we collect various types of personal data, meaning any information that identifies or allows to identify you, including:
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you ("Personal Data"). Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Cookies and Usage Data
We may use your Personal Data to contact you with newsletters, marketing or promotional materials, and other information that may be of interest to you, if you have provided consent to this processing or if we can base this processing on a legitimate interest that is not overridden by your fundamental rights. You may in the future withdraw that consent or object to receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us.
Some Services may allow or require that you register for a personalized account. Account data may include in addition your account name, authentication information, registration date, contact information, payment information, and any other information associated with your account.
We may also collect information that your browser sends whenever you visit our Service or when you access the Service, incl. by or through a mobile device ("Usage Data").
This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When you access the Service by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, the IP address of your mobile device, your mobile operating system, the app version, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.
As a byproduct of the usage data within a Rocket.Chat instance, Administrators may choose to share aggregated and therefore anonymous, non-personal data with us to help us learn more about how our product is being used. This setting is described here. The information shared is the same information as is shown on the "info"-page of the administration panel of an instance. E.g. this statistics sharing would transmit the total # of channels, but it would not transmit the actual channel names, and so on, preserving the privacy of your workspace. This is completely optional to use and can be activated and deactivated at any time.
We may use and store information about your location if you give us permission to do so (“Location Data”). We use this data to provide features of our Service (only to allow you to share your location to another user via Rocket.Chat, if it was enabled by the administrator).
You can enable or disable location services when you use our Service at any time, through your device settings.
When you use the Marketplace, you may choose to install Apps provided by Rocket.Chat. These Apps process data from your instance of Rocket.Chat and therefore nonpersonal data, such as software version, amount of users, and similar. Depending on the purpose and your actual usage of the App (e.g. enabling certain features), Personal Data may however be processed. E.g. you enable an integration, which processes your users' information. The description of the App will make the types of personal data sufficiently clear as well as any potential deviations from this policy.
For Third-Party Apps on the Marketplace, the Vendor will provide you with a specific privacy policy that governs his Third-Party App.
When you use our Services you may provide content into that service (e.g. upload file, send a message).
We use cookies and similar tracking technologies to track the activity on our Service and hold certain information. We DO NOT track activity in your self-managed instances. We regularly monitor aggregated activity data on our infrastructure, but it is not tracking of individual users in the sense of this paragraph, which only occurs when we have a legitimate interest to do so (e.g. for security and compliance purposes). We do perform regular tracking on our community server.
Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyze our Service.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
Examples of Cookies we use:
- Session Cookies. We use Session Cookies to operate our Service.
- Preference Cookies. We use Preference Cookies to remember your preferences and various settings.
- Security Cookies. We use Security Cookies for security purposes.
The following paragraph applies to data processing in Rocket.Chat workspaces and is for clarification purposes only. Self Managed workspaces and workspaces hosted by us differ in the kind of data we are processing from you because, in the case of our hosted offering, all data put into the workspaces is technically processed on our infrastructure.
There is also a difference between registered, self-managed workspaces (which consume services from us) and unregistered, self-managed workspaces.
See the following table for a general distinction between the data that is processed in each case. Keep in mind that this can differ in individual circumstances, such as cases where apps are installed on unregistered workspaces via workarounds.
Data type | Self Managed (not registered) | Self Managed (registered) | Hosted |
|---|---|---|---|
Account Data | no | yes - to register your workspace via an account (optional) | yes - to register your workspace via an account |
Usage Data | no | yes - as per the service you are consuming via your registration, e.g. push notifications via our gateway | yes - as part of using the hosted workspace on our infrastructure |
App Data | no | yes - if you install apps from the marketplace and based on the use case of the app. Third party apps have their own privacy policy. | yes - if you install apps from the marketplace and based on the use case of the app. Third party apps have their own privacy policy. |
User content | no | no - content is not processed, unless it falls under the aforementioned (e.g. the content of a push notification sent via our gateway) | yes - as part of using the hosted workspace on our infrastructure. End-to-end encrypted content is only stored in encrypted form. |
Tracking and Cookies | no | yes - tracking occurs on our end to monitor the consumption of the services you use (Usage Data). We do not track inside the workspace. | yes - tracking occurs to monitor the consumption of the services used. |
We collect and use your personal data to the extent necessary to carry out our operations and provide our services as well as to comply with any regulatory obligations in our activities.
These purposes are defined in more detail below:
- To provide and maintain our Service
- To notify you about changes to our Service
- To allow you to participate in interactive features of our Service when you choose to do so
- To provide customer support
- To gather analysis or valuable information so that we can improve our Service
- To monitor the usage of our Service
- To detect, prevent and address technical issues
- To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about if you have provided consent to receive this information or the processing is in our legitimate interests and it's not overridden by your rights.
In accordance with the applicable regulations, we may only use your personal data for at least one of the following reasons:
To comply with legal and regulatory obligations
We collect and use your personal data to comply various legal and regulatory obligations, such as:
- Anti-money laundering regulations and counter-financing of terrorism regulations, including Know Your Customer (KYC) obligations.
- Regulations relating to international financial sanctions and embargoes.
To fulfil our legitimate interest
We also use your personal data to fulfill our legitimate interests, which include the following:
- Provision and delivery of our products and services.
- Marketing and customer communication and development of our customer relationships.
- Development of our products and services.
- Security and safety of our IT and facilities.
Based on your consent
If processing of certain personal data requires your consent (e.g. cookies), we will inform you of this including details of the specific processing activity and request your consent to such processing. You may request to revoke your consent at any time.
Rocket.Chat Technologies Corp. will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
Rocket.Chat Technologies Corp. will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.
If you are located outside United States and choose to provide information to us, please note that we transfer the data, including Personal Data, to the United States or other jurisdictions deemed not not have an adequate level of data protection deemed by the competent authorities of your residence. Rocket.Chat Technologies Corp. will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.
If Rocket.Chat Technologies Corp. is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.
Under certain circumstances, Rocket.Chat Technologies Corp. may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Rocket.Chat Technologies Corp. may disclose your Personal Data in the good faith belief that such action is necessary to:
- To comply with a legal obligation
- To protect and defend the rights or property of Rocket.Chat Technologies Corp.
- To prevent or investigate possible wrongdoing in connection with the Service
- To protect the personal safety of users of the Service or the public
- To protect against legal liability
Ensuring the security of the data you entrust to us is one of our most important responsibilities. We apply appropriate technical and organizational measures to keep your personal data secure. We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
Your data can only be accessed by persons for whom it is necessary in relation to their work.
We may outsource our processing of personal data to external service providers. In such events we enter into appropriate agreements with the providers in order to ensure that your personal data is processed in accordance with this Privacy Policy and any applicable laws. We also have received internationally recognised security certifications.
Although we do our best, given the nature of communications and information processing technology, we cannot guarantee that Information during transmission through the Internet or while stored on our systems or otherwise in our care will be absolutely safe from intrusion by others.
We do not support Do Not Track ("DNT"). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.
You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.
In accordance with applicable regulations and where applicable, you have the following rights:
- To access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
- To rectify: where you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified accordingly.
- To erase: you can require the deletion of your personal data, to the extent permitted by law.
- To restrict: you can request the restriction of the processing of your personal data.
- To object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
- To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
- To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.
If you wish to exercise the rights listed above, please send your request to our Data Protection Office, the contact information of which is provided at the end of this Privacy Policy.
Please include a scan/copy of your proof of identity for identification purpose when required.
In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.
We may employ third party companies and individuals to facilitate our Service ("Service Providers"), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.
These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
We employ the subprocessors to process personal data. The current list of subprocessors can be found here.
We may use third-party Service Providers to monitor and analyze the use of our Service.
- Google AnalyticsGoogle Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en
- FirebaseFirebase is analytics service provided by Google Inc.You may opt-out of certain Firebase features through your mobile device settings, such as your device advertising settings or by following the instructions provided by Google in their Privacy Policy: https://policies.google.com/privacy?hl=enWe also encourage you to review the Google's policy for safeguarding your data: https://support.google.com/analytics/answer/6004245. For more information on what type of information Firebase collects, please visit please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en
Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Our Service does not address anyone under the age of 18 ("Children").
We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
For our Cloud Offerings, we act as a Data Processor for our Customers, who are the Data Controllers of the instances they have licensed and administer. You as a user generally will be bound by the Data Controller´s policies. For theses instances, please direct your data privacy questions to the Data Controller.
With regards to some of our Cloud Products, Customers have certain options to select the processing location of data and to configure the privacy-relevant settings of the instance. If you are the customer of one of these instances, you can contact us and get more information on where your instance is running.
We generally offer two regions:
- hosting in the United States
- hosting in the European Union
Other regions may be added over time.
Where required, we also offer to sign Standard Contractual Clauses approved by the European Commission to guarantee an adequate level of data protection or other mechanisms relevant for the Customer.
The amount of Personal Data we process with our Cloud Offerings is limited to what the Customer and his users enter into the Service. In the cloud offering, we will not process the personalized cookie or analytics data described above. The purposes of processing the data are strictly limited to providing and improving the Service and in accordance with the Data Controller´s instructions. We never access workspace data (i.e. the actual content the customer is entering in his instance), unless the customer asks us to in form of a support request, we are bound by a valid law enforcement request or to protect our own interests, such as investigating potential abuse of the service.
Once your usage of our cloud offering ceases, we will remove all your data, including backups, after a short grace period - or immediately, if you tell us to.
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.
We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the "effective date" at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
If you have any questions about this Privacy Policy, please contact us: