Privacy Policy

PRIVACY POLICY Last updated: April 29, 2026 Effective date: April 29, 2026 BruceLabs (“we,” “us,” or “our”) operates the Rooted mobile application (“App”). This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data. We built Rooted with privacy in mind. We collect only what we need to make the App work, we never sell your data, and we automatically delete video content after 7 days. This policy explains the details. 1. INFORMATION WE COLLECT Information You Provide: - Email address -- used for account creation, login, and important account communications - Display name -- shown to your circle members - Profile photo (optional) -- displayed to your circle members - Video responses -- recorded in response to daily prompts and shared with your circle(s) - Text replies and reactions -- shared with your circle members Information Collected Automatically: - Device information -- device type, operating system version, and app version, used for compatibility and troubleshooting - Push notification tokens -- used to deliver notifications to your device - In-app usage events -- we log certain actions within the App (such as screen views and feature usage) to help us fix bugs and improve the experience. These events are stored on our own servers, not sent to third-party analytics services, and are automatically deleted after 90 days. - Notification delivery data -- we track whether push notifications were delivered, opened, or ignored, so we can avoid sending notifications that aren’t useful to you. This data is stored on our own servers. - Prompt feedback -- if you rate a daily prompt (thumbs up or down), we store that feedback to improve prompt quality over time. Information We Do NOT Collect: - We do not collect precise location data - We do not collect contacts or address book data - We do not use advertising identifiers - We do not use analytics SDKs that track you across other apps or websites 2. HOW WE USE YOUR INFORMATION We use your information for the following purposes: - Operating the App -- delivering daily prompts, storing and playing back video responses, and enabling circle interactions - Account management -- creating and maintaining your account and authenticating your sessions - Communications -- sending push notifications about daily prompts, circle activity, and new responses (with your consent) - Safety and moderation -- enforcing our Terms of Service, reviewing reported content, and maintaining a safe environment - Improving the App -- fixing bugs, improving performance, and developing new features based on aggregated, non-identifying usage patterns We process your information on the following legal bases: - Contract performance -- to provide the service you signed up for - Consent -- for push notifications and optional features - Legitimate interest -- for security, fraud prevention, and service improvement, balanced against your privacy rights 3. HOW WE SHARE YOUR INFORMATION Within Your Circles: Your video responses, text replies, reactions, display name, and profile photo are visible to members of the circle(s) you belong to. Video responses are automatically deleted 7 days after upload and are no longer accessible to anyone, including circle members. We do not sell, rent, or trade your personal information. We never have and never will. Service Providers: We use a limited number of third-party services that process data on our behalf: - Amazon Web Services (AWS) -- cloud hosting, video storage (S3), content delivery (CloudFront), messaging queues, and database infrastructure. All data is stored in AWS data centers in the United States. - Apple -- provides Apple Sign-In authentication. When you sign in with Apple, we receive a unique identifier, your name (if you choose to share it), and your email address (or an Apple relay address). Apple does not share your Apple ID password with us. - Expo (Expo Application Services) -- delivers push notifications to your device. Expo receives your device push token and notification content in order to deliver messages. Expo does not receive your videos or other content. These providers are contractually required to use your data only to provide their services to us and to protect it appropriately. We do not use Firebase, Google Analytics, Facebook SDKs, or any other third-party analytics or advertising services. Administrative Access: The App operator (BruceLabs) may access user data, including account information and content, for the purposes of providing customer support, investigating reports, enforcing our Terms of Service, and performing content moderation. This access is limited to what is necessary for these purposes. Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, or when we believe in good faith that disclosure is necessary to protect the rights, safety, or property of our users or the public. 4. DATA STORAGE AND SECURITY Your data is stored on servers operated by Amazon Web Services (AWS) in the United States. We implement the following security measures: - All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security) - Video uploads use time-limited presigned URLs, so files are uploaded directly and securely to storage without passing through additional intermediaries - Passwords are never stored in plaintext; we use industry-standard hashing - Database access is restricted and monitored - Infrastructure follows AWS security best practices No system is perfectly secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security. If we become aware of a security breach that affects your personal data, we will notify you in accordance with applicable law. 5. DATA RETENTION - Video responses -- automatically and permanently deleted 7 days after upload. This deletion is handled by automated systems and is not reversible. - Account data (email, display name, profile photo) -- retained for as long as your account is active. When you delete your account, there is a 30-day grace period during which you can cancel and restore your account. After 30 days, your account data is permanently and irreversibly deleted. - Text replies and reactions -- retained for as long as your account is active or until the associated circle content is removed. - In-app usage events -- automatically deleted after 90 days. - Notification delivery data -- retained for analysis and automatically cleaned up over time. - Moderation and safety records -- records related to content reports, policy violations, and account actions may be retained after account deletion for safety, legal compliance, and abuse prevention purposes. - Backup data -- may persist in encrypted backups for a limited period after deletion, after which it is permanently removed. 6. YOUR RIGHTS All Users: Regardless of where you live, you can: - Access the personal data we hold about you - Correct inaccurate information on your account - Delete your account and associated data through the App (Profile > Delete Account) or by contacting us - Manage or disable push notifications through the App settings or your device settings For Users in the European Economic Area (GDPR): If you are in the EU/EEA, you also have the right to: - Request portability of your data in a structured, machine-readable format - Restrict or object to certain processing of your data - Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing - Lodge a complaint with your local data protection supervisory authority Our lawful bases for processing are described in Section 2. Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. For California Residents (CCPA/CPRA): If you are a California resident, you have the right to: - Know what personal information we collect, use, and disclose - Request deletion of your personal information - Opt out of the sale or sharing of personal information -- we do not sell or share your personal information for cross-context behavioral advertising, so there is nothing to opt out of - Not be discriminated against for exercising your privacy rights To exercise any of these rights, contact us at [email protected]. We will respond within the timeframes required by applicable law (generally 30 days for GDPR, 45 days for CCPA). 7. CHILDREN’S PRIVACY Rooted is not intended for children under 13. We do not knowingly collect personal information from anyone under the age of 13. Users must confirm they are 13 or older during registration. If you believe that a child under 13 has created an account or provided personal information to us, please contact us at [email protected]. We will promptly investigate and delete any such information. 8. PUSH NOTIFICATIONS When you first use the App, we ask for your permission to send push notifications. If you grant permission, we may send notifications about: - New daily prompts available for your circle - New video responses from your circle members - Other circle activity You can manage your notification preferences within the App settings. You can also disable notifications entirely through your device’s system settings. Disabling notifications does not affect any other aspect of your account or the App’s functionality. 9. DATA MINIMIZATION We are committed to collecting only the data we need. We do not collect data speculatively or “just in case.” Each piece of information we collect has a specific, stated purpose described in this policy. Our 7-day automatic video deletion is one example of this principle in practice -- we do not keep content longer than necessary for the App to function. 10. INTERNATIONAL DATA TRANSFERS Your data is stored and processed in the United States. If you are accessing the App from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. For users in the EU/EEA, we rely on appropriate safeguards for any transfer of personal data, including standard contractual clauses where applicable. 11. CHANGES TO THIS POLICY We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App or via email to the address associated with your account. The “Last updated” date at the top of this policy indicates when it was most recently revised. Your continued use of the App after a change becomes effective means you accept the updated policy. If you do not agree with a change, you may delete your account. 12. CONTACT US If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at: Email: [email protected] Developer: BruceLabs (io.brucelabs.rooted) For data deletion, you can also delete your account directly in the App under Profile > Delete Account.