Legal document · Version 1.0
Privacy Policy
In effect since May 4, 2026
This English translation is provided for international athletes joining the waitlist. The Spanish version is the legally binding text. In case of any discrepancy between the two versions, the Spanish version prevails.
This policy explains what personal data we collect when you join the waitlist of RKOVERY, what we do with it, and what rights you have over it. It's written so you understand it, not to hide information in legal jargon.
If after reading it you have any question, write to us at contact@rkovery.com and we'll get back to you.
1. Who is the data controller
The controller of your personal data is, at this moment, a natural person:
- Name: Adrián Torres Bellido
- Tax ID (NIF): 47407853-T
- Address: C/ Obispo González Abarca nº 12, esc. A, 1º 4ª, 07800 Ibiza, Illes Balears, Spain
- Contact email: contact@rkovery.com
RKOVERY is in pre-launch phase and the company that will operate the app (RKOVERY S.L.) is pending incorporation. Once that company is registered with the Commercial Registry, it will take over as data controller. We'll let you know by email at least 30 days before the change is effective and we'll update this policy with the company's full details. Your rights, the purposes and the time periods will not change: only the legal entity responsible changes.
Data Protection Officer (DPO): we have not appointed a DPO. The law (Art. 37 GDPR) does not require us to do so while we are not carrying out massive and systematic processing of sensitive data, which is not the case at this waitlist phase (we only collect email). When the app goes live and we start processing health data at scale, we will appoint a DPO and announce it in a new version of this policy.
2. What data we collect and why
We collect only the minimum data needed to run the waitlist and let you know when RKOVERY is available.
2.1. Data you give us
- Your email address, when you fill in the form and click the button to join the waitlist.
2.2. Technical data associated with form submission
When you submit the form, we automatically record the following information so we can prove — if ever required — that your consent was real, free and traceable:
- Your IP address at the time of submission.
- Browser and device information (user-agent).
- Source of the visit (UTM parameters if you arrived from a specific campaign).
- Browser language (locale).
- Exact date and time of submission (UTC timestamp).
- Exact version of this policy and the terms that were published at that moment (consent_version).
2.3. What we use all this for
For one thing only: to send you email communications related to the RKOVERY app launch. This includes, without limitation:
- Letting you know when the app is available.
- Announcing relevant project milestones before launch (progress, early access windows, events).
- Occasionally asking for your opinion on the product if you want to participate.
We do not use your data for anything else. We do not sell it. We do not share it with third parties for advertising purposes. We do not run automated profiling or scoring from your email. We do not cross it with external databases. We do not install tracking, analytics or advertising cookies on this landing page.
3. Legal basis for processing
The legal basis on which we rely for this processing is your explicit consent, under Art. 6.1.a GDPR and Art. 6 LOPDGDD (Spanish Data Protection Act).
Your consent is expressed when, after reading (or having had the opportunity to read) this policy and the terms, you type your email into the form and click the button to join. That click is a clear affirmative action, as Art. 4.11 GDPR requires.
You may withdraw your consent at any time, with no need to justify it. Withdrawing is as easy as giving it:
- Clicking the "Unsubscribe" link that appears in every one of our emails.
- Or writing to us at contact@rkovery.com from the email address you want to unsubscribe.
The withdrawal of consent does not affect the lawfulness of processing carried out before you withdrew it (Art. 7.3 GDPR).
4. How long we keep your data
We keep your email and the associated technical data for:
- As long as you are actively subscribed to the waitlist.
- 3 additional years from the moment you unsubscribe or from the moment we detect prolonged inactivity (inactivity meaning you don't open any of our emails for 12 consecutive months).
After that period, we delete the data completely from our systems and from those of the providers that store it on our behalf. Deletion is real and definitive, not soft-deleted — that is, the data ceases to exist; it does not stay hidden in a recoverable trash.
The reason we keep the data for 3 years after unsubscription is defensive: to be able to prove, in the event of a complaint, that the processing was carried out lawfully. We do not use that data to send you anything during that post-unsubscription retention period.
5. Who we share data with
To run the waitlist we rely on tech providers. Those providers are data processors (Art. 28 GDPR): they process the data on our behalf, following our instructions, and are bound by Data Processing Agreements (DPAs) that require them to apply security and confidentiality measures.
The processors currently involved are:
| Provider | What we use it for | HQ |
|---|---|---|
| Loops | Sending waitlist emails and managing the subscriber list. | United States |
| Supabase | Storing the subscriber database and the technical consent records. | United States |
| Vercel | Hosting rkovery.com (servers that serve the page and process form submissions). | United States |
If at any time we add a new processor or replace an existing one, we will update this table and issue a new version of the policy. Substantial changes will be communicated to you by email.
We do not transfer your data to third parties for purposes other than the processing described here. In particular, we do not transfer data to advertising networks, data brokers or third companies for those third parties' own commercial purposes.
6. International transfers
The three providers listed in the previous section are headquartered in the United States, so processing your data involves an international transfer outside the European Economic Area.
The transfer is lawful because it is backed by two guarantee mechanisms recognised by the European Commission:
- EU-US Data Privacy Framework Adequacy Decision (Commission Decision of 10 July 2023), when the provider is certified under that framework. This mechanism aligns the guarantees offered by the US provider with European ones.
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), incorporated into the data processing agreements signed with each provider. The SCCs require the provider to apply guarantees equivalent to GDPR even if the data is physically in the US.
If you want a copy of the specific guarantees signed with each of the providers, write to us at contact@rkovery.com and we'll share them with you.
7. Your rights
GDPR and LOPDGDD grant you a set of rights over your personal data. You can exercise all of them at any time, free of charge, by writing to us at contact@rkovery.com from the address you gave us.
| Right | What you can do |
|---|---|
| Access(Art. 15 GDPR) | Ask us to confirm what data of yours we hold and obtain a copy. |
| Rectification(Art. 16 GDPR) | Ask us to correct inaccurate data or to complete incomplete data. |
| Erasure(Art. 17 GDPR) | Ask us to delete your data. If there is no legal obligation preventing it, we delete it. |
| Restriction(Art. 18 GDPR) | Ask us to stop processing your data for a period (for example, while a rectification is being resolved). |
| Portability(Art. 20 GDPR) | Ask us to deliver your data in a structured, commonly used format so you can take it to another service. |
| Objection(Art. 21 GDPR) | Object to a specific processing. |
| Withdrawal of consent(Art. 7.3 GDPR) | Withdraw your consent with no need to justify it. Equivalent to unsubscribing. |
| Not being subject to automated decisions(Art. 22 GDPR) | Not applicable to this processing, since we do not make automated decisions with legal effects on you. |
Maximum response time: one month from your request, extendable by two additional months in complex cases, duly communicated (Art. 12.3 GDPR).
To verify that the request comes from you and not a third party, we may ask you for reasonable proof of identity (for example, that the request comes from your own email or equivalent document).
8. Complaint with the supervisory authority
If you believe that the processing of your data does not comply with the law, or if you exercise any of the rights above and are not satisfied with the response, you have the right to file a complaint with the Spanish Data Protection Authority (AEPD):
- Website: https://www.aepd.es
- Electronic office: https://sedeagpd.gob.es
- Postal address: C/ Jorge Juan, 6, 28001 Madrid, Spain
Before going to the AEPD, we encourage you to contact us first at contact@rkovery.com. We can probably resolve it directly and faster.
Additional information
Minimum age
Only people over 16 years old can join the RKOVERY waitlist. If we learn that a record belongs to someone under that age, we delete it immediately. If you are a parent or legal guardian of a minor under 16 who has signed up, write to us at contact@rkovery.com and we'll proceed with deletion.
Cookies and similar technologies
The waitlist landing page does not install tracking, analytics or advertising cookies. Only strictly technical and session cookies necessary for the page to function are used, which are exempt from consent under Art. 22.2 LSSI (Spanish e-Commerce Act). When the app goes live, we will publish a separate cookie policy specific to the new processing activities introduced.
Automated decisions and profiling
At this waitlist phase, we do not make automated decisions nor profile subscribers, within the meaning of Art. 22 GDPR.
Health data
At this waitlist phase we do not collect health data. When the app is available and you start using it, we will collect data about your sporting activity, pain and physical patterns: at that moment the reinforced regime of Art. 9 GDPR (separate explicit consent, impact assessment and other guarantees) will apply, which we'll detail in a policy specific to the app.
Changes to this policy
If this policy changes substantially, we'll communicate it to you by email before the change comes into effect and we'll publish the new version on the website with its number and date. Previous versions are kept archived internally to guarantee consent traceability.