How Rooca collects, uses, and protects your information. Why our VPC-native architecture means your production data never leaves your environment.
This Privacy Policy describes how Rooca Inc. (“Rooca,” “we,” “us,” or “our”) collects, uses, and shares information when you visit our website, request a demo, engage with our content, or use our software products and services (collectively, the “Services”).
Rooca is an enterprise software company headquartered in Canada. Our flagship product, the Rooca Tribunal Engine, is a VPC-native AI incident investigation platform deployed inside our customers' own virtual private cloud infrastructure. This architecture has material implications for how we handle your data. See Section 3.
This Privacy Policy applies to information we collect through:
This policy does not apply to:
When you submit a demo request, contact form, or similar enquiry, we collect the information you give us, which typically includes your name, work email address, company name, job title, industry, company size, and any message you choose to include.
When you apply for an open role at Rooca, we collect the information you provide in the application form, which typically includes your name, contact details, work authorization status, CV or resume, and your written responses to our application questions. This information is used solely to evaluate your application and, where applicable, to communicate with you about the role.
When you visit our website, we and our service providers may automatically collect limited technical information including your IP address, browser type and version, device type, operating system, referring URL, the pages you visit, and the approximate geographic region derived from your IP address. This information is used to operate the website, maintain security, and understand aggregate visitor patterns.
Our website uses a small number of strictly necessary cookies for session management and security. We may also use analytics tools (such as privacy-respecting alternatives to Google Analytics) that set first-party cookies to help us understand how visitors use the site in aggregate. We do not use advertising cookies or cross-site tracking. See Section 12 for details.
When Rooca personnel engage with you for sales, support, or partnership discussions, we may record basic CRM-style information about those interactions (for example: meeting dates, discussion topics at a high level, and professional contact details).
The Rooca Tribunal Engine runs as software inside our customers' own VPC. Our customers' logs, metrics, traces, deployment data, incident details, and deliberation outputs remain within their environment. Rooca does not ingest, transmit, store, or train models on this data.
We use the information we collect for the following purposes:
We do not use your personal information to train artificial intelligence models. We do not sell your personal information.
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and the UK GDPR require us to identify a lawful basis for each processing activity. We rely on the following:
For job applications received from candidates in the EEA, UK, or Switzerland, our legal basis is steps taken at your request prior to entering into a contract under Article 6(1)(b) of the GDPR. Where we retain application materials beyond an active hiring decision (for example, to consider you for future roles), we rely on legitimate interests, balanced against your right to request deletion at any time as described in Section 08.
You can request more detail about the specific legitimate-interests assessment we apply to any processing activity by contacting us at the address in Section 15.
We share information only in the limited circumstances described below.
We use a small set of carefully selected service providers to operate our business, including hosting, email delivery, CRM, and analytics tooling. These providers are contractually bound to process data only on our instructions and to maintain security standards appropriate to their role. Where required, we have executed Data Processing Agreements (DPAs) with them.
We may share information with our lawyers, accountants, auditors, and insurers where necessary for them to advise us or meet their professional obligations.
If Rooca is involved in a merger, acquisition, financing, or sale of assets, information may be transferred to the counterparties and their advisors as part of the transaction, subject to appropriate confidentiality protections.
We may disclose information where required by law, regulation, legal process, or enforceable governmental request. Where we are legally permitted to do so, we will notify the affected individual before disclosure.
We do not sell personal information as defined under the California Consumer Privacy Act or equivalent laws. We do not share personal information for targeted cross-context advertising.
Rooca is headquartered in Canada, which is recognised by the European Commission as providing an adequate level of data protection. Some of our service providers are based in other jurisdictions, including the United States and the European Union.
Where we transfer personal information from the EEA, UK, or Switzerland to a country not benefiting from an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by appropriate technical and organisational safeguards. We have completed transfer impact assessments for each such transfer.
For customers whose data-residency requirements preclude transfer outside a specific jurisdiction, the Rooca Tribunal Engine's VPC-native architecture means no customer production data leaves that jurisdiction by design.
We retain personal information for only as long as reasonably necessary for the purposes described in this policy, or as required by law. Specific retention periods depend on the type of information:
Depending on where you live, you may have the following rights with respect to your personal information:
To exercise any of these rights, contact us at the address in Section 15. We will respond within the timeframes required by applicable law (typically 30 days, extendable in limited circumstances). We will verify your identity before fulfilling the request.
We take the security of personal information seriously and apply technical and organisational safeguards appropriate to the risks and the nature of the information. These include:
No system is perfectly secure. If you believe your personal information has been compromised, please contact us immediately at the address in Section 15.
This section merits its own heading because it is central to Rooca's privacy posture.
The Rooca Tribunal Engine is deployed via Kubernetes Helm chart inside the customer's own virtual private cloud. The software analyses production telemetry, logs, metrics, and incidents within that environment. It does not transmit production data to Rooca-operated systems. It does not call external APIs with customer data. It does not train models on customer telemetry.
Practical consequences:
Where a customer engages Rooca for implementation, support, or managed-service work that does involve access to their production environment, that arrangement is governed by a specific contract and a Data Processing Agreement that spells out the scope, purposes, and controls applicable to that engagement.
Our website uses cookies and similar technologies in the categories below. Where required by applicable law, we obtain your consent before setting non-essential cookies.
You can control cookies through your browser settings and through our consent banner where applicable.
The Services are directed exclusively at businesses and their authorised representatives. We do not knowingly collect personal information from anyone under 16 years of age. If you believe a child has provided us with personal information, please contact us and we will delete it.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The date at the top of this page reflects the most recent version. For material changes, we will provide additional notice by posting a prominent notice on our website or by emailing you directly where appropriate.
We encourage you to review this policy periodically.
If you have questions about this Privacy Policy, wish to exercise any of your rights, or want to raise a concern, please contact us using the details below.
For residents of the European Economic Area, the United Kingdom, or Switzerland, you may also lodge a complaint with your local data protection supervisory authority. A list of EEA authorities is maintained by the European Data Protection Board.