Privacy Policy

Notice News, Inc., a Delaware corporation operating the RooneAI platform ("Roone," "we," "us," or "our"), is committed to protecting the privacy of its customers and their Authorized Users. This Privacy Policy explains what information we collect, how we use it, how long we keep it, and your rights with respect to it.

Roone's Platform is a B2B service. We do not knowingly collect personal data directly from consumers or individuals other than Customer employees, contractors, and other Authorized Users who access the Platform on behalf of their organizations. If you are an individual whose data has been processed through a Roone customer's use of the Platform, please contact that customer directly.

1. Categories of Personal Data We Process

1.1 Account and Contact Information

When a Customer or Authorized User creates an account or is provisioned access, we collect: name, business email address, job title, organization name, billing address, and payment information (processed via our third-party payment processor; we do not store full payment card numbers).

1.2 Usage and Platform Data

We automatically collect technical and usage data when Authorized Users interact with the Platform, including: log data (IP addresses, browser type, operating system, referring URLs, access timestamps); device identifiers and session data; feature usage patterns, clicks, and navigation data; content workflow activity (signals viewed, drafts created, content published); and API access logs and integration activity.

1.3 Customer Content

As part of providing the Platform, we process Customer Content — including source materials, style guides, brand guidelines, draft content, and editorial feedback signals — uploaded or generated by Customer and its Authorized Users. Customer Content may include personal data about third parties (e.g., individuals mentioned in news articles, source contact information, names referenced in editorial briefings). We process Customer Content solely on behalf of and at the direction of Customer.

1.4 Editorial DNA Data

We process Customer Content and usage signals to build and maintain each Customer's Editorial DNA profile — a set of learned editorial preferences, voice parameters, and content standards specific to that Customer's account. Editorial DNA profiles are not shared across Customer accounts.

1.5 Communications Data

We collect information you provide when you contact us for support, respond to surveys, complete onboarding materials, or otherwise communicate with our team.

1.6 Legal Consent Records

We record the date, time, and manner in which Customer Authorized Users accepted these Terms, our Privacy Policy, and our Acceptable Use Policy, including IP address and user agent string, for legal compliance purposes.

2. How We Use Information

2.1 Providing and Operating the Platform. We use account information, usage data, and Customer Content to deliver the Platform's features and services, authenticate users, process transactions, and fulfill our contractual obligations to Customers.

2.2 Personalizing the Editorial DNA System. We use Customer Content, editorial feedback signals, and usage patterns to build and refine the Editorial DNA system for each Customer, tailoring AI-generated outputs to reflect each Customer's editorial voice and standards.

2.3 Improving the Platform. We use aggregated, anonymized, and de-identified usage data and platform metrics to analyze trends, identify bugs, develop new features, and improve the overall quality and performance of the Platform. We do not use Customer Content in identifiable form for this purpose without consent.

2.4 Customer Communications. We use contact information to send service-related communications such as subscription confirmations, renewal notices, product updates, security alerts, and support responses. Marketing communications are sent only with opt-in consent and include a one-click unsubscribe mechanism.

2.5 Security and Fraud Prevention. We use log data and usage information to detect, investigate, and prevent unauthorized access, abuse, or fraudulent activity on the Platform.

2.6 Legal Compliance. We process data as required to comply with applicable law, respond to legal process, and enforce our agreements.

3. Third-Party Processors and Sub-processors

We do not sell, rent, or trade personal data. We share information only as described below. A full, current list of our sub-processors is maintained at roone.ai/subprocessors.

3.1 AI Model Providers. Customer Content and Editorial DNA prompts are transmitted to the following AI providers to generate Platform outputs:

• Anthropic, PBC (Claude API) — LLM inference for content drafts, scoring, enrichment, and conversational features. Location: United States. Anthropic's Commercial Terms apply; no model training on customer data. Retention: inputs/outputs deleted within 30 days by default.
• OpenAI, LLC (text-embedding-3-small) — text embedding for semantic search and signal clustering. Location: United States. OpenAI's Business Terms apply; API inputs not used for training by default. Retention: up to 30 days for abuse monitoring.
• Groq, Inc. (Llama, Whisper) — LLM inference for signal scoring and summarization; audio/video transcription. Location: United States (GCP infrastructure). Inference data not retained by default under Groq's commercial terms.

None of the above AI providers train their generative models on Roone customer data under their respective commercial terms. Roone has entered into, or will enter into, data processing agreements with each provider consistent with GDPR Article 28 requirements.

3.2 Data and Content Sources.

• Event Registry / NewsAPI.ai — news data API providing article metadata, titles, summaries, and entity data from 150,000+ publishers, used to power Intelligence Feeds. Location: European Union. NewsAPI.ai acts as an independent data controller for the news content it provides.
• RSS.app (Magnet Networks) — social-to-RSS feed conversion enabling monitoring of public social media accounts. Location: United States.

3.3 Infrastructure and Operations.

• Railway Corporation — application hosting, managed Postgres (database), and Redis (job queue). Location: United States (with optional Netherlands and Singapore regions). Sub-processors include Google Cloud Platform (compute) and Cloudflare (CDN).
• Twilio Inc. (SendGrid) — transactional email delivery (password resets, alerts, report deliveries, invitations). Location: United States. DPA auto-applies under Twilio's standard terms.
• Functional Software, Inc. (Sentry) — application error monitoring and performance tracking. Location: United States (EU data storage available on request). PII scrubbing is configured to minimize capture of personal data in error events.
• Stripe, Inc. — payment processing. Location: United States. Acts as an independent data controller for payment data.

3.4 Business Transfers. If Roone is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will provide notice before personal data is transferred and becomes subject to a materially different privacy policy.

3.5 Legal Requirements. We may disclose information if required by applicable law, court order, or governmental authority.

4. Customer Content and AI Model Training

• We process Customer Content solely to provide the Platform to Customer and to power the Editorial DNA system for that Customer's account.
• We do not use Customer Content in identifiable form to train general-purpose AI models that are made available to third parties, without Customer's prior written consent.
• We do not sell personal data or Customer Content.
• We may use aggregated, anonymized, and de-identified data derived from platform usage across customers to improve the Platform's core AI capabilities. Such data cannot reasonably be used to identify any individual Customer or its content.
• Editorial DNA profiles built for a Customer are specific to that Customer's account and are not shared with or used to benefit other Customers.
• Third-party AI providers (Anthropic, OpenAI, Groq) do not train their models on inputs submitted through the Roone API under their respective commercial terms.

5. Source Content Analysis Disclosure

To power editorial intelligence features, the Platform may fetch and transiently process publicly available article text from news sources. This processing is done in memory for the limited purpose of entity extraction and signal scoring. Article body text is not stored in persistent systems after analysis is complete. Roone honors robots.txt exclusion standards. This practice is consistent with industry-standard media monitoring and analytics tools.

6. Data Retention

6.1 Account and Usage Data. We retain account information and usage logs for the duration of the Subscription Term and for up to three (3) years thereafter for audit, legal compliance, and dispute resolution purposes.

6.2 Customer Content. We retain Customer Content for the duration of the Subscription Term. Upon termination, Customer may request export within thirty (30) days. After that window, Roone may permanently delete Customer Content from active systems.

6.3 Audit Logs. Platform audit logs (recording user actions, content changes, and access events) are retained according to the tier selected by Customer (options: 30 days, 90 days, 1 year, or indefinite). Customers can configure their retention tier in Platform settings.

6.4 Legal Consent Records. Records of ToS acceptance (including email, timestamp, IP address, and version accepted) are retained indefinitely for legal compliance purposes.

6.5 Transient AI Processing. Inputs and outputs transmitted to third-party AI providers are subject to those providers' retention policies (typically up to 30 days for API customers; zero data retention available for eligible requests).

6.6 Backups. Customer Content may persist in encrypted backup systems for up to ninety (90) days after deletion from active systems.

7. Data Security

Roone implements commercially reasonable technical, administrative, and physical safeguards designed to protect personal data and Customer Content against unauthorized access, disclosure, alteration, or destruction. These measures include: encryption of data in transit (TLS) and at rest (AES-256-GCM for sensitive fields); role-based access controls; comprehensive audit logging; multi-factor authentication for administrative access; and regular security assessments. In the event of a personal data breach affecting Customer data, Roone will notify Customer within seventy-two (72) hours of becoming aware of the breach.

8. International Data Transfers

Roone is based in the United States. Customer Content and personal data may be transferred to and processed in the United States and other countries where Roone's Sub-processors operate. For transfers of personal data from the European Economic Area (EEA) or United Kingdom to the United States, Roone relies on: (a) the EU-U.S. Data Privacy Framework and/or the UK Extension thereto, where applicable; or (b) Standard Contractual Clauses (Module Two: Controller to Processor) as published by the European Commission, available upon request at hello@roone.ai.

9. GDPR — Data Subject Rights

This Section applies to personal data of individuals located in the European Economic Area ("EEA") or the United Kingdom ("UK"). To the extent Roone processes personal data on behalf of Customer as a processor subject to GDPR, the parties' respective obligations are governed by Section 12 of Roone's Terms of Service (Data Processing Addendum). Data subjects may have the following rights, which should be exercised through the Customer organization that controls the processing:

• Right of access — request a copy of personal data held about you
• Right to rectification — request correction of inaccurate personal data
• Right to erasure — request deletion of personal data in certain circumstances
• Right to restriction — request that processing be limited in certain circumstances
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests

Where Roone processes personal data as a controller (e.g., account and contact data of Customer administrators), data subjects may direct requests to hello@roone.ai. Roone will respond within thirty (30) days.

10. CCPA — California Residents

We do not sell personal information as defined under the California Consumer Privacy Act. We do not share personal information for cross-context behavioral advertising. California residents may exercise their CCPA rights (access, deletion, correction, opt-out of sale/sharing) by contacting us at hello@roone.ai. We will not discriminate against any person for exercising their CCPA rights.

11. No HIPAA Processing

The Platform is not designed or certified for the processing of Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA"). Customer shall not submit or process PHI through the Platform without a separate written Business Associate Agreement executed between the parties. Roone makes no representations as to HIPAA compliance with respect to standard Platform subscriptions.

12. Cookies and Tracking Technologies

We use strictly necessary cookies (required for the Platform to function), functional cookies (remember user preferences), and analytics cookies (aggregated, anonymized usage data). We do not use third-party advertising cookies on the Platform.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify the Customer at the email address on file and post the updated policy on the Platform. The updated policy will be effective thirty (30) days after notice.

14. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us at:

Notice News, Inc. d/b/a Roone
Attn: Privacy · PO Box 93, 179 Rehoboth Ave., Rehoboth Beach, DE 19971
Email: hello@roone.ai