Privacy
Privacy & Cookie Policy
Last updated: 2 June 2026
This Privacy & Cookie Policy explains how we collect, use, and protect your personal data when you use the rohcode website (rohcode.com) and our services. It also explains the cookies we use and your rights under data protection law.
1. Who we are
rohcode is a web development studio operated by Ryan O'Hanlon, trading as rohcode, a sole trader based in Ireland ("rohcode", "we", "us", "our").
For the personal data we process about our own clients and website users, we are the data controller. Our full postal address is available on request.
Contact for any data protection matter: ryan@rohcode.com
2. What this policy covers
This policy covers personal data we process as a controller — that is, data about you as a visitor to our website, as someone who creates an account, and as a client who buys our services. Where we build and host a website for a client, any personal data belonging to that website's own visitors is processed by us on the client's behalf as a processor, governed by the Client Services Agreement rather than this policy (see section 10).
3. The personal data we collect
We collect only what we need to provide our services:
- Account and contact data — your name, email address, and company or business details, provided when you create an account or contact us.
- Order and project data — the catalog selections, content, text, and images you submit as part of a build order.
- Payment data — payments are processed entirely by Stripe. We receive confirmation of payment and limited transaction details, but we never see, receive, or store your full card details.
- Communications — messages you send us, including messages exchanged through the in-app chat with our staff.
- Technical data — limited log and session information generated automatically when you use the site (for example, to keep you securely logged in).
We do not run analytics, advertising, or tracking of any kind.
4. How we use your data, and our lawful basis
| What we use it for | Lawful basis (GDPR Article 6) |
|---|---|
| Creating and managing your account, building and running your website, and handling your orders | Performance of a contract |
| Responding to your enquiries and providing support | Performance of a contract / our legitimate interests |
| Sending you essential service and transactional emails (order confirmations, account notices) | Performance of a contract |
| Keeping accounting and tax records | Compliance with a legal obligation |
| Keeping our website and your account secure | Our legitimate interests |
We do not send marketing emails unless you have asked us to, and you can opt out at any time.
5. Cookies and similar technologies
We keep cookies to an absolute minimum. We use only strictly necessary cookies — the small number required for the site to work and to keep you securely logged in. We use no analytics, advertising, or tracking cookies of any kind.
Under the ePrivacy Directive, strictly necessary cookies are exempt from consent requirements — they exist only to deliver a service you have actively requested. For that reason we do not display a cookie consent banner, because there are no optional cookies to consent to. We are required to tell you these cookies exist, which is what this section does.
The cookies we set are:
| Cookie | Set by | Purpose | Type |
|---|---|---|---|
| Authentication / session token | Supabase | Keeps you securely logged in to your account | Strictly necessary |
| Session refresh token | Supabase | Maintains your session without repeated logins | Strictly necessary |
Payment security cookies (e.g. __stripe_mid, __stripe_sid) | Stripe | Fraud prevention and secure checkout | Strictly necessary |
| Session / CSRF state | rohcode | Protects forms and keeps the site secure | Strictly necessary |
You can block or delete cookies through your browser settings, but if you block the cookies above, you may not be able to log in or use parts of the site.
6. Who we share your data with
We do not sell your personal data. We share it only with the trusted service providers that make our service work, each acting as a sub-processor under a data processing agreement:
- Supabase — database, authentication, and storage (EU-hosted infrastructure).
- Vercel — website hosting and delivery.
- Stripe — payment processing.
- Resend — sending transactional and service emails.
We may also disclose data where required by law, or to establish, exercise, or defend legal claims.
7. International transfers
We host data on EU-based infrastructure wherever possible. Where a provider (such as a payment or email provider) processes some data outside the European Economic Area, that transfer is protected by appropriate safeguards, such as the European Commission's Standard Contractual Clauses.
8. How long we keep your data
We keep personal data only as long as necessary:
- Accounting and billing records — six years, as required by Irish tax law.
- Account and project data — for as long as your account is active, and for a reasonable period afterwards.
- Enquiries and communications — for as long as needed to deal with the matter and a reasonable period afterwards.
When data is no longer needed, we securely delete or anonymise it.
9. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased, where there is no overriding legal reason for us to keep it (for example, the six-year tax-record obligation);
- restrict or object to certain processing;
- receive a portable copy of the data you have provided to us;
- withdraw consent at any time, where we rely on consent.
To exercise any of these rights, email ryan@rohcode.com. We will respond within one month, and we aim to respond within five working days. If you are unhappy with how we handle your data, you can complain to the Irish Data Protection Commission at dataprotection.ie.
10. Your website's visitors — our role as processor
When we build and host a website for a client, that website may collect personal data from its own visitors (for example, through a contact form). For that data, the client is the data controller and we act as a data processor on their behalf. The terms governing that relationship are set out in the Client Services Agreement, including a data processing agreement. This Privacy & Cookie Policy does not govern how an individual client uses data collected through their own website.
11. Security
We take appropriate technical and organisational measures to protect your data, including encrypted connections, access controls, and reliance on reputable infrastructure providers. No system can be guaranteed perfectly secure, but we work to protect your data and to respond quickly if a problem arises.
12. Children
Our services are intended for businesses and adults, and are not directed at children. We do not knowingly collect personal data from anyone under the age of 16 (the age of digital consent in Ireland).
13. Links to other websites
Our website may link to external sites we do not control. We are not responsible for the content or privacy practices of those sites, and we encourage you to read their policies.
14. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top shows when it was last changed. Significant changes will be communicated where appropriate.
15. Contact
For any question about this policy or your personal data, contact ryan@rohcode.com.