Privacy Policy
Last updated: April 4, 2026
1. Introduction
Rovee ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website and services.
We are based in Portugal and comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
Data Controller: Rovee
Address: Portugal
Email: privacy@rovee.io
DPO: Not required under GDPR Article 37 (small organization)
3. What Data We Collect
3.1 Personal Data You Provide
- Email address - Required for waitlist signup
- Vehicle information (optional) - RV type, length, current navigation app, pain points
3.2 Automatically Collected Data
- Analytics data - Page views, clicks, referral sources (anonymized)
- Technical data - IP address, browser type, device type, operating system
- Cookies - See our Cookie Policy
4. Legal Basis for Processing
We process your data based on the following legal grounds:
- Consent (Article 6(1)(a) GDPR) - When you join the waitlist or provide optional profile data
- Legitimate interests (Article 6(1)(f) GDPR) - For analytics, security, and service improvement
- Legal obligation (Article 6(1)(c) GDPR) - When required by law
5. How We Use Your Data
- To manage the waitlist and notify you about beta access
- To improve our product based on user feedback
- To send you important updates about Rovee
- To analyze website usage and improve user experience
- To prevent fraud and ensure security
6. Data Retention
We retain your personal data only as long as necessary:
- Waitlist data: Until you unsubscribe or request deletion, maximum 2 years after beta ends
- Analytics data: 26 months (Google Analytics default)
- Server logs: 30 days
7. Your Rights Under GDPR
You have the following rights:
- Right to access - Request a copy of your data
- Right to rectification - Correct inaccurate data
- Right to erasure ("Right to be forgotten") - Request deletion of your data
- Right to restrict processing - Limit how we use your data
- Right to data portability - Receive data in a structured format
- Right to object - Object to certain processing activities
- Right to withdraw consent - Withdraw consent at any time
To exercise these rights, email us at privacy@rovee.io or use our Data Request Form.
8. Data Security
We implement appropriate technical and organizational measures:
- HTTPS encryption for all data transmission
- Password hashing for authentication
- Regular security audits
- Limited access to personal data
- EU-based infrastructure (AWS EU-West)
9. Data Transfers
Your data is stored in the European Union (AWS EU-West region). We do not transfer your personal data outside the EU/EEA. Analytics data is processed by Plausible (EU-based, privacy-focused analytics).
10. Third-Party Processors
We use the following data processors:
- Supabase - Database hosting (EU)
- AWS - Infrastructure hosting (EU-West)
- Plausible - Privacy-focused analytics (EU)
- Fly.io - Application hosting
All processors are GDPR compliant and have Data Processing Agreements (DPAs) in place.
11. Cookies
We use minimal cookies for essential functionality. See our Cookie Policy for details. We do not use tracking cookies or advertising cookies.
12. Children's Privacy
Our services are not directed at children under 16. We do not knowingly collect data from children under 16. If you believe we have collected data from a child, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a notice on our website.
14. Contact Us
For privacy-related questions or to exercise your rights:
Email: privacy@rovee.io
Data Request Form: rovee.app/data-request
Response time: Within 30 days (as required by GDPR)
15. Data Breach Notification
In the unlikely event of a personal data breach, we will:
- Notify the Portuguese Data Protection Authority (CNPD) within 72 hours of becoming aware of the breach
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, including facts, effects, and remedial actions taken
We maintain a data breach response plan and conduct regular security assessments to prevent breaches.
16. Unsubscribe and Opt-Out
You can unsubscribe from our communications at any time:
- Email: Click the "Unsubscribe" link in any email we send
- Waitlist: Email privacy@rovee.io with subject "Unsubscribe"
- All communications: Use our Data Request Form
Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal. You will be removed from future communications within 48 hours.
17. Records of Processing
As required by GDPR Article 30, we maintain records of processing activities including:
- Contact details of the controller (Rovee)
- Purposes of processing (waitlist management, analytics)
- Categories of data subjects (website visitors, waitlist members)
- Categories of personal data (email, vehicle preferences)
- Recipients of personal data (Supabase, AWS - all with DPAs)
- Data retention periods
- Security measures implemented
These records are available for inspection by supervisory authorities upon request.
18. Privacy by Design
We implement privacy by design and default principles:
- Data minimization: We only collect data necessary for the specific purpose
- Purpose limitation: Data is only used for the stated purposes
- Storage limitation: Data is deleted when no longer needed
- Default privacy: The most privacy-friendly settings are the default
- Transparency: Clear privacy notices and consent mechanisms
- User control: Easy access to your data and easy exercise of your rights
19. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. All decisions are made by humans.
20. Cross-Border Data Transfers
All personal data is stored and processed within the European Union (EU). We do not transfer personal data outside the EU/EEA. Our infrastructure providers (AWS EU-West, Fly.io) maintain data centers within the EU.
21. Technical and Organizational Measures
We implement the following security measures to protect your data:
- Encryption: HTTPS/TLS 1.3 for data in transit
- Access control: Role-based access, least privilege principle
- Authentication: Strong passwords, 2FA where possible
- Logging: Access logs for audit purposes
- Backups: Encrypted, geographically distributed
- Incident response: Documented breach response procedures
- Regular reviews: Quarterly security assessments
- Staff training: Privacy and security awareness for all team members
22. Data Portability Format
When you request data portability (Article 20 GDPR), we provide your data in the following formats:
- JSON: Machine-readable structured format (preferred)
- CSV: Spreadsheet-compatible format
- PDF: Human-readable summary (on request)
Data is provided via secure email link or direct download, valid for 30 days. We can also transfer data directly to another controller if technically feasible.
23. Complaints
If you are not satisfied with our response, you have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD):
Website: www.cnpd.pt