Legal
Privacy Policy
Last updated: 5 June 2026
This policy explains what personal data Rekka collects, why we collect it, how long we keep it and what your rights are under the EU General Data Protection Regulation (GDPR).
1. Who we are
Rekka is a workplace wellness service operated by:
Happy Cloud Studio Sp. z o.o. Ul. Grzybowska 87 00-844 Warsaw, Poland NIP: 5272786566 Email: team@happycloudstudio.com
Happy Cloud Studio Sp. z o.o. is the controller of the personal data we collect about you as a Rekka account holder (your account, billing, support correspondence and the like). For the personal data that a company adds to its workspace about its team, the company is the controller and we act as processor on its behalf. The terms governing that relationship are set out in our Data Processing Agreement.
Privacy contact: Franco Toccu, reachable at privacy@happycloudstudio.com.
2. Scope of this policy
This policy applies to:
- Visitors of rekka.app and its subdomains.
- People who create or use a Rekka account on app.rekka.app (company Owners and the employees they invite).
- People who contact us through the website form or by email.
It does not apply to third-party sites reached through links from Rekka. Those have their own policies.
3. Information we collect
3.1 Account information
When an account is created: name, email address, hashed password, language preference and the role held in the workspace (Owner or employee). When an Owner invites a colleague, the same information is collected for that colleague.
3.2 Company information
For the company workspace: company name, VAT code, business area, preferred currency, timezone, address, phone number and an optional logo, together with GDPR consent timestamps and marketing preferences.
3.3 Wellbeing content
The wellbeing data an employee chooses to record in the app: personal projects and time-tracking sessions, journal reflections and optional mood snapshots (body, heart and focus), habit tracking and streaks, and exercise sessions with their feedback. This content is private to the individual who created it. The employer and other colleagues cannot see it. We process it only to provide the service to that person, on their instructions, and for no other purpose. See section 8 on sensitive data.
3.4 Usage and technical data
Standard server logs collected automatically: IP address, browser type, requested pages and timestamps. We use them for security, abuse prevention and keeping the service running. Logs are kept for up to 90 days.
3.5 Communications
If you write to us (support email, the website contact/demo form, replies to product emails) we keep the message and our reply so we can follow up and improve the service. Submissions from the website demo form are stored in our own customer-relationship tool (Zentria, also operated by Happy Cloud Studio) so we can respond to you.
3.6 Billing information
Once paid plans launch, billing details will be collected (company name, billing address, VAT number, invoice history). Card and bank details are handled by our payment provider and never reach our servers.
3.7 Cookies
We use a small number of strictly-necessary cookies to keep you signed in and remember your language. See our Cookie Policy for the full list.
4. Why we use your data, and on what legal basis
| Purpose | Legal basis (GDPR Art. 6 / 9) |
|---|---|
| Provide Rekka to an account holder and their team | Performance of a contract (Art. 6(1)(b)) |
| Let an employee record and review their own wellbeing entries | Contract (Art. 6(1)(b)); explicit consent for sensitive entries (Art. 9(2)(a)) |
| Keep the service secure and prevent abuse | Legitimate interest (Art. 6(1)(f)) |
| Send transactional emails (signup confirmation, password reset, invitations, account notices) | Contract (Art. 6(1)(b)) |
| Issue invoices and keep tax records | Legal obligation (Art. 6(1)(c)), Polish Accounting Act |
| Respond to your support requests | Legitimate interest (Art. 6(1)(f)) |
| Send product news or offers (if and when we add them) | Consent (Art. 6(1)(a)), opt-in only |
We do not sell your data, we do not share it with advertisers, and we do not profile you or make automated decisions that produce legal effects.
5. How long we keep it
- Account data: for as long as the workspace is active. If a workspace is deleted, account data is soft-deleted immediately and permanently erased after a 30-day grace period.
- Wellbeing content: kept until the person deletes it in the app, or until the workspace is deleted.
- Server logs: up to 90 days.
- Backups: rotated within 30 days. Deleted data may persist in backups until that interval passes.
- Invoices and tax documents: 5 years from the end of the year the invoice was issued, as required by Polish law.
- Support correspondence: up to 2 years after the last message in a thread.
6. Who we share it with
We use a small number of trusted service providers (sub-processors) to operate Rekka. Each is bound by a written data processing agreement and processes data only on our instructions.
| Provider | Purpose | Place of processing |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | Frankfurt, Germany (EU) |
| Cloudflare, Inc. | Web hosting, CDN, edge application runtime, DDoS protection | Global edge network, configured for EU data residency where supported |
| Brevo (Sendinblue SAS) | Delivery of transactional emails (signup confirmation, password reset, invitations, approval and rejection notices) | France (EU) |
Planned additions, which will be reflected here before they go live:
- A payment provider, to process subscriptions once paid plans launch.
We do not share your personal data with any third party for its own marketing purposes.
7. International data transfers
Your data is primarily processed within the European Economic Area (EEA). Some of our sub-processors are part of groups with US parent companies. Where any transfer outside the EEA occurs to a country not recognised by the European Commission as providing an adequate level of protection, it is governed by the European Commission's Standard Contractual Clauses, with supplementary technical and organisational measures where appropriate.
8. Sensitive data and your wellbeing
Some entries you may choose to make in Rekka, such as a journal reflection or a mood snapshot, can reveal information about your health or emotional state, which the GDPR treats as a special category of data. We handle this with particular care:
- It is provided voluntarily by you. Every wellbeing feature is optional.
- It is processed on the basis of your explicit consent (Art. 9(2)(a)), which you can withdraw at any time by deleting the entries or your account.
- It is visible only to you. Your employer, your Owner and your colleagues cannot see your reflections, moods, habits or exercise history.
- It is never used for profiling, scoring, or automated decisions, and never sold or shared with advertisers.
9. How we protect your data
We apply appropriate technical and organisational measures, including encryption in transit and at rest, row-level access controls so each person can reach only their own data, EU-based hosting, least-privilege access for our team, and regular backups. A fuller description is set out in Annex 3 of our Data Processing Agreement.
10. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict and port your data, to object to certain processing, and to withdraw any consent you have given. Much of this you can do yourself from your account settings (edit your profile, delete entries, delete your account). For anything else, write to privacy@happycloudstudio.com and we will respond without undue delay and within one month.
You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Polish Personal Data Protection Office (UODO, uodo.gov.pl); you may also contact the authority in your own country.
11. Changes to this policy
We may update this policy if our practices change. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated by email or an in-app notice.
12. Contact
Happy Cloud Studio Sp. z o.o. Ul. Grzybowska 87, 00-844 Warsaw, Poland Privacy contact: Franco Toccu Email: privacy@happycloudstudio.com