
Rebuyo Privacy Policy

Last updated: March 1, 2026

1. Data Controller

The controller of personal data is Karol Rokita, a sole proprietor registered in CEIDG (Central Register and Information on Economic Activity), ul. Dolomitowa 3/19, 25-705 Kielce, Poland, NIP: 9592027551, REGON: 384487881 (hereinafter the "Controller").

Contact for data protection matters: privacy@rebuyo.io

2. What Data We Collect

As part of the Platform's operation, we process the following categories of data:

User Data (store owners)

  • email address and password (hashed with the Argon2id algorithm),
  • company name, tax ID (optional, for invoicing),
  • API keys and HMAC tokens,
  • dashboard usage data (activity logs).

End Customer Data

  • email address (provided by the User when registering a purchase),
  • purchase data: product identifier, purchase date, quantity,
  • consent status for receiving reminders,
  • reminder interactions (email opens, link clicks).

3. Purposes and Legal Basis for Processing

| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing Platform services | Art. 6(1)(b) - performance of a contract |
| Sending reminders to End Customers | Art. 6(1)(a) - End Customer consent |
| Invoicing and billing | Art. 6(1)(c) - legal obligation |
| Analytics and service improvement | Art. 6(1)(f) - legitimate interest of the Controller |
| Security and abuse prevention | Art. 6(1)(f) - legitimate interest of the Controller |

4. Data Sharing

Data may be shared with the following categories of recipients:

  • Email service providers - Mailgun (sending reminders), based on a data processing agreement.
  • SMS service providers - Twilio (optionally, when the User enables the SMS channel).
  • Infrastructure providers - OVHcloud (OVH Groupe SAS) - EU-based server hosting.
  • Payment providers - to the extent necessary to process payments for Growth and Scale plans.

We do not sell personal data to third parties. We do not profile End Customers for advertising purposes.

5. Data Retention

| Data Category | Retention Period |
|---|---|
| User account data | Until account deletion + 30 days |
| End Customer data | Until consent withdrawal or User account deletion |
| Invoicing data | 5 years from end of tax year (legal obligation) |
| Audit logs | 12 months |

6. Data Subject Rights

Under the GDPR, you have the following rights:

  • Right of access - you can obtain information about your processed data.
  • Right to rectification - you can correct inaccurate data.
  • Right to erasure - you can request deletion of your data ("right to be forgotten").
  • Right to restriction of processing - you can restrict how your data is processed.
  • Right to data portability - you can receive your data in a machine-readable format.
  • Right to object - you can object to processing based on legitimate interest.
  • Right to withdraw consent - at any time, without affecting the lawfulness of processing carried out before the withdrawal.

To exercise these rights, write to: privacy@rebuyo.io

You also have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO).

7. Data Security

We implement the following security measures:

  • transmission encryption (TLS/HTTPS),
  • password hashing with the Argon2id algorithm,
  • webhook signing with HMAC tokens,
  • data stored exclusively in EU data centers,
  • role-based access control (RBAC) in the dashboard,
  • audit logs recording data access.

8. Cookies

The rebuyo.io website uses cookies to ensure proper functioning and to analyze traffic. Before storing optional cookies, we require your consent via our cookie consent panel.

Cookie Categories

| Category | Purpose | Provider | Retention |
|---|---|---|---|
| Necessary | Storing cookie consent preferences (rebuyo_consent) | Rebuyo (localStorage) | Until cleared by user |
| Analytics | Website traffic analysis, visit statistics, traffic sources | Google Analytics 4 (Google LLC) | Up to 2 years (_ga), 24 hours (_ga_*) |
| Marketing | Ad personalization and campaign effectiveness measurement | Google Ads (Google LLC) | Up to 2 years |

Managing Cookies

On your first visit, we display a cookie consent banner where you can accept all cookies, reject optional ones, or customize settings in the preferences panel. You can change your preferences at any time by clicking the "Cookie settings" link in the site footer.

Analytics cookies (Google Analytics 4, ID: G-HMT4XCY4CZ) are loaded only after you give consent - we use Google Consent Mode v2, meaning no data is sent to Google without your explicit approval.

You can also delete cookies through your browser settings. Deleting necessary cookies (localStorage) will cause the cookie consent banner to appear again.

Dashboard (app.rebuyo.io)

The dashboard uses session cookies necessary for the application to function (authentication, CSRF).

9. Data Transfers Outside the EEA

Personal data is stored and processed exclusively on servers located in the European Union.

When using sub-processors outside the EEA (e.g., Mailgun, Twilio), transfers are based on Standard Contractual Clauses (SCCs) approved by the European Commission.

10. End Customer Consent (Double Opt-in)

Rebuyo requires the User to obtain End Customer consent before sending reminders. The Platform supports a double opt-in mechanism - the End Customer must confirm their consent by clicking a link in a verification email.

The End Customer can withdraw consent at any time by clicking the "Unsubscribe" link included in every reminder.

11. Changes to the Privacy Policy

The Controller reserves the right to update this Policy. Users will be notified of significant changes by email at least 14 days in advance.

The current version of the Policy is always available at rebuyo.io/en/privacy.

12. Contact

For matters related to personal data protection, please contact:

  • Email: privacy@rebuyo.io
  • Address: Karol Rokita, ul. Dolomitowa 3/19, 25-705 Kielce, Poland