Privacy Policy

Who We Are and How to Contact Us

The data controller responsible for your personal data is ROLIX Engineering Consultancy, a business registered and operating at Naxou, 1, 1st Floor, Flat/Office 103, Strovolos, 2043, Nicosia, Cyprus.

As data controller, ROLIX determines the purposes and means by which your personal data is processed. If you have any questions, concerns, or requests relating to this Privacy Policy or our data processing activities, you may contact us at any time using the details set out in Section 14 of this document.

ROLIX does not currently have a formally appointed Data Protection Officer (DPO) but takes all privacy obligations seriously and will respond to all data-related inquiries promptly and thoroughly.

Scope of This Policy

This Privacy Policy applies to all personal data processed by ROLIX in connection with:

• Visitors to the ROLIX website and any associated web pages.
• Individuals and representatives of companies who submit project inquiries, contact forms, or briefing documents through our website or by email.
• Clients engaged in active or past project engagements with ROLIX.
• Prospective clients who have expressed interest in ROLIX services but have not yet commenced a formal engagement.
• Any other individuals whose personal data is provided to ROLIX in connection with a project, including client-side contacts, technical collaborators, or project stakeholders.

This policy does not apply to any third-party websites, platforms, or services linked to or from the ROLIX website. ROLIX is not responsible for the privacy practices of any third party and encourages users to review the privacy policies of any third-party services they use.

What Personal Data We Collect

ROLIX collects and processes the following categories of personal data:

ROLIX does not collect any special categories of personal data (such as health data, biometric data, or political opinions) and does not knowingly collect personal data from individuals under the age of 18.

ROLIX does not purchase personal data from third-party data brokers or marketing lists.

How and Why We Use Your Data

ROLIX uses personal data for the following purposes:

• Service Delivery. To perform engineering consultancy services as agreed in Project Agreements, including communicating project requirements, delivering Deliverables, and managing the engagement.
• Client Communication. To respond to project inquiries, answer technical questions, provide project updates, and handle any concerns or disputes that arise during an engagement.
• Invoicing and Payment. To generate invoices, track payments, manage accounts receivable, and maintain financial records as required by law.
• Contract Management. To create, manage, and enforce Project Agreements and to maintain records of contractual commitments and Deliverables.
• Legal Compliance. To comply with applicable legal, regulatory, and tax obligations, including retention of records required by Cypriot law and EU regulations.
• Service Improvement. To improve the quality and efficiency of our services based on client feedback and project experience, using aggregated and anonymized insights.
• Marketing and Business Development. To send relevant updates, service announcements, or case study communications to existing and prospective clients who have provided consent or with whom we have an existing business relationship, as permitted by applicable law.
• Website Analytics. To understand how visitors use the ROLIX website in order to improve content, navigation, and user experience.
• Security and Fraud Prevention. To detect, prevent, and respond to security incidents, fraud, and other harmful activities.

Legal Bases for Processing

Under the GDPR, ROLIX relies on the following legal bases for processing personal data:

• Contractual Necessity (Article 6(1)(b)). Processing required to perform a project engagement or to take steps at your request prior to entering into an engagement, including all core service delivery and client communication activities.
• Legal Obligation (Article 6(1)(c)). Processing required to comply with applicable laws, including tax law, financial record-keeping requirements, and data protection regulations themselves.
• Legitimate Interests (Article 6(1)(f)). Processing necessary for ROLIX's legitimate business interests, including maintaining project records, improving services, preventing fraud, managing the website, and communicating with existing clients about related services. ROLIX has assessed that these interests do not override the fundamental rights and freedoms of data subjects.
• Consent (Article 6(1)(a)). Where ROLIX sends marketing communications to individuals who are not existing clients, this is done only with explicit prior consent. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

Data Sharing and Third Parties

ROLIX does not sell, rent, or trade personal data to any third party for commercial purposes. Personal data is shared with third parties only in the following limited circumstances:

• Payment Processors. Payment information is processed by third-party payment processors. ROLIX does not store full payment card details. Payment processors operate under their own privacy policies and comply with applicable financial data security standards.
• Cloud Storage and Productivity Tools. ROLIX uses industry-standard cloud platforms (such as cloud storage, email, and project management tools) to store and process project files and communications. These providers are selected for their security and compliance credentials and are bound by data processing agreements.
• Professional Advisors. ROLIX may share relevant data with legal advisors, accountants, or auditors where necessary to obtain professional advice or to comply with legal obligations. These parties are bound by confidentiality obligations.
• Legal Authorities. ROLIX may disclose personal data to law enforcement, regulatory authorities, or courts where required by applicable law or where necessary to protect the legal rights of ROLIX or others.
• Business Transfers. In the event of a merger, acquisition, or sale of all or substantially all of ROLIX's business assets, personal data may be transferred to the acquiring entity. Affected individuals will be notified of such a transfer and of any changes to this Privacy Policy.

All third-party service providers that process personal data on ROLIX's behalf do so only on documented instructions from ROLIX and are required to implement appropriate technical and organizational security measures.

International Data Transfers

ROLIX is based in the Republic of Cyprus, which is a member state of the European Union. Personal data collected by ROLIX is primarily stored and processed within the European Economic Area (EEA).

Some of the third-party service providers used by ROLIX (such as cloud infrastructure providers) may process data outside of the EEA, including in the United States and other countries. Where personal data is transferred outside the EEA, ROLIX ensures that such transfers are made in accordance with applicable data protection law, including through the use of:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Transfers to countries that have been recognized by the European Commission as providing an adequate level of data protection.
• Other appropriate safeguards as permitted under GDPR Chapter V.

You may request further information about the specific safeguards in place for international transfers by contacting ROLIX at rolix.ltd@atomicmail.io.

Data Retention

ROLIX retains personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, and to resolve any disputes or enforce agreements. The following general retention periods apply:

• Project and contractual records (including Project Agreements, Deliverables, and correspondence) are retained for seven (7) years following the conclusion of a project engagement, in accordance with Cypriot commercial and tax law requirements.
• Financial records (including invoices and payment records) are retained for seven (7) years as required for tax and accounting purposes.
• Inquiry and pre-contract communications from prospective clients who did not proceed to a formal engagement are retained for two (2) years from the date of the last communication.
• Marketing consent records are retained for the duration of the consent and for three (3) years following withdrawal of consent or the last interaction.
• Website analytics data is retained in aggregated form for up to twenty-six (26) months.

Following the expiry of the applicable retention period, personal data is securely deleted or permanently anonymized. Where anonymization is applied, the resulting anonymized data (which is no longer personal data) may be retained indefinitely for analytical purposes.

Cookies and Website Tracking

The ROLIX website may use cookies and similar tracking technologies to enhance the user experience, analyze website traffic, and measure the effectiveness of our online presence. Cookies are small text files stored on your device when you visit a website.

ROLIX may use the following categories of cookies:

• Strictly Necessary Cookies. Required for the basic operation of the website, including navigation and access to secure areas. These cookies cannot be disabled as the website cannot function properly without them.
• Analytics Cookies. Used to collect information about how visitors use the website, such as which pages are visited most frequently and how users navigate the site. This data is used in aggregated form to improve website performance and content.
• Functional Cookies. Allow the website to remember choices you have made (such as language preferences) and provide enhanced, more personalized features.

Where required by applicable law, ROLIX will request your consent before placing non-essential cookies on your device. You may withdraw your consent to non-essential cookies at any time through your browser settings or any cookie preference tool on the website. Note that disabling certain cookies may affect the functionality of the website.

ROLIX does not currently use advertising or targeting cookies or share cookie data with third-party advertising networks.

Your Rights as a Data Subject

Under the GDPR and applicable Cypriot data protection law, you have the following rights in relation to your personal data processed by ROLIX:

• Right of Access. You have the right to request a copy of the personal data ROLIX holds about you, along with information about how it is processed.
• Right to Rectification. You have the right to request that inaccurate or incomplete personal data be corrected or completed.
• Right to Erasure. You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (and there is no other legal basis for processing), or where the data has been unlawfully processed. This right is subject to legal retention obligations.
• Right to Restriction of Processing. You have the right to request that ROLIX restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or object to processing.
• Right to Data Portability. Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to Object. You have the right to object to processing of your personal data based on ROLIX's legitimate interests. You also have an unconditional right to object to processing for direct marketing purposes at any time.
• Right to Withdraw Consent. Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right to Lodge a Complaint. You have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of Cyprus (www.dataprotection.gov.cy) or with the supervisory authority in your country of residence if you believe your data has been processed in violation of applicable law.

To exercise any of the above rights, please submit a written request to rolix.ltd@atomicmail.io. ROLIX will respond to all valid requests within one (1) calendar month of receipt, or within three (3) months for complex or numerous requests (with notice of the extension provided within one month). ROLIX will not charge a fee for the exercise of these rights unless the request is manifestly unfounded or excessive.

Security of Your Personal Data

ROLIX implements appropriate technical and organizational security measures to protect personal data against unauthorized access, accidental loss, alteration, disclosure, or destruction. These measures include:

• Use of encrypted communication channels (TLS/HTTPS) for all data transmission via the website and email.
• Access controls limiting access to personal data to authorized personnel on a need-to-know basis.
• Use of secure, reputable cloud storage and productivity platforms with strong security certifications.
• Regular review of security practices to ensure continued appropriateness.
• Secure deletion of personal data upon expiry of applicable retention periods.

While ROLIX takes all reasonable precautions, no method of electronic transmission or storage is completely secure. ROLIX cannot guarantee absolute security of personal data transmitted over the internet and encourages all clients to take appropriate steps to protect their own systems and data.

In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of affected individuals, ROLIX will notify affected parties and, where required, the relevant supervisory authority, in accordance with its obligations under GDPR Articles 33 and 34.

Children's Privacy

ROLIX's services are intended for use by businesses and professional individuals. ROLIX does not knowingly collect or process personal data from individuals under the age of 18 years.

If ROLIX becomes aware that personal data has been collected from a person under 18 without appropriate parental or guardian consent, ROLIX will take prompt steps to delete such data. If you believe that personal data of a minor has been provided to ROLIX, please contact us immediately at rolix.ltd@atomicmail.io.

Changes to This Policy

ROLIX may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or the services we provide. The updated policy will be published on the ROLIX website with a revised "Last Updated" date at the top of the document.

Where changes are material, ROLIX will make reasonable efforts to notify affected individuals directly, such as by email, where we hold your contact details. Continued use of the ROLIX website or continued engagement with our services following the publication of an updated Privacy Policy constitutes acceptance of the revised policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

Contact and Data Subject Requests

For any questions about this Privacy Policy, to exercise your data subject rights, or to report a data protection concern, please contact ROLIX using the details below. We are committed to addressing all privacy-related communications professionally and within the timelines required by applicable law.