Privacy Policy
CrazyRocket
Last Updated: March 31, 2026
Introduction
CrazyRocket ("CrazyRocket", "we", "our", or "us") understands that your privacy is important to you and that you care about how your personal information is used and shared online.
We respect and value the privacy of everyone who visits our website and uses our Pop-up Service. We only collect and use personal information in ways that are useful to you and in a manner consistent with your rights and our obligations under applicable law, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, the UK Data Use and Access Act 2025 (DUAA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), other US state privacy laws, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Act 1988 (as reformed).
This Policy applies to our use of any and all personal data collected by us in relation to your use of our website and our Pop-up Service.
Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of this Privacy Policy is deemed to occur upon your first use of our website. If you do not accept and agree with this Privacy Policy, you must stop using our website immediately.
1. Definitions and Interpretation
In this Policy the following terms shall have the following meanings:
"Account" means an account required to access and/or use certain areas and features of our website and Pop-up Service;
"Cookie" means a small text file placed on your computer or device by our website when you visit certain parts of our website and/or when you use certain features of our website or Pop-up Service. Details of the Cookies used are set out in section 13, below;
"Our Site" means this website, www.CrazyRocket.io;
"Customer" means website owners, merchants, and administrators that have purchased and/or added our Pop-up Service to their website(s) to collect emails and deliver discount coupons to their Users;
"User" means anybody accessing our website or the Pop-up Service provided by us;
"Pop-up Service" means the gamified pop-up features provided by our software, including spin wheels, scratch cards, slot machines, and other campaign widgets;
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law;
"Processing" means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or deletion;
"Sub-processor" means any third-party service provider that processes Personal Data on our behalf;
"CrazyRocket / We / Us / Our" means CrazyRocket by Andrea De Santis.
2. Identity of the Data Controller
2.1 - Our website and Pop-up Service is operated by CrazyRocket by Andrea De Santis.
2.2 - For questions about this Privacy Policy or to exercise your data protection rights, please contact us at:
hello@crazyrocket.io
2.3 - If you are located in the EU/EEA or UK and wish to raise a concern about our data processing practices, you have the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement. For the UK, the relevant authority is the Information Commissioner's Office (ICO) at
ico.org.uk.
3. Scope – What Does This Policy Cover?
This Privacy Policy applies to your use of our website and the Pop-up Service provided by us, whether you are a Customer managing campaigns or a User interacting with our pop-ups on a Customer's website.
It does not extend to any websites that are linked to from our website (whether we provide those links or whether they are shared by other users). We have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.
4. What Personal Data Do We Collect?
Some data will be collected automatically by our website and our Pop-up Service; other data will only be collected if you voluntarily submit it. Depending upon your use of our website and the Pop-up Service, we may collect some or all of the following categories of Personal Data:
| Category |
Examples |
Collection Method |
| Account & Identity Data |
Username, email address, password (hashed) |
Provided by you at registration |
| Business & Billing Data |
Business/company name, billing address, payment card details (processed by Stripe; we do not store full card numbers) |
Provided by you |
| Contact Data |
Email address, name (when submitted via pop-ups on Customer websites) |
Provided by Users through Pop-up Service |
| Technical & Device Data |
IP address, browser type and version, operating system, device identifiers, screen resolution |
Collected automatically |
| Usage & Analytics Data |
Pages visited, time on site, page views, referrer URL, UTM parameters, click and interaction data |
Collected automatically |
| Location Data |
Approximate geolocation (country, state/region, city) derived from IP address |
Collected automatically |
| Transaction & Commercial Data |
Sale value, coupon usage, campaign interaction history, subscription plan details |
Collected automatically and from integrations |
| Integration Data |
Shopify store information (store name, domain, access tokens), WooCommerce site data, email marketing platform identifiers |
Collected via platform integrations (e.g., Shopify OAuth) |
5. Sources of Personal Data
We collect Personal Data from the following sources:
- 5.1 - Directly from you – when you create an Account, configure campaigns, contact us, or submit information through our website;
- 5.2 - From Users of Customer websites – when Users interact with our Pop-up Service on Customer websites (e.g., entering an email to spin a wheel);
- 5.3 - Automatically from your device – through cookies, pixels, and similar tracking technologies when you visit our website or interact with our Pop-up Service;
- 5.4 - From third-party platforms – via integrations such as Shopify, WooCommerce, Klaviyo, Mailchimp, Campaign Monitor, and ActiveCampaign when you connect these services to your Account;
- 5.5 - From payment processors – Stripe provides us with transaction confirmations and limited billing information.
6. How and Why Do We Use Your Personal Data (Purposes and Legal Basis)
6.1 - All Personal Data is processed lawfully, fairly, and transparently. Below we set out each processing activity, its purpose, and the legal basis relied upon:
| Processing Activity |
Purpose |
Legal Basis (GDPR Art. 6) |
| Account creation and management |
To provide and manage your Account and access to our services |
Performance of a contract (Art. 6(1)(b)) |
| Providing the Pop-up Service |
To deliver gamified pop-ups, collect email submissions, and deliver coupons on Customer websites |
Performance of a contract (Art. 6(1)(b)) |
| Payment processing |
To process subscription payments and manage billing |
Performance of a contract (Art. 6(1)(b)) |
| Customer support |
To respond to enquiries, troubleshoot issues, and provide technical support |
Performance of a contract (Art. 6(1)(b)) / Legitimate interests (Art. 6(1)(f)) |
| Service analytics and improvement |
To compute aggregated metrics (page views, visitor counts, conversion rates) and improve our services |
Legitimate interests (Art. 6(1)(f)) – improving our services and user experience |
| Email marketing and newsletters |
To send you product updates, tips, and promotional content (you may unsubscribe at any time) |
Consent (Art. 6(1)(a)) |
| Fraud prevention and security |
To detect, prevent, and address fraud, abuse, security threats, and technical issues |
Legitimate interests (Art. 6(1)(f)) – protecting our business and users |
| Legal compliance |
To comply with applicable laws, regulations, and legal processes (e.g., tax obligations, data subject requests) |
Legal obligation (Art. 6(1)(c)) |
| Third-party integrations |
To sync data with email marketing platforms (Klaviyo, Mailchimp, etc.) and e-commerce platforms (Shopify, WooCommerce) as configured by the Customer |
Performance of a contract (Art. 6(1)(b)) |
6.2 - Where we rely on legitimate interests, we have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms.
6.3 - Where we rely on consent, you have the right to withdraw your consent at any time by contacting us at hello@crazyrocket.io or by using the unsubscribe link in our emails. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
6.4 - In some cases, the collection of data may be a statutory or contractual requirement, and we will be limited in the services we can provide you without your consent for us to be able to use such data.
7. Data Retention
We only keep your Personal Data for as long as necessary for the purposes set out in section 6. Our specific retention periods are:
| Data Category |
Retention Period |
| Account data (active accounts) |
For the duration of the account, plus 30 days after account deletion to allow recovery |
| Account data (inactive accounts) |
Deleted after 12 months of inactivity, following prior notice |
| Collected emails and campaign statistics |
Up to 12 months, or until deleted by the Customer, whichever is sooner |
| Billing and invoice data |
As required by applicable tax law (typically up to 10 years) |
| Usage and analytics data |
Aggregated and anonymised within 24 months; raw data deleted after 12 months |
| Customer support communications |
Up to 24 months after resolution |
| Cookies and tracking data |
See cookie durations in section 13 |
We conduct an annual review to ascertain whether we still need to retain your data. When data is no longer required, it will be securely deleted or anonymised.
8. How and Where Do We Store Your Data?
8.1 - Our primary data infrastructure is hosted on Amazon Web Services (AWS) servers located in EU zones (Ireland/Frankfurt).
8.2 - Information you provide to us is stored on secure servers. Encrypted connections using TLS/SSL technology are used for all data transmissions.
8.3 - We implement appropriate technical and organisational security measures in accordance with GDPR Article 32, including:
- Encryption of data in transit (TLS 1.2+) and at rest;
- Hashed and salted password storage;
- Role-based access controls limiting who can access Personal Data;
- Regular security reviews and vulnerability assessments;
- Secure backup procedures;
- Logging and monitoring of access to Personal Data.
8.4 - We take security seriously and privacy by design is embedded into our engineering and product development principles. However, as with any online service, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data but will promptly notify you and the relevant authorities of any breach in accordance with applicable law (see section 12).
9. Who Do We Share Your Data With?
9.1 - We may share your Personal Data with the following categories of third-party recipients, only to the extent necessary for the purposes described in section 6:
| Recipient |
Purpose |
Data Shared |
| Stripe (Payment Processor) |
Subscription billing and payment processing |
Billing details, transaction data |
| Amazon Web Services (AWS) |
Cloud hosting and data storage |
All data stored on our platform |
| MongoDB Atlas |
Database hosting |
Campaign data, account data, analytics |
| Shopify |
E-commerce platform integration |
Store data, order data as needed for Pop-up Service functionality |
| Klaviyo, Mailchimp, Campaign Monitor, ActiveCampaign |
Email marketing integrations (as configured by Customer) |
Email addresses and associated subscriber data |
| Google Analytics |
Website analytics |
Usage data, device/browser data (anonymised where possible) |
| Hotjar |
User experience analytics (heatmaps, session recordings) |
Usage data, interaction data |
| Meta (Facebook) |
Advertising measurement via Facebook Pixel |
Page visit events, conversion data |
9.2 - We may compile anonymised, aggregated statistics about the use of our website. Such data will not include any personally identifying information. We may share such data with third parties such as prospective investors, affiliates, partners, and advertisers, within the bounds of the law.
9.3 - In certain circumstances we may be legally required to share certain data held by us, which may include your Personal Data, for example where we are involved in legal proceedings or complying with the requirements of legislation, a court order, or a governmental authority.
9.4 -
We do not sell your Personal Data. See section 16 for additional information regarding the CCPA/CPRA.
10. International Data Transfers
10.1 - While our primary servers are in the EU, some of our third-party service providers are based in the United States and other countries outside the EU/EEA and UK. This means your Personal Data may be transferred to, and processed in, countries that may not provide an equivalent level of data protection to your home jurisdiction.
10.2 - When transferring Personal Data outside the EU/EEA or UK, we ensure adequate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission;
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable;
- Adequacy decisions where available (e.g., EU-US Data Privacy Framework for certified US recipients);
- Contractual obligations on sub-processors to protect data to at least the same standard.
10.3 - You may request a copy of the safeguards we have in place by contacting us at hello@crazyrocket.io.
11. What Happens If Our Business Changes Hands?
11.1 - We may, from time to time, expand or reduce our business and this may involve the sale and/or transfer of control of all or part of our business. Personal Data provided by users will, where it is relevant to any part of our business so transferred, be transferred along with that part. The new owner or newly controlling party will, under the terms of this Privacy Policy, be permitted to use the data for the purposes for which it was originally collected by us.
11.2 - In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes. When contacted you will be given the choice to have your data deleted or withheld from the new owner or controller.
12. Data Breach Notification
12.1 - In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33;
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34;
- Comply with all applicable breach notification requirements under US state privacy laws, PIPEDA, and the Australian Notifiable Data Breaches scheme;
- Document all breaches, including the facts, effects, and remedial actions taken.
13. Cookies and Tracking Technologies
13.1 - Our website and Pop-up Service use cookies and similar tracking technologies. Below is a detailed overview of the cookies we use, categorised by purpose:
Strictly Necessary Cookies
These cookies are essential for the operation of our website and Pop-up Service. They cannot be switched off.
| Cookie Name |
Purpose |
Duration |
| __RequestVerificationToken |
Security – prevents cross-site request forgery (CSRF) attacks |
Session |
| cc_cookie |
Stores your cookie consent preferences (per category) |
12 months |
Functional / Pop-up Service Cookies
These cookies enable the core functionality of our Pop-up Service on Customer websites.
| Cookie Name |
Purpose |
Duration |
| crazyrocket_active |
Identifies the currently assigned campaign |
Session |
| crazyrocket_vid |
Identifies the current user visit |
30 days |
| crazyrocket_cid |
Used to force a cache refresh |
Session |
| crazyrocket-pageviews |
Tracks total number of pages visited in a session |
Session |
| crazyrocket-popup |
Stores whether the pop-up has been shown |
30 days |
| crazyrocket-totaltime |
Tracks total time on site |
Session |
| crazyrocket-bdn |
Stores whether a notification bar has been shown |
30 days |
| crazyrocket_countdown |
Manages countdown timer state |
Session |
| crazyrocket_countdown_coupon |
Stores coupon assigned to the countdown |
Session |
| crazyrocket_initial |
Records the first page reached by the user |
Session |
| crazyrocket_referrer |
Stores the referrer for the current visit |
Session |
| crazyrocket-launch-icon |
Stores whether the launch icon has been shown |
30 days |
| crazyrocket_completed |
Stores list of completed campaigns to prevent re-display |
90 days |
Analytics Cookies
These cookies help us understand how visitors interact with our website. They collect information in an aggregated form.
| Provider |
Purpose |
Privacy Policy |
| Google Analytics |
Website usage analysis, traffic measurement, audience insights |
policies.google.com/privacy |
| Hotjar |
User experience analytics (heatmaps, session recordings, feedback) |
hotjar.com/privacy |
Marketing / Advertising Cookies
These cookies are used for advertising measurement and retargeting. They require your consent.
| Provider |
Purpose |
Privacy Policy |
| Meta (Facebook Pixel) |
Conversion tracking, advertising measurement, retargeting |
facebook.com/privacy |
| Apollo.io |
Sales engagement and visitor identification |
apollo.io/privacy |
13.2 -
Managing Cookies: You can control and manage cookies in the following ways:
- Through our cookie consent banner when you first visit our website, where you can accept all, reject all, or choose individual categories (analytics, marketing);
- At any time by clicking the “Cookie Settings” link in our website footer;
- By adjusting your web browser's privacy settings to refuse or delete cookies;
- By using browser extensions designed to manage cookie preferences.
Please note that disabling strictly necessary or functional cookies may impact the functionality of our website and Pop-up Service.
13.3 - In addition to cookies, we and our third-party partners may use tracking pixels (web beacons) and similar technologies. These are subject to the same consent requirements as cookies under applicable law, including the UK DUAA 2025.
14. Your Rights Under GDPR and UK GDPR
If you are located in the EU/EEA or United Kingdom, you have the following rights under the GDPR and UK GDPR:
- Right of Access (Art. 15) – You have the right to request a copy of the Personal Data we hold about you.
- Right to Rectification (Art. 16) – You have the right to request correction of inaccurate or incomplete Personal Data.
- Right to Erasure (Art. 17) – You have the right to request deletion of your Personal Data where there is no compelling reason for its continued processing.
- Right to Restrict Processing (Art. 18) – You have the right to request that we restrict the processing of your Personal Data in certain circumstances.
- Right to Data Portability (Art. 20) – You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
- Right to Object (Art. 21) – You have the right to object to processing based on legitimate interests or direct marketing at any time.
- Rights Related to Automated Decision-Making (Art. 22) – You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
- Right to Withdraw Consent – Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint – You have the right to lodge a complaint with a supervisory authority. For the UK, this is the ICO (ico.org.uk). For the EU, contact the data protection authority in your country of residence.
15. Your Rights Under CCPA/CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), provides you with specific rights regarding your Personal Data:
- Right to Know – You have the right to request that we disclose the categories and specific pieces of Personal Data we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete – You have the right to request deletion of your Personal Data, subject to certain exceptions.
- Right to Correct – You have the right to request correction of inaccurate Personal Data.
- Right to Opt-Out of Sale/Sharing – You have the right to opt out of the sale or sharing of your Personal Data. We do not sell your Personal Data. However, our use of certain analytics and advertising cookies (e.g., Google Analytics, Meta Pixel) may constitute "sharing" under the CCPA/CPRA. You can opt out by adjusting your cookie preferences.
- Right to Limit Use of Sensitive Personal Information – You have the right to limit the use of sensitive personal information. We do not collect sensitive personal information as defined under the CCPA/CPRA beyond what is necessary to provide our services.
- Right to Non-Discrimination – We will not discriminate against you for exercising any of your privacy rights.
CCPA/CPRA Disclosures:
In the preceding 12 months:
- We have not sold Personal Data of consumers.
- We may have shared internet/electronic activity data with analytics and advertising providers (Google Analytics, Meta) for cross-context behavioural advertising purposes, which may qualify as "sharing" under the CCPA/CPRA.
- Categories of Personal Data collected are described in section 4.
16. Your Rights Under US State Privacy Laws
If you reside in a US state with a comprehensive privacy law (including but not limited to Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Indiana, Kentucky, Minnesota, Maryland, Rhode Island, and Utah), you may have similar rights to those described in section 15, including:
- Right to access, correct, and delete your Personal Data;
- Right to data portability;
- Right to opt out of targeted advertising, the sale of Personal Data, and profiling in furtherance of decisions that produce legal or similarly significant effects;
- Right to appeal a denial of your request.
To exercise these rights, please contact us using the details in section 22.
17. Your Rights Under Canadian Privacy Law (PIPEDA)
If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation grant you the following rights:
- The right to access your Personal Data held by us;
- The right to challenge the accuracy and completeness of your data and have it amended;
- The right to withdraw consent to the collection, use, or disclosure of your Personal Data (subject to legal or contractual restrictions);
- The right to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca).
18. Your Rights Under Australian Privacy Law
If you are located in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) grant you the following rights:
- The right to access your Personal Data held by us (APP 12);
- The right to request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading data (APP 13);
- The right to complain about a breach of the APPs to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Where we disclose your Personal Data to overseas recipients (see section 10), we take reasonable steps to ensure they do not breach the APPs in relation to your data.
19. How to Exercise Your Rights
19.1 - To exercise any of the rights described above, you may:
- Email us at hello@crazyrocket.io with your request. Please include sufficient information so we can verify your identity and understand your request;
- Use the account management tools available within your CrazyRocket dashboard (to update, export, or delete your data).
19.2 -
Verification: We may need to verify your identity before processing your request. We will ask for information sufficient to confirm you are the person to whom the data relates (or an authorised agent).
19.3 -
Response Timeframe: We will respond to your request within:
- GDPR/UK GDPR: One month (extendable by two further months for complex requests);
- CCPA/CPRA: 45 days (extendable by an additional 45 days);
- PIPEDA: 30 days;
- Australian Privacy Act: 30 days.
19.4 -
Authorised Agents: Under CCPA/CPRA, you may designate an authorised agent to make a request on your behalf. The agent must provide proof of authorisation.
19.5 - We do not charge a fee for processing your request unless it is manifestly unfounded or excessive.
20. Automated Decision-Making and Profiling
20.1 - Our Pop-up Service uses automated rules to determine which campaigns and pop-ups to display to Users on Customer websites. These rules are based on factors such as page visited, referrer URL, time on site, pages viewed, geographic location, and device type.
20.2 - These automated processes do not produce legal effects or similarly significant effects on Users. They are used solely to personalise the display of promotional pop-ups.
20.3 - If you believe an automated decision has significantly affected you, you have the right to request human intervention, express your point of view, and contest the decision by contacting us at hello@crazyrocket.io.
21. Children's Privacy
21.1 - Our website and Pop-up Service are not directed at children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect Personal Data from children.
21.2 - If we become aware that we have inadvertently collected Personal Data from a child without appropriate parental consent, we will take steps to delete that data as soon as possible.
21.3 - If you believe that we may have collected information from a child, please contact us immediately at hello@crazyrocket.io.
22. Complaint-Handling Process
22.1 - If you have a complaint about how we handle your Personal Data, we encourage you to contact us first at
hello@crazyrocket.io so we can try to resolve the matter.
22.2 - We will acknowledge your complaint within 14 days and aim to provide a substantive response without undue delay.
22.3 - If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:
- UK: Information Commissioner's Office (ICO) – ico.org.uk
- EU: The data protection authority in your Member State of residence
- California: California Privacy Protection Agency (CPPA) – cppa.ca.gov
- Canada: Office of the Privacy Commissioner – priv.gc.ca
- Australia: Office of the Australian Information Commissioner (OAIC) – oaic.gov.au
23. Your Right to Withhold and Withdraw Information
- 23.1 - You may access our website without providing any Personal Data. However, to use all features and functions available on our website you may be required to submit or allow for the collection of certain data.
- 23.2 - You may restrict your internet browser's use of cookies or manage your preferences through our cookie consent banner.
- 23.3 - You may withdraw your consent for us to use your Personal Data at any time by contacting us at hello@crazyrocket.io, and we will delete your data from our systems. However, you acknowledge this may limit our ability to provide our services to you.
24. Contact Us
If you have any questions about our website, this Privacy Policy, or wish to exercise any of your data protection rights, please contact us:
Email: hello@crazyrocket.io
Please ensure that your query is clear, particularly if it is a request for information about the data we hold about you.
25. Changes to This Privacy Policy
We may update this Privacy Policy from time to time as may be necessary or as required by law. We review this policy at least annually to ensure it remains current and compliant with applicable regulations.
Any material changes will be communicated via:
- A prominent notice on our website;
- Email notification to registered Customers (for significant changes).
We recommend that you check this page regularly to keep up-to-date. The "Last Updated" date at the top of this policy indicates when it was most recently revised.