If it doesn't have any SSL/TLS or only HTTP, not HTTPS, which is more known. Then anyone who monitors the network can see whatever data is being sent, including ISP, governments, NSA, Hacker, or any adversaries you can name.
As far as I know, highly sensitive data may only be transmitted between different parties via extra-secured data channels, and in addition to HTTPS - which is of course mandatory - separate encryption and certificates are also used or, in extreme cases, must even be transmitted offline. I don't know exactly what this looks like at Roobet, but it would of course be very interesting.