GDPR Compliance Policy

Business name: Roods.io
Last Updated: 21-07-2025

  1. Introduction

Roods.io (“Roods,” “we,” “our,” or “us”) is committed to protecting the personal data and privacy of all individuals who interact with our services. This General Data Protection Regulation (GDPR) Compliance Policy outlines the procedures, safeguards, and legal basis upon which we collect, process, store, transfer, and delete personal data in accordance with Regulation (EU) 2016/679 (“GDPR”).

As a Netherlands-based company offering digital storytelling experiences through geolocation technology, we process personal data from users, contributors, partners, and organizations. Our compliance framework is built on transparency, accountability, and a commitment to data protection by design and by default.

  2. Scope of Application

This policy applies to all personal data processed by Roods in the context of:

  • Users interacting with our mobile application and digital platforms
  • Clients and partner organizations using our services
  • Event participants, story contributors, or businesses involved in geo-targeted campaigns
  • Website visitors, newsletter subscribers, and individuals communicating with us directly

It governs all processing activities conducted by Roods, whether carried out by internal staff or authorized third-party processors.

  3. Legal Grounds for Processing Personal Data

Roods processes personal data lawfully and in full compliance with Article 6 of the GDPR. Each processing activity is supported by one or more of the following legal bases:

3.1. Consent

We obtain freely given, specific, informed and unambiguous consent (explicit consent where the GDPR requires it) from individuals before processing personal data on this basis. This includes but is not limited to:

  • Accepting cookies via a consent banner
  • Allowing location tracking for geo-based experiences
  • Submitting forms, contact inquiries, or newsletter subscriptions
  • Contributing stories or media via our platforms

Consent can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

3.2. Contractual Necessity

Personal data is processed when necessary to fulfill our contractual obligations with users or partners, such as:

  • Delivering app functionality and personalized routes
  • Enabling user authentication and content personalization
  • Providing technical support to registered users

This basis applies where users enter into a user agreement or access partner-based features that require data identification or location mapping.

3.3. Legitimate Interests

We process personal data to serve our legitimate business interests, provided such interests do not override the fundamental rights and freedoms of the data subject. Examples include:

  • Monitoring system performance and usage behavior
  • Ensuring security and fraud prevention
  • Analyzing anonymized data to improve content delivery
  • Supporting internal reporting and platform development

We apply a Legitimate Interest Assessment (LIA) where required to document and evaluate this legal basis.

  4. Types of Data Collected

Roods ensures data minimization and only collects data strictly necessary for the intended purposes. Categories of personal data processed include:

4.1. User-Provided Data

  • Full name, email address, or contact details
  • Story submissions, images, or audio files
  • Communication history (emails, inquiries)

4.2. Technical and Usage Data

  • IP address, browser type, and operating system
  • Mobile device identifiers, OS version, and app usage logs
  • Activity logs, interaction events, and feature engagement

4.3. Location Data

  • GPS-based or network-based location, collected only with explicit opt-in
  • Used solely to tailor story content based on a user’s physical location
  • Location data is not shared with any third party other than the processors named in this policy, who act under a Data Processing Agreement

4.4. Cookie and Tracking Data

For more information about how we use cookies, trackers, and similar technologies, including the types of cookies we deploy and how users can manage their preferences, please refer to our separate Cookie Policy available on our website.

  5. Data Storage and Hosting Locations

All personal data is stored within the European Union, in secure environments, so that no transfer to a third country under Chapter V of the GDPR is required for storage. Our hosting solutions include:

  • Amazon Web Services (AWS) – Data centers located in Frankfurt or Dublin with robust encryption and redundancy systems
  • MongoDB Atlas – EU-based clusters supporting full encryption at rest and during transmission, automatic backups, and strict access control

Both vendors offer GDPR Data Processing Agreements, hold ISO 27001 certification, provide SOC 2 attestation reports, and are assessed against other internationally recognized security standards.

  6. Data Sharing and Third-Party Processors

Roods shares personal data only when necessary, and solely with authorized third-party service providers acting under a Data Processing Agreement (DPA). These partners may include:

  • Cloud infrastructure providers (AWS)
  • Database management services (MongoDB Atlas)
  • Communication tools (e.g., newsletter platforms, contact forms)
  • Analytics providers (Google Analytics – configured with IP anonymization)

Each processor is contractually obligated to:

  • Only process data on our documented instructions
  • Implement adequate technical and organizational security measures
  • Support us in responding to data subject rights
  • Delete or return all personal data upon termination of services

We do not sell personal data, and we do not use it for advertising beyond the authorized campaign features initiated by Roods or its partners.

  7. Data Protection by Design and by Default

We adopt a proactive approach to privacy through our Privacy-by-Design and Privacy-by-Default principles:

  • Collection is limited to the minimum required for the service
  • Default settings disable location tracking, non-essential cookies, and notifications unless actively enabled by the user
  • Personal data is encrypted both in transit and at rest
  • Access to data is role-based and monitored through audit trails
  • Application development includes regular code reviews, penetration testing, and risk assessments
  • Our internal teams receive ongoing privacy training to ensure awareness of GDPR obligations

  8. Retention and Deletion of Data

Roods applies clear and enforceable data retention schedules. Personal data is retained only as long as necessary for the stated purpose, after which it is securely deleted or anonymized. Retention timelines depend on:

  • Type of data collected
  • Legal and contractual obligations
  • Ongoing user or partner relationships
  • Statutory limitation periods

Users may also request the deletion of their data at any time in accordance with their rights.

  9. User Rights Under GDPR

As a data subject, you are entitled to exercise the following rights under Articles 15–22 of the GDPR, subject to the transparency requirements of Articles 12–14:

  • Right of Access: Confirmation of whether we process your personal data, access to that data, and a copy of it
  • Right to Rectification: Request correction of inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of your data, subject to legal retention exceptions
  • Right to Restriction: Require us to restrict processing of your data under specific conditions, for example while its accuracy is being verified
  • Right to Data Portability: Receive data you provided to us in a structured, commonly used and machine-readable format, or have it transmitted to another controller
  • Right to Object: Object to data processing based on legitimate interests or direct marketing
  • Right to Withdraw Consent: Withdraw previously granted consent at any time
  • Right to Lodge a Complaint: File a complaint with a supervisory authority, such as the Autoriteit Persoonsgegevens in the Netherlands

Requests can be submitted to:
info@roods.io
We respond without undue delay and in any event within one month of receipt of the request, as required by GDPR Article 12(3). Where necessary, taking into account the complexity and number of requests, this period may be extended by two further months; in that case we inform you of the extension and the reasons for it within the first month.

  10. Data Breach Notification Procedure

In the event of a personal data breach, Roods will activate its Incident Response and Breach Notification Protocol, which includes:

  1. Immediate detection and risk assessment of the incident
  2. Containment and remediation to minimize exposure
  3. Notification to the Autoriteit Persoonsgegevens (the Dutch supervisory authority) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects’ rights and freedoms (Article 33 GDPR)
  4. Communication to affected individuals without undue delay, if the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR)
  5. Root cause analysis and corrective action to prevent recurrence
  6. Documentation and audit reporting for internal compliance reviews

All personal data breaches, including those not notified to the supervisory authority, are documented with their facts, effects and the remedial action taken, in accordance with Article 33(5) GDPR.

  11. Updates and Revisions to This Policy

Roods reserves the right to amend this GDPR Compliance Policy to reflect changes in legal obligations, operational practices, or technical infrastructure. When such updates occur:

  • The policy will display a revised “Last Updated” date
  • A change summary or full version history may be provided
  • Users will be notified through the mobile app and/or email, where appropriate

We encourage regular review of this policy to stay informed about our privacy practices.

  12. Contact & Data Protection Oversight

While Roods is not required under Article 37 GDPR to appoint a formal Data Protection Officer (DPO), we have designated a Privacy Lead responsible for:

  • Managing GDPR-related inquiries and data subject requests
  • Overseeing compliance with applicable data protection laws
  • Coordinating with service providers and ensuring accountability
  • Monitoring internal data governance

For any questions, requests, or complaints, please contact:

Privacy Lead – Roods.io
info@roods.io

Netherlands
Subject line: GDPR Request / Privacy Inquiry