Roots Privacy Policy
Effective 11 June 2026
Roots is a family-connection app. This policy explains what data we collect, how it's stored, who can see it, and the rights you have over it. It applies to the Roots iPad app, the Roots companion app for iPhone, the forthcoming Roots desktop app for Mac, and any related services.
Who we are
Roots is built and operated by Luke Stephens as an independent project. Questions, requests, and complaints can be sent to lstephens341@gmail.com.
What we collect
- Account info. When you sign in with Google or with Apple, we receive your email address and display name from the provider. We do not receive your password. If you use Apple's "Hide My Email" relay, we only receive the relay address.
- Phone number. During first-time setup we ask you to verify a phone number so the people you invite can recognise it's really you, and so invitations sent to your number can find their way to you. The verification code is sent by SMS via Twilio Verify. We store the verified phone number on your account; we do not store the verification code itself.
- Household + profile info. The household name you choose, the residents you add (name, role, accent color, optional profile photo, optional birthday), and the per-group nicknames you set.
- Content you create. Photos you upload, memories you author (including titles, captions, decorations, audio, and video), and messages you send to other households.
- Photo metadata. Capture date and location stored in your photos' EXIF tags, used to organise photos by time and place. Location is only read from photos you choose to import.
- Connections. The other households you have connected with and the groups you are a member of.
- Invitations. When you invite someone to your household or to a group, we store the invite token, the role you assigned, and (if you used an email or phone invite) the contact address you entered. Invite tokens are single-use and expire.
- Diagnostic data. Anonymous error reports collected via Sentry to help us keep the app working. Personal identifiers (names, emails, phone numbers, household IDs) are scrubbed on-device before reports are sent. We do not use third-party advertising trackers.
- Beta testing data. While Roots is distributed through Apple TestFlight, Apple shares crash logs and any feedback you submit through TestFlight directly with us, in accordance with Apple's policies.
How it's stored
Roots stores your data in Supabase, a hosted Postgres + object storage service running on AWS in the United States. Photos are stored in a private storage bucket; database tables are protected by row-level security so that only authorised households can read or change a given row.
Who can see your content
- You and your household. Everyone signed in to your household sees all of that household's photos, memories, messages, and residents.
- Connected households. Households you connect with do not automatically see everything in your household — they see the specific photos, memories, and events you choose to share with them. When you share something with everyone you're connected to, every household you are connected with can see it, including households you connect with later. When you share with a specific house or group instead, only those households can. Changing a memory's audience or disconnecting a household removes their access going forward.
- No one else. Roots does not sell, rent, or share your content with advertisers, data brokers, or analytics resellers.
Third parties we rely on
- Supabase — database, authentication, object storage. supabase.com/privacy
- Google — sign-in only (OAuth). policies.google.com/privacy
- Apple — Sign in with Apple (OAuth) and app distribution via the App Store / TestFlight. apple.com/legal/privacy
- Twilio — SMS delivery for phone-number verification (Twilio Verify). twilio.com/legal/privacy
- Sentry — diagnostic and crash reports, scrubbed of personal identifiers before sending. sentry.io/privacy
Your rights
You can, at any time, from inside the app:
- Edit or remove any photo, memory, message, resident, group, or connection you have created.
- Rename your household and change your own display name and avatar.
- Sign out, which clears your session from the device.
-
Permanently delete your account from Settings → Delete account.
When you delete your account, you have two options:
- Keep my content with my household. Your account is removed and your authorship links are cleared, but the photos and memories you uploaded stay with your household and any group they were shared into, so other residents and connected households can still see them.
- Fully delete my account and content. Your account, your uploaded photos, and the memories you authored are permanently deleted from Roots' database and storage. Other households that had access to your shared content will lose it. Memories that other people built using photos you uploaded will have those photos removed from their layout.
If you need additional help — for example, exporting your content or deleting data belonging to someone who can no longer access the app — email lstephens341@gmail.com and we'll respond within 14 days.
Children
Roots is built for families and can be used by children with the consent and involvement of a parent or guardian. Accounts are created with a Google sign-in, which has its own age requirements. If you believe a child has signed up without appropriate consent, email lstephens341@gmail.com and we will delete the account.
Data retention
We privately and securely keep your content for as long as your household exists. When you delete your account in "keep content" mode, your user record and authorship links are removed immediately while your authored content stays with your household for other residents; if you are the only resident, the household's content is removed on a rolling basis within 30 days. When you delete your account in "fully delete" mode, your authored photos and memories are removed from Roots' database and storage immediately, with a final scrub of any orphaned files within 30 days.
Security
Network traffic between the app and our backend is encrypted with TLS. Authentication tokens are stored in the device's secure keychain. Storage objects are served via short-lived signed URLs. No system is perfectly secure; if you believe your account has been compromised, email lstephens341@gmail.com.
Changes to this policy
We may update this policy as the app evolves. Material changes will be surfaced in-app the next time you open it. The "Effective" date at the top of this page indicates when the current version took effect.