Launch offer - use code KONTO50 for -50% on any kit or plan. See pricing

Last updated: June 19, 2026

ROUNDKIT PRIVACY POLICY

Version 1.0 — effective from June 19, 2026

Important notice. This document is an English translation of the Polish-language original "Polityka prywatności RoundKit", provided for the convenience of non-Polish-speaking users. We have made our best effort to ensure accuracy, but in the event of any discrepancy, the Polish-language version prevails. The Polish original is the only legally binding version and is available at https://roundkit.runriva.com/pl/legal/polityka-prywatnosci.

§ 1. Introductory Information

  1. This privacy policy (hereinafter: "Policy") sets out the rules for the processing of personal data of users of the RoundKit service, available at https://roundkit.runriva.com (hereinafter: "Service").
  2. The Policy is an annex to the Service Terms, available at https://roundkit.runriva.com/legal/terms. Capitalized terms not defined in the Policy have the meaning given to them in the Terms. The term "Customer" also covers a person making a purchase without an Account and a person using the free Creator.
  3. The Policy fulfils the information obligation arising from Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter: "GDPR").

§ 2. Data Controller

  1. The controller of personal data (hereinafter: "Controller") is Maciej Dzierżek, a sole proprietor entered in the Polish CEIDG, with the place of business at: ul. Cieszyńska 1a/57, 02-716 Warsaw, Poland, Tax ID (NIP): PL7411885009, Statistical ID (REGON): 280016640.
  2. The Controller may be contacted on all matters concerning the processing of personal data: by email at maciej.dzierzek@gmail.com; and by traditional mail at the address indicated in section 1.
  3. The Controller has not appointed a Data Protection Officer (DPO), as it is not obliged to do so under Article 37 GDPR.

§ 3. What Personal Data We Process

The Controller processes the following categories of personal data:

  1. Account data (if the Customer creates an Account):

    1. email address;
    2. password — stored only as a non-reversible cryptographic hash — or, in the case of Google login, the Google account identifier and basic profile data shared by Google (name, email address, profile picture);
    3. the Customer's name;
    4. marketing consent status;
    5. the organizer's logo uploaded by the Customer (for branding of Materials — Host/Pro Plans);
    6. the IP address and timestamp of acceptance of the Terms and the Policy;
    7. language preferences and interface settings (light/dark theme).

  2. Order and payment data:

    1. the buyer's email address (also collected for a One-Time Purchase without an Account);
    2. order history, including the parameters of the ordered Set (categories, difficulty, number of rounds), amount, currency, and order status;
    3. the timestamp of the declaration waiving the right of withdrawal (§ 13 of the Terms);
    4. Subscription status and data (dates, amounts, currency, billing period), the customer identifier at the Payment Operator;
    5. payment card data and full invoice data are processed solely by the Payment Operator (Stripe) as the entity that settles transactions (merchant of record) and are not stored by the Controller. The Controller receives limited billing data from the Operator (e.g. transaction status, customer identifier, amount, and currency).

  3. Service usage data:

    1. the Creator state (the composed Set) linked to a session identifier (cookie) or Account;
    2. the Customer's question history (anti-duplicate mechanism) — email address or Account identifier, Question identifiers, and a timestamp;
    3. server and security logs (IP address, User-Agent header, timestamps, suspicious traffic patterns, failed logins).

  4. Communication data with the Controller: the content of email messages and the Controller's responses; communication metadata (date, email address).

  5. Marketing data — processed only if separate consent has been given: email address; consent status (date given, date of any withdrawal); delivery metadata (opens, clicks — to the extent provided by the email service provider).

  6. Analytics data — processed only after consent to analytics cookies (§ 7): cookie identifiers and Service usage events (Google Analytics 4); session recordings and interaction heatmaps, user and session identifiers (Microsoft Clarity).

  7. Cookies and similar technologies — detailed in § 7.

The Controller does not process special categories of data within the meaning of Article 9 GDPR.

§ 4. Purposes and Legal Bases of Processing

  1. Performance of the Agreement — Article 6(1)(b) GDPR: provision of the Creator and composing a Set; fulfilment of the One-Time Purchase and Subscription, generating and delivering the Materials (including applying the Watermark); operation of the Account, archive of Sets, and the anti-duplicate mechanism; communication related to performance of the Agreement (purchase confirmations, download links, notifications). Retention: until termination of the Agreement and for the period necessary to handle re-downloads and complaints.

  2. Compliance with legal obligations — Article 6(1)(c) GDPR: retention of billing data and accounting documents (as a rule, 5 years); handling of complaints and withdrawals; responses to requests of authorized authorities. Retention: in accordance with the legal obligation.

  3. Legitimate interest of the Controller — Article 6(1)(f) GDPR: protection against abuse and fraud, including applying the Watermark (anti-reshare) and limiting download frequency; monitoring Service security and detecting incidents; pursuing and defending against claims; handling correspondence; aggregated analytics for the development of the Service; marketing of the Controller's own products and services to existing Customers (without using the channel for which separate consent is required). Retention: server logs — up to 90 days; security logs — up to 12 months; other data for the period necessary, no longer than the limitation period for claims.

  4. Customer consent — Article 6(1)(a) GDPR and Article 173 et seq. of the Telecommunications Law: sending the Controller's commercial information by electronic means; analytics cookies (Google Analytics 4, Microsoft Clarity). Retention: until withdrawal of consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

§ 5. Marketing Communication

  1. Transactional communication related to performance of the Agreement (purchase confirmations, download links, email verification, password reset, notifications of changes to the Terms) is sent regardless of marketing consent — it constitutes performance of the Agreement.
  2. Commercial information (marketing) is sent only after the Customer has given separate, voluntary consent (checkbox not pre-checked). Consent may also be used as a condition for making a discount code available.
  3. The Customer may withdraw marketing consent at any time: by clicking the "unsubscribe" link in the message footer, changing the settings in the Account, or sending a request to the address indicated in § 2 section 2. Withdrawal is free of charge and does not affect further use of the Service.

§ 6. Sub-processors (Processors)

  1. The Controller entrusts the processing of personal data to the following entities (Sub-processors), only to the extent necessary for the provision of the Service:
Sub-processor Purpose of processing Location Basis of transfer outside the EEA
Railway Corp. (USA) Application hosting Servers in the EU region; access from the USA Standard Contractual Clauses (SCC)
Neon, Inc. (USA) Postgres database (Accounts, orders, question history, Subscription data) Servers in the EU region; access from the USA SCC
Cloudflare, Inc. (USA) CDN and DDoS protection (processes IP address and HTTP headers) and storage of Materials files and logos in the R2 service (bucket in the EU region) Global Edge network / EU; access from the USA SCC
Stripe Payments Europe, Limited (Ireland) and Stripe, Inc. (USA) Payment handling as the entity that settles transactions (merchant of record), billing, invoices, card data, tax settlement Ireland, USA SCC + EU-U.S. Data Privacy Framework
Resend, Inc. (USA) Sending of email messages (transactional and marketing) USA SCC
Google Ireland Limited / Google LLC (Ireland, USA) Google account login (OAuth) and Google Analytics 4 (after consent) EU, USA SCC + EU-U.S. Data Privacy Framework
Microsoft Corporation (USA, EU) — Microsoft Clarity Analytics of Service usage: heatmaps and session recordings (after consent) USA / EU SCC + EU-U.S. Data Privacy Framework
Functional Software, Inc. (Sentry) (USA) Application error monitoring — error logs may contain a Customer identifier, IP address, and fragments of requests USA SCC
  1. Some Sub-processors are based in third countries (outside the EEA), in particular the United States. Transfers take place on the basis of Standard Contractual Clauses (SCC) approved by the European Commission and, for certified entities, on the basis of the EU-U.S. Data Privacy Framework. The Controller takes care that Sub-processors provide an adequate level of data protection.
  2. The Controller informs of material changes to the list of Sub-processors by updating the Policy, with at least 14 days' advance notice.

§ 7. Cookies and Similar Technologies

  1. The Service uses cookies and similar technologies (localStorage). The Controller uses the following types:
Cookie / technology Purpose Lifetime Category
rk_build Remembering the Creator state (composed Set) up to 7 days Essential
logged-in Customer session (session token) Maintaining the login session per session settings Essential
CSRF protection Protecting forms against attacks browser session Essential
rk_consent Recording cookie preferences 1 year Essential
preferences (language, theme) Remembering interface settings up to 1 year Preference
_ga, _ga_* Google Analytics 4 — user identifier and usage statistics up to 2 years Analytics
_clck, _clsk Microsoft Clarity — user and session identifier 1 year / 1 day Analytics
  1. Essential cookies are used without the Customer's consent, on the basis of Article 173(3) of the Telecommunications Law (cookies necessary for the provision of the service).
  2. Analytics cookies (Google Analytics 4 and Microsoft Clarity) are used only after the Customer's consent. These scripts load only after the "Analytics" category is accepted in the consent banner; without consent nothing is collected or recorded. Microsoft Clarity may record session recordings and interaction heatmaps. See Microsoft's privacy statement (https://www.microsoft.com/privacy/privacystatement) and Google's privacy information (https://policies.google.com/privacy).
  3. The Service displays a cookie consent banner on the first visit, allowing the Customer to accept or reject non-essential categories. The Customer may change their preferences at any time via the "Cookie preferences" link in the Service footer or in the browser settings. The Controller does not use marketing or advertising cookies.

§ 8. Data Retention Periods

Data category Retention period
Active Account (email, settings) Until termination of the Agreement (deletion of the Account)
Account data after deletion Permanent deletion, except data required by law; any backup copy until backup rotation
Billing data and accounting documents 5 years from the end of the tax year (tax obligation)
Materials files (R2) As a rule 14 days from generation, then deletion
Organizer logo (R2) Until removed by the Customer or branding is discontinued
Question history (anti-duplicate) Until deletion of the Account or the Customer's request
Server logs up to 90 days
Security logs (attack attempts, failed logins) up to 12 months
Email communication 3 years from the last exchange
Marketing consent Until withdrawal; after withdrawal, the withdrawal record is retained as proof
Disputed data (proceedings, claims) Until final conclusion of the case + limitation period

After the retention period elapses, data is permanently deleted or anonymized.

§ 9. Customer Rights

  1. The Customer has the following rights under the GDPR: the right of access (Art. 15); the right to rectification (Art. 16); the right to erasure ("right to be forgotten", Art. 17); the right to restriction of processing (Art. 18); the right to data portability (Art. 20) — in a structured, commonly used format (JSON or CSV); the right to object (Art. 21) — to processing based on legitimate interest and always to direct marketing; the right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of prior processing; and the right not to be subject to a decision based solely on automated processing (Art. 22).
  2. Rights are exercised through Account features (editing data, deleting the Account, managing consents, export) or a request sent to the email address indicated in § 2 section 2.
  3. The Controller responds within one month of receipt; for complex requests the deadline may be extended by a further two months, of which the Controller informs the Customer.
  4. The exercise of rights is free of charge; the Controller may refuse or charge a reasonable fee only for manifestly unfounded or excessive requests (Art. 12(5) GDPR).
  5. Right to complain — the Customer may lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw; https://uodo.gov.pl). A Customer residing in another EU Member State may lodge a complaint with the authority competent for their habitual residence.

§ 10. Data Security

  1. The Controller applies technical and organizational measures appropriate to the identified risks, in particular: encryption of transmission (TLS); non-reversible password hashing; short-lived secured download links; access control based on the principle of least privilege; periodic backups; and incident monitoring.
  2. The Controller does not hold ISO 27001, SOC 2, or similar certifications. The security of the Service is based on measures proportionate to the scale and nature of a sole proprietorship.
  3. In the event of a personal data breach likely to result in a risk to the rights and freedoms of Customers, the Controller will notify the supervisory authority under Article 33 GDPR and, in the case of high risk, the affected Customers under Article 34 GDPR.

§ 11. Automated Decisions and Profiling

  1. The Controller does not take decisions based solely on automated processing, including profiling, producing legal effects on Customers or significantly affecting them similarly.
  2. The automated mechanisms applied by the Controller (the anti-duplicate mechanism, download rate limiting, abuse detection) are based on deterministic rules, not on profiling within the meaning of Article 4(4) GDPR.

§ 12. Children

  1. The Service is not directed to persons under the age of 16.
  2. The Controller does not knowingly process personal data of children under 16. Upon obtaining information about such processing without the consent of a legal representative, the Controller will immediately delete the data.

§ 13. Customers Outside the European Union

  1. The Service is available globally. A Customer using the Service from a third country (outside the EEA) is subject to this Policy and to Polish law and the GDPR to the extent that the Controller is the responsible entity (Article 3 GDPR).
  2. A Customer from a third country has the same rights as a Customer from the European Union, described in § 9.

§ 14. Changes to the Policy

  1. The Controller may change the Policy for important reasons, in particular changes in the law, changes of Sub-processors or scope of processing, the introduction of new features, or technical changes in infrastructure.
  2. The Controller informs of changes by publishing the amended version at https://roundkit.runriva.com/legal/privacy and, for Customers with an Account, additionally by email, at least 14 days before the changes take effect.
  3. A Customer who does not agree with a change may delete their Account or stop using the Service.

§ 15. Final Provisions

  1. The Policy constitutes an annex to the Service Terms.
  2. In matters not regulated in the Policy, the provisions of the Terms and generally applicable law apply, in particular the GDPR, the Polish Personal Data Protection Act of 10 May 2018, the Electronic Services Act, and the Telecommunications Law.
  3. This Policy enters into force on June 19, 2026. Version: 1.0.

End of Privacy Policy.