Privacy Policy

Last updated: December 12th 2025

This Privacy Policy explains how Roca.work SL and Kaidominic Devs SRL (together, “Roca.work”, “we”, “us”, “our”) collect, use, disclose, and protect personal data when you:

  • visit our website https://roca.work

  • contact us via forms or email

  • subscribe to our newsletter

  • interact with our marketing communications

  • use our Zendesk-related services or AI applications

We are committed to protecting your privacy and processing personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws.

1. Who We Are (Data Controllers)

Primary Data Controller

Roca.work SL
[Insert full registered address – Spain]
Email: info@roca.work

Roca.work SL acts as the primary controller for the website, commercial activities, services, and AI applications.

Joint Data Controller

Kaidominic Devs SRL
Str. Caloianca nr. 16C, Slatina, Olt, Romania
CUI 37988233
Trade Register No. J28/987/2017
Email: info@roca.work

Kaidominic Devs SRL acts as a joint controller, supporting service delivery, technical operations, and compliance activities.

The two entities cooperate closely and jointly determine the purposes and means of certain data processing operations, in accordance with Article 26 GDPR.

2. Scope of This Privacy Policy

This Privacy Policy applies to personal data processed:

  • through our website

  • through contact and lead-generation forms

  • through newsletter subscriptions

  • during sales and business communications

  • in connection with our Zendesk consulting services

  • in connection with our AI applications integrated with Zendesk

It does not apply to third-party websites or services that may be linked from our website. Those third parties have their own privacy policies.

3. Contact for Privacy Matters

For any questions regarding this Privacy Policy or the processing of your personal data, you may contact us at:

📧 info@roca.work

You may use this address to:

  • request information

  • exercise your GDPR rights

  • submit complaints or concerns

4. Categories of Personal Data We Collect

We collect personal data directly from you and indirectly through your interaction with our website and services.

4.1. Data You Provide Voluntarily

When you contact us, request information, or subscribe to our communications, we may collect the following personal data:

  • First and last name

  • Email address

  • Phone number

  • Company name

  • Job title or position

  • Any information you choose to include in your message

Providing this data is voluntary. However, if you choose not to provide certain information, we may not be able to respond to your request or provide our services.

4.2. Marketing and Newsletter Data

When you subscribe to our newsletter or marketing communications, we process:

  • Name

  • Email address

  • Company name

  • Job title (if provided)

  • Subscription preferences

  • Interaction data (opens, clicks, unsubscribe events)

Newsletter and marketing communications are sent via Mailchimp.

4.3. Website Usage and Technical Data

When you visit our website, we may automatically collect certain technical and usage data, such as:

  • IP address (in full or shortened form, depending on the tool used)

  • Browser type and version

  • Device type and operating system

  • Pages visited and actions taken on the site

  • Referrer URLs

  • Date and time of access

  • Approximate location (city / country level)

This data is collected through:

  • Squarespace analytics

  • Google Analytics (GA4)

  • Advertising and tracking technologies (where applicable)

Further details are provided in our Cookie Policy.

4.4. Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Ensure the website functions correctly

  • Understand how visitors use our website

  • Measure marketing performance

  • Improve user experience

Some cookies are strictly necessary, while others are optional and subject to consent.
Due to platform limitations, some third-party cookies may load before consent.

Full details are available in our Cookie Policy.

4.5. AI Applications and Zendesk Integration

When customers use our AI applications integrated with Zendesk:

  • We process ticket content provided by the customer

  • Personal data is automatically redacted before being processed by AI models

  • No payment data, credentials, or sensitive personal data is processed

Depending on customer configuration:

  • Ticket data may be processed in real time only, or

  • Redacted ticket text may be stored temporarily to improve AI context and response quality

We do not intentionally collect or store:

  • Unredacted personal data

  • Special categories of personal data (as defined by GDPR)

4.6. Knowledge Base and AI Context Data

To support AI functionality, we may process:

  • Knowledge base articles

  • Documentation content

  • Internal help materials provided by customers

This data:

  • Does not contain personal data

  • Is used only to generate contextual AI responses

  • Is stored as text or vector embeddings

4.7. Data We Do Not Intentionally Collect

We do not intentionally collect or process:

  • Special categories of personal data (health, biometric, political, religious data, etc.)

  • Payment card information

  • Government identification numbers

  • Data relating to children

If such data is accidentally provided, it will be deleted or anonymized where possible.

5. Purposes of Processing and Legal Bases

We process personal data only where we have a valid legal basis under Article 6 of the GDPR and only for specific, explicit, and legitimate purposes.

Below is an overview of why we process personal data and on what legal basis.

5.1. Responding to Inquiries and Requests

Purpose:
To respond to messages sent via contact forms, email, or other communication channels, and to take steps at your request prior to entering into a contract.

Categories of data:

  • Name

  • Email address

  • Phone number

  • Company name

  • Job title

  • Message content

Legal basis:

  • Article 6(1)(b) GDPR — performance of a contract or steps prior to entering into a contract

5.2. Providing Services and Zendesk Consulting

Purpose:
To provide Zendesk consulting services, configuration, customization, support, and related professional services.

Categories of data:

  • Business contact details

  • Communication data

  • Service-related information

Legal basis:

  • Article 6(1)(b) GDPR — performance of a contract

5.3. Marketing Communications and Newsletters

Purpose:
To send newsletters, updates, invitations, and marketing communications related to our services.

Categories of data:

  • Name

  • Email address

  • Company name

  • Job title

  • Interaction data (opens, clicks)

Legal basis:

  • Article 6(1)(a) GDPR — consent

You may withdraw your consent at any time by using the unsubscribe link in our emails or by contacting us.

5.4. Sales Outreach and Lead Management

Purpose:
To manage business leads, conduct sales outreach, and maintain professional relationships with prospective customers.

Categories of data:

  • Name

  • Email address

  • Company name

  • Job title

Legal basis:

  • Article 6(1)(f) GDPR — legitimate interest

Our legitimate interest consists of promoting our services to business contacts in a professional and proportionate manner. You may object to this processing at any time.

5.5. Website Analytics and Performance Monitoring

Purpose:
To understand how visitors use our website, improve performance, measure content effectiveness, and optimize user experience.

Categories of data:

  • Technical and usage data

  • Cookie identifiers

  • Device and browser information

Legal basis:

  • Article 6(1)(a) GDPR — consent (where required via cookies)

Further details are available in our Cookie Policy.

5.6. Advertising and Retargeting

Purpose:
To measure marketing performance and, where applicable, display relevant advertisements on third-party platforms.

Categories of data:

  • Cookie identifiers

  • Device and browser data

  • Campaign interaction data

Legal basis:

  • Article 6(1)(a) GDPR — consent

Advertising cookies are only used where consent is given, subject to platform limitations.

5.7. AI Applications and Automation

Purpose:
To operate AI-powered applications integrated with Zendesk, generate automated or assisted responses, and improve service efficiency.

Categories of data:

  • Redacted ticket content

  • Technical metadata (non-identifying)

Legal basis:

  • Article 6(1)(b) GDPR — performance of a contract

  • Article 6(1)(f) GDPR — legitimate interest in improving service quality and automation

Customers remain responsible for ensuring that no unredacted personal data is intentionally submitted to the AI systems.

5.8. Logging, Security, and System Integrity

Purpose:
To ensure system security, detect errors, prevent abuse, and maintain service reliability.

Categories of data:

  • Technical logs

  • Anonymized or pseudonymized identifiers

Legal basis:

  • Article 6(1)(f) GDPR — legitimate interest in ensuring security and service integrity

5.9. Legal Obligations and Dispute Resolution

Purpose:
To comply with legal obligations and defend or exercise legal claims.

Categories of data:

  • Identification data

  • Communication records

  • Contractual documentation

Legal basis:

  • Article 6(1)(c) GDPR — legal obligation

  • Article 6(1)(f) GDPR — legitimate interest in legal defense

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.

The retention periods vary depending on the type of data and the purpose of processing, as described below.

6.1. Contact and Lead Data

Personal data collected through contact forms, email inquiries, or sales communications is retained:

  • For as long as our business relationship continues, or

  • Until you request deletion or object to processing, or

  • Until you unsubscribe from our communications

6.2. Marketing and Newsletter Data

Marketing and newsletter subscription data is retained:

  • Until you withdraw your consent (unsubscribe), or

  • Until the communication purpose no longer exists

You may unsubscribe at any time using the link included in each email.

6.3. Website Analytics Data

Website analytics data is retained in accordance with the configuration of the analytics tools used:

  • Google Analytics (GA4): 14 months

  • Squarespace analytics: according to platform settings

This data is aggregated and used for statistical purposes.

6.4. AI Application Data

For our AI applications integrated with Zendesk:

  • Ticket data processed in real time is not stored after processing

  • If the customer enables optional context or memory features, redacted ticket data may be stored temporarily to improve AI responses

  • AI logs and technical metadata may be retained for a limited period for debugging, security, and performance monitoring

6.5. Legal and Compliance Data

Certain data may be retained for longer periods where required to:

  • Comply with legal obligations

  • Respond to lawful requests from authorities

  • Establish, exercise, or defend legal claims

6.6. Retention Review

We periodically review stored personal data and delete or anonymize data that is no longer necessary for the stated purposes.

7. Data Recipients and Data Sharing

We do not sell personal data.

We may share personal data only where necessary and only with trusted recipients, in accordance with this Privacy Policy and applicable data protection laws.

7.1. Service Providers (Processors)

We may share personal data with the following categories of service providers, acting as data processors on our behalf:

  • Website hosting and infrastructure providers (e.g. Squarespace)

  • Email marketing and newsletter providers (e.g. Mailchimp)

  • Analytics and performance measurement providers (e.g. Google Analytics)

  • Advertising and marketing platforms (e.g. Meta, LinkedIn)

  • Cloud infrastructure and server providers (e.g. Hetzner, EU-based)

  • AI service providers used to process redacted content only (e.g. OpenAI, Google Gemini)

  • Professional advisors (legal, accounting, compliance)

All processors are contractually bound to:

  • Process personal data only on our instructions

  • Implement appropriate technical and organizational security measures

  • Comply with GDPR and applicable data protection laws

7.2. Zendesk and Customer Data

When providing Zendesk-related services or AI applications:

  • We process data only on customer instructions

  • Customers act as data controllers for their Zendesk environments

  • We act as a data processor or sub-processor, depending on the service

Customers are responsible for:

  • Lawful collection of end-user data

  • Informing their own users about data processing

  • Ensuring no unredacted personal data is intentionally submitted to AI systems

7.3. Legal and Regulatory Disclosure

We may disclose personal data where required to:

  • Comply with a legal obligation

  • Respond to lawful requests from public authorities

  • Protect our legal rights or defend against claims

Such disclosures are made only where legally required and to the minimum extent necessary.

8. International Data Transfers

Some of our service providers process data outside the European Union (EU) or European Economic Area (EEA).

Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • Additional technical and organizational measures

  • Data minimization and redaction (especially for AI processing)

For AI services, only sanitized and redacted content is transmitted, and no sensitive or payment data is processed.

You may request further information about international transfers by contacting us at info@roca.work.

9. Security of Personal Data

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

These measures include, where appropriate:

  • HTTPS encryption for data in transit

  • Secure hosting environments

  • Access controls and role-based permissions

  • Two-factor authentication (2FA) for administrative access

  • Data minimization and redaction mechanisms (especially for AI processing)

  • Regular monitoring and logging

  • Internal policies and procedures for data protection and incident management

Access to personal data is limited to authorized personnel who require access for legitimate business purposes.

While we take reasonable steps to protect personal data, no system can be guaranteed to be completely secure.

10. Personal Data Breaches

In the event of a personal data breach, we will:

  • Assess the nature and scope of the incident

  • Take appropriate steps to mitigate potential harm

  • Notify the competent data protection authority where required by law

  • Inform affected individuals where the breach is likely to result in a high risk to their rights and freedoms

We maintain internal procedures for detecting, reporting, and investigating personal data breaches, in accordance with GDPR requirements.

11. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR, subject to applicable legal conditions:

  • Right of access – to obtain confirmation as to whether we process your personal data and access to that data

  • Right to rectification – to request correction of inaccurate or incomplete personal data

  • Right to erasure (“right to be forgotten”) – to request deletion of your personal data

  • Right to restriction of processing – to request limited processing in certain circumstances

  • Right to data portability – to receive your data in a structured, commonly used, machine-readable format

  • Right to object – to processing based on legitimate interests or for direct marketing purposes

  • Right to withdraw consent – at any time, where processing is based on consent

To exercise any of these rights, please contact us at:
📧 info@roca.work

We may request additional information to verify your identity before responding to your request.

12. Right to Lodge a Complaint

If you believe that your personal data has been processed unlawfully, you have the right to lodge a complaint with a supervisory authority.

You may contact:

  • The data protection authority in your country of residence, or

  • The Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), or

  • The competent authority in Spain, where our primary controller is established

Contact details for the Romanian authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Bulevardul Gheorghe Magheru nr. 28–30, Sector 1, București, România
Email: anspdcp@dataprotection.ro

13. Automated Decision-Making

We do not use personal data to make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on individuals.

Our AI applications are designed to assist human decision-making and do not replace human judgment.

14. Children’s Data

Our website, services, and AI applications are not intended for children under the age of 16.

We do not knowingly collect personal data from children.
If you believe that a child has provided us with personal data, please contact us so we can delete it.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements.

Any updates will be published on this page, and the “Last updated” date will be revised accordingly.

16. Contact

For any questions regarding this Privacy Policy or our data protection practices, please contact:

📧 info@roca.work