Rool Social Privacy Policy

Last updated: 19/03/2026

Rool Social Limited ("Rool", "we", "our", or "us") operates the Rool platform and the website located at roolsocial.com (the "Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use our website, software platform, and related services.

By using our Service, you acknowledge that your information will be handled in accordance with this Privacy Policy.

1. Who We Are

Rool Social Limited
298 Cashel St
Christchurch Central
Christchurch 8011
New Zealand

Privacy contact:
privacy@roolsocial.com

2. Scope of this Policy

This Privacy Policy applies to:

  • visitors to our website
  • individuals who contact us or subscribe to marketing communications
  • users of the Rool platform
  • organisations using Rool to manage social media accounts

This policy does not apply to the privacy practices of third-party platforms integrated with Rool (such as Meta, LinkedIn, Google, or X).

3. Our Role in Data Processing

Depending on the context, Rool may act as either a data controller or a data processor.

When Rool acts as a Data Controller

Rool determines how personal data is used when processing:

  • website visitor data
  • marketing subscriptions
  • platform user accounts
  • billing and invoicing data
  • platform analytics and usage metrics
  • aggregated benchmarking analytics

When Rool acts as a Data Processor

Rool processes data on behalf of customers when handling:

  • social media posts and content published through the platform
  • social media messages and comments retrieved from integrated platforms
  • engagement and follower analytics tied to a customer's social media accounts

Customers are responsible for ensuring they have appropriate rights to process data through the Rool platform.

A Data Processing Addendum (DPA) is included as Schedule 1 to Rool’s Customer Agreement and forms part of the agreement between Rool and each business customer. Where Rool processes personal data obtained via LinkedIn’s APIs, such processing is also governed by the LinkedIn Business Development Data Processing Agreement, which sets out both parties’ obligations with respect to that data.

4. Information We Collect

Information You Provide

We may collect personal information you provide directly to us, including:

  • name
  • email address
  • phone number
  • business or company name
  • expected number of branches or locations
  • account login credentials
  • billing and invoicing information

This information may be collected when you:

  • submit a contact form
  • create a Rool account
  • subscribe to marketing communications
  • communicate with our support or sales team

Platform Data

When you use the Rool platform we may process:

  • account profile information
  • platform usage data
  • activity logs and timestamps
  • IP addresses associated with account activity
  • engagement and follower analytics
  • content scheduled or published through connected social media platforms

Social Media Data

When customers connect social media accounts to the platform we may process data from those platforms including:

  • posts and scheduled content
  • comments and interactions
  • direct messages
  • engagement metrics

This information is processed on behalf of customers who manage those accounts.

Where direct messages are retrieved from social platforms such as Meta (Facebook and Instagram), their use is strictly limited to enabling the in-platform inbox management features of the Rool platform. Specifically, direct message data is:

  • used only to display messages to the intended recipient and facilitate replies within the platform;
  • never analysed for advertising, targeting, or audience profiling purposes;
  • never shared with third parties except operational subprocessors strictly required to deliver the service (such as infrastructure providers); and
  • retained only for the period described in Section 9 (Data Retention), after which it is permanently deleted.

OAuth Tokens and Platform Integrations

When you connect third-party services to Rool (such as Meta, LinkedIn, Google, or X), authentication tokens are stored securely in encrypted infrastructure.

These tokens are briefly decrypted only when required to perform actions through the relevant platform APIs.

Tokens are removed when the connected account is disconnected.

5. Benchmarking and Aggregated Analytics

Rool analyses platform usage data to improve the Service and provide benchmarking insights.

Benchmarking data:

  • is aggregated across multiple customers
  • does not identify individual organisations
  • requires a minimum cohort size before insights are generated
  • may be published in anonymised industry benchmarks

Benchmarking is a core feature of the Rool platform.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our website and measure marketing performance.

Cookies used may include:

Essential Cookies

Required for core functionality such as authentication and security.

Analytics Cookies

Used to understand how visitors interact with the website, including through services such as Google Analytics. Microsoft Clarity is also used to provide session recording and heatmap analytics, which capture mouse movements, clicks, and scrolling behaviour. Both services are only activated after analytics cookie consent has been granted.

Marketing Cookies

Used to measure advertising performance and deliver targeted advertisements through platforms such as Meta, LinkedIn, and Google Ads.

The Meta Pixel, LinkedIn Insight Tag, and Google Ads conversion tracking are only activated after a visitor has explicitly accepted marketing cookies via the cookie preference centre. These tools do not load or collect any data prior to consent being granted.

Visitors may manage cookie preferences through the website’s cookie preference centre. Choices persist across sessions.

Disabling analytics or marketing cookies does not affect core website functionality.

Advertising Identifiers. Where permitted by the user’s device settings, we may collect and use device advertising identifiers (such as Apple’s Identifier for Advertisers (IDFA) or Google’s Advertising ID (GAID)) for the purpose of measuring advertising performance. Users may opt out of interest-based advertising through their device privacy settings. Where the Rool platform does not operate as a mobile application directly on a user’s device, these identifiers are not collected by Rool directly; however, third-party tools such as the Meta Pixel may collect such identifiers in accordance with their own privacy policies, and only after a visitor has granted marketing cookie consent.

7. How We Use Information

We use personal information to:

  • provide and operate the Rool platform
  • authenticate users and manage accounts
  • deliver transactional communications and notifications
  • provide customer support
  • process billing and invoices
  • analyse platform usage and improve the Service
  • generate aggregated benchmarking insights
  • measure marketing effectiveness
  • communicate with prospective and existing customers

8. Legal Basis for Processing

Where applicable, we rely on the following lawful bases. For users in New Zealand, processing is also governed by the Privacy Act 2020 (NZ).

Contractual Necessity

Processing required to provide the Rool platform and related services.

Legitimate Interests

Processing necessary for purposes such as:

  • platform security
  • fraud detection
  • service improvement and analytics
  • aggregated benchmarking
  • responding to business inquiries

Consent

Where users subscribe to marketing communications or accept certain cookies.

Users may withdraw consent at any time through unsubscribe links or cookie settings.

Where we rely on legitimate interests, we have conducted a balancing test to confirm that our interests are not overridden by the rights and interests of affected individuals. Details of this assessment are available on request. Individuals have the right to object to processing based on legitimate interests at any time by contacting privacy@roolsocial.com.

Rool does not make solely automated decisions about individuals that produce legal or similarly significant effects.

9. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes described in this policy.

Typical retention periods include:

Website inquiries - 24 months

Marketing subscriber records - Until unsubscribe

Suppression lists - Indefinite (email only, retained to honour unsubscribe preferences and prevent re-subscription)

SaaS account data - Deleted within 90 days after account termination

Billing and accounting records - 7 years

System logs - 90 days

Platform activity logs and usage analytics - 24 months

Private messages retrieved from social platforms - Default 12 months (configurable by customers, maximum 12 months)

OAuth tokens - Removed when accounts are disconnected

Expired data is permanently deleted.

Where data is retrieved via LinkedIn’s Marketing API, shorter retention periods apply in accordance with LinkedIn’s API terms: member social activity data is retained for no more than 48 hours, and LinkedIn member profile data is deleted within 24 hours of retrieval, unless a longer period is expressly permitted by LinkedIn. When a LinkedIn account is disconnected from the Rool platform, all associated LinkedIn member data is deleted promptly in addition to the removal of OAuth tokens.

10. Data Security

We implement technical and organisational measures designed to protect personal information.

These measures include:

  • encryption of data at rest
  • TLS encryption in transit
  • role-based access controls
  • encrypted storage of OAuth tokens
  • scheduled vulnerability scanning after major releases
  • controlled administrative access to systems

Despite these safeguards, no internet-based system can be completely secure.

11. Third-Party Service Providers

We use third-party providers to operate and deliver the Service.

Convex - Backend infrastructure and database - United States

Vercel - Website hosting and CDN - United States / Global

BunnyCDN - File and asset storage - United States / Global

Resend - Transactional email delivery - United States

OpenAI - AI caption generation - United States

Meta APIs - Social media publishing and authentication - United States

Google APIs - Cloud storage integration and authentication - United States

LinkedIn API - Social media publishing - United States

X / Twitter API - Social media publishing - United States

Google Analytics - Website analytics - United States

Microsoft Clarity - Website session analytics - United States

Meta Pixel - Advertising measurement - United States

LinkedIn Insight Tag - Advertising measurement - United States

Google Ads - Advertising measurement - United States

Xero - Billing and invoicing - New Zealand / Australia

Polar - Subscription billing infrastructure (planned — not yet active) - United States

These providers process data only as necessary to deliver their services.

We may use OpenAI’s API to help generate captions or similar content from information you provide. OpenAI does not use API customer data to train its models by default. OpenAI may retain certain API data, including prompts and responses, for up to 30 days for abuse monitoring and security purposes, unless a different retention arrangement applies. We recommend that users do not submit unnecessary sensitive personal information for AI-generated content features.

Meta Platform API Data

Where Rool accesses data through Meta’s APIs (including the Facebook Graph API and Instagram API), that data is used solely to provide and operate the core features of the Rool platform. Specifically, data obtained via Meta’s APIs is:

  • used only to enable the features you have explicitly requested (such as scheduling posts, retrieving messages, and viewing engagement analytics);
  • never sold, licensed, or shared with advertisers, data brokers, or any third party for commercial purposes;
  • never used for surveillance, profiling of individuals without their knowledge, or purposes unrelated to the Rool platform; and
  • processed in accordance with Meta’s Platform Terms and Developer Policies, which govern our access to and use of Meta platform data.

Rool does not request access to Meta platform data beyond what is necessary for the features described in this policy.

Rool does not build or augment individual user profiles using Meta platform data. Any analytics or benchmarking derived from Meta platform data are aggregated across multiple customers and do not identify, profile, or target individual users. Where any future feature would require building individual user profiles using Meta data, Rool will obtain explicit user consent before doing so and will update this policy accordingly.

LinkedIn API Data

Where Rool accesses data through LinkedIn’s APIs, that data is used solely to provide and operate the core features of the Rool platform. Specifically, data obtained via LinkedIn’s APIs is:

  • used only to enable the features you have explicitly requested (such as publishing posts, retrieving analytics, and managing page content);
  • never sold, licensed, transferred, or distributed to any third party, including data brokers or advertising platforms;
  • never used to create derivatives of LinkedIn member data or for purposes unrelated to the Rool platform; and
  • processed in accordance with LinkedIn’s API Terms of Use and the LinkedIn Business Development Data Processing Agreement.

Google API Data

Where Rool accesses data through Google’s APIs (including the Google Drive API and Google OAuth services), that data is used solely to provide and operate the core features of the Rool platform. Rool’s use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data obtained via Google’s APIs is:

  • used only to enable the features you have explicitly authorised (such as cloud storage integration and account authentication);
  • never transferred or sold to third parties, including advertising platforms or data brokers;
  • never used for serving advertisements, retargeting, or interest-based advertising of any kind; and
  • accessed only to the minimum extent necessary to deliver the requested features, in accordance with Google’s Limited Use restrictions.

Rool maintains a link to this privacy policy on the Google OAuth consent screen as required by Google’s API verification requirements. If the scope of Google data accessed changes in future, this policy will be updated and users will be prompted to provide fresh consent before any new access occurs.

X (Twitter) API Data

Where Rool accesses data through X’s (Twitter’s) APIs, that data is used solely to provide and operate the core features of the Rool platform. Specifically, data obtained via X’s APIs is:

  • used only to enable the features you have explicitly requested (such as scheduling and publishing posts to X);
  • never sold, licensed, transferred, or distributed to any third party, including data brokers or advertising platforms;
  • processed in accordance with X’s Developer Agreement and Policy.

12. International Data Transfers

Because many of our service providers operate globally, personal data may be transferred to countries outside the user's jurisdiction.

We take reasonable steps to ensure appropriate safeguards are in place when transferring data internationally. Where personal data is transferred from the European Economic Area (EEA) or the United Kingdom to countries not recognised as providing an adequate level of data protection, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner’s Office. Many of our third-party providers maintain their own adequacy frameworks or certifications; a list of providers and their locations is set out in Section 11.

13. Your Rights

Depending on applicable law, individuals may have rights to:

  • access personal data we hold about them
  • correct inaccurate information
  • request deletion of personal data
  • obtain a copy of their data in a portable format
  • restrict or object to certain processing of their personal data

Users of the Rool platform may request data exports containing their stored information, including account profile data, stored messages, activity logs, analytics records, and billing metadata.

New Zealand residents have rights under the Privacy Act 2020 to access and correct personal information we hold about them. If you are not satisfied with our response to a privacy request or complaint, you have the right to contact the Office of the Privacy Commissioner (OPC) at www.privacy.org.nz.

US State Privacy Rights. If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another US state that grants specific privacy rights, you may have additional rights including: the right to know what personal information has been collected about you and how it is used; the right to delete your personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information for cross-context behavioural advertising; and the right not to be discriminated against for exercising your privacy rights. Rool does not sell personal information. To exercise any of these rights, please contact us at privacy@roolsocial.com. We will respond to verified requests within the timeframes required by applicable law.

Requests can be submitted to: privacy@roolsocial.com

We aim to respond within 72 hours, where reasonably possible.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the relevant supervisory authority without undue delay and, where required by applicable law, within 72 hours of becoming aware of the breach. For New Zealand residents, the relevant supervisory authority is the Office of the Privacy Commissioner (OPC), and we will notify the OPC in accordance with the Privacy Act 2020.

Where a breach is likely to result in a high risk to affected individuals, we will also notify those individuals directly without undue delay, unless an exemption under applicable law applies. Notifications will describe the nature of the breach, the data affected, the likely consequences, and the steps we are taking to address it.

Breach response is overseen by our CTO. Queries relating to a suspected breach may be directed to privacy@roolsocial.com.

Where a suspected or confirmed breach involves data obtained via Google’s APIs, Rool will notify Google at security@google.com before making any public statement about the breach, except where required by applicable law, including without limitation our obligations to notify supervisory authorities (such as the Office of the Privacy Commissioner of New Zealand or the UK Information Commissioner's Office) or affected individuals under applicable Privacy Legislation. Our obligations under applicable Privacy Legislation take priority over this requirement.

15. Children’s Privacy

The Service is not directed to children.

We do not knowingly collect personal information from individuals under 16. We have set this threshold at 16 to align with the GDPR minimum age for consent. If you believe a person under 16 has provided us with personal information, please contact privacy@roolsocial.com and we will take steps to delete it.

For users in the United States, Rool also complies with the Children’s Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under the age of 13 without verifiable parental consent. If we become aware that we have inadvertently collected personal information from a child under 13 in the United States without the required parental consent, we will delete that information promptly. Parents or guardians who believe their child has submitted personal information to Rool may contact privacy@roolsocial.com to request its deletion.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect operational or legal changes.

The updated version will be posted on this page with a revised “Last updated” date.

Where changes are material — for example, where we are processing personal data in a new way or sharing it with new categories of third parties — we will notify existing users by email or in-app notification before those changes take effect.

17. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact: privacy@roolsocial.com