Privacy Policy

Last Updated: March 14, 2026 · Version 1.0

1. Information About Us

Rokito is a Europe-based web application for financial tracking and management. Rokito operates as the Data Controller responsible for the collection and processing of your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

We are committed to protecting your privacy and ensuring that your personal data is handled in a transparent, secure, and lawful manner.

Contact Information

For all privacy-related inquiries, data subject requests, or concerns regarding this Privacy Policy, please contact us at:

Email: contact.rokito@gmail.com

We ask that you only use this email for legitimate privacy and data protection requests. We aim to respond within 5 business days for general inquiries and within 45 calendar days for formal data subject requests.

2. Information We Collect

We collect and process the following categories of personal data in order to provide the Service:

2.1 Account & Authentication Data

  • Email address
  • Full name
  • Company or organization name (optional)
  • Password (stored as a cryptographic hash; never in plaintext)
  • Account creation date and last login date
  • Subscription status and plan information

2.2 Account Settings

  • Preferred currency
  • Language and timezone preferences
  • Display precision settings
  • Notification preferences

2.3 Financial Data (User-Generated)

You create and manage the following data within the Service. This data is entered by you and is under your control:

  • Invoices (amounts, dates, line items, client information)
  • Transactions (income and expense records)
  • Projects (budgets, descriptions, dates, statuses)
  • Wallets and accounts (balance information)
  • Custom financial records and categories

2.4 Team & Collaboration Data

  • Team names and descriptions
  • Team member email addresses (for invitations)
  • User roles within teams (owner, member)
  • Currency and display settings per team

2.5 Payment & Billing Data

  • Payment transaction metadata (via Polar, our payment processor)
  • Subscription and billing status
  • Promo code usage

Important: We do not store full credit card numbers or payment card details. All payment processing is handled by Polar, a PCI-DSS compliant payment processor.

2.6 Email & Communication Data

  • Email addresses of invoice recipients (when you send invoices)
  • Email delivery metadata (delivery status, opens, clicks) via Resend
  • Support correspondence (if you contact us)

2.7 Technical & Security Data

  • Session identifiers (temporary, for authentication)
  • IP addresses of login sessions
  • User agent and browser information
  • Failed login attempts (retained for 30 days for security monitoring)
  • Audit logs (timestamped records of data access and modifications)

2.8 Data We Do Not Collect

  • Biometric data
  • Full credit card or payment card details
  • Special category data (health, race, religion, political opinions, etc.)
  • Precise geolocation data (beyond IP-based approximation)
  • Browsing history within the application

3. How We Use Your Data

3.1 Service Delivery

  • Creating and managing your account
  • Storing and retrieving your financial data
  • Enabling team collaboration and multi-user access
  • Processing and generating invoices
  • Generating reports and analytics dashboards

3.2 Payment & Billing

  • Processing payments via Polar (our payment processor)
  • Managing subscriptions and billing cycles
  • Generating receipts
  • Fraud prevention and risk assessment

3.3 Communication

  • Sending transactional emails (password resets, invoice delivery, notifications)
  • Notifying you of account security events
  • Responding to support inquiries
  • Informing you of material changes to service or policies

3.4 Security & Compliance

  • Detecting and preventing fraud and abuse
  • Maintaining audit logs for regulatory compliance
  • Investigating security incidents
  • Enforcing our Terms of Use

3.5 Analytics & Improvement

  • Understanding aggregated, anonymized usage patterns
  • Identifying and fixing bugs and performance issues
  • Improving user experience and feature development

We do not use your data for behavioral profiling or targeted advertising.

3.6 What We Do Not Do

  • We do not sell your personal data to third parties.
  • We do not share your data with marketing or advertising partners.
  • We do not use your data for automated decision-making or profiling.
  • We do not disclose your financial data to anyone other than authorized team members you have invited.

5. Data Retention

We retain your personal data only for as long as necessary to provide the Service and comply with applicable legal obligations. Retention periods vary depending on the type of data, applicable law in your jurisdiction, and operational and security requirements.

Data Category | Typical Retention | Notes
Account data (email, name) | Duration of account | Or longer if legally required
Financial records (invoices, transactions) | As required by law | May vary by jurisdiction (typically 5–7 years)
Audit logs | As required for security and compliance | Or longer if legally required
Payment data (via Polar) | Per Polar’s policy | PCI-DSS compliance
Email metadata (via Resend) | Per Resend’s policy | Email delivery
Backup data | Aligned with primary data | Disaster recovery
Team invitations | Not retained | Auto-deleted after response
Failed login attempts | Limited period | Security monitoring

Note: The retention periods above are guidelines only. These timeframes may be extended or shortened at our discretion to comply with legal obligations, security requirements, or operational needs. We may implement automated deletion processes that supersede these guidelines. For questions about your specific data, contact us at contact.rokito@gmail.com.

Beta Notice: As this is a beta service, data loss may occur without notice. We do not guarantee permanent data retention at this stage. You are strongly advised to maintain your own backups and archives of critical financial information.

5.1 Account Deletion

When you request account deletion:

  • Your personal data (email, name, settings) is removed and the account is anonymized.
  • Financial records are anonymized and retained indefinitely for regulatory compliance. These records cannot be linked back to your identity.
  • All team data you own is permanently deleted via cascade deletion.
  • Account deletion is immediate and irreversible.
  • We recommend exporting your data before requesting deletion.

6. Third-Party Data Sharing

We share your data only with the following service providers, strictly for the purposes described below. We do not sell, rent, or trade your personal data to any third party.

6.1 Polar (Payment Processing)

  • Data shared: Tokenized payment information, billing metadata, transaction history
  • Purpose: Processing payments and managing subscriptions
  • Security: PCI-DSS compliant; full card details are never transmitted to or stored by Rokito
  • Privacy Policy: polar.sh/legal/privacy

6.2 Resend (Email Delivery)

  • Data shared: Email addresses, email content, delivery metadata (opens, clicks, bounces)
  • Purpose: Sending invoices, notifications, and transactional emails
  • Privacy Policy: resend.com/legal/privacy-policy

6.3 Hosting Infrastructure

  • Data stored: All user data (encrypted in transit and at rest)
  • Region: Europe
  • Purpose: Infrastructure, hosting, and data storage

6.4 Future Integrations

We may integrate additional third-party services in the future, such as analytics or error-tracking tools. If such integrations involve sharing your personal data, we will update this Privacy Policy accordingly and, where required, obtain your consent before sharing.

6.5 Our Commitments

All third-party processors are contractually obligated to:

  • Protect your data with standards equivalent to our own.
  • Not use your data for their own independent purposes.
  • Not disclose your data to additional parties without authorization.
  • Assist with data subject rights requests upon our instruction.

7. Your Rights

Under GDPR and other applicable data protection laws, you have the following rights regarding your personal data:

7.1 Right of Access

You can request a copy of all personal data we hold about you. We will respond within 45 calendar days. Data is provided in CSV or JSON format. See Section 8 for details on Subject Access Requests.

7.2 Right to Rectification

You can correct inaccurate personal data at any time through your account settings, or by submitting a request to contact.rokito@gmail.com. We will confirm corrections within 45 days.

7.3 Right to Erasure (“Right to Be Forgotten”)

You can request deletion of your personal data. Upon request, your account is anonymized and personal data is removed within 30 days.

Exceptions — we cannot delete:

  • Financial records required by tax or regulatory law (retained for 7 years, anonymized)
  • Audit logs required for security and compliance (retained for 3–7 years)
  • Data necessary for active legal claims or investigations

7.4 Right to Data Portability

You can export your data in a machine-readable format (CSV or JSON). This includes your personal data and all data from teams you own. Data from teams where you are only a member is not included (see Section 8 and Section 11).

7.5 Right to Object

You can object to processing based on legitimate interest. You can opt out of marketing emails at any time via the unsubscribe link in each email or by contacting contact.rokito@gmail.com.

7.6 Right to Restrict Processing

You can request that we restrict processing of your data (stored but not actively used) while the accuracy of data is disputed or the legality of processing is under review.

7.7 Children’s Privacy

Rokito is not directed to children under 13 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact contact.rokito@gmail.com and we will delete it promptly.

7.8 How to Exercise Your Rights

To exercise any of the above rights, contact us at contact.rokito@gmail.com. We will verify your identity before processing your request and respond within 45 calendar days. There is no charge for exercising these rights.

8. Subject Access Requests

A Subject Access Request (SAR) is your right under GDPR Article 15 to obtain a copy of all personal data we process about you.

8.1 How to Submit a Request

  • Email: contact.rokito@gmail.com
  • Subject line: “Data Subject Access Request”
  • Include: Your account email address and any relevant details

8.2 Verification

We will verify your identity by confirming your email address and account details before disclosing any data. This protects your data from unauthorized access.

8.3 Timeline & Format

  • Response time: Within 45 calendar days of receipt and verification. If the request is complex, we may extend by up to 2 additional months (we will notify you).
  • Format: CSV or JSON, at our discretion.
  • Cost: Free of charge (once per year). Additional requests may incur a reasonable administrative fee.

8.4 What You Receive

  • Personal account data: Email, name, company, account settings, subscription status, account creation and login dates.
  • Owned team data: All invoices, transactions, projects, team member lists, and financial records from teams where you are the owner.
  • Member team metadata: Team names, owner email, your role, and date joined for teams where you are a member (not owner).

8.5 What You Do Not Receive

  • Financial data from member teams: Invoices, transactions, and projects from teams where you are only a member. This data belongs to and is controlled by the team owner.
  • Other users’ personal data: Email addresses or account details of other team members (protected by their own privacy rights).
  • Audit logs: Retained for regulatory compliance and security; not provided to individual users.

8.6 Why Member Team Data Is Excluded

When you are invited to a team, you have access to view the team’s data, but you do not own it. The team owner is the data controller for that team’s financial information. Including member team data in your export would violate the privacy and business confidentiality of the team owner.

If you need data from a team where you are a member, please contact the team owner directly or submit a request to us and we will forward it to the owner.

8.7 Future Export Feature

We plan to add an automatic data export feature within your account settings, allowing you to download your data at any time without submitting a formal request. This feature will include one-click export for all owned teams.

9. Data Security

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

9.1 Encryption

  • In transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
  • At rest: Data stored on our servers is encrypted using AES-256 encryption.
  • Passwords: Never stored in plaintext. All passwords are hashed using bcrypt or Argon2 with unique salts.

9.2 Authentication & Access Control

  • Secure session management with automatic expiration.
  • Rate limiting on authentication endpoints to prevent brute-force attacks.
  • Role-based access control within teams (owner and member roles).
  • Email verification required for account activation.

9.3 Administrative Access

Our administrator can view account metadata (email addresses, team names, subscription status) but cannot access your financial data (invoices, transactions, projects) under normal circumstances.

In exceptional cases where technical support or security investigation requires access to your data, such access is:

  • Logged and auditable.
  • Limited to what is strictly necessary to resolve the issue.
  • Subject to strict confidentiality obligations.
  • Disclosed to you where possible (except in active security incidents).

9.4 Infrastructure

  • Servers hosted in Europe with enterprise-grade security.
  • Regular backups stored in the EU region.
  • Automatic security updates and patching.
  • Firewall and DDoS protection.

9.5 Limitations

While we implement industry-standard security measures, no system is perfectly secure. We cannot guarantee absolute protection against all threats. As a beta service, we are continuously improving our security posture. We disclaim liability for breaches resulting from circumstances beyond our reasonable control.

10. Cookies & Tracking

10.1 Cookies We Use

Rokito uses only strictly necessary and functional cookies. We do not use marketing, retargeting, or tracking cookies.

Cookie | Type | Purpose | Retention
Session | Necessary | Maintains your login session | Session duration
CSRF Token | Necessary | Protects against cross-site request forgery | Session duration
Theme | Functional | Remembers your UI theme preference | 12 months
Language | Functional | Remembers your language preference | 12 months

10.2 What We Do Not Use

  • Marketing or retargeting cookies
  • Cross-site tracking pixels
  • Third-party advertising cookies
  • Behavioral analytics cookies (currently)

10.3 Managing Cookies

You can control cookies through your browser settings. Disabling strictly necessary cookies may impair the functionality of the Service (e.g., you may not be able to stay logged in).

10.4 “Do Not Track”

If your browser sends a “Do Not Track” (DNT) signal, Rokito respects this signal and does not implement additional tracking.

10.5 Future Analytics

If we introduce analytics tools or non-essential cookies in the future, we will:

  • Display a cookie consent banner requesting your explicit consent.
  • Allow you to reject non-essential cookies.
  • Never pre-check consent options.
  • Update this Privacy Policy accordingly.

11. Team Collaboration & Data Ownership

Rokito supports multi-user team collaboration. This section explains how data ownership and privacy work within teams.

11.1 Team Ownership

When you create a team, you become the owner. As owner, you:

  • Own and control all financial data within the team (invoices, transactions, projects).
  • Can invite and remove team members.
  • Can export all team data.
  • Are responsible for accuracy and compliance of team data.
  • Retain read-only access even if your plan downgrades.

11.2 Team Membership

When you are invited to a team, you become a member. As a member, you:

  • Can view and work with team data as permitted by the owner.
  • Cannot export the team’s financial data (it belongs to the owner).
  • Cannot access team data after being removed.
  • Can leave the team at any time.

Important: Even if you created a record (such as an invoice) within a team, that record belongs to the team owner, not to you. This ensures the owner’s business confidentiality is protected.

11.3 Data Visible to Team Members

Within a team, members can see:

  • Other members’ names and email addresses (necessary for collaboration).
  • Team financial data (invoices, transactions, projects) as permitted by the owner.

11.4 Team Invitations

  • When you invite someone, an invitation email is sent to their email address.
  • The invitee can accept or decline the invitation.
  • Invitations are not stored after acceptance or rejection.

11.5 Subscription Downgrade

If a team’s subscription downgrades:

  • Team members lose access to the team immediately.
  • The owner retains read-only access to all historical data indefinitely.
  • No data is deleted.

11.6 Member Removal

When a member is removed from a team:

  • They lose access to team data immediately.
  • Their personal account remains unaffected.
  • They can request (via SAR) confirmation that they were a member, but cannot access the team’s financial data.

12. Data Breach Notification

A data breach occurs when personal data is accessed, disclosed, altered, or destroyed without authorization.

12.1 Our Response Procedure

  • Discovery & Assessment: We investigate the breach immediately, assess the scope and severity, and determine what data was affected.
  • Authority Notification (72 hours): If the breach poses a risk to your rights and freedoms, we notify the relevant data protection authority within 72 hours of discovery, as required by GDPR Article 33.
  • User Notification: If the breach is likely to result in a high risk to your rights and freedoms, we notify affected users without undue delay via email.

12.2 What We Communicate

In the event of a breach, our notification will include:

  • A description of the breach and when it occurred.
  • The categories and approximate number of records affected.
  • The likely consequences of the breach.
  • Measures we have taken or propose to take to address the breach.
  • Recommendations for protecting yourself (e.g., changing your password).

12.3 Exceptions

We may not notify you individually if the data was encrypted or otherwise rendered unintelligible to unauthorized parties, or if subsequent measures have eliminated the risk. In such cases, we may issue a public notice instead.

12.4 Reporting a Suspected Breach

If you suspect that your data has been compromised, please contact us immediately at contact.rokito@gmail.com. We will investigate promptly.

13. International Compliance

13.1 GDPR (European Union)

Rokito is fully committed to compliance with the General Data Protection Regulation (GDPR). Our compliance measures include:

  • Identifying a lawful basis for each processing activity (see Section 4).
  • Implementing and honoring all data subject rights (see Section 7).
  • Maintaining data processing agreements with all third-party processors.
  • Notifying authorities of breaches within 72 hours where required.
  • Disclosing data controller information (see Section 1).

13.2 CCPA (California, United States)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request a copy of your personal data (within 45 days).
  • Right to Delete: Request deletion of your personal data (with legal exceptions).
  • Right to Correct: Request correction of inaccurate data.
  • Right to Opt-Out: We do not sell or share your data for advertising, so this right is not applicable.
  • Non-Discrimination: We will not deny service or change pricing because you exercised your privacy rights.

13.3 Data Storage & Transfers

All primary data is stored on servers located in Europe. Backups are also stored within the EU region.

If data is transferred outside the European Economic Area (EEA) in the future (for example, through a third-party service provider), we will ensure adequate protection through Standard Contractual Clauses (SCCs) or equivalent safeguards approved by the European Commission.

13.4 Other Jurisdictions

If you are located in a jurisdiction not covered above, we default to GDPR standards as our baseline for data protection, which represents one of the highest levels of privacy protection globally. If your local law requires additional protections, please contact us.

14. Policy Updates

14.1 When We Update This Policy

We may update this Privacy Policy when:

  • We add new features that process data differently.
  • We integrate new third-party services.
  • Legal requirements change.
  • We improve our privacy or security practices.

14.2 Types of Changes

Minor changes (no notification required):

  • Typographical or grammatical corrections.
  • Clarifications that do not change the meaning of existing terms.
  • Updated links or contact information.

Material changes (email notification required):

  • New categories of data collection.
  • New third-party data processors.
  • Changes to data retention periods.
  • Changes to your rights or how you can exercise them.
  • Changes to the purposes of data processing.

For material changes, we will notify you via email at least 30 days before the change takes effect.

14.3 Your Acceptance

Your continued use of the Service after the notification period constitutes acceptance of the updated Privacy Policy. If you disagree with changes, you may request data deletion and deactivate your account at any time.

14.4 Non-Retroactive

Policy changes apply only to data collected after the effective date of the change. Data collected under a previous version of this policy is protected under the terms that were in effect at the time of collection.

15. Complaints & Legal Resources

15.1 Contact Us First

If you believe that Rokito has violated your privacy rights, we encourage you to contact us first so we can resolve the issue directly:

  • Email: contact.rokito@gmail.com
  • Subject: “Privacy Concern”
  • Response time: Within 14 business days

15.2 Lodge a Complaint with a Data Protection Authority

If we are unable to resolve your concern to your satisfaction, you have the right to lodge a complaint with your local data protection authority. You can find your national authority through the European Data Protection Board:

European Data Protection Board — Members

15.3 California Residents

If you are a California resident and wish to file a complaint under the CCPA, you may contact the California Attorney General’s office:

California Attorney General — Privacy Protection

15.4 Non-Discrimination

If you exercise any of your privacy rights, Rokito will not:

  • Discriminate against you or deny you access to the Service.
  • Retaliate or penalize you in any way.
  • Change the quality or pricing of the Service.