Privacy Policy

Effective Date: January 21, 2026
Last Updated: January 21, 2026

§ 1. Introduction & Data Controller

This Privacy Policy explains how RKD - Rozwój Każdego Dnia ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our RKD (Rozwój każdego dnia) platform accessible at rkd.solutions.

Data Controller:

  • Company: RKD - Rozwój Każdego Dnia (NDG)
  • NIP: 7292764729
  • Address: Maurycego Mochnackiego 9/13 m.21, 93-578 Łódź, Poland
  • Email: bok@rkd.solutions

This Privacy Policy is provided in accordance with the EU General Data Protection Regulation (GDPR) and Polish data protection laws (RODO).

§ 2. What Data We Collect

2.1 Account Data (Required)

When you create an account on our platform, we collect:

  • Email address - For account creation and communication
  • Full name - For personalizing your experience
  • Username - For platform identification
  • Password - Securely hashed using the industry-standard Argon2 password-hashing algorithm
  • Birth date - To verify you are 18 years or older
  • Gender - Optional (male/female/other/not shared) - For training personalization
  • Country - For regional compliance and localization
  • Phone number - Optional, for account recovery

2.2 Automatically Collected Data

We automatically collect certain information when you use our platform:

  • Session cookies - Authentication cookie (auth-session) valid for 30 days
  • IP address - For security, rate limiting, and fraud prevention
  • Browser and device information - Collected by our error tracking service (Sentry) for debugging
  • Usage timestamps - To track account activity

2.3 Training & Platform Data

If you use our training platform features, we collect:

  • Training form answers - Questionnaire responses (up to 1000 characters per answer)
  • Training plans - Plans you create (if you are a trainer)
  • Exercise selections - Exercises you add to plans
  • PDF generation requests - When you export training plans

2.6 Communication Data

We collect information related to our communications with you:

  • Email verification codes - 6-digit codes valid for 10 minutes
  • Password reset tokens - Secure tokens valid for 2 hours
  • Customer service correspondence - Your messages to our support team

§ 4. How We Use Your Data

We use your personal data for the following purposes:

  • Provide access to the platform - Authentication and user sessions
  • Enable trainer-client relationships - Connect trainers with their clients
  • Generate and deliver training plans - PDF creation and export
  • Send transactional emails - Email verification, password resets, important account notifications
  • Prevent fraud and abuse - Rate limiting, security monitoring, spam prevention
  • Improve service quality - Error tracking with Sentry to fix bugs and improve stability
  • Comply with legal obligations - Tax reporting, financial record-keeping

§ 5. Data Sharing & Third-Party Processors

We share your data only with trusted third-party service providers necessary for platform operation:

5.1 Hosting & Infrastructure

  • Provider: OVH (Poland/EU)
  • Purpose: Server hosting and database storage
  • Data location: European Union
  • Data shared: All platform data stored on OVH servers

5.2 Email Service

  • Provider: Mailgun (EU endpoint: api.eu.mailgun.net)
  • Purpose: Transactional email delivery (verification codes, password resets)
  • Data location: European Union
  • Data shared: Email addresses, verification codes, password reset tokens

5.3 Error Tracking

  • Provider: Sentry (Germany region: .ingest.de.sentry.io)
  • Purpose: Platform stability, bug detection, and performance monitoring
  • Data location: European Union (Germany)
  • Data shared: Error logs, stack traces (NO personally identifiable information - sendDefaultPii: false)
  • Retention: 90 days

5.4 Cloud Storage

  • Provider: Cloudflare R2 (European Union region)
  • Purpose: Database backups and file storage
  • Data location: European Union
  • Data shared: Encrypted database backups, uploaded files
  • Retention: 30 days

5.5 CDN Services

  • Google Fonts (fonts.googleapis.com) - Typography resources. May receive browser/IP data for content delivery.
  • jsDelivr CDN (cdn.jsdelivr.net) - Flag icons library. May receive browser/IP data for content delivery.

5.6 No Data Sales

We do NOT sell, rent, or trade your personal data to third parties.

Your data is shared only with service providers necessary for platform operation, as described above.

§ 6. Cookies & Tracking Technologies

We use cookies and similar technologies to provide functionality and improve your experience.

For detailed information, see our Cookie Policy.

6.1 Essential Cookies (No consent required)

Cookie | Purpose | Duration | Type
auth-session | User authentication | 30 days | HttpOnly, Secure

6.2 Functional Cookies (Consent required)

Cookie | Purpose | Duration | Type
sidebar:state | UI preference (sidebar open/closed) | 7 days | Client-side
Theme cookie | Dark/light mode preference | Persistent | Client-side
Language cookie | Language selection (pl/en/de/it) | Persistent | Client-side
training-view-mode | Training view preference (grid/list) | Persistent | localStorage

6.3 Managing Cookies

You can manage your cookie preferences through:

  • Our cookie consent banner (appears on first visit)
  • Cookie settings (future feature in account settings)
  • Your browser settings

Note: Disabling essential cookies will prevent you from logging in. Disabling functional cookies will remove saved preferences but won't affect core functionality.

§ 7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Account data - Retained while your account is active, deleted upon account deletion request (anonymized within 30 days)
  • Training data (forms, plans) - Retained while your account is active, anonymized upon deletion
  • Database backups - 30 days rolling retention
  • Error logs (Sentry) - 90 days
  • Legal records (tax, invoices) - 5 years as required by Polish law
  • Audit logs - Retained for compliance purposes, anonymized user references

§ 8. Age Requirement

Our platform is intended for users aged 18 and older.

We do not knowingly collect personal data from anyone under 18 years of age.

If we become aware that we have collected data from a person under 18, we will delete that information promptly.

If you believe we have collected data from a minor, please contact us immediately at bok@rkd.solutions.

§ 9. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

9.1 Right to Access (Art. 15)

  • Request a copy of all personal data we hold about you
  • Receive information about how we process your data

9.2 Right to Rectification (Art. 16)

  • Correct inaccurate personal data
  • Complete incomplete information

9.3 Right to Erasure / Right to be Forgotten (Art. 17)

  • Delete your account and all associated personal data
  • Exceptions: Legal obligations (e.g., tax records must be kept for 5 years)

9.4 Right to Data Portability (Art. 20)

  • Receive your data in a machine-readable format (JSON)
  • Transfer your data to another service provider

9.5 Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority:

  • Urząd Ochrony Danych Osobowych (UODO)
  • ul. Stawki 2, 00-193 Warszawa, Poland
  • Website: https://uodo.gov.pl

We encourage you to contact us first so we can try to resolve your concerns directly.

9.6 How to Exercise Your Rights

To exercise any of these rights, please contact us:

We will respond to your request within 30 days as required by GDPR.

§ 10. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

For significant changes, we will notify you by email or by posting a prominent notice on our platform.

Changes become effective when posted. Your continued use of the platform after changes constitutes acceptance.

We encourage you to review this policy periodically.

§ 11. Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

  • Password hashing - All passwords are hashed using Argon2, an industry-standard algorithm
  • Secure connections - All data is transmitted over HTTPS/TLS-encrypted connections
  • Access controls - Role-based permissions limit data access to authorized personnel only
  • Encrypted backups - Database backups are encrypted and stored securely
  • Security monitoring - Rate limiting, logging, and error tracking to detect and prevent abuse
  • EU hosting - All primary data stored on servers within the European Union

While we implement strong security measures, no system is 100% secure. We encourage you to use a strong, unique password.

§ 12. International Data Transfers

Your data is primarily processed and stored within the European Union.

Our servers (OVH), email service (Mailgun EU), error tracking (Sentry Germany), and cloud storage (Cloudflare R2 EU) are all located in the EU.

Some CDN services (Google Fonts) may process limited technical data (IP address, browser info) outside the EU. These services operate under Standard Contractual Clauses (SCCs) or equivalent safeguards.

For any transfers outside the EU, we ensure appropriate safeguards are in place as required by GDPR.

§ 14. Contact

For any questions or concerns about this Privacy Policy or our data practices, please contact us:

  • Company: RKD - Rozwój Każdego Dnia (NDG)
  • NIP: 7292764729
  • Address: Maurycego Mochnackiego 9/13 m.21, 93-578 Łódź, Poland
  • General inquiries: bok@rkd.solutions

This Privacy Policy complies with the EU General Data Protection Regulation (GDPR), Polish data protection laws (RODO), and the ePrivacy Directive.