Privacy Policy
Last updated: 30 June 2026
This Privacy Policy explains how RookieMind (“we”, “us”, “our”) collects, uses, and protects personal data when you visit our website, use our services, or otherwise interact with us (collectively, the “Services”). We are committed to protecting your personal data and processing it in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable European and Croatian data protection laws.
1. Data Controller
Data Controller: Paulina Peroš
Business name: RookieMind
Legal form: Obrt (sole proprietorship registered in Croatia)
OIB: 24628764904
Address: Matice hrvatske 15, 21000 Split, Croatia
Email: [email protected]
Website: www.paulinaperos.com
RookieMind is not registered in the Croatian VAT system (nije u sustavu PDV-a).
2. Personal Data We Process
Depending on how you interact with our Services, we may process the following categories of personal data:
2.1 Data you provide directly
Name
Email address
Phone number
Billing and invoicing information
Account or registration information
Information you provide when contacting us or using our services
2.2 Automatically collected data
When you visit our website, we may automatically collect: IP address, device and browser information, usage data (pages visited, interactions, timestamps), and referrer URLs. This data is collected via cookies and similar technologies, subject to your consent where required.
2.3 Data from third parties
We may receive personal data from trusted service providers that support our business operations, such as website hosting and IT providers, payment service providers, and marketing and analytics providers. All such data is processed in accordance with this Privacy Policy.
3. Purposes of Processing
To provide and manage our Services
To communicate with you and respond to inquiries
To manage customer relationships and accounts
To send newsletters and marketing communications (with consent)
To analyze and improve our Services
To ensure website security and prevent misuse
To comply with legal and regulatory obligations
4. Legal Bases for Processing
We process personal data based on one or more of the following legal bases under Article 6 GDPR:
Consent (Art. 6(1)(a)): for newsletters, marketing communications, personalization, and marketing/analytics cookies.
Performance of a contract (Art. 6(1)(b)): where processing is necessary to provide our Services or fulfil a contract with you.
Legal obligation (Art. 6(1)(c)): where processing is required to comply with applicable laws (for example accounting obligations).
Legitimate interests (Art. 6(1)(f)): for ensuring website security, improving our Services, and managing our business operations, provided your rights and freedoms do not override these interests.
You may withdraw your consent at any time with effect for the future.
5. Marketing, Analytics and Automation (somba.io / GoHighLevel)
We use somba.io, a marketing automation and customer engagement platform. somba.io is a white-label of the GoHighLevel platform (operated by HighLevel Inc., United States) and is provided to us under a license from Sigrun GmbH (Switzerland). This means that personal data processed through somba.io may be stored and processed on infrastructure located in the United States (see section 9).
somba.io helps us to analyze user behavior and interactions, segment audiences, send relevant communications, and improve the quality of our Services. In this context the following data may be processed: email address, usage and interaction data, and technical data (for example IP address, browser, device information).
These providers act as data processors and process personal data on our instructions and in accordance with the GDPR. Processing for marketing and personalization purposes takes place only with your explicit consent.
6. Profiling
We may use limited automated processing, including profiling, to analyze user behavior and preferences in order to personalize content and communications. This profiling does not produce legal effects and does not have similarly significant effects within the meaning of Article 22 GDPR. You have the right to object to profiling for direct marketing purposes at any time.
7. Cookies
Our website uses cookies and similar technologies to ensure functionality, analyze usage, and support marketing activities.
Essential cookies are necessary for the operation of the website.
Marketing and analytics cookies (including those used by somba.io) are activated only after you provide your explicit consent through the cookie banner.
You can manage or withdraw your consent at any time via the cookie settings on our website.
8. Data Sharing
We share personal data only where necessary and in accordance with the GDPR, including with:
somba.io / HighLevel Inc. (CRM, email and marketing automation), see section 5
1&1 IONOS SE (Germany), our email and domain hosting provider for the [email protected] mailbox
Google (Google Ireland Ltd. / Google LLC), where we use Gmail to manage and send our business email
Stripe (Stripe Payments Europe, Ltd., Ireland), our payment service provider
Anthropic, PBC (Claude) and OpenAI, L.L.C. (ChatGPT), where we use AI tools to help create content and to analyze responses you provide
Professional advisors (for example legal, tax, and accounting)
All service providers are bound by data processing agreements to process personal data securely and confidentially.
9. International Data Transfers
Some of our processors are located outside the European Economic Area. Where personal data is transferred to a third country, we ensure that appropriate safeguards are in place:
Transfers to the United States (for example via HighLevel Inc./GoHighLevel, which powers somba.io, via Google, and via our AI providers Anthropic and OpenAI) are based on the EU-US Data Privacy Framework where the recipient is certified, and/or on the European Commission's Standard Contractual Clauses (SCCs).
Transfers to Switzerland (Sigrun GmbH) are based on the European Commission's adequacy decision recognizing Switzerland as providing an adequate level of data protection.
10. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, to comply with legal obligations, to resolve disputes, and to enforce agreements. In particular:
Accounting and invoicing records are retained for the period required by Croatian tax and accounting law (generally up to 11 years).
Newsletter and marketing data is kept until you withdraw your consent or object.
Contact enquiries are kept for as long as needed to handle your request and for a reasonable period afterwards.
11. Your Rights Under GDPR
You have the following rights under the GDPR:
Right of access
Right to rectification
Right to erasure (“right to be forgotten”)
Right to restriction of processing
Right to data portability
Right to object to processing
Right to withdraw consent at any time
Right to lodge a complaint with a supervisory authority
To exercise your rights, please contact us at [email protected].
You also have the right to lodge a complaint with the competent supervisory authority. In Croatia this is the Croatian Personal Data Protection Agency (AZOP), www.azop.hr.
12. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or misuse. However, no method of transmission over the internet is completely secure.
13. AI Tools and Automated Analysis
We may use AI tools, including Claude (Anthropic, PBC) and ChatGPT (OpenAI), to help us create content and to analyze responses you provide to us (for example survey or feedback responses). Where such responses contain personal data, these providers act as our processors and may process the data on infrastructure located in the United States (see section 9 on international transfers). We use these tools in a configuration intended to ensure that your data is not used to train the providers' AI models, and we minimize or pseudonymize personal data before analysis wherever possible. The legal basis is your consent (Art. 6(1)(a) GDPR) or our legitimate interest in understanding and improving our Services (Art. 6(1)(f) GDPR).
14. Children's Data
Our Services are not directed at children under the age of 16, and we do not knowingly collect personal data from children.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The current version will always be available on our website with the updated revision date.
16. Contact
If you have any questions about this Privacy Policy or how we process personal data, please contact: [email protected]