Privacy Policy

Last updated: 19 May 2026

This Privacy Policy explains how Rookely collects, uses and protects your personal data when you use our website (rookely.com) and application (app.rookely.com). We are committed to processing your data in accordance with the General Data Protection Regulation (GDPR).

1. Who we are (Data Controller)

Rookely is operated by:

2. What data we collect and why

Account registration (email & password)

Sign-in with Google (optional)

When you choose to sign in via Google OAuth, we receive your email address, display name and profile picture URL. We do not receive your Google password, do not read your Google account content, and do not post anything on your behalf.

Content you create in the app

Event titles and descriptions, dates, logistics assignments, personal checklists, poll votes, expense records, and uploaded photos. This data is associated with your account solely to provide the service to you and your group.

Data you provide about other people

When you organise an event in Rookely, you can add other participants by name (and optionally email or phone), including people who don't have a Rookely account themselves — for example, so an organiser can track who paid for what in a group of friends. You are responsible for adding only people with whom you have a clear social, family or organisational context that makes recording their participation reasonable. See section 6 below for how we handle the data of non-account participants and how those people can have their data removed.

Web push notifications (optional)

If you enable browser push notifications, we store the push subscription provided by your browser: an endpoint URL pointing to your browser vendor's push service (typically Mozilla, Google Firebase Cloud Messaging or Apple Push Notification service), and the public p256dh and auth keys used to encrypt push payloads. The push payloads we send are encrypted with these keys before leaving our server. You can revoke a push subscription at any time from your browser's notification settings or from your account settings in the app.

User preferences

Data collected automatically

We do not use advertising cookies, third-party trackers, analytics pixels, or A/B testing tools.

3. Legal basis for processing (GDPR Art. 6)

PurposeLegal basis
Providing the core service (account, events, all app features) Art. 6(1)(b) — performance of a contract
Sending transactional emails (invitations, password resets, email verification) Art. 6(1)(b) — performance of a contract
Sending the periodic email digest of unread in-app notifications. Opt-out available via the unsubscribe link in each digest email or from your account settings. Art. 6(1)(b) — performance of a contract
Delivering web push notifications you subscribed to in your browser Art. 6(1)(b) — performance of a contract (your explicit subscription)
Security and fraud prevention (server logs) Art. 6(1)(f) — legitimate interest
Responding to your support or privacy enquiries Art. 6(1)(b) or Art. 6(1)(f)

4. Who we share your data with

We use the following sub-processors. We do not sell your personal data or use it for advertising.

ProviderRoleLocationGDPR safeguard
Hetzner Online GmbH Hosting & file storage (photos) Germany (EU) EU/EEA — no transfer
Resend Inc. Transactional email delivery USA Standard Contractual Clauses (SCCs)
Google LLC OAuth sign-in (optional) USA Standard Contractual Clauses (SCCs)
Cloudflare Inc. CDN, DNS, DDoS protection USA Standard Contractual Clauses (SCCs)

Web push notifications are delivered through the push service of the browser vendor you chose (typically Mozilla, Google Firebase Cloud Messaging or Apple Push Notification service). These services act as the transport layer selected by your browser, not as sub-processors we engaged. The push payloads we send through them are encrypted using the keys your browser generated when you subscribed.

5. Data shared between members of an event

Rookely is a collaborative tool. When you create or join an event, certain information becomes visible to other members of that event:

Each member of an event has a legitimate interest in seeing this shared content for the purpose of coordinating the event (GDPR Art. 6(1)(f)). This information is not made public outside the event.

6. People added to events without a Rookely account

Organisers can add participants by name (with optional email or phone) without those people creating an account themselves. We process this data on the basis of the organiser's legitimate interest in coordinating the event and our legitimate interest in providing the service to the group (GDPR Art. 6(1)(f)).

If you find your data in Rookely and you don't have an account (for example, someone told you that you appear in an event or settlement), you can ask us to remove or pseudonymise your data. Email [email protected] from any address with:

We will identify the relevant records and respond within 30 days. Where erasure is granted, we will pseudonymise your participant entry (replacing your name with a neutral label such as "Removed participant" and clearing your email and phone). Financial entries showing amounts paid or owed by your participant entry may remain visible to other members of that event, in pseudonymised form, where this is necessary to protect their legitimate interests — for example, to preserve a record of debts owed between members of the group (GDPR Art. 17(3)(e)).

7. Data retention

DataRetention period
Account data (name, email)Until account deletion + 30 days
Event content (logistics, polls, checklists) Until the event is deleted by the organiser
Uploaded photos Until deleted by the user or the event is deleted by the organiser
Server logsUp to 30 days
Web push subscription (endpoint, encryption keys) Until you disable push in your browser or remove the subscription from your account settings
User preferences (language, timezone, notification opt-outs) Until account deletion + 30 days
Expense settlement records Until the event is deleted by the organiser. If your account is deleted while a settlement is open, your personal identifiers (real name, email) are pseudonymised but the amounts you paid, contributed or owe remain visible to other members of that event until the event is deleted, where this is necessary to protect their legitimate interests.

8. Cookies

We use a single, strictly necessary session cookie to keep you authenticated. It is set only when you log in and removed when you log out or the session expires. No consent banner is required because this cookie is technically essential and not used for profiling or tracking.

9. Your rights

Under the GDPR you have the right to:

To exercise any of these rights, email [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Poland: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa — uodo.gov.pl.

10. International data transfers

Certain sub-processors (Resend, Google, Cloudflare) are headquartered in the United States. Data transfers to these providers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c). All application data is hosted on Hetzner servers located within the European Union.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of Rookely after a change is published constitutes acceptance of the revised policy. For significant changes, we will notify you by email where required by law.

12. Contact

For any questions about this policy or to exercise your rights: