Privacy Policy

Last updated: 2 May 2026

This Privacy Policy explains how Rookely collects, uses and protects your personal data when you use our website (rookely.com) and application (app.rookely.com). We are committed to processing your data in accordance with the General Data Protection Regulation (GDPR).

1. Who we are (Data Controller)

Rookely is operated by:

Business name: Kamil Kunikowski Services
Address: ul. gen. Meriana C. Coopera 7P lok. 23, 01-315 Warszawa, Poland
NIP (Tax ID): 5050067173
REGON: 542898346
Privacy contact: privacy@rookely.com

2. What data we collect and why

Account registration (email & password)

Email address — to identify your account and send essential service emails.
Display name — shown to members of your events.
Password — stored as a one-way bcrypt hash. We never have access to your plaintext password.

Sign-in with Google (optional)

When you choose to sign in via Google OAuth, we receive your email address, display name and profile picture URL. We do not receive your Google password, do not read your Google account content, and do not post anything on your behalf.

Content you create in the app

Event titles and descriptions, dates, logistics assignments, personal checklists, poll votes, expense records, and uploaded photos. This data is associated with your account solely to provide the service to you and your group.

Data collected automatically

Session cookie — a single HTTP-only, secure cookie required to keep you signed in. It is created when you log in and deleted when you log out or the session expires.
Server logs — IP address, request path and timestamp, retained for up to 30 days for security and debugging purposes.

We do not use advertising cookies, third-party trackers, analytics pixels, or A/B testing tools.

3. Legal basis for processing (GDPR Art. 6)

Purpose	Legal basis
Providing the core service (account, events, all app features)	Art. 6(1)(b) — performance of a contract
Sending transactional emails (invitations, password resets, notifications)	Art. 6(1)(b) — performance of a contract
Security and fraud prevention (server logs)	Art. 6(1)(f) — legitimate interest
Responding to your support or privacy enquiries	Art. 6(1)(b) or Art. 6(1)(f)

4. Who we share your data with

We use the following sub-processors. We do not sell your personal data or use it for advertising.

Provider	Role	Location	GDPR safeguard
Hetzner Online GmbH	Hosting & file storage (photos)	Germany (EU)	EU/EEA — no transfer
Resend Inc.	Transactional email delivery	USA	Standard Contractual Clauses (SCCs)
Google LLC	OAuth sign-in (optional)	USA	Standard Contractual Clauses (SCCs)
Cloudflare Inc.	CDN, DNS, DDoS protection	USA	Standard Contractual Clauses (SCCs)

5. Data retention

Data	Retention period
Account data (name, email)	Until account deletion + 30 days
Event content (logistics, polls, checklists, expenses)	Until the event is deleted by the organiser
Uploaded photos	Until deleted by the user or the event is deleted by the organiser
Server logs	Up to 30 days
Expense settlement records	Until the event is deleted by the organiser

6. Cookies

We use a single, strictly necessary session cookie to keep you authenticated. It is set only when you log in and removed when you log out or the session expires. No consent banner is required because this cookie is technically essential and not used for profiling or tracking.

7. Your rights

Under the GDPR you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — request deletion of your account and associated data.
Portability — receive your data in a structured, machine-readable format.
Restriction of processing — ask us to pause processing while a dispute is resolved.
Objection — object to processing based on our legitimate interest.
Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@rookely.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Poland: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa — uodo.gov.pl.

8. International data transfers

Certain sub-processors (Resend, Google, Cloudflare) are headquartered in the United States. Data transfers to these providers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c). All application data is hosted on Hetzner servers located within the European Union.

9. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of Rookely after a change is published constitutes acceptance of the revised policy. For significant changes, we will notify you by email where required by law.

10. Contact

For any questions about this policy or to exercise your rights:

Email: privacy@rookely.com
Post: Kamil Kunikowski Services, ul. gen. Meriana C. Coopera 7P lok. 23, 01-315 Warszawa, Poland