Privacy Policy
Last updated: Dec 6, 2025
RovaLabs (“RovaLabs”, “we”, “us”, or “our”) provides an identity and access control platform for robot fleets, including a cloud control plane (RovaID), on‑premise enforcement gateways (RovaEdge), and robot‑aware logging/observability (RovaSight) that help organizations control and audit access to robots across fleets, vendors, and sites.
This Privacy Policy explains how we collect, use, disclose, and protect information in connection with:
- Our website at https://rovalabs.io (the “Website”);
- Our products and services, including RovaID, RovaEdge, RovaSight, related SDKs, APIs, and documentation (collectively, the “Services”); and
- Any other interactions you have with us where we link to or reference this Privacy Policy.
By using the Website or Services, you agree to the practices described in this Privacy Policy.
If you do not agree, please do not use the Website or Services.
1. Who We Are & Contact Details
The controller of your personal information for the purposes described in this Privacy Policy is:
RovaLabs Inc.
Email: hello@rovalabs.io
When we provide the Services to an organization (for example, your employer), that organization is typically the data controller of personal data processed within the Services, and RovaLabs acts as a processor or service provider on their behalf.
2. Scope
This Privacy Policy applies to:
- Visitors to our Website;
- Individuals who sign up for, access, or use the Services (for example, operators, engineers, and vendor support personnel who authenticate via their organization’s identity provider);
- Individuals who communicate with us (e.g., via email, forms, or events).
If your organization uses the Services, our processing of your data may also be governed by a separate agreement (e.g., a subscription agreement and/or data processing agreement) with that organization. In case of conflict, that agreement will generally govern our relationship with your organization.
3. Information We Collect
We collect information in three main ways: (a) information you provide directly, (b) information we obtain from your organization or third parties, and (c) information collected automatically.
3.1 Information You Provide Directly
- Account and profile information. When you or your organization create an account for the Services, we may collect:
  - Name, email address, job title/role, company name;
  - Authentication or SSO information (for example, identity provider identifiers, group membership, roles assigned in RovaID);
  - Any preferences or settings you configure.
- Communication and support data. If you contact us (e.g., via email, forms, or support tickets), we collect the information you provide, such as:
  - Your contact details;
  - The content of your request and any attachments;
  - Feedback or survey responses.
- Demo, pilot, and design‑partner information. When you engage in pilots or design‑partner programs, we may receive additional technical or business context about your robot fleets, sites, access patterns, and security concerns, including access flows, identities, and integrations you choose to configure within the Services.
3.2 Information from Your Organization and Integrations
Because RovaLabs is infrastructure for identity and access control for robots, much of the data we process comes from your organization and its systems, including (as configured by your admins):
- Identity providers (IdPs). Information from systems like Okta, Azure AD, Google, or other IdPs used for SSO, such as:
  - Unique user identifiers;
  - Names, emails, and group memberships;
  - Mappings to roles and principals in RovaID.
- Robot and site metadata. Data describing sites, robots, fleets, and zones (for example, robot IDs, vendor, model, site name, zone identifiers) that your organization configures in the Services.
- Access events & logs. RovaEdge and SDKs send structured audit events to the control plane (RovaID / RovaSight), such as:
  - Who (principal, user ID, role) performed or attempted an action;
  - What action (e.g., dashboard.view, teleop.start, ssh.connect);
  - Which resource (e.g., robot ID, site, host);
  - Context (timestamp, site/zone, requested parameters like speed, source network, decision and reason).

Depending on configuration, this may include personal information relating to named users and vendor staff.
3.3 Information Collected Automatically
When you visit our Website or use the Services, we automatically collect certain information, such as:
- Device and usage data.
  - IP address, browser type and version, operating system, device identifiers;
  - Referring URLs, pages viewed, and links clicked;
  - Dates and times of access, and other interaction data.
- Service telemetry and performance data. Information about how the Services are functioning, including latency, error rates, and gateway health, which helps us monitor reliability and security.
We may collect this data using cookies, scripts, and similar technologies. You can control certain cookies via your browser settings and (where implemented) cookie banners or preference tools.
4. How We Use Information
We use the information we collect for the following purposes:
4.1 To Provide and Operate the Services
- Setting up and managing accounts and tenant configurations;
- Authenticating users through your organization’s IdP;
- Evaluating and enforcing access policies (e.g., “who can do what to which robot, where, and under what conditions”);
- Logging and presenting access events and timelines (RovaSight) for audits, incident response, and access reviews;
- Providing SDKs, APIs, and integrations with OEM/FMS partners and identity/security tools.
4.2 To Secure and Monitor the Services
- Detecting, investigating, and preventing security incidents, fraud, or misuse;
- Monitoring system performance, reliability, and edge connectivity;
- Applying least‑privilege and zero‑trust principles across robots and sites.
4.3 To Improve and Develop the Services
- Analyzing how users and organizations use RovaID, RovaEdge, and RovaSight;
- Developing new features and integrations;
- Using AI/ML to assist with:
  - Policy explanations (“why was this allowed/denied?”),
  - Incident summaries (e.g., summarizing access events over a time range),
  - Recommended starter policies and configs, especially for OEM/FMS integrations.
We design logs, events, and policies to be structured and “AI‑friendly” so that AI features can explain and summarize behavior, but humans remain in control of policies and enforcement.
4.4 To Communicate with You
- Responding to your inquiries and support requests;
- Sending service‑related notices (e.g., changes to policies, security notices, outages);
- Sending marketing communications (e.g., product updates, insights, event invites) where permitted by law. You can opt out of non‑essential marketing communications at any time.
4.5 To Comply with Legal Obligations and Enforce Rights
- Complying with applicable laws, regulations, and legal processes;
- Protecting our rights, privacy, safety, or property, and that of our users, customers, and the public;
- Enforcing our agreements, including our Terms of Service.
5. Legal Bases for Processing (EEA/UK Only)
If you are in the EEA or UK, we process your personal data under one or more of the following legal bases:
- Contract performance: where processing is necessary to provide the Services or respond to your requests;
- Legitimate interests: such as securing and improving the Services, preventing fraud, and understanding usage, where these interests are not overridden by your rights and interests;
- Consent: where required for specific activities (e.g., certain marketing or cookies);
- Legal obligation: where processing is necessary to comply with law.
Where we rely on consent, you may withdraw it at any time via the mechanisms provided or by contacting us.
6. How We Share Information
We do not sell your personal information.
We may share information as follows:
- With your organization. If you use the Services under an organization account, administrators and other authorized users within that organization may access information about your use of the Services, including access logs and role assignments.
- Service providers. We use third‑party providers to host and operate the Services (e.g., cloud hosting such as AWS), send communications, provide analytics, and deliver support. These providers may process personal data on our behalf and only according to our instructions.
- Integration and ecosystem partners (as instructed by your organization). Where your organization configures integrations with OEM/FMS platforms, IdPs, SIEM tools, teleop providers, or system integrators, we may share relevant data with those tools or partners as needed to support the integration and Services.
- Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business, we may transfer personal data to the relevant third parties, subject to appropriate protections.
- Legal and safety. We may disclose information to law enforcement, regulators, or others when we believe in good faith that disclosure is reasonably necessary to:
  - Comply with applicable law, regulation, or legal process;
  - Protect the rights, safety, or property of RovaLabs, our customers, or others;
  - Investigate or prevent fraud or security issues.
7. International Data Transfers
We may process and store personal data in countries other than the country where you are located, including (for example) the United States, Canada, or other jurisdictions where we or our service providers operate.
When transferring personal data internationally, we implement appropriate safeguards, such as:
- Standard contractual clauses approved by the European Commission or UK authorities (where applicable); or
- Other lawful transfer mechanisms.
8. Data Retention
We retain personal data for as long as necessary to:
- Provide the Website and Services;
- Fulfill the purposes described in this Privacy Policy;
- Comply with our legal obligations;
- Resolve disputes and enforce agreements.
For data stored in RovaSight and related audit logs, retention may depend on your organization’s chosen plan and configuration. For example, log retention may vary across tiers (e.g., shorter retention for free tiers, longer retention for higher tiers).
Your organization may configure or request different retention settings, especially for enterprise deployments. We may also anonymize or aggregate data so that it is no longer reasonably associated with an identifiable individual.
9. Security
We take security seriously and design our architecture to protect access and audit data by default. Measures include, for example:
- Use of TLS encryption in transit;
- Strong identity and authentication for gateways, services, and users;
- Multi‑tenant isolation and least‑privilege access controls;
- Secure configuration management and secrets storage;
- Logging and monitoring of key systems, including error rates and authorization behavior.
No method of transmission or storage is 100% secure. While we work to protect your data, we cannot guarantee absolute security.
10. Your Rights
Depending on your location and applicable law, you may have rights such as:
- Access to your personal data;
- Correction (rectification) of inaccurate data;
- Deletion (erasure) of certain data;
- Restriction of processing;
- Data portability;
- Objection to certain processing (including direct marketing);
- Withdrawal of consent where we rely on consent.
Where we process your personal data on behalf of an organization, you should direct your request to that organization (your employer or the account owner). We will support them in responding to your request, as required by our agreement.
You can also contact us directly using the details in Section 1. We may need to verify your identity before responding to your request.
You may have the right to complain to your local data protection authority if you believe our processing of your personal data violates applicable law.
11. Children’s Privacy
The Website and Services are not directed to children under 16 (or other age as defined by local law), and we do not knowingly collect personal data from children. If we learn that we have collected such data, we will take reasonable steps to delete it. If you believe a child has provided us with personal data, please contact us.
12. Third‑Party Websites and Services
The Website and Services may contain links to third‑party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top and, where appropriate, provide additional notice (e.g., via the Website or within the Services).
Your continued use of the Website or Services after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us at:
RovaLabs Inc.
Attn: Privacy
Email: hello@rovalabs.io