Privacy Notice

Last updated: May 9, 2026

Rooted is operated by Amy Ledbetter ("we", "us"). This notice describes what personal data we collect, how we use it, and your rights. For purposes of data protection law, we act as the data controller of your information.

1. What we collect

• Account data — email address, display name, login credentials.
• App content — supplements you add, photos you upload, schedules, intake logs, mood/symptom logs, notes.
• Usage & technical data — IP address, device/browser type, pages visited, error logs.
• Support communications — messages you send us.
• Payment data — handled by Paddle (our Merchant of Record). We receive subscription status and the last 4 digits of your card, but not your full card number.

2. How we use it

• To create and operate your account (legal basis: contract).
• To provide, secure, and improve the Service (legitimate interests).
• To send transactional notifications and reminders you've configured (contract).
• To respond to support requests (legitimate interests).
• To comply with legal obligations and prevent fraud (legal obligation, legitimate interests).

3. Who we share it with

• Service providers / subprocessors — hosting, database, and infrastructure (Lovable Cloud / Supabase), error monitoring, email delivery.
• Paddle — our Merchant of Record for sale of Rooted Plus, subscription management, payments, tax compliance, and invoicing.
• Professional advisers — legal and accounting, where reasonably necessary.
• Authorities — when required by law.

We do not sell your personal data.

4. International transfers

Data may be stored or processed in the United States or other countries where our subprocessors operate. Where applicable, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

5. Retention

We keep account and content data while your account is active. If you delete your account, we delete or anonymize your data within a reasonable period, except where retention is required by law (e.g. tax records).

6. Your rights

Depending on where you live, you may have the right to access, correct, delete, restrict, port, or object to processing of your personal data, and to withdraw consent. You may also have the right to lodge a complaint with your local data protection authority. To exercise these rights, contact Amy Ledbetter at the support email associated with the Service. We aim to respond within one month.

7. Security

We use appropriate technical and organizational measures (encryption in transit, access controls, RLS at the database level) to protect your data. No system is 100% secure; please use a strong password.

8. Cookies

We use essential cookies and local storage to keep you signed in and remember preferences. We don't currently use advertising cookies. Paddle's checkout may set its own cookies — see Paddle's privacy notice for details.

9. Changes

We may update this notice. Material changes will be communicated through the Service.

10. Contact

Amy Ledbetter — contact via the support email associated with the Service.