Privacy Policy
This Privacy Policy explains how Rookely collects, uses and protects your personal data when you use our website (rookely.com) and application (app.rookely.com). We are committed to processing your data in accordance with the General Data Protection Regulation (GDPR).
1. Who we are (Data Controller)
Rookely is operated by:
- Business name: Kamil Kunikowski Services
- Address: ul. gen. Meriana C. Coopera 7P lok. 23, 01-315 Warszawa, Poland
- NIP (Tax ID): 5050067173
- REGON: 542898346
- Privacy contact: [email protected]
2. What data we collect and why
Account registration (email & password)
- Email address — to identify your account and send essential service emails.
- Display name — shown to members of your events.
- Password — stored as a one-way bcrypt hash. We never have access to your plaintext password.
Sign-in with Google (optional)
When you choose to sign in via Google OAuth, we receive your email address, display name and profile picture URL. We do not receive your Google password, do not read your Google account content, and do not post anything on your behalf.
Content you create in the app
Event titles and descriptions, dates, logistics assignments, personal checklists, poll votes, expense records, and uploaded photos. This data is associated with your account solely to provide the service to you and your group.
Data you provide about other people
When you organise an event in Rookely, you can add other participants by name (and optionally email or phone), including people who don't have a Rookely account themselves — for example, so an organiser can track who paid for what in a group of friends. You are responsible for adding only people with whom you have a clear social, family or organisational context that makes recording their participation reasonable. See section 6 below for how we handle the data of non-account participants and how those people can have their data removed.
Web push notifications (optional)
If you enable browser push notifications, we store the push subscription provided by your browser: an endpoint URL pointing to your browser vendor's push service (typically Mozilla, Google Firebase Cloud Messaging or Apple Push Notification service), and the public p256dh and auth keys used to encrypt push payloads. The push payloads we send are encrypted with these keys before leaving our server. You can revoke a push subscription at any time from your browser's notification settings or from your account settings in the app.
User preferences
- Language — to display the interface in your preferred language.
- Timezone — to schedule the daily email digest at an appropriate local hour and to display event dates and times correctly.
Data collected automatically
- Session cookie — a single HTTP-only, secure cookie required to keep you signed in. It is created when you log in and deleted when you log out or the session expires.
- Server logs — IP address, request path and timestamp, retained for up to 30 days for security and debugging purposes.
We do not use advertising cookies, third-party trackers, analytics pixels, or A/B testing tools.
3. Legal basis for processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Providing the core service (account, events, all app features) | Art. 6(1)(b) — performance of a contract |
| Sending transactional emails (invitations, password resets, email verification) | Art. 6(1)(b) — performance of a contract |
| Sending the periodic email digest of unread in-app notifications. Opt-out available via the unsubscribe link in each digest email or from your account settings. | Art. 6(1)(b) — performance of a contract |
| Delivering web push notifications you subscribed to in your browser | Art. 6(1)(b) — performance of a contract (your explicit subscription) |
| Security and fraud prevention (server logs) | Art. 6(1)(f) — legitimate interest |
| Responding to your support or privacy enquiries | Art. 6(1)(b) or Art. 6(1)(f) |
4. Who we share your data with
We use the following sub-processors. We do not sell your personal data or use it for advertising.
| Provider | Role | Location | GDPR safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Hosting & file storage (photos) | Germany (EU) | EU/EEA — no transfer |
| Resend Inc. | Transactional email delivery | USA | Standard Contractual Clauses (SCCs) |
| Google LLC | OAuth sign-in (optional) | USA | Standard Contractual Clauses (SCCs) |
| Cloudflare Inc. | CDN, DNS, DDoS protection | USA | Standard Contractual Clauses (SCCs) |
Web push notifications are delivered through the push service of the browser vendor you chose (typically Mozilla, Google Firebase Cloud Messaging or Apple Push Notification service). These services act as the transport layer selected by your browser, not as sub-processors we engaged. The push payloads we send through them are encrypted using the keys your browser generated when you subscribed.
5. Data shared between members of an event
Rookely is a collaborative tool. When you create or join an event, certain information becomes visible to other members of that event:
- Your display name and email address are visible to other members.
- For expense settlements, the organiser, treasurer and other participants see the amounts you paid, contributed or owe within that event.
- Polls, logistics assignments, comments and photos you post in an event are visible to other members of that event.
Each member of an event has a legitimate interest in seeing this shared content for the purpose of coordinating the event (GDPR Art. 6(1)(f)). This information is not made public outside the event.
6. People added to events without a Rookely account
Organisers can add participants by name (with optional email or phone) without those people creating an account themselves. We process this data on the basis of the organiser's legitimate interest in coordinating the event and our legitimate interest in providing the service to the group (GDPR Art. 6(1)(f)).
If you find your data in Rookely and you don't have an account (for example, someone told you that you appear in an event or settlement), you can ask us to remove or pseudonymise your data. Email [email protected] from any address with:
- your full name as it might appear in the app,
- the email or phone number that might have been used to add you,
- the event name, if you know it.
We will identify the relevant records and respond within 30 days. Where erasure is granted, we will pseudonymise your participant entry (replacing your name with a neutral label such as "Removed participant" and clearing your email and phone). Financial entries showing amounts paid or owed by your participant entry may remain visible to other members of that event, in pseudonymised form, where this is necessary to protect their legitimate interests — for example, to preserve a record of debts owed between members of the group (GDPR Art. 17(3)(e)).
7. Data retention
| Data | Retention period |
|---|---|
| Account data (name, email) | Until account deletion + 30 days |
| Event content (logistics, polls, checklists) | Until the event is deleted by the organiser |
| Uploaded photos | Until deleted by the user or the event is deleted by the organiser |
| Server logs | Up to 30 days |
| Web push subscription (endpoint, encryption keys) | Until you disable push in your browser or remove the subscription from your account settings |
| User preferences (language, timezone, notification opt-outs) | Until account deletion + 30 days |
| Expense settlement records | Until the event is deleted by the organiser. If your account is deleted while a settlement is open, your personal identifiers (real name, email) are pseudonymised but the amounts you paid, contributed or owe remain visible to other members of that event until the event is deleted, where this is necessary to protect their legitimate interests. |
8. Cookies
We use a single, strictly necessary session cookie to keep you authenticated. It is set only when you log in and removed when you log out or the session expires. No consent banner is required because this cookie is technically essential and not used for profiling or tracking.
9. Your rights
Under the GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your account and associated data. When you delete your account, your personal identifiers (real name, email, phone, password) are removed. Content that other group members rely on — in particular, amounts you contributed to or owe within an open expense settlement — may be retained in pseudonymised form (your name replaced with a neutral label) until the event is deleted by the organiser, where this is necessary to protect their legitimate interests (GDPR Art. 17(3)(e)).
- Portability — receive a structured, machine-readable (JSON) export of your account data, the event content you created, your expense entries and your notification preferences. Email [email protected] and we will provide the export within 30 days.
- Restriction of processing — ask us to pause processing while a dispute is resolved.
- Objection — object to processing based on our legitimate interest.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. In Poland: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa — uodo.gov.pl.
10. International data transfers
Certain sub-processors (Resend, Google, Cloudflare) are headquartered in the United States. Data transfers to these providers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c). All application data is hosted on Hetzner servers located within the European Union.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of Rookely after a change is published constitutes acceptance of the revised policy. For significant changes, we will notify you by email where required by law.
12. Contact
For any questions about this policy or to exercise your rights:
- Email: [email protected]
- Post: Kamil Kunikowski Services, ul. gen. Meriana C. Coopera 7P lok. 23, 01-315 Warszawa, Poland