Legal
Privacy Policy
Last updated: April 28, 2026 · Effective: April 28, 2026
Who we are
Rally is a community platform operated by QX Holdings Inc., a Canadian corporation. Rally powers private coaching communities, each led by a community owner (a “Coach”). This policy covers both the Rally platform and the Rally mobile app.
Contact: pascualrobshaw10km@gmail.com
Mailing address: QX Holdings Inc., 4705 Mann Road, Box 302, Rossland, BC V0G 1Y0, Canada.
Plain-language summary
- You create a profile to use Rally. We store the data you give us.
- Content you post (feed posts, comments, journal entries, dharma reviews, messages) is stored so the app can work. Who can see it depends on where you posted it.
- We use AI (“Zenith” and other community AIs) to help you. Your conversations with AI are processed by third parties (Anthropic via our AI partner Anima) and stored so the AI has context.
- We use analytics to understand how the app is used. We don’t sell your data.
- You can request deletion of your account and data at any time.
1. Data we collect
Account data
Email address, name, profile photo, username, bio, and other profile fields you choose to fill in.
Content
Anything you post, write, send, or upload inside Rally: posts, comments, direct messages, reactions, journal entries, dharma reviews, loop entries, voice notes, photos, calendar events, scheduler bookings, and notes.
AI conversations
Your messages to Zenith (or your community’s AI coach), the AI’s responses, and the context it uses to answer you (e.g. recent posts, classroom progress, journal entries — scope depends on the feature and your privacy settings). We retain conversation history so the AI has memory across sessions.
Community membership
Which communities you belong to, your role (member, admin, owner), when you joined, and your engagement level.
Device data
When you use the Rally mobile app (iOS or Android): your device type, OS version, app version, crash reports, and push notification tokens (if you enable push).
Usage data
Pages viewed, features used, session duration, and anonymous analytics events (e.g. post_created, dharma_review_submitted). Used to improve the product.
Payment data
If your coach charges for your community, payment is processed by Stripe. We receive only the minimum needed (subscription status, last-4 of card, country). We never see your full card number.
Connected services
If you connect Google Calendar (via the Rally Calendar feature), we receive calendar events you choose to sync, per the scope you grant.
What we do NOT collect
Precise location, contacts, health data, advertising identifiers, or biometric data. (Face ID / fingerprint unlock happens entirely on your device’s secure enclave; we never see the biometric template.)
2. How we use your data
- Provide the Rally platform and app
- Power AI coaching (Zenith and community AIs) with your context
- Send notifications you opted into (in-app, email, push)
- Improve the product (analytics, feature usage)
- Keep Rally secure (fraud detection, abuse prevention)
- Comply with legal obligations
We do not sell your data. We do not use your content to train third-party AI models — AI processors (Anthropic via Anima) are bound to process data only on our behalf and not train on it.
3. Who sees your data
Inside your community: coaches, moderators, and other members can see content based on where you post it. A post in the main feed is visible to all community members; a direct message is visible only to the recipient; your journal and dharma reviews are private to you (and optionally to your AI coach if you enable classroom context in your Zenith settings).
Rally platform staff: limited, role-based access. Engineering access to raw data is logged.
Third-party processors (bound by data processing agreements):
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database, auth, file storage | All platform data (encrypted at rest) |
| Vercel | Web + API hosting | Request logs, IP |
| Anthropic (via Anima) | AI model inference | AI conversation turns + context |
| Anima | AI orchestration layer | Same as Anthropic (Anima is the API gateway) |
| Stripe | Payment processing (if your coach charges) | Billing info |
| Google Calendar sync, Google Sign-In (optional) | Calendar scope you grant, OAuth profile | |
| Firebase Cloud Messaging | Android push notifications | Device token, notification payload |
| Apple Push Notification service | iOS push notifications | Device token, notification payload |
Law enforcement: we disclose data only when legally compelled by a valid order, subpoena, or warrant.
4. AI and your data
Rally’s AI features (“Zenith” and community-specific AIs) run on Anthropic Claude models via our AI partner Anima (also operated by QX Holdings Inc.). When you interact with AI:
- Your current message plus relevant context (recent posts, profile, classroom progress, journal entries — scope depends on the feature and your Zenith privacy toggle) is sent to Anthropic.
- Anthropic processes the request and returns a response.
- We retain your conversation history so the AI has memory across sessions.
- Anthropic does not train on your data. It is processed under a commercial agreement that prohibits training use.
You can control AI context by adjusting privacy settings in Rally. Options include “full context,” “ask-only,” and “never use my classroom/journal data.”
5. Retention
- Active account data: kept while your account is active.
- After account deletion: most data is erased within 30 days; some data (audit logs, legal holds, anonymized analytics) may be retained longer where required by law.
- AI conversations:retained alongside your profile; deleted when you delete your account or explicitly clear your AI history (where supported in your community’s configuration).
- Backups: deleted data may persist in encrypted backups for up to 90 days before being purged.
6. Your rights
You can:
- Access your data — export from your settings or by emailing us
- Correct inaccurate data — edit in the app, or email us
- Delete your account and data — Settings → Account → Delete Account, or email us
- Port your data — export in machine-readable format (JSON or CSV)
- Opt out of non-essential communications — Settings → Notifications
- Withdraw consent to optional processing — revoke calendar sync, revoke AI context, etc.
EU / UK residents (GDPR): you also have the right to object to processing, restrict processing, and lodge a complaint with your local data protection authority.
California residents (CCPA / CPRA):you have the right to know, delete, correct, opt out of sale (we don’t sell), and non-discrimination. Email us to exercise these rights.
Data Controller: QX Holdings Inc.
7. Security
We use industry-standard practices:
- TLS 1.2+ for all data in transit
- Encryption at rest (Supabase: AES-256)
- Row-level security (RLS) on all database tables
- Magic-link or OAuth sign-in (we don’t store plaintext passwords)
- API keys stored as encrypted environment variables
- Biometric unlock on mobile uses your device’s secure enclave — we never see the biometric template
No system is perfectly secure. In the event of a breach affecting your data, we will notify you within the timeframe required by applicable law (typically 72 hours under GDPR).
8. International transfers
Rally uses infrastructure providers (Supabase, Vercel, Anthropic, Google, Firebase) with data centers primarily in the United States and Europe. Transfers from the EU / UK are covered by Standard Contractual Clauses where required.
9. Children
Rally is not intended for users under 16 (or the minimum age required by your country’s law, whichever is higher). We do not knowingly collect data from children. If you believe a child has given us data, email us and we will delete it.
10. Changes to this policy
We will post the updated version at this URL with a new “Last updated” date. Material changes are announced in-app and by email at least 14 days before taking effect.
11. Contact
Privacy questions: pascualrobshaw10km@gmail.com
QX Holdings Inc.
4705 Mann Road, Box 302
Rossland, BC V0G 1Y0
Canada