Rook Privacy Policy
Effective date: 2026-06-07
This Privacy Policy explains how Obsidian Labs LLC ("Rook," "we," "us," or "our") collects, uses, shares, and protects personal information in connection with Rook, a multi-publish tool that lets content creators compose a post once and publish it to channels they own on Discord, X (Twitter), and Telegram through a tap-to-approve flow, and that offers an optional inbound webhook for a creator's own systems to drop drafts into their approval inbox.
Rook is a business-to-business product sold to creators, but individuals create and use accounts. We treat the people who use Rook as individuals who may have privacy rights regardless of whether they signed up in a business capacity. This policy is written to cover both US privacy law (including the California Consumer Privacy Act as amended by the California Privacy Rights Act, "CCPA/CPRA") and the EU General Data Protection Regulation and UK GDPR (together, "GDPR").
Rook is a tool you pay for by monthly subscription. We are not in the money flow between you and your own subscribers or audience: we are not a marketplace or payment processor for you, we take no cut of your revenue, and we do not handle your end-customers' payments. We do not serve advertising and do not use advertising or cross-site tracking technologies. For product analytics we use Plausible, a privacy-focused, cookieless analytics service that sets no cookies, stores nothing on your device, and collects no personal data. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
1. Who we are (data controller)
The controller responsible for your personal information is:
Obsidian Labs LLC
732 S 6th St, Ste R, Las Vegas, NV 89101, USA
Privacy contact: privacy@postrook.com
General contact: support@postrook.com
EU and UK users
Rook is operated from the United States and is directed to customers in the United States. We do not target or actively offer the Service to individuals in the European Economic Area or the United Kingdom, and we have therefore not appointed Article 27 representatives. If we later offer the Service to individuals in the EEA or UK, we will appoint and name an EU representative and a UK representative before doing so and update this policy.
Data protection contact
We have not appointed a statutory Data Protection Officer. For any question about this policy or your personal information, contact us at privacy@postrook.com.
When we are a processor for our customers
Some personal information you route through Rook (for example, content or webhook payloads originating from your own systems and audiences) may be personal data for which you, the creator, are the controller and Rook is a processor acting on your instructions. Where that is the case, our processing of that data is also governed by a data processing agreement (DPA) between you and us. To request our DPA, contact privacy@postrook.com.
2. The personal information we collect
We collect only what we need to run the service. The categories below correspond to what Rook actually handles.
| Category | What it includes | Source |
|---|---|---|
| Account data | Email address, username, and password. Passwords are stored only as a hash via our authentication provider (Better Auth) — we never store plaintext passwords. If you sign in with Google, we also receive a Google account identity (OAuth). | You; Google (if you use Google sign-in) |
| Content | The posts you compose and publish — a headline, structured attributes, an optional image URL, and an optional accent — and any webhook payloads your own systems send to your approval inbox. | You / your systems |
| Connected-channel credentials | OAuth access and refresh tokens for the Discord, X, and Telegram accounts or bots you connect, and webhook signing secrets. These are stored encrypted at rest using AES-256-GCM envelope encryption and are never stored in plaintext. | You (via the connect / OAuth flow) |
| Billing data | Your Stripe customer ID and subscription ID. We do not collect or store payment card numbers. All payment and card data is collected and processed directly by Stripe. | You; Stripe |
| Operational data | Server logs (via pino) and error/diagnostic telemetry (via Sentry). Our Sentry configuration is set to redact Authorization headers, cookies, and secret-named fields. | Generated automatically as you use the service |
| Usage analytics | Aggregate, anonymous usage statistics (e.g., page views, referrers, approximate country, browser/device type) collected via Plausible. Plausible is cookieless, sets nothing on your device, and does not collect personal data or build cross-site profiles. | Generated automatically as you use the service |
| Cookie data | A single httpOnly, secure session cookie used for authentication. We use no advertising or cross-site tracking cookies; our analytics provider (Plausible) is cookieless. See Section 8. | Generated when you log in |
We do not intentionally collect special category / sensitive personal information, and we ask that you not submit it through the service. We do not collect precise geolocation, biometric data, or government identifiers.
Information from other sources
Where you choose to connect a third-party account (Discord, X, Telegram) or sign in with Google, those providers' APIs return account or profile identifiers necessary to operate the connection. We obtain that information from those providers (not from publicly accessible sources) and use it only to provide the publishing service you requested.
Browser extension
If you choose to install the Rook browser extension, it is read-only: it observes only your own user-initiated activity and never automates trades, places orders, or buys or sells on your behalf. Where the extension processes personal information, it does so only to provide the functionality you have requested, on the same legal bases and subject to the same protections described in this policy.
3. How we use your information, and our legal bases
For users protected by the GDPR, the table below states the lawful basis under Article 6 for each purpose. For all users, it describes the business purpose for which the information is used.
| Purpose | Personal information used | GDPR lawful basis |
|---|---|---|
| Create and operate your account; authenticate you | Account data, cookie data | Contract (Art. 6(1)(b)) — necessary to provide the service you signed up for |
| Compose, store, and publish your content to the channels you connect, on your tap-to-approve instruction | Content, connected-channel credentials | Contract (Art. 6(1)(b)) |
| Store and refresh OAuth tokens and webhook secrets so your connected channels keep working | Connected-channel credentials | Contract (Art. 6(1)(b)) |
| Bill your subscription and manage plan tiers (Free / Pro $49 / Studio $149) | Billing data, account data | Contract (Art. 6(1)(b)); and legal obligation (Art. 6(1)(c)) for tax and accounting records |
| Send transactional email (for example, password-reset messages) | Account data | Contract (Art. 6(1)(b)) |
| Keep the service secure, prevent abuse, debug errors, and maintain reliability | Operational data, account data | Legitimate interests (Art. 6(1)(f)) — our interest in operating a secure, reliable service and protecting it and our users from abuse |
| Understand product usage to improve the service | Aggregate usage analytics (no personal data), via cookieless Plausible | Legitimate interests (Art. 6(1)(f)) — improving the service through minimal-impact, cookieless, non-identifying analytics |
| Analyze content in aggregate to understand usage patterns and improve the product | Content (reviewed only in aggregate or de-identified form, internally) | Legitimate interests (Art. 6(1)(f)) — improving features and reliability; we do not use this to endorse content, advertise, build profiles about you, train third-party models, or sell or share data |
| Comply with law and respond to lawful requests | Any of the above, as relevant | Legal obligation (Art. 6(1)(c)) |
Legitimate interests. Where we rely on legitimate interests, the interests we pursue are operating a secure and reliable service, diagnosing and fixing faults, protecting Rook and its users against fraud, abuse, and unauthorized access, and understanding how the product is used — including by analyzing content in aggregate or de-identified form — to improve it. This internal product analysis is never used to endorse individual content, to advertise, to build profiles about you, to train third-party models, or for sale or sharing. We balance these interests against your rights and freedoms, and you may object as described in Section 7.
No automated decision-making. We do not carry out automated decision-making that produces legal or similarly significant effects about you within the meaning of Article 22 GDPR, and we do not profile you for advertising.
Providing your information. Providing account, content, connection, and billing information is necessary to use Rook. If you do not provide it, we cannot create your account, publish your posts, maintain your connections, or bill your subscription.
4. How we share information — sub-processors and recipients
We do not sell your personal information and we do not share it for cross-context behavioral advertising. We share information only with the service providers (sub-processors) that help us run Rook, with the platforms you choose to publish to, and where the law requires.
Service providers (sub-processors)
We engage the following sub-processors under written contracts that require them to protect personal information and to process it only on our instructions. Each receives only the data needed for its function.
| Sub-processor | Role | What it receives |
|---|---|---|
| Render | Cloud hosting; runs the application, the PostgreSQL database, and Redis | All data stored and processed by Rook, as the underlying hosting and database layer |
| Stripe | Subscription billing and all payment/card processing | Account and billing identifiers we pass to Stripe to set up and manage your subscription (such as your email address and Stripe customer/subscription identifiers). Your payment card and any card-billing details are collected and processed by Stripe directly — we do not receive or store them. |
| Resend | Transactional email delivery (e.g., password-reset emails) | Your email address and the contents of transactional messages |
| Sentry | Error monitoring and diagnostics | Error and diagnostic telemetry, configured to redact Authorization headers, cookies, and secret-named fields |
| Cloudflare | Edge / CDN / DNS | Network-level request data passing through our edge |
| Plausible Analytics | Privacy-focused, cookieless product analytics (EU-hosted) | Aggregate, anonymous usage events (page views, referrers, approximate country and device, derived without cookies or persistent identifiers). No personal data, no cross-site tracking. |
Destination platforms you connect
When you approve a post, Rook publishes the content you chose to the platforms you have connected, through your own connected accounts:
- Discord
- X (Twitter)
- Telegram
These platforms receive the content you direct us to publish. Your use of each platform is governed by that platform's own terms and privacy policy, and we have no control over how those platforms handle data once it is published. Publishing is initiated only by your explicit tap-to-approve action; merely connecting an account does not cause anything to be published.
Other disclosures
We may disclose personal information to comply with applicable law, regulation, legal process, or an enforceable governmental request; to enforce our terms; or to protect the rights, property, or safety of Rook, our users, or others. If we are involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to this policy.
Obtaining our sub-processor information
We maintain an up-to-date list of sub-processors. To request the current list or our data processing agreement, contact privacy@postrook.com.
5. International data transfers
Rook is operated from the United States and your information is stored and processed in the United States (and other locations where our sub-processors operate). If you are in the EEA or the UK, transferring your information to the United States means it is processed outside your home jurisdiction.
Where we transfer personal data out of the EEA or the UK, we rely on a lawful transfer mechanism:
- EU–U.S. and UK Extension to the Data Privacy Framework (DPF). Where a US recipient is actively self-certified under the EU–U.S. Data Privacy Framework (and, for UK transfers, the UK Extension / UK–US Data Bridge) and the relevant data type is within the scope of its certification, we rely on that adequacy mechanism for the transfer to that recipient.
- Standard Contractual Clauses and the UK IDTA. For transfers to recipients that are not covered by the DPF, we rely on the European Commission's Standard Contractual Clauses (2021) and, for UK transfers, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, together with a transfer risk assessment and any supplementary measures that may be appropriate.
To request a copy of the safeguards we use for a given transfer, contact privacy@postrook.com.
6. How long we keep information (retention)
We keep personal information only as long as necessary for the purposes described in this policy, and then delete or de-identify it.
- Account data is retained for the life of your account and deleted (or de-identified) after account closure, subject to the exceptions below.
- Content is retained for the life of your account so the service can operate; once published to a platform, content lives on that platform independently of Rook and is governed by that platform's policies.
- Connected-channel credentials (OAuth tokens and webhook secrets) are deleted when you disconnect a channel, when a token is revoked, or when you close your account.
- Billing data is retained as long as needed to administer your subscription and to meet tax, accounting, and legal record-keeping obligations.
- Operational data (logs and error telemetry) is retained for a limited period sufficient for security, debugging, and reliability, and then rotated out.
Where we cannot state a fixed period, we determine retention by reference to the purpose for which the data was collected, our legal obligations, and the need to resolve disputes and enforce agreements.
7. Your privacy rights
Rights under the GDPR (EEA and UK users)
If you are in the EEA or the UK, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten") in certain circumstances;
- Restrict our processing in certain circumstances;
- Object to processing based on our legitimate interests;
- Data portability — receive data you provided to us, that we process by automated means on the basis of consent or contract, in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible;
- Withdraw consent at any time where we rely on consent, without affecting processing carried out before withdrawal.
You can revoke a connected channel's access at any time, both inside Rook (by disconnecting the channel) and directly with the third-party platform.
We will respond to a rights request within one calendar month. That period may be extended by up to two further months for complex or numerous requests, and we will tell you if that applies. For UK users, the response period may be paused while we seek clarification needed to act on your request. Requests are normally free of charge.
Complaints. You may lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO). In the EEA you may complain to the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.
Rights under the CCPA/CPRA (California) and similar US state laws
Depending on the law that applies to you, you may have the right to:
- Know what personal information we collect, the sources, the purposes, and the categories of third parties we disclose it to;
- Access / obtain a copy of your personal information;
- Delete your personal information;
- Correct inaccurate personal information;
- Opt out of the sale or sharing of personal information and of targeted/cross-context behavioral advertising;
- Limit the use and disclosure of sensitive personal information;
- Non-discrimination for exercising your rights.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising, so we do not offer a "Do Not Sell or Share My Personal Information" mechanism: there is nothing to opt out of. We also do not use sensitive personal information for purposes that would trigger a right to limit its use, beyond what is necessary to provide the service and as otherwise permitted by law.
Residents of other US states with comprehensive privacy laws (for example, Virginia, Colorado, and Texas) may have comparable rights, including access, correction, deletion, portability, and opting out of sale, targeted advertising, and certain profiling, as well as the right to appeal a denial of a request. We honor these rights to the extent the applicable law requires.
For US state-law requests, we will confirm receipt and respond within the timeframe required by the applicable law — generally within 45 days, with one extension of up to an additional 45 days where reasonably necessary, and we will tell you if an extension applies.
How to exercise your rights
To exercise any right above, contact us at privacy@postrook.com, or by mail at the address in Section 13. We will verify your identity before acting on a request, and we will not discriminate against you for exercising your rights. You may use an authorized agent to submit a request where the law permits, subject to verification.
8. Cookies
Rook uses a single, strictly necessary httpOnly, secure session cookie to authenticate you and keep you logged in. This cookie is essential to provide the service you have requested.
Because this cookie is strictly necessary, we do not require a cookie consent banner for it under the EU ePrivacy Directive, the GDPR, or UK PECR. We do not set advertising, A/B-testing, or social-media cookies or trackers, and we do not use the session cookie for any secondary purpose such as behavioral monitoring. Our product analytics service, Plausible, is cookieless — it sets no cookies and stores no information on your device — so it likewise does not require cookie consent under the ePrivacy Directive or PECR.
For full details of the cookie, its purpose, and its duration, see our Cookie Notice. If we ever introduce any non-essential cookie or tracker, we will update that notice and obtain your prior opt-in consent where the law requires.
9. Security
We use technical and organizational measures appropriate to the risk to protect personal information, including:
- Envelope encryption at rest of OAuth tokens and secrets using AES-256-GCM, with the data key managed separately from the encrypted data;
- Encryption in transit via HTTPS/TLS;
- httpOnly, secure session cookies and security response headers;
- Immediate session invalidation on logout and password reset;
- Redaction of Authorization headers, cookies, and secret-named fields in our error monitoring.
No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a personal data breach, we will notify affected users and authorities to the extent required by applicable law and by our obligations to the platforms whose data we handle.
10. Children
Rook is a business tool intended for adults and is not directed to children. We do not knowingly collect personal information from children under 16 (or under 13 in the United States). If you believe a child has provided us personal information, contact us at privacy@postrook.com and we will delete it.
11. Content and endorsement (what this policy does not imply)
Rook is a publishing tool, not an attestation or verification service. We do not review, endorse, verify, or vouch for the content you publish, and any internal analysis we perform is aggregate or de-identified and for product improvement only (see Section 3) — it never means we have reviewed, approved, or endorse individual content. The only attribution we add is a plain "via Rook" footer shown on Free-tier posts; paid tiers publish unbranded. Rook is not a financial adviser, broker, or investment service, and gives no advice. You are responsible for having the rights to publish your content, for lawfully controlling the accounts and channels you connect, and for your own jurisdictional, regulatory, and tax compliance. Rook publishes to channels you control, not to individual end subscribers, so we structurally cannot and do not enforce per-jurisdiction visibility.
12. Changes to this policy
We may update this policy from time to time. If we make a material change, we will notify you (for example, by email or in-app) and update the effective date above. The version in force is the one posted here with the most recent effective date.
13. Contact us
For any privacy question or to exercise your rights:
Obsidian Labs LLC
Privacy: privacy@postrook.com
General: support@postrook.com
Mail: 732 S 6th St, Ste R, Las Vegas, NV 89101, USA