GDPR Compliance

Last updated: May 4, 2026

Data controller

Vincenzo.be SRL, registered in Belgium, is the data controller for your personal data within the Roger Service.

• Email: hello@heyroger.ai
• Country: Belgium (EU)

Legal bases for processing

• Performance of contract (Art. 6.1.b GDPR): account, conversations, execution of Google Ads actions you request.
• Legitimate interest (Art. 6.1.f GDPR): security, fraud detection, error tracking, aggregated product analytics.
• Legal obligation (Art. 6.1.c GDPR): retention of accounting invoices.
• Consent (Art. 6.1.a GDPR): connection to Google Ads via OAuth (which you can revoke at any time).

Your rights

• Access: obtain a copy of your personal data.
• Rectification: correct inaccurate data.
• Erasure: delete your data and close your account ("right to be forgotten").
• Portability: export your conversations and data in a structured format.
• Objection: object to processing based on our legitimate interest.
• Restriction: request that we suspend a contested processing.

To exercise these rights, email hello@heyroger.ai. We respond within 30 days.

Account deletion

When you delete your account:

• Your Google OAuth tokens are deleted immediately and access to your Google Ads account is revoked.
• Your conversations and profile data are deleted within 30 days.
• Encrypted backups containing them are erased within 90 days maximum, following the backup rotation schedule.
• Invoices are retained for 7 years (accounting obligation), with no identifier beyond what is required for accounting processing.

International transfers

Some of our sub-processors (Google, Postmark, Bugsnag, Anthropic, OpenAI) are located in the United States. Transfers rely on the European Commission's Standard Contractual Clauses and, for eligible sub-processors, on adequacy under the EU-US Data Privacy Framework.

Sub-processors

The current list of our sub-processors is published in the Privacy Policy.

Security

• Communications encrypted in TLS 1.2+
• OAuth tokens encrypted at rest
• Magic-link or Google OAuth sign-in (no password to remember)
• Daily encrypted database backups
• Code and infrastructure access restricted and logged
• Incident monitoring and 72-hour notification in case of breach

Cookies

The marketing site uses Plausible Analytics, which sets no cookies and stores no personally identifiable data. The authenticated application only sets the cookies required for your session.

Complaints

You may file a complaint with the Belgian Data Protection Authority: autoriteprotectiondonnees.be.