Privacy Policy
Last updated: 6 June 2026 · v0.1-draft
⚖️ Draft for review. Final binding text — including the per-processor transfer mechanisms and the cookie/consent regime — must be confirmed with a Romanian lawyer / DPO before publication.
This Privacy Policy explains how [Company Legal Name] SRL ("we", "us") collects and processes personal data when you use rhope, in accordance with the GDPR (Regulation (EU) 2016/679), Romanian Law 190/2018, and Law 506/2004. The supervisory authority in Romania is the ANSPDCP.
1. Controller Identity & Contact
The data controller is [Company Legal Name] SRL, CUI [CUI], [ONRC J00/0000/0000], registered seat [Registered seat, Romania]. Contact: privacy@rhope.app.
2. Data-Protection Contact / DPO
For privacy questions, contact privacy@rhope.app. A Data Protection Officer is likely not mandatory for a service of this size (⚖️ to confirm with counsel); we will state here if one is appointed.
3. Scope & EU Establishment
We are established in the EU (Romania), so no Article 27 EU representative is required. This policy covers personal data processed through the rhope website and applications.
4. Categories of Personal Data
- Account data: email address and name.
- Authentication identifiers (via Supabase, Google, or Apple).
- Billing identifiers — handled by Paddle; we do not store your card data.
- Product usage and analytics data.
- Your inputs: watchlists and portfolio entries.
- IP address, device, and log data.
- Cookies / local storage (theme, density, and session state).
5. Purposes & Legal Bases
- Providing the Service — performance of a contract (Art. 6(1)(b)).
- Billing, tax, and record-keeping — legal obligation / contract.
- Security, fraud prevention, and product analytics — legitimate interests (Art. 6(1)(f)).
- Marketing email, where applicable — consent (Art. 6(1)(a)).
7. Recipients, Processors & Sub-Processors
We share personal data with the following recipients, as processors unless noted otherwise:
| Recipient | Purpose | Transfer mechanism |
|---|---|---|
| Paddle (Merchant of Record) | Payment, billing, invoicing, tax, fraud prevention. Paddle is an independent controller for payment data — see Paddle's own privacy policy. | Per Paddle (UK/EU) — confirm |
| Supabase | Database, authentication, session storage. | SCCs / DPF — confirm |
| Google (Identity Services) | Federated sign-in (only if you choose it). | DPF — confirm |
| Apple (Sign in with Apple) | Federated sign-in (only if you choose it). | SCCs — confirm |
| Fly.io | Application hosting. | SCCs / DPF — confirm |
| Cloudflare | CDN, DNS, DDoS protection, proxy. | SCCs / DPF — confirm |
| Sentry | Error monitoring — configured to set no cookies and minimise personal data (IP/session-replay off). | SCCs / DPF — confirm |
| Resend | Transactional and authentication email. | SCCs / DPF — confirm |
We do not store your payment card information — Paddle handles it. We also obtain market data from third-party providers (Financial Modeling Prep, Finnhub, and Massive); we send them only instrument queries such as ticker symbols and never your personal data, so they are not recipients of your personal data.
8. International Data Transfers & Safeguards
Some recipients are located outside the EEA. Where that is the case, transfers are made under an appropriate Article 46 safeguard — the Standard Contractual Clauses or, where applicable, the EU–US Data Privacy Framework — confirmed per recipient (see the table above). You can request a copy of the relevant safeguard from us.
9. Data Not Obtained From You
When you sign in with Google or Apple, we receive limited profile data about you from those providers. Our Situations news feed processes third-party content (news, posts) — which we summarise using OpenAI — that may contain personal data of individuals who are not users. This content pipeline does not receive your account data; where it processes a third party's personal data, our legal basis is our legitimate interest in providing news information (Art. 6(1)(f)), subject to the Article 14(5) exemptions.
⚖️ Counsel to confirm Art. 14 scope for the Situations/LLM pipeline.
10. Data Retention
We keep account data while your account is active and for a limited period after closure. Billing and tax records are retained for the period required by Romanian law (held primarily by Paddle as Merchant of Record). Logs are short-lived.
11. Your Rights
You have the right to:
- access your personal data;
- rectify inaccurate data;
- erase data ("right to be forgotten");
- restrict or object to processing (including under Art. 6(1)(f));
- data portability;
- withdraw consent at any time.
To exercise these rights, contact privacy@rhope.app. We respond within the statutory timeframe.
12. Right to Lodge a Complaint
You may complain to the Romanian supervisory authority (ANSPDCP) or to the authority in your country of residence.
13. Is Provision Mandatory?
Some data is required to use the Service — for example, an email address is needed to create an account. Without it we cannot provide the account.
14. Automated Decision-Making / Profiling
We do not carry out automated decision-making that produces legal or similarly significant effects on you.
15. Security
We use HTTPS across the Service (via Cloudflare), row-level security in our database, and scoped API access. We do not store card data.
16. Children
The Service is not directed to children under 16 (⚖️ confirm 16 vs 18). We do not knowingly collect personal data from children.
17. California & U.S. Residents
We do not sell or share your personal information for money or for cross-context behavioural advertising. If you are a California resident, you have the right to know what personal information we hold about you, to request its deletion, to correct it, and to opt out of any sale or sharing (we do not sell or share, but you may still send a request). You will not be discriminated against for exercising these rights. To make a request, contact privacy@rhope.app. These rights are in addition to the rights in Section 11.
18. Changes to this Policy
We may update this policy. We will notify you of material changes; the "last updated" date and version above govern.
19. Contact
[Company Legal Name] SRL · privacy@rhope.app · +40 751 845 665