Roots Privacy Policy

Effective 11 June 2026

Roots is a family-connection app. This policy explains what data we collect, how it's stored, who can see it, and the rights you have over it. It applies to the Roots iPad app, the Roots companion app for iPhone, the forthcoming Roots desktop app for Mac, and any related services.

Who we are

Roots is built and operated by Luke Stephens as an independent project. Questions, requests, and complaints can be sent to lstephens341@gmail.com.

What we collect

How it's stored

Roots stores your data in Supabase, a hosted Postgres + object storage service running on AWS in the United States. Photos are stored in a private storage bucket; database tables are protected by row-level security so that only authorised households can read or change a given row.

Who can see your content

Third parties we rely on

Your rights

You can, at any time, from inside the app:

If you need additional help — for example, exporting your content or deleting data belonging to someone who can no longer access the app — email lstephens341@gmail.com and we'll respond within 14 days.

Children

Roots is built for families and can be used by children with the consent and involvement of a parent or guardian. Accounts are created with a Google sign-in, which has its own age requirements. If you believe a child has signed up without appropriate consent, email lstephens341@gmail.com and we will delete the account.

Data retention

We privately and securely keep your content for as long as your household exists. When you delete your account in "keep content" mode, your user record and authorship links are removed immediately while your authored content stays with your household for other residents; if you are the only resident, the household's content is removed on a rolling basis within 30 days. When you delete your account in "fully delete" mode, your authored photos and memories are removed from Roots' database and storage immediately, with a final scrub of any orphaned files within 30 days.

Security

Network traffic between the app and our backend is encrypted with TLS. Authentication tokens are stored in the device's secure keychain. Storage objects are served via short-lived signed URLs. No system is perfectly secure; if you believe your account has been compromised, email lstephens341@gmail.com.

Changes to this policy

We may update this policy as the app evolves. Material changes will be surfaced in-app the next time you open it. The "Effective" date at the top of this page indicates when the current version took effect.