Privacy Policy

Last updated · May 27, 2026

This Privacy Policy explains what personal data Rollout collects, why we collect it, how we store it, and the rights you have over it. We aim to keep this short, plain, and accurate. For specific GDPR rights and how to exercise them, see our GDPR Statement.

1. Who is the data controller

The data controller for Rollout is Drexler Andrei-Florin, an individual based in Timișoara, Romania. Contact: support@getrollout.app. A postal address can be provided on request to verified users exercising a data-subject right under GDPR.

2. What we collect

Account data

  • Email address, name, and avatar (via Clerk authentication).
  • Hashed authentication tokens managed by Clerk (we never see your password).

Subscription & billing data

  • Stripe customer ID, subscription status, plan, billing cycle, and invoice history.
  • We do not store your full card number — Stripe handles all card data directly.

YouTube / Google data (via YouTube API Services)

Rollout uses YouTube API Services to connect to your YouTube channel and publish videos on your behalf. By using Rollout's YouTube features, you agree to be bound by the YouTube Terms of Service, and you acknowledge that Google's privacy practices are described in the Google Privacy Policy.

When you connect your channel, we receive and store:

  • Channel ID, channel name, and uploads playlist when you connect your YouTube account.
  • OAuth refresh tokens, which are stored only on your own device, encrypted at rest using your operating system's secure credential store (Windows DPAPI / macOS Keychain). These tokens never leave your machine and are not transmitted to or stored on our servers.
  • Metadata about uploads you've published through Rollout.

Limited Use. Rollout's use of information received from YouTube API Services adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we do not use YouTube data to serve advertising, we do not sell it or transfer it to third parties for ad targeting, credit checks, or any unrelated purpose, we do not allow humans to read it except (a) with your explicit consent, (b) when necessary for security or to comply with law, or (c) in aggregated, anonymized form for internal operations, and we only use it to provide the user-facing features you have authorized in the app.

Revoking access. You can revoke Rollout's access to your Google account at any time at the Google security settings page: security.google.com/settings/security/permissions. You can also disconnect your channel from inside Rollout's Settings page, which deletes the OAuth tokens stored on your device.

Project & content data

  • Project settings, metadata templates, watched-folder paths, and scheduling configuration.
  • Your audio and image files are processed locally on your machine. Rendered MP4s are uploaded to YouTube directly — they do not pass through our servers.

Usage & diagnostic data

  • Application logs (errors, queue events) used to diagnose issues.
  • Approximate location (country) derived from IP for tax compliance and abuse prevention.
  • Crash and performance data via Sentry, when error reporting is enabled.

3. Why we collect it (lawful basis under GDPR)

  • To provide the Service — performance of contract (Art. 6(1)(b) GDPR). Includes account, subscription, project, and YouTube data.
  • To bill and meet tax obligations — legal obligation (Art. 6(1)(c) GDPR). Includes invoices and VAT records.
  • To keep the Service secure and working — legitimate interest (Art. 6(1)(f) GDPR). Includes logs, error tracking, and abuse prevention.
  • To send product updates or announcements — consent (Art. 6(1)(a) GDPR), opt-in only. Transactional emails (receipts, security alerts) are sent under contract and cannot be opted out of.

4. Who we share data with

We share the minimum data required with the following processors, each under a Data Processing Agreement:

  • Clerk — authentication, account data.
  • Convex — database and serverless functions (project, subscription, and YouTube metadata).
  • Stripe — payment processing and billing.
  • Vercel — web hosting for the marketing site and web app.
  • Google / YouTube — when you connect your channel and upload videos.
  • Sentry — error and crash reporting (when enabled).
  • Resend — transactional email delivery.

We do not sell personal data and we do not share it with advertisers.

5. International transfers

Some processors are based in the United States or process data globally. Where required, transfers outside the EU/EEA are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards.

6. How long we keep data

  • Account data — for as long as your account exists, then deleted within 30 days of account deletion (except where longer retention is legally required, e.g. invoices).
  • Invoices & tax records — kept for the period required by Romanian and EU tax law (typically 5 years for standard invoices, up to 10 years for documents related to real estate or otherwise required by the Romanian Fiscal Code).
  • YouTube OAuth tokens — until you disconnect your channel, delete your account, or revoke access at Google.
  • Logs & diagnostic data — up to 90 days, then deleted or anonymized.
  • Project data — until you delete the project, or within 30 days of account deletion.

7. Security

We use industry-standard measures: TLS in transit, encryption at rest for credentials, scoped access controls, and the OS-level secure credential stores on desktop (DPAPI / Keychain). No system is perfectly secure, but we'll notify you and the relevant authority within 72 hours of becoming aware of a breach affecting your data, as required by GDPR.

8. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent for marketing emails at any time.
  • Lodge a complaint with the Romanian data protection authority (ANSPDCP — dataprotection.ro) or the authority in your EU country of residence.

Most rights can be exercised directly from the Settings page in the app. For anything else, email support@getrollout.app and we'll respond within 30 days.

9. Cookies & analytics

The website uses essential cookies for authentication, payment, and bot protection. Inside the signed-in app we additionally use PostHog for product analytics on an opt-in basis (off by default, turned on only if you accept the in-app consent banner). We do not use advertising cookies or cross-site tracking. The full list and purpose of each cookie, plus a description of PostHog, is in our Cookie Policy.

10. Children

Rollout is not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we'll delete it.

11. Changes to this policy

We'll update this page when our practices change and bump the “Last updated” date at the top. Material changes will be announced by email.

12. Contact

For privacy questions or to exercise any of your rights, email support@getrollout.app.