PRIVACY
POLICY

Rookia Tecnologia Ltda. ("Rookia", "we", "us", or "our") is committed to protecting the privacy and personal data of all users of its platform, available at rookia.com and related mobile applications (collectively, the "Platform"). Rookia provides technology solutions for managing sports competitions and events -- starting with CrossFit and expanding to multi-sport -- serving athletes, event organizers, staff, and spectators worldwide.

This Privacy Policy describes what personal data we collect, how we use it, with whom we share it, and what rights you have over it. It applies to all users of our Platform, regardless of location, and is designed to comply with both the Brazilian General Data Protection Law (Lei Geral de Protecao de Dados Pessoais -- LGPD, Law No. 13,709/2018) and the European Union General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with these practices, please do not use the Platform.

Rookia Tecnologia Ltda. is the data controller responsible for the personal data collected through the Platform. For questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact us at:

• Email: contact@rookia.com
• Website: rookia.com

We will respond to all data-related requests within 30 (thirty) calendar days.

This Policy applies to the following categories of users ("Users"):

• Athletes and Competitors: individuals who register for or participate in events managed through the Platform;
• Event Organizers: individuals or organizations that create and manage competitions using the Platform;
• Staff: referees, judges, volunteers, and other personnel associated with events on the Platform;
• Spectators and Fans: individuals who browse the Platform to follow competition results, rankings, and event information;
• Minors: users under the age of 18, whose registration requires verified parental or guardian consent (see Section 10).

4.1 Data You Provide Directly

When you create an account or interact with our Platform, we may collect:

• Full name, username, and display name;
• Email address and password (password is stored in encrypted form);
• Date of birth;
• Gender (optional);
• Profile photo or other images you choose to upload;
• Contact information (phone number, address -- where applicable);
• Sports category, weight class, division, team affiliation, and other competition-relevant information;
• Event registration details submitted by you or on your behalf by an organizer or team representative.

4.2 Athletic Performance and Results Data

As part of the core functionality of the Platform, we collect:

• Competition scores, rankings, and results;
• Workout performance data (e.g., times, reps, weights);
• Historical competition records associated with your athlete profile.

Note: event results and rankings may be publicly visible on the Platform (see Section 8).

4.3 Media

With your consent or as part of event management, we may collect photos or videos submitted by you, event organizers, or staff. You retain ownership of content you upload, but grant Rookia a license to display it on the Platform as described in our Terms of Service.

4.4 Payment Information

Rookia does not directly store credit card or financial account data. Payments are processed by third-party payment providers (such as Stripe). We receive only limited transaction confirmation data (e.g., payment status, last four digits of card) from these providers. Their use of your financial data is governed by their own privacy policies.

4.5 Data Collected Automatically

When you use the Platform, we automatically collect:

• IP address and approximate geographic location;
• Browser type, operating system, and device type;
• Pages visited, features used, and time spent on the Platform;
• Referring URLs and navigation paths;
• Session identifiers and interaction logs.

This data is collected via cookies and similar technologies, including Google Analytics. Please see Section 7 (Cookies) for more information.

4.6 Social Login Data

If you choose to sign in using Google (and, in the future, Apple or other providers), we receive from that provider your name, email address, profile picture, and unique provider ID. We do not receive your social media passwords. Your use of social login is subject to the respective provider's terms and privacy policy.

We use your personal data only for lawful purposes and to the extent necessary. Specifically:

• Account management: to create, maintain, and secure your account;
• Event services: to register you for events, process your participation, and provide event-related communications;
• Results and rankings: to display competition outcomes, leaderboards, and athlete profiles publicly on the Platform;
• Platform improvement: to analyze usage patterns and improve features, performance, and user experience (using tools such as Google Analytics);
• Communications: to send transactional emails (registration confirmations, result notifications, account updates) and, where you have opted in, marketing and promotional communications;
• Legal compliance: to comply with applicable laws, regulations, or legal proceedings in Brazil, the EU, or other applicable jurisdictions;
• Safety and integrity: to detect, prevent, and address fraud, abuse, or security threats.

We do not sell your personal data to third parties.

Under the LGPD and GDPR, we rely on the following legal bases to process your personal data:

• Consent: for optional data (e.g., marketing emails, optional profile fields, photos), where you have given clear and informed consent. You may withdraw consent at any time;
• Contractual necessity: to provide you with the services you have requested (e.g., event registration, account creation);
• Legal obligation: where processing is required to comply with applicable law;
• Legitimate interests: for analytics, fraud prevention, and Platform security, where our interests do not override your fundamental rights and freedoms;
• Protection of life: in rare emergency circumstances involving the safety of a person.

For minors under the age of 13 (or applicable age of digital consent in your jurisdiction), processing is based on verified parental consent.

We use cookies and similar technologies to operate and improve the Platform. Cookies are small text files stored on your device. We use:

• Essential cookies: necessary for the Platform to function (e.g., session management, login state);
• Analytics cookies: we use Google Analytics to understand how users interact with the Platform, which pages are most visited, and how to improve user experience. Google Analytics may set its own cookies. You can opt out of Google Analytics tracking by using the Google Analytics Opt-out Browser Add-on;
• Preference cookies: to remember your settings and preferences.

We do not currently use advertising or targeting cookies, nor do we allow third-party advertisers to track you through our Platform.

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the Platform.

Certain information on the Platform is publicly visible to any visitor without requiring a login. This includes:

• Athlete profiles (name, sport, division, team affiliation);
• Competition results, scores, and rankings;
• Event information, schedules, and rulebooks;
• Competition history associated with your athlete profile.

If you wish to have your public profile information modified or removed, please contact us at contact@rookia.com. Please note that results from past events may be retained for historical accuracy and integrity of competition records, even after account deletion.

We do not sell, rent, or trade your personal data. We may share your data in the following circumstances:

• Event Organizers: when you register for an event, the organizer receives the registration data necessary to manage your participation (e.g., name, division, results). Organizers are responsible for their own privacy practices;
• Service Providers: we share data with trusted third-party vendors who support the operation of our Platform (e.g., cloud hosting, email delivery, payment processing, analytics). These providers are contractually bound to process data only as instructed by us and in accordance with applicable law;
• Legal requirements: we may disclose data when required by law, court order, or governmental authority in Brazil, the EU, or other jurisdictions;
• Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same level of protection as described in this Policy;
• With your consent: for any sharing not described above, we will seek your explicit consent.

Rookia allows users under the age of 18 to register on the Platform, provided that a parent or legal guardian has given verifiable consent prior to registration. We collect only the personal data necessary for the minor's participation in sports events.

We do not share minors' personal data with third parties for marketing purposes. Parents or guardians may at any time request access to, correction of, or deletion of their child's personal data by contacting us at contact@rookia.com.

If we become aware that we have inadvertently collected personal data from a minor without parental consent, we will promptly delete that data.

Rookia operates in Brazil and the European Union, and your personal data may be processed in, or transferred to, countries outside your own. When we transfer personal data originating from the EU to countries not recognized as providing adequate data protection, we implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

By using the Platform from outside Brazil or the EU, you acknowledge that your data may be transferred to and processed in Brazil or the EU.

We retain your personal data for as long as your account is active and as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. Our retention guidelines are:

• Active accounts: data is retained for the duration of the account's activity;
• Deleted accounts: personal data is retained for up to 90 (ninety) days after account deletion, after which it is permanently deleted or anonymized, except where legal obligations require longer retention;
• Competition results and athletic records: may be retained indefinitely in anonymized or aggregated form to preserve the integrity of historical competition data;
• Financial transaction records: retained for up to 5 (five) years as required by Brazilian and applicable EU tax and financial regulations;
• Backup and archival systems: data deleted from active systems may persist in encrypted backups for up to an additional 30 (thirty) days before being purged.

13.1 Rights under LGPD (Brazil)

• Confirmation of the existence of processing;
• Access to your data;
• Correction of incomplete, inaccurate, or outdated data;
• Anonymization, blocking, or deletion of unnecessary or excessive data;
• Portability of your data to another service provider;
• Deletion of data processed with your consent;
• Information about third parties with whom data has been shared;
• Information about the possibility of not providing consent and the consequences thereof;
• Revocation of consent.

13.2 Rights under GDPR (EU/EEA)

• Right of access (Article 15);
• Right to rectification (Article 16);
• Right to erasure / "right to be forgotten" (Article 17);
• Right to restriction of processing (Article 18);
• Right to data portability (Article 20);
• Right to object to processing (Article 21);
• Right not to be subject to automated decision-making (Article 22).

To exercise any of these rights, please contact us at contact@rookia.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (in Brazil: ANPD -- Autoridade Nacional de Protecao de Dados; in the EU: your relevant national supervisory authority).

We implement commercially reasonable technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction. These include encrypted data transmission (HTTPS/TLS), password hashing, access controls, and regular security reviews.

However, no method of transmission over the internet or electronic storage is 100% secure. We encourage you to use a strong and unique password and to notify us immediately at contact@rookia.com if you suspect any unauthorized access to your account.

The Platform may contain links to third-party websites or services (e.g., event sponsor pages, social media profiles). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our Platform.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address registered with your account) or by a prominent notice on the Platform, at least 15 (fifteen) days before the changes take effect. Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes.

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact:

• Rookia Tecnologia Ltda.
• Email: contact@rookia.com
• Website: rookia.com