Privacy Policy

Last updated: 30 June 2026

This Privacy Policy explains how RookieMind (“we”, “us”, “our”) collects, uses, and protects personal data when you visit our website, use our services, or otherwise interact with us (collectively, the “Services”). We are committed to protecting your personal data and processing it in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable European and Croatian data protection laws.

1. Data Controller

Data Controller: Paulina Peroš

Business name: RookieMind

Legal form: Obrt (sole proprietorship registered in Croatia)

OIB: 24628764904

Address: Matice hrvatske 15, 21000 Split, Croatia

Email: [email protected]

Website: www.paulinaperos.com

RookieMind is not registered in the Croatian VAT system (nije u sustavu PDV-a).

2. Personal Data We Process

Depending on how you interact with our Services, we may process the following categories of personal data:

2.1 Data you provide directly

Name

Email address

Phone number

Billing and invoicing information

Account or registration information

Information you provide when contacting us or using our services

2.2 Automatically collected data

When you visit our website, we may automatically collect: IP address, device and browser information, usage data (pages visited, interactions, timestamps), and referrer URLs. This data is collected via cookies and similar technologies, subject to your consent where required.

2.3 Data from third parties

We may receive personal data from trusted service providers that support our business operations, such as website hosting and IT providers, payment service providers, and marketing and analytics providers. All such data is processed in accordance with this Privacy Policy.

3. Purposes of Processing

To provide and manage our Services

To communicate with you and respond to inquiries

To manage customer relationships and accounts

To send newsletters and marketing communications (with consent)

To analyze and improve our Services

To ensure website security and prevent misuse

To comply with legal and regulatory obligations

4. Legal Bases for Processing

We process personal data based on one or more of the following legal bases under Article 6 GDPR:

Consent (Art. 6(1)(a)): for newsletters, marketing communications, personalization, and marketing/analytics cookies.

Performance of a contract (Art. 6(1)(b)): where processing is necessary to provide our Services or fulfil a contract with you.

Legal obligation (Art. 6(1)(c)): where processing is required to comply with applicable laws (for example accounting obligations).

Legitimate interests (Art. 6(1)(f)): for ensuring website security, improving our Services, and managing our business operations, provided your rights and freedoms do not override these interests.

You may withdraw your consent at any time with effect for the future.

5. Marketing, Analytics and Automation (somba.io / GoHighLevel)

We use somba.io, a marketing automation and customer engagement platform. somba.io is a white-label of the GoHighLevel platform (operated by HighLevel Inc., United States) and is provided to us under a license from Sigrun GmbH (Switzerland). This means that personal data processed through somba.io may be stored and processed on infrastructure located in the United States (see section 9).

somba.io helps us to analyze user behavior and interactions, segment audiences, send relevant communications, and improve the quality of our Services. In this context the following data may be processed: email address, usage and interaction data, and technical data (for example IP address, browser, device information).

These providers act as data processors and process personal data on our instructions and in accordance with the GDPR. Processing for marketing and personalization purposes takes place only with your explicit consent.

6. Profiling

We may use limited automated processing, including profiling, to analyze user behavior and preferences in order to personalize content and communications. This profiling does not produce legal effects and does not have similarly significant effects within the meaning of Article 22 GDPR. You have the right to object to profiling for direct marketing purposes at any time.

7. Cookies

Our website uses cookies and similar technologies to ensure functionality, analyze usage, and support marketing activities.

Essential cookies are necessary for the operation of the website.

Marketing and analytics cookies (including those used by somba.io) are activated only after you provide your explicit consent through the cookie banner.

You can manage or withdraw your consent at any time via the cookie settings on our website.

8. Data Sharing

We share personal data only where necessary and in accordance with the GDPR, including with:

somba.io / HighLevel Inc. (CRM, email and marketing automation), see section 5

1&1 IONOS SE (Germany), our email and domain hosting provider for the [email protected] mailbox

Google (Google Ireland Ltd. / Google LLC), where we use Gmail to manage and send our business email

Stripe (Stripe Payments Europe, Ltd., Ireland), our payment service provider

Anthropic, PBC (Claude) and OpenAI, L.L.C. (ChatGPT), where we use AI tools to help create content and to analyze responses you provide

Professional advisors (for example legal, tax, and accounting)

All service providers are bound by data processing agreements to process personal data securely and confidentially.

9. International Data Transfers

Some of our processors are located outside the European Economic Area. Where personal data is transferred to a third country, we ensure that appropriate safeguards are in place:

Transfers to the United States (for example via HighLevel Inc./GoHighLevel, which powers somba.io, via Google, and via our AI providers Anthropic and OpenAI) are based on the EU-US Data Privacy Framework where the recipient is certified, and/or on the European Commission's Standard Contractual Clauses (SCCs).

Transfers to Switzerland (Sigrun GmbH) are based on the European Commission's adequacy decision recognizing Switzerland as providing an adequate level of data protection.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, to comply with legal obligations, to resolve disputes, and to enforce agreements. In particular:

Accounting and invoicing records are retained for the period required by Croatian tax and accounting law (generally up to 11 years).

Newsletter and marketing data is kept until you withdraw your consent or object.

Contact enquiries are kept for as long as needed to handle your request and for a reasonable period afterwards.

11. Your Rights Under GDPR

You have the following rights under the GDPR:

Right of access

Right to rectification

Right to erasure (“right to be forgotten”)

Right to restriction of processing

Right to data portability

Right to object to processing

Right to withdraw consent at any time

Right to lodge a complaint with a supervisory authority

To exercise your rights, please contact us at [email protected].

You also have the right to lodge a complaint with the competent supervisory authority. In Croatia this is the Croatian Personal Data Protection Agency (AZOP), www.azop.hr.

12. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or misuse. However, no method of transmission over the internet is completely secure.

13. AI Tools and Automated Analysis

We may use AI tools, including Claude (Anthropic, PBC) and ChatGPT (OpenAI), to help us create content and to analyze responses you provide to us (for example survey or feedback responses). Where such responses contain personal data, these providers act as our processors and may process the data on infrastructure located in the United States (see section 9 on international transfers). We use these tools in a configuration intended to ensure that your data is not used to train the providers' AI models, and we minimize or pseudonymize personal data before analysis wherever possible. The legal basis is your consent (Art. 6(1)(a) GDPR) or our legitimate interest in understanding and improving our Services (Art. 6(1)(f) GDPR).

14. Children's Data

Our Services are not directed at children under the age of 16, and we do not knowingly collect personal data from children.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The current version will always be available on our website with the updated revision date.

16. Contact

If you have any questions about this Privacy Policy or how we process personal data, please contact: [email protected]