Privacy Policy
Last updated: December 2024
Data Controller
For the purposes of GDPR and other applicable data protection laws, the data controller is:
Data Protection Contact: For any privacy-related inquiries or to exercise your data protection rights, please contact us at privacy@rowan.app. We aim to respond to all requests within 30 days.
Note: As a small-scale data processor that does not engage in large-scale systematic monitoring or process special category data at scale, we are not required to appoint a formal Data Protection Officer (DPO) under GDPR Article 37. However, our privacy contact handles all data protection matters with the same diligence.
Our Commitment to Your Privacy
At Rowan, we understand that your personal information and family data are deeply private. We're committed to protecting your privacy and being transparent about how we collect, use, and safeguard your information.
We follow a data minimization approach: We only collect data that is necessary to provide our service. We don't collect data for advertising, profiling, or sale to third parties.
Legal Basis for Processing (GDPR)
Under GDPR and similar data protection laws, we must have a valid legal basis to process your personal data. We rely on the following legal bases:
Contract Performance (Article 6(1)(b) GDPR)
Processing necessary to provide you with our service:
- Account creation and authentication (email, password)
- Storing your tasks, calendar events, reminders, and other content
- Enabling collaboration within your family/couple space
- Processing subscription payments
- Providing customer support
Legitimate Interests (Article 6(1)(f) GDPR)
Processing necessary for our legitimate business interests, balanced against your rights:
- Analytics to improve service quality and user experience
- Security monitoring and fraud prevention
- Debugging and error tracking
- Service performance optimization
You have the right to object to processing based on legitimate interests. Contact us at privacy@rowan.app.
Consent (Article 6(1)(a) GDPR)
Processing based on your explicit consent:
- Marketing emails and promotional communications (opt-in only)
- Non-essential cookies and analytics (via cookie consent)
- Optional AI-powered features that process your content
You can withdraw consent at any time through your account settings or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
Legal Obligation (Article 6(1)(c) GDPR)
Processing required to comply with legal obligations, such as tax records for paid subscriptions, responding to valid legal requests, and maintaining security logs as required by law.
Information We Collect
Account Information
- Name and email address
- Profile picture (optional)
- Password (encrypted and never stored in plain text)
- Space/family name and member information
Content You Create
- Tasks, projects, and to-do items
- Calendar events and appointments
- Messages sent within your space
- Shopping lists and meal plans
- Household tasks and goals
- Notes and reminders
Usage Data
- Device type and operating system
- Browser type and version
- IP address and general location (city/country level only)
- Pages visited and features used
- Time and date of access
AI and Automated Processing
Rowan uses artificial intelligence to enhance certain features. We believe in transparency about how AI processes your data:
Recipe Import (Google Gemini AI)
When you import a recipe from a URL, the webpage content is sent to Google's Gemini AI service to extract recipe information (ingredients, instructions, cooking times). This processing is:
- Only triggered when you explicitly request a recipe import
- Limited to the specific URL content you provide
- Not stored by Google for training purposes (per our API agreement)
Receipt Scanning (Google Gemini AI)
When you scan a receipt, the image is sent to Google's Gemini AI service to extract expense information (merchant, amount, date, items). This processing is:
- Only triggered when you explicitly upload a receipt
- Limited to the specific image you provide
- Processed in real-time and not retained by Google
Your Choice: AI features are optional. You can always manually enter recipes and expenses without using AI processing.
How We Use Your Information
- Provide the Service: To deliver Rowan's features and functionality to you and your family
- Improve Experience: To understand how you use Rowan and make improvements
- Communication: To send important updates, security alerts, and feature announcements
- Support: To respond to your questions and provide customer support
- Security: To detect and prevent fraud, abuse, and security incidents
- Legal Compliance: To comply with applicable laws and regulations
Third-Party Service Providers (Data Processors)
We use trusted third-party service providers to help deliver our service. These providers process data on our behalf under strict contractual obligations (Data Processing Agreements) that require them to:
- Only process data according to our instructions
- Implement appropriate security measures
- Not use data for their own purposes
- Delete data when the relationship ends
| Provider | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase | Database & Authentication | United States | All user data, content, auth tokens |
| Vercel | Web Hosting & CDN | Global (US primary) | Request logs, IP addresses |
| Stripe | Payment Processing | United States | Payment info, billing address |
| Resend | Transactional Emails | United States | Email address, name |
| Google (Gemini AI) | AI Features (Recipe/Receipt) | United States | Content sent for AI processing only |
| Upstash | Rate Limiting & Caching | United States | IP addresses, request counts |
International Data Transfers
Rowan is operated from the United States. If you are accessing our service from the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, please note that your data will be transferred to and processed in the United States.
For transfers of personal data from the EEA/UK to the US, we rely on:
- EU-US Data Privacy Framework: Our key service providers (Stripe, Google, Vercel) are certified under the EU-US Data Privacy Framework
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework doesn't apply, we ensure our processors have SCCs in place
- Supplementary Measures: We implement additional technical and organizational measures including encryption in transit and at rest
You can request a copy of the relevant transfer mechanisms by contacting us at privacy@rowan.app.
Data Sharing
We DO NOT Sell Your Data
Your personal information and family data will never be sold to third parties. Period.
When We Share Information
- Within Your Space: Information you create is shared with other members of your family/couple space
- Service Providers: As described in the Third-Party Service Providers section above
- Legal Requirements: We may disclose information if required by law, court order, or government request
- Safety: To protect the rights, property, or safety of Rowan, our users, or others
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data would be transferred under the same privacy commitments
Data Security
We implement industry-standard security measures to protect your information:
- Encryption in transit (TLS/HTTPS) for all data transmission
- Encryption at rest for database storage
- Regular security audits and vulnerability assessments
- Access controls and authentication mechanisms
- Row-level security (RLS) policies for data isolation
- Regular automated backups with encryption
- Rate limiting to prevent abuse
For more details about our security practices, visit our Security page.
Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account & Profile Data | Until account deletion + 30 days | Service provision, recovery period |
| User Content (tasks, events, etc.) | Until account deletion + 30 days | Service provision, recovery period |
| Payment Records | 7 years after transaction | Tax and legal compliance |
| Security/Audit Logs | 90 days | Security monitoring, incident response |
| Analytics Data | 30 days (aggregated indefinitely) | Service improvement |
| Support Communications | 2 years after resolution | Quality assurance, dispute resolution |
| Marketing Consent Records | Until withdrawal + 3 years | Compliance proof |
When you delete your account:
- Immediate: Access to your data is removed
- Within 30 days: Personal data is permanently deleted from active systems
- Within 90 days: Data is removed from backups
- Exception: Data required for legal compliance is retained as specified above
Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
Right of Access
Request a copy of the personal data we hold about you
Right to Rectification
Request correction of inaccurate or incomplete data
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data
Right to Data Portability
Receive your data in a structured, machine-readable format (JSON, CSV)
Right to Object
Object to processing based on legitimate interests or for direct marketing
Right to Restrict Processing
Request that we limit how we use your data
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time through your account settings or by contacting us. This does not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. For EU residents, you can find your local authority at edpb.europa.eu.
How to Exercise Your Rights:
- Email us at privacy@rowan.app
- Use the data export feature in Settings > Privacy
- Use the account deletion feature in Settings > Privacy
We will respond to your request within 30 days. We may ask for verification of your identity before processing requests.
Cookies and Tracking
We use cookies and similar technologies. You can manage your preferences through our cookie consent banner.
Essential Cookies (Required)
These cookies are necessary for the website to function and cannot be disabled:
- Authentication session cookies
- Security tokens (CSRF protection)
- Cookie consent preferences
Analytics Cookies (Optional)
With your consent, we use analytics to understand how you use Rowan:
- Page views and feature usage
- Performance monitoring
- Error tracking
You can control cookies through our consent banner or your browser settings.
Children's Privacy
Rowan is designed for adults (18+) managing household and family activities. We do not knowingly collect information from children under 13 (or 16 in the EEA). If you are a parent and believe your child has provided us with information, please contact us immediately at privacy@rowan.app.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: What personal information we collect and how we use it
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information, so this right does not apply
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise your CCPA rights, contact us at privacy@rowan.app.
Changes to This Policy
We may update this Privacy Policy from time to time. We'll notify you of significant changes via:
- Email notification to your registered address
- Prominent notice within the application
- Updated "Last modified" date at the top of this page
Your continued use of Rowan after changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
- Privacy Inquiries: privacy@rowan.app
- General Support: support@rowan.app
- Security Issues: security@rowan.app
We aim to respond to all privacy-related inquiries within 30 days.