Privacy Policy

Last updated: 15 May 2026

Rovly is operated by Jack Van Hooft, an Australian sole trader. This Policy explains what personal information we collect, why, who we share it with, how long we keep it and what choices you have. It applies to coaches who subscribe to Rovly, and to the clients whose data we process on each coach's behalf.

Contents

  1. Scope & who we are
  2. Our role: controller vs processor
  3. What information we collect
  4. How we use information
  5. Legal bases (GDPR / UK GDPR)
  6. Sub-processors
  7. When we share information
  8. International transfers
  9. How long we keep data
  10. Security
  11. Cookies & tracking
  12. AI & automated processing
  13. Your rights
  14. Client rights & coach obligations
  15. Breach notification
  16. Children
  17. Changes to this Policy
  18. Contact & complaints

Also: Google API Services User Data Policy.

1. Scope & who we are

Rovly ("we", "us", "our") is operated by Jack Van Hooft, an Australian sole trader. We can be contacted at hello@rovly.io.

This Policy covers information collected through the Rovly website at rovly.io, the Rovly application and dashboard, and emails or messages we send as part of the service. It also covers data we retrieve from the third-party coaching platforms you connect to Rovly.

2. Our role: controller vs processor

Rovly handles personal information in two distinct roles, and it matters which one applies:

  • As controller: for information about you, the coach (your name, email, billing details, login credentials, support correspondence, and how you use Rovly). We decide what that data is used for, and this Policy describes that use.
  • As processor: for information about your clients, meaning the data Rovly retrieves from your coaching platform (Kahunas, EverFit, Trainerize, HubFit and similar) and uses to generate reports. You, the coach, are the controller of that data; we process it on your instructions to deliver Rovly to you.

Where laws like GDPR (EU / UK), the Privacy Act 1988 (Australia), or the California Consumer Privacy Act (CCPA) apply, our obligations differ depending on the role. In practical terms, this means: your clients' privacy questions should be directed to you, their coach, first. You're their primary point of contact and you control their record.

3. What information we collect

3.1 Information you give us (coach)

  • Account details: name, email, phone number, business name, country.
  • Platform credentials: the login email and password (and any tenant URL, API token or similar) for the coaching platform you've asked Rovly to connect to.
  • Billing details: processed and stored by Stripe; we receive the last four digits of your card, card brand, expiry, billing country, and a customer ID.
  • Onboarding answers: the responses you give in our onboarding flow, including business tone preferences and the name you want clients to see on their reports.
  • Support correspondence: if you email us or message via the in-app chat.

3.2 Information we collect automatically (coach)

  • Usage data: pages visited on rovly.io, actions taken in the dashboard, timestamps and IP address.
  • Device data: browser type, operating system, referring URL.
  • Cookies: see section 11.

3.3 Information we retrieve from your coaching platform (client data, processed on your behalf)

When you connect a coaching platform, Rovly retrieves the data needed to generate progress reports. Depending on the platform, this can include each client's:

  • Name and email;
  • Weight history and body measurements;
  • Check-in submissions, including subjective scores (sleep, stress, fatigue, hunger, recovery, energy, etc.) and free-text comments;
  • Progress photos uploaded by the client;
  • Habit and goal tracking data;
  • Workout completion data;
  • Activity timestamps (last active, last check-in date).

We deliberately do not retrieve, request or store: client phone numbers, payment details, addresses, or any data unrelated to producing progress reports. We only ingest what we need.

4. How we use information

4.1 Coach data (controller)

  • To provide, run and improve Rovly;
  • To process subscription payments via Stripe;
  • To verify your identity and protect your account;
  • To send service emails (receipts, security notices, important changes);
  • To send marketing emails about new features (you can unsubscribe at any time, see section 13);
  • To respond to support requests;
  • To detect and prevent fraud or abuse;
  • To comply with legal and accounting obligations.

4.2 Client data (processor, on your behalf)

  • To retrieve client data from the coaching platform you've connected;
  • To generate and store progress reports;
  • To deliver those reports through your Rovly dashboard and by email to your clients;
  • To support you with any data anomalies or sync issues, on request;
  • To produce aggregated, fully de-identified analytics about service performance (e.g. average number of reports generated per coach) that cannot be linked back to a specific client.

We don't sell client data, and we don't use client data to train our own models. AI-assisted features (see section 12) operate per-report, on a single client's record, for the specific purpose of generating that report.

5. Legal bases (GDPR / UK GDPR)

Where GDPR applies, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)): to provide Rovly to you under our Terms of Service.
  • Legitimate interests (Art. 6(1)(f)): to operate and secure the service, prevent fraud, and send transactional service messages.
  • Consent (Art. 6(1)(a)): for non-essential cookies and for marketing emails to non-customers.
  • Legal obligation (Art. 6(1)(c)): tax records, accounting records, and complying with lawful regulatory requests.

For client data we process on your behalf, you (the coach) are the controller and must have an appropriate legal basis under Art. 6 (and Art. 9 for any special-category data like health) before sharing it with us.

6. Sub-processors

Rovly uses the following sub-processors to operate. They each process personal information on our behalf, under contract, only to the extent needed to deliver their function.

| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Website & application hosting | USA / global edge |
| Supabase | Database, authentication, file storage | EU / USA (region per project) |
| Cloudinary | Progress-photo storage & image delivery (CDN) | USA / global edge |
| Anthropic | AI text generation for report tone & coach-note summaries | USA |
| GoHighLevel | CRM, transactional email & SMS delivery to coaches | USA |
| Stripe | Subscription billing & payment processing | USA / AU / global |

We'll update this list when sub-processors change, and we'll give existing customers notice (via email or a clear in-app notice) before introducing a new one that materially affects the way personal information is processed.

Google API Services User Data Policy

Rovly's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

7. When we share information

We share personal information only:

  • With the sub-processors listed in section 6, for the purposes listed there;
  • With the coaching platform you've authorised us to connect to (we send your credentials to log in on your behalf);
  • With your clients, when we deliver reports you've configured them to receive;
  • If we're required to by law, by a court, or by a lawful regulator request;
  • To protect Rovly, our users, or the public from imminent harm or fraud;
  • If Rovly is sold or transferred, we'd tell you and any successor would have to honour this Policy or give you a meaningful chance to delete your account first.

We don't sell personal information. We don't share it with advertisers or data brokers.

8. International transfers

Rovly is operated from Australia, and our sub-processors are based in Australia, the EU and the United States. If you're located in the EU, UK or another jurisdiction with cross-border transfer rules, your data may be transferred to and processed in countries that do not have the same data-protection regime as your home jurisdiction.

Where required by law, we put appropriate safeguards in place, for example the European Commission's Standard Contractual Clauses with our sub-processors that operate from outside the EU/UK. You can request a copy of those safeguards at hello@rovly.io.

9. How long we keep data

| Data type | Retention |
|---|---|
| Coach account, billing & subscription records | For the life of the account, plus 7 years after closure for tax / accounting compliance. |
| Coaching platform credentials | For the life of the account. Deleted within 30 days of cancellation. |
| Client data (names, weights, photos, check-ins) | For the life of the coach's account. Deleted or de-identified within 30 days of the coach's cancellation, except where the coach has explicitly requested earlier deletion. |
| Generated reports | Same retention as the client data they were generated from. |
| Support correspondence | 3 years from the date of the last exchange. |
| Website usage logs & cookies | Up to 13 months. |
| Marketing email lists | Until you unsubscribe, then a suppression record only. |

We may keep information for longer if we're legally required to, or if we genuinely need it to defend a legal claim. When we no longer need information, we delete it or de-identify it so it can no longer be linked to a person.

10. Security

We take security seriously. Measures we use include:

  • HTTPS / TLS encryption for all traffic to and from Rovly;
  • Encryption-at-rest on managed databases and file storage;
  • Access controls and least-privilege roles for the operator (Jack Van Hooft) and any contractor who needs access;
  • Industry-standard secrets handling for coaching-platform credentials (not stored in plain text in version control);
  • Logging and monitoring for unusual activity;
  • Periodic review of sub-processors' security postures.

No service can guarantee perfect security. If something does go wrong, see section 15.

11. Cookies & tracking

Rovly uses a small number of cookies and similar technologies. They fall into these categories:

  • Strictly necessary cookies: needed to keep you logged in, secure your session, and remember your preferences. These can't be turned off without breaking the service.
  • Functional cookies: remember UI choices like which view you last used.
  • Analytics cookies: privacy-friendly analytics to count visits and understand which pages are most useful.
  • Advertising & measurement pixels: Rovly's public marketing pages load the Meta (Facebook) Pixel. It records page views and a small number of actions (such as opening the demo request form, submitting it, or clicking a pricing-tier button) so we can measure the performance of our ads on Meta platforms and understand which pages and CTAs visitors interact with. The pixel is provided by Meta Platforms, Inc.; see section 6 for sub-processor details.

Where required by law (for example, in the EU / UK), we ask for consent before setting non-essential cookies and loading advertising pixels. You can change your choices at any time by clearing cookies in your browser, and you can manage Meta's ad-related data through your Facebook / Instagram account settings.

12. AI & automated processing

Rovly uses Anthropic's Claude models to generate the short coach-note text and tone-matched language inside reports. When we do this:

  • Each request contains only the data needed to generate that single report, for example a single client's recent weight, check-ins and tone preferences. We do not send your entire database.
  • We use Anthropic's API tier, which means inputs and outputs are not used to train Anthropic's models.
  • The reports Rovly produces are not medical, nutritional or psychological advice. A human coach (you) remains in the loop and is responsible for what is sent to clients.
  • You can disable AI-assisted features for your account by emailing hello@rovly.io.

We don't make solely-automated decisions that produce legal or similarly significant effects about your clients.

13. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you;
  • Correct inaccurate or incomplete information;
  • Delete information, subject to legal retention rules;
  • Object to or restrict certain processing;
  • Port your data to another service;
  • Withdraw consent at any time, where we rely on consent;
  • Unsubscribe from marketing emails (use the link in any marketing email, or email us).

You can exercise these rights by emailing hello@rovly.io. We may need to verify your identity before we can act. We respond to verifiable requests within 30 days. If your request involves data we process on a coach's behalf, we may need to route it through that coach.

14. Client rights & coach obligations

If you're a coach using Rovly, you're responsible for:

  • Telling your clients, in advance and in plain English, that you use Rovly to generate their reports;
  • Obtaining any consent your local law requires before sharing their data with us, particularly for health data and progress photos;
  • Responding to your clients' privacy requests (access, correction, deletion) in the first instance, and asking us for help when needed;
  • Telling your clients how to opt out of receiving reports.

If a client contacts us directly with a privacy request, we'll route it through their coach where appropriate and keep the client informed.

15. Breach notification

If we become aware of a personal-data breach that is likely to result in a risk to the rights or freedoms of affected people, we will:

  • Notify our supervisory authority where legally required (for example, the OAIC in Australia under the Notifiable Data Breaches scheme, the relevant DPA in the EU, or the ICO in the UK) within the deadlines that law requires;
  • Notify the affected coaches without undue delay so they can in turn notify any affected clients where their law requires;
  • Tell you what happened, what data was affected, what we're doing about it, and what (if anything) you should do.

You can report a suspected security issue at hello@rovly.io. We take responsible disclosure seriously.

16. Children

Rovly is not directed to children under 16, and we don't knowingly collect personal information from anyone under 16 to act as a Rovly account holder. If you're a coach whose clients include minors, you must have appropriate parental or guardian consent before sharing their data with us. That's part of your responsibilities under section 14.

17. Changes to this Policy

We may update this Policy from time to time. If we make a material change, we'll notify you by email or by a clear notice on the website at least 14 days before it takes effect, except where a shorter notice is required by law. The "Last updated" date at the top reflects the most recent revision.

18. Contact & complaints

For any privacy question or request, contact us at hello@rovly.io.

If you're not satisfied with how we've handled your information, you can complain to a privacy regulator:

  • Australia: Office of the Australian Information Commissioner (OAIC), oaic.gov.au.
  • United Kingdom: Information Commissioner's Office (ICO), ico.org.uk.
  • EU / EEA: your local data-protection authority.
  • California: California Privacy Protection Agency, cppa.ca.gov.

We'd appreciate the chance to put things right first, so please email us before going to a regulator if you can.

Rovly — operated by Jack Van Hooft (Australian sole trader)
Website: rovly.io
Email: hello@rovly.io

© 2026 Jack Van Hooft. All rights reserved.