Legal

Privacy Policy

Effective: 22 May 2026 · Last updated: 22 May 2026

1. Who we are

Roogify is a website-as-a-service product operated by Roogify LLC, a company organised under the laws of the State of Wyoming, USA. Our registered agent address is 30 N Gould St, STE R, Sheridan WY 82801, USA. We are the data controller for the personal data described in this policy.

You can contact us about anything in this policy by emailing team@roogify.com.

This policy explains, in plain English, what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have. It applies to roogify.com, to any demo or live site we build for a customer, and to email we send on behalf of our service.

2. What information we collect

2.1 Information you give us

When you contact us — by email, by filling in a form on roogify.com, or by replying to a message we sent you — we receive whatever you choose to share. That usually includes your name, the name of your business, your business email address and phone number, and any context you give about what you need from us.

If you become a customer, we additionally collect billing details (handled by Stripe, not stored on our own servers), the content you want on your website (text, logos, photos, opening hours), and any subsequent edit requests you send us.

2.2 Information we collect automatically

When you visit roogify.com or a website we host for a customer, our hosting providers record standard server log data — IP address, browser type, the page you requested, and the time of the request. This is used to operate the service, prevent abuse, and diagnose problems. Logs are retained by the processor for around 30 days and then deleted.

We do not set advertising cookies. We do not track you across other websites. We do not sell or rent your data to anyone.

2.3 Information we collect from third parties

To find businesses who might benefit from our service, we use public business directories and search APIs (Google Places, Brave Search). The only data we collect this way is information a business has chosen to publish — the company name, the trading address, the public phone number, and a public-facing email address (for example, info@ or hello@).

We do not scrape personal data of named individuals from social networks. We do not buy lead lists from data brokers.

3. How we use your information

We use personal data only for the following purposes:

  • To respond to your enquiries and to deliver the service you have asked us to deliver.
  • To contact business decision-makers about our service, where it is reasonable to do so under the lawful basis explained below.
  • To take payment for and account for our service.
  • To diagnose technical problems, prevent fraud, and keep the service running safely.
  • To comply with our legal and tax obligations.

We do not use your data to train AI models on your behalf or anyone else's. When we use AI tools internally (see Section 6, Subprocessors), we use them in a transient way that does not contribute your data to provider training sets.

4. Lawful basis for processing (UK GDPR / EU GDPR)

Under the UK GDPR and EU GDPR, we have to tell you the lawful basis on which we process your personal data. Here is ours, broken out by activity:

  • Cold outreach to a registered limited company's business email address. Lawful basis: legitimate interest (Article 6(1)(f) UK GDPR), in reliance on the corporate subscriber exemption in regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). We have carried out a Legitimate Interests Assessment and balanced our interest in offering a relevant B2B service against the privacy expectations of the recipient. We do not cold-email sole traders, partnerships of individuals, or named personal mailboxes without a prior business connection.
  • Lead enrichment using public business data. Lawful basis: legitimate interest. Only data the business has chosen to publish is processed.
  • Contact form submissions and enquiry replies. Lawful basis: consent (Article 6(1)(a)) — by submitting a form or replying, you are choosing to start a conversation with us.
  • Service delivery, hosting, edits, and billing for active customers. Lawful basis: performance of a contract (Article 6(1)(b)).
  • Service emails to active customers (account, technical, billing). Lawful basis: contract and legitimate interest.
  • Tax and accounting record retention. Lawful basis: compliance with a legal obligation (Article 6(1)(c)).
  • Marketing emails to people who have opted in to a list (we do not currently run such a list, but if we ever do). Lawful basis: consent.

5. Cold outreach and your right to object

If you received an email from us out of the blue, here is exactly what happened: we identified your business in a public directory, found a publicly listed business email address, and judged that our service was potentially relevant. We did not buy your details from a third-party broker, and we did not target a named individual.

You have an absolute right to object to direct marketing under Article 21(2) UK GDPR. We respect this without question and without asking why. There are three equivalent ways to opt out:

  • Click the one-click unsubscribe link in any email we send. This uses the standard List-Unsubscribe header so it works from the headers of compatible mail clients as well.
  • Reply to the email with the word "stop", "unsubscribe", or anything similar. A human reads every reply.
  • Email team@roogify.com and ask to be removed.

Once you opt out we add your address to a permanent suppression list. We do not contact you again, and we do not pass your details to anyone else.

6. Subprocessors

We use a small set of trusted service providers to run the service. Each one is bound by a written data processing agreement and is only allowed to process your data on our instructions. Here is the complete list:

  • Cloudflare, Inc. (USA) — DNS, CDN, Pages hosting, D1 database, Workers, Email Routing. Processes all website traffic, lead records, and email threads.
  • Vercel Inc. (USA) — Hosting for individual customer demo websites. Processes visitor analytics on demo sites and any form submissions made there.
  • Resend (USA) — Transactional and outreach email delivery. Processes recipient email address, subject, and body.
  • Anthropic PBC (USA) — AI generation of draft email content and design briefs. Email body content is sent transiently and is not retained by Anthropic for training under our enterprise terms.
  • Stripe, Inc. (USA, with Stripe Payments Europe Ltd in Ireland for EU customers) — Payment processing. Processes billing details and payment history.
  • Mercury (Choice Financial Group) (USA) — Business banking for receiving payouts. Receives aggregate payout data only — no customer personally identifying information.
  • Google LLC (USA) — Places API for discovering businesses that might be a fit for our service. Only public business data is exchanged.
  • Brave Software (USA) — Brave Search API for discovering publicly listed business email addresses. Only public business data is exchanged.
  • Telegram FZ-LLC (United Arab Emirates) — Internal operator notifications. Receives lead-status events only (for example, "new reply received") — no customer personally identifying information is sent to Telegram.

We will update this list when it changes. If you want to be notified of changes in advance, email team@roogify.com.

7. International data transfers

Roogify LLC is established in the United States. Most of our subprocessors are also established in the United States; one (Telegram) is established in the United Arab Emirates. This means personal data may be transferred outside the United Kingdom and the European Economic Area.

Where we transfer personal data of UK or EU data subjects to the United States, we rely on the EU-US Data Privacy Framework (and the UK extension to it) where our processor is certified, and on the European Commission's Standard Contractual Clauses (plus the UK Information Commissioner's Office international data transfer addendum) in all other cases. For the Telegram transfer to the UAE, we rely on Standard Contractual Clauses combined with the operator-only nature of the data shared.

8. Data retention

We keep personal data for no longer than we need it. Specifically:

  • Cold outreach leads who never engaged: 24 months from the last touchpoint, then deleted from our lead database.
  • Leads who replied but did not become customers: 36 months from the last reply.
  • Active customer records: for the duration of the subscription plus seven years afterwards, to satisfy United States federal and state tax record retention requirements.
  • Email thread history: retained for the same period as the underlying lead or customer record.
  • Server access logs (Cloudflare, Vercel): retained by the processor for around 30 days and then deleted.
  • Stripe transaction data: seven years, as required by financial regulation.
  • Opt-out / suppression list: kept indefinitely for the express purpose of making sure we do not contact you again.

9. Your rights

Under the UK GDPR and the EU GDPR you have the following rights in relation to the personal data we hold about you. We honour all of them whether you are in the UK, the EU, or elsewhere:

  • Right of access (Article 15) — to ask for a copy of the personal data we hold about you.
  • Right to rectification (Article 16) — to have inaccurate personal data corrected.
  • Right to erasure (Article 17), sometimes called the "right to be forgotten" — to have your personal data deleted.
  • Right to restriction (Article 18) — to ask us to stop using your personal data while you challenge our handling of it.
  • Right to data portability (Article 20) — to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Article 21) — to object to our processing of your personal data, including an absolute right to object to direct marketing.
  • Right to withdraw consent — where we are relying on your consent, to withdraw it at any time. This does not affect the lawfulness of earlier processing.
  • Right to lodge a complaint with a supervisory authority. In the UK that is the Information Commissioner's Office (ICO) at ico.org.uk/concerns. In the EU it is your national data protection authority.

To exercise any of these rights, email team@roogify.com. We will respond within one month, as required by Article 12(3) UK GDPR. If your request is particularly complex, we may extend that by up to a further two months and will tell you why.

10. Cookies and tracking

roogify.com itself sets no third-party advertising or analytics cookies. The only cookies set are strictly necessary cookies used by our hosting provider Cloudflare for security and load balancing. We do not run cross-site tracking pixels, retargeting tags, or behavioural advertising scripts.

If we ever introduce additional cookies, we will add a clear cookie banner with granular controls before doing so, and we will update this policy.

11. Security

We take reasonable technical and organisational measures to protect personal data. In practical terms that means:

  • All traffic to roogify.com and to customer sites is served over HTTPS with modern TLS.
  • Our lead and customer database is encrypted at rest by our infrastructure provider.
  • Access to administrative systems requires multi-factor authentication.
  • Only a small number of named operators have access to customer data, and access is logged.
  • We do not store full payment card numbers — those are handled by Stripe under PCI-DSS.

No system is perfectly secure. If you believe your data has been compromised, please tell us immediately at team@roogify.com so we can investigate.

12. Children's privacy

Roogify is a business-to-business service. It is not directed at children, it is not intended to be used by anyone under the age of 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Changes to this policy

We review this policy at least once a year, and we update it whenever a material change is needed — for example, if we add a new subprocessor or change a retention period. The "Last updated" date at the top of this page always reflects the latest revision.

For material changes, we will additionally announce the change by email to active customers and by a homepage banner for at least 30 days.

14. Contact us

If you have any questions about this policy, or if you want to exercise any of your rights, please contact us:

Roogify LLC
30 N Gould St, STE R
Sheridan, WY 82801
United States of America
team@roogify.com

15. Effective date

This Privacy Policy is effective from 22 May 2026 and was last updated on 22 May 2026.