Privacy Policy

1. Who we are

Rowbot is a club management platform operated by Experiential Technologies Ltd ("we", "us", "our"), a company registered in England and Wales (Company No. 12585767). We provide software that helps rowing clubs manage their members, schedules, equipment, and more.

This policy explains what personal data we collect, why, and what your rights are.

2. Our role in relation to your data

Rowbot serves two roles depending on the type of data:

• Data Controller - We are the controller for data related to your Rowbot user account (your email address, login credentials, and platform-level profile). We determine how this data is used to provide and secure the platform.
• Data Processor - For data that your club stores about you in Rowbot (membership details, squad assignments, attendance, lineup selections, equipment usage, etc.), your club is the data controller. We process this data on their behalf and according to their instructions.

If you have questions about how your club uses your data within Rowbot, contact your club directly. If you have questions about your Rowbot account or the platform itself, contact us.

3. What data we collect

Account data (we are the controller)

When you create a Rowbot account, we collect:

• Email address
• Name
• Password or authentication tokens (for magic link / social login)
• Profile information you choose to add (e.g. profile photo)

We use this data to:

• Authenticate you and keep your account secure
• Provide access to clubs you belong to
• Send you essential communications (login links, security alerts)

Lawful basis: Legitimate interests (providing and securing the service) and, where applicable, performance of a contract.

Club data (your club is the controller)

Your club and its administrators may store the following about you:

• Contact details (phone number, emergency contacts)
• Club membership information (membership type, dates, status)
• Squad and group assignments
• Attendance and availability
• Lineup and crew selections
• Coaching notes and certifications
• Equipment allocations
• Financial information (invoices, payment status)
• Any other information your club chooses to record

We process this data on your club's behalf. The lawful basis for this processing is determined by your club - typically legitimate interests (running the club) or performance of a contract (your club membership).

Health and activity data

If you choose to connect a fitness platform (e.g. Strava, Concept2, Apple Health) or log training data, Rowbot may process:

• Workout and activity records (distance, duration, stroke rate, splits)
• Heart rate data
• Other fitness metrics from connected services

This is special category data under UK GDPR. We only process it with your explicit consent, which you give when you connect a service or enable activity tracking. You can disconnect at any time, and we will stop syncing new data. You can also request deletion of previously synced data.

Your club's coaches and administrators may be able to view your activity data within Rowbot, depending on your club's settings and permissions. Your club will inform you of who has access.

Technical data

We automatically collect limited technical data when you use Rowbot:

• IP address and approximate location
• Browser or device type
• Pages visited and actions taken within the platform
• Error logs

Lawful basis: Legitimate interests (maintaining and improving the service).

4. How we share your data

We do not sell your data. We share it only with:

• Your club's administrators and authorised users - according to your club's permission settings
• Sub-processors - third-party services that help us run the platform (see below)
• Legal requirements - if required by law, regulation, or legal process

Sub-processors

We use the following third-party services to operate Rowbot:

• Amazon Web Services (AWS) - Hosting, database, file storage (UK, London)
• Postmark - Transactional email (US)
• Stripe - Payment processing (US)
• GoCardless - Direct debit payment processing (UK)

Where data is transferred outside the UK, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses, adequacy decisions).

Fitness platform integrations (Strava, Concept2, etc.) are initiated by you and governed by those platforms' own privacy policies.

5. How we use artificial intelligence

Some features within Rowbot are powered by artificial intelligence (AI). These features are optional - your club chooses whether to enable them, and some features additionally require your individual consent before they process your data.

What AI features are available:

• Reporting and analytics - helping club administrators generate insights from club data such as attendance patterns, equipment usage, and membership trends
• Training and health recommendations - providing personalised suggestions based on your activity history and training data
• Photo tagging - using facial recognition to identify and tag members in club photos
• Natural language queries - allowing administrators to ask questions about club data in plain English

How it works technically:

We use AWS Bedrock, a managed AI service hosted in London (UK), to process AI requests. The AI models are provided by Anthropic (Claude). Importantly:

• Your data is processed in the UK (AWS eu-west-2 region, London)
• Your data is never used to train AI models - not by us, not by AWS, not by Anthropic
• AI prompts and responses are processed in real-time and are not stored by the AI providers after processing
• For photo tagging, we use AWS Rekognition, also hosted in the UK

What requires your consent:

Most AI features operate on data you have already provided to the platform (your activity logs, attendance records, etc.) and are covered by your club's existing basis for processing your data.

However, photo tagging and facial recognition involves processing your biometric data, which is a special category of personal data under UK GDPR. This feature requires your explicit consent before we process your photos for facial recognition purposes. You can:

• Choose whether to opt in to photo tagging when prompted
• Withdraw your consent at any time through your account settings
• Request deletion of your facial recognition data at any time

If you withdraw consent, your facial recognition data (facial feature vectors) will be deleted immediately, and you will no longer be tagged in new photos. Existing tags on past photos will be removed.

Accuracy:

AI-generated content - including reports, recommendations, and photo tags - is provided for informational purposes only. Training and health recommendations are general in nature and should not be treated as professional medical or coaching advice. Photo tagging may occasionally produce incorrect results; you can correct or remove any inaccurate tags.

Your rights:

No decisions with legal or significant effects on you are made solely by AI within Rowbot. AI features assist club administrators and coaches in making decisions, but humans always make the final call. You have the right under UK GDPR not to be subject to solely automated decision-making that significantly affects you.

Full details of AI data processing are set out in the AI Features Addendum.

6. How long we keep your data

• Account data - Retained while your account is active. If you delete your account, we delete your account data within 30 days.
• Club data - Retained while your club uses Rowbot. If a club leaves the platform, their data is deleted within 30 days of termination unless they request an export. Individual member data is deleted on request from you or your club.
• Health and activity data - Retained until you disconnect the integration and/or request deletion.
• Technical logs - Retained for up to 12 months.

7. Your rights

Under UK GDPR, you have the right to:

• Access your personal data (request a copy of what we hold)
• Correct inaccurate data
• Delete your data (right to erasure)
• Restrict processing in certain circumstances
• Port your data (receive it in a structured, machine-readable format)
• Object to processing based on legitimate interests
• Withdraw consent for health data processing at any time

For data where we are the controller (your account), contact us directly. For data where your club is the controller, contact your club - we will assist them in fulfilling your request.

To exercise any of these rights, email us at privacy@rowbot.app.

8. Cookies

We use essential cookies to provide the Service (authentication, session management). We do not use third-party tracking or advertising cookies. You can manage cookie preferences through your browser settings.

9. Security

We take reasonable technical and organisational measures to protect your data, including:

• Encryption in transit (TLS) and at rest
• Tenant isolation (your club's data is separated from other clubs')
• Role-based access controls
• Regular security reviews

10. Children

Rowbot is not intended for use by children under 16. We do not knowingly collect data from children under 16 without parental consent. If you believe a child's data has been collected without appropriate consent, please contact us.

11. Changes to this policy

We may update this policy from time to time. We will notify you of significant changes via email or an in-app notice. The "last updated" date at the top of this page will always reflect the most recent version.

12. Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113

We'd appreciate the chance to address your concern first - please contact us before escalating to the ICO.

13. Contact us

Experiential Technologies Ltd (Company No. 12585767)

For data protection queries: privacy@rowbot.app

For general support: support@rowbot.app