Privacy Policy
Annex 1: Privacy Policy (Rocketmail as Data Controller)
This annex explains how Rocketmail processes personal data when acting as a data controller, in accordance with Articles 13 and 14 of the GDPR. It applies to any natural person concerned by the processing of their personal data, in particular in the case of:
- When a User subscribes to the Application Services
- When a User or Sub-User uses their account
- When the Application Services are used in any way
This annex forms part of the Agreement and constitutes a privacy policy pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR).
1. Data controller
Rocketmail S.à r.l.
16-18 rue Robert Stumper, L-2557 Luxembourg-City, Luxembourg
RCS Luxembourg B157869
The company can be contacted:
- By email: support@lodago.com
- By the contact form available on the website www.lodago.com
2. Summary of Processing Activities
| Purpose of Processing | Legal Basis | Categories of Data | Data Subjects | Retention Period |
|---|---|---|---|---|
| Manage subscriptions and grant Sub-User access | Contract performance | Company info, billing details, identity (name, email, address), function, subscription options, payment data | Sub-User | 5 years after subscription ends |
| Invoice services and maintain accounts | Legal obligation | Same as above | Sub-User | Accounting and tax limitation periods |
| Appointment booking with Rocketmail team | Consent | Identity (name, email), function, company, appointment details, and messages | Sub-User | During subscription period |
| Fulfill GDPR rights and verify identity | Legal obligation | Identity (name, email, electronic ID or copy of ID if necessary) | Sub-User | Max 12 months after last contact (or identity check only for time of verification) |
| Monitor data breaches | Legitimate interest | Connection logs (access, usage) | Sub-User | 12 months |
| CRM and customer relationship management | Legitimate interest | Identity, company info, subscription data, and messages | Sub-User | 3 years after last interaction |
| Technical support | Consent | Identity, function, company, and messages exchanged | Sub-Users | 5 years after end of technical support |
Fields marked with an asterisk in forms are required. Failure to complete them may prevent Rocketmail from responding to requests.
3. Data Processed on Behalf of Users
When Sub-Users use Lodago to book meetings, scan leads, or register attendees for events, the User is the data controller for any customer or third-party data processed. Rocketmail acts as a data processor per Article 28 of the GDPR and only follows documented instructions from the User. Any rights requests must be directed to the User.
4. Data Recipients
Rocketmail only communicates personal data to authorized and designated recipients. The recipients concerned are, internally, the internal departments of Rocketmail and, depending on the personal data concerned, externally:
| Recipients | Data Shared |
|---|---|
| Amazon EU (Hosting) | Data related to Application Services |
| Adyen | Company and billing details |
| Zoho EU, Tax Administration | Invoicing and accounting data |
| Freshworks CRM, Zendesk | Support and IT ticket data |
| HubSpot CRM | Subscription and relationship history |
5. Security Measures
In accordance with Article 32 GDPR, Rocketmail applies appropriate technical and organizational measures to ensure data security, considering the nature of processing and associated risks, including accidental or unlawful access, loss, or disclosure. These safeguards include:
- Encrypted HTTP authentication
- Redundant servers and load balancing
- Firewall and intrusion protection
- Vulnerability scans and penetration tests
- Daily remote backups*
- SHA256 data encryption at rest and in transit
6. International Transfers
No personal data is transferred outside the EU.
7. Data Subject Rights
Data subjects have the following rights:
- Withdraw consent at any time (where applicable)
- Information and transparency (Articles 13–14 GDPR)
- Access (Article 15 GDPR)
- Rectification of inaccurate/incomplete data (Article 16 GDPR)
- Erasure / right to be forgotten (Article 17 GDPR)
- Restriction of processing (Article 18 GDPR)
- Objection to processing (Article 21 GDPR)
- Data portability (Article 20 GDPR)
- No automated decision-making (Article 22 GDPR)
- Right to define post-mortem data instructions (for EU residents)
Requests may be submitted:
- by email to dpo@lodago.com
- or by post to 16-18 rue Robert Stumper, L-2557 Luxembourg-City, Luxembourg
Complaints may be filed with the CNPD (National Commission for Data Protection, Complaints Department):
- 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg
- https://cnpd.public.lu
- https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html
7. How to exercise your rights?
The rights can be exercised by simple mail sent to Rocketmail by post at the address 9 rue du Laboratoire l-1911 Luxembourg or by email at the email address: dpo@rocketmail.lu. In case of reasonable doubt(s) about the identity of the person concerned, Rocketmail may request a copy of an identity document in order to ensure the exact identity of the person making any request and to avoid communication of data to an illegitimate third party.
If the response provided by Rocketmail is not satisfactory to the person concerned, the latter is hereby informed that they may submit a complaint to the National Commission for Data Protection, Complaints Department, 15 Boulevard du Jazz, L-4370 Belvaux or https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html.
8. Definitions
- Application Services: SaaS offering by Rocketmail allowing access to the Software, including hosting, maintenance, and support
- Data Controller: Rocketmail S.à r.l., 16-18 rue Robert Stumper, L-2557 Luxembourg-City, Luxembourg, RCS Luxembourg B157869
- Data Subject: Any individual whose personal data is processed
- Personal Data: Any information relating to an identified or identifiable natural person. An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
- Processor: Entity processing data on behalf of the controller
- Processing or Processing(s): Any operation or set of operations, whether or not carried out using automated processes, applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure, or destruction.
- Recipient: Any natural or legal person, public authority, service, or any other organization that receives communication of personal data, whether or not it is a third party.
- Software: The software developed by Rocketmail S.à r.l. and marketed under the name Lodago. It includes functionalities related to event and meeting management, scheduling, and attendee engagement, as well as the associated documentation, interfaces, and configurable parameters.
- Sub-User: Any physical person designated by the User who benefits, through the User’s Subscription, from the Application Services. A Sub-User can be an employee, a contractor, an agent and/or any person involved in general business operations of the User, such as its Affiliates for their own general business operations. The Sub-User must be at least 18 years old on the date they benefit from the Application Services.
- Subscription: The User’s agreement with Rocketmail for use of Application Services
- User: The Subscriber’s legal entity using the Application Services
Annex 2: Data Processing Agreement (Rocketmail as Processor)
This annex constitutes a data processing agreement pursuant to Article 28 of the General Data Protection Regulation (GDPR). It defines the conditions under which Rocketmail, acting as a data processor, is authorized to process personal data on behalf of the User, the data controller, in the context of providing the Application Services described in the Agreement.
1. Purpose of Processing
The following outlines the data processing Rocketmail performs on behalf of the User, solely based on the User’s documented instructions and for the purpose of delivering the Application Services:
- Deliver the Application Services
- Allow Sub-Users and third parties to schedule, update, and manage meetings
- Register participants for events
- Capture and process lead information (e.g., scanned business cards or form submissions)
- Synchronize calendars
- Store appointment history and messages
- Track email opens and monitor platform use
- Enable support interactions
- Assist Users with GDPR compliance (breaches, access rights, verification)
- Host, secure, and back up data
2. Duration
This annex applies throughout the duration of the User’s Subscription.
3. Nature of Processing
Operations include: collection, transmission, storage, backup, and exchange.
4. Types of Data and Data Subjects
The type of data processed mainly concerns information related to appointment scheduling, lead capture, and participant registration (such as individuals’ identity, email address, date and time of the meeting, purpose of the meeting, meeting details, and purpose of the event). The specific data processed depends on what is provided by the User and Sub-Users.
The categories of data subjects include Sub-Users, recipients of the Users and Sub-Users, and more generally, any natural person whose data is processed by the User or Sub-Users on behalf of the User (the data controller) and transmitted to Rocketmail (the data processor).
5. User Obligations
The User undertakes to:
- Make available to Rocketmail all information and data necessary for the execution of Rocketmail’s tasks;
- Provide written documentation of any instructions given to Rocketmail regarding the processing of data;
- Ensure that Rocketmail complies with its obligations under the GDPR both prior to and during the data processing;
- Supervise the processing activities;
- Inform the individuals concerned at the time of data collection, in accordance with Articles 13 and 14 of the GDPR, including that their data may be collected and processed by Rocketmail.
In accordance with Article 28(3) of the GDPR, it is recalled that the data controller is responsible for the processing of personal data and holds the rights defined under Article 28 of the aforementioned Regulation.
6. Rocketmail Commitments
Rocketmail agrees to:
- Process data only for the documented purposes
- Alert the User if any instruction appears to violate data protection laws
- Guarantee confidentiality and train authorized personnel
- Ensure that the persons authorized to process personal data under this Agreement:
- Are committed to confidentiality or are subject to an appropriate legal duty of confidentiality
- Receive the necessary training in the protection of personal data
- Consider the principles of data protection by design and data protection by default in its tools, products, applications, or services
- Assist the User with obligations under Articles 32–36 GDPR
7. Use of Subprocessors
Rocketmail may appoint subprocessors to perform specific processing activities but must inform the User in advance in writing, specifying the processing concerned, the identity and contact details of the subprocessor, and the start date.
The User may object within fifteen (15) calendar days of notification.
Rocketmail will ensure subprocessors are bound by written agreements imposing equivalent GDPR obligations, including appropriate technical and organizational measures.
Rocketmail remains fully liable to the User for the performance by the subsequent subcontractor of its obligations.
8. Assistance with Rights and Compliance
To the extent possible, Rocketmail undertakes to assist the User in:
- Complying with data subjects’ rights under the GDPR, including rights of access, rectification, erasure, objection, restriction of processing, data portability, not being subject to automated individual decision-making (including profiling), and the right to define post-mortem instructions
- Forwarding any such requests received directly by Rocketmail to the User without delay
- Conducting data protection impact assessments (DPIAs)
- Performing prior consultations with supervisory authorities, where applicable
9. Security Breach Notification
Rocketmail will notify the User of any personal data breach as soon as possible and no later than 24 hours after becoming aware. Notification will be sent to the email provided by the User.
10. Security Measures
In accordance with Article 32 GDPR, Rocketmail applies appropriate technical and organizational measures to ensure data security, considering the nature of processing and associated risks, including accidental or unlawful access, loss, or disclosure. These safeguards include:
- Encrypted HTTP authentication
- Redundant servers and load balancing
- Firewall and intrusion protection
- Vulnerability scans and penetration tests
- Daily remote backups
- SHA-256 data encryption at rest and in transit
11. End of Processing
At the end of the Subscription or upon termination of this Agreement, Rocketmail undertakes to cease all processing of the User’s and/or Sub-Users’ personal data in accordance with the User’s instructions. Rocketmail shall delete and/or return all personal data processed as a processor by appropriate means agreed with the User, no later than two (2) weeks after the termination or expiration of this Agreement, and shall provide a written statement confirming the deletion, destruction, or erasure has been completed.
12. Register of Processing Activities
Rocketmail declares that it maintains a written record of all categories of processing activities carried out on behalf of the User, including:
- The name and contact details of the data controller, any subprocessors, and, where applicable, the data protection officer
- The categories of processing carried out on behalf of the controller
- Where applicable, transfers of personal data to a third country or international organization, including the identification of such entities and, in the case of transfers under Article 49(1)(2) GDPR, documentation of appropriate safeguards
- To the extent possible, a general description of the technical and organizational security measures, including, where appropriate:
- Encryption of personal data
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Measures to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
- Procedures for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure data security
13. Documentation and Audits
Rocketmail shall make available to the User all documentation necessary to demonstrate compliance with its obligations under applicable personal data protection laws.
Rocketmail shall allow audits or inspections to be carried out by the User or an auditor appointed by the User, at the User’s expense, and shall assist with such audits.
Audits must respect business confidentiality and intellectual property rights, and under no circumstances will access to the source code of the Application Services be permitted.
14. Definitions
- Application Services: SaaS offering by Rocketmail allowing access to the Software, including hosting, maintenance, and support
- Data Controller: The User (as defined in Article 4.7 of the GDPR)
- Data Subject: Any individual whose personal data is processed
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as of 25 May 2018
- Personal Data: Any information relating to an identified or identifiable natural person. An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity
- Parties: Refers to Rocketmail and the User
- Processor: Rocketmail S.à r.l., 16-18 rue Robert Stumper, L-2557 Luxembourg-City, Luxembourg, RCS Luxembourg B157869 (as defined in Article 4.8 of the GDPR)
- Processing: Any operation performed on personal data (e.g., storage, transmission, deletion)
- Recipient: Person or organization receiving personal data
- Software: The software developed by Rocketmail S.à r.l. and marketed under the name Lodago. It includes functionalities related to event and meeting management, scheduling, and attendee engagement, as well as the associated documentation, interfaces, and configurable parameters
- Subprocessor: Refers to all subcontractors of Rocketmail
- Sub-User: Any physical person designated by the User who benefits, through the User’s Subscription, from the Application Services. A Sub-User can be an employee, a contractor, an agent, and/or any person involved in general business operations of the User, such as its Affiliates for their own general business operations. The Sub-User must be at least 18 years old on the date they benefit, through the User’s Subscription, from the Application Services
- Subscription: The User’s agreement with Rocketmail for use of Application Services
- User: The Subscriber’s legal entity using the Application Services and acting as data controller
