Privacy Policy
Last updated: 8 July 2026
This policy explains what personal data Rooted collects, why we collect it, who we share it with and the rights you have. We've tried to keep it in plain English rather than legalese.
Who we are and how to contact us
Rooted is a fitness coaching community for South Asians. For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), Rooted is the "data controller" for the personal data described here.
If you have any questions about this policy or your data, email us at hello@example.com.
What we collect
Depending on how you use Rooted, we may collect:
- Account details — your email address and password (passwords are stored securely by our authentication provider, never in plain text).
- Profile information — your name or username, and details you choose to add such as your fitness goal, dietary pattern, height, weight and photo.
- Check-in records — your daily check-ins, weight entries and any optional photos you attach.
- Community posts — questions, answers and comments you post, including any images you upload.
- Coach conversation messages — the messages you exchange with the AI Coach.
- Payment status — whether you have an active subscription or trial. Card payments are handled by Stripe; we do not store your card details.
Why we collect it and our lawful basis
- To provide the service (your account, check-ins, community and coach) — our lawful basis is performance of a contract with you.
- To handle payments and prevent fraud — performance of a contract and our legitimate interests in running the service securely.
- To send reminders and service messages — your consent, which you can withdraw at any time.
- Special category data. Some information you add (such as health and fitness details) may count as health data. Where it does, we rely on your explicit consent, given when you choose to enter it.
Who we share it with
We only share your data with the service providers that help us run Rooted. They act on our instructions and are not allowed to use your data for their own purposes.
- Supabase — secure hosting of our database, authentication and file storage.
- Stripe — processing subscription payments.
- Our AI provider — powering your AI Coach conversations. Your messages and relevant context are sent so the coach can reply.
- Our email provider — sending reminders and account emails.
We may also disclose data if the law requires it. We do not sell your personal data to anyone.
How long we keep it
We keep your personal data for as long as you have an account. If you delete your account, we delete your personal data from our active systems, except where we're legally required to keep certain records (for example, basic payment records for tax purposes). Backups are overwritten on a rolling basis.
Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- ask us to correct anything that's wrong;
- ask us to delete your data;
- object to or restrict certain processing, and withdraw consent at any time;
- complain to the Information Commissioner's Office (ICO), the UK regulator, at ico.org.uk. We'd appreciate the chance to help first, so please contact us before you do.
To exercise any of these rights, email us at hello@example.com.
How deletion works
You can delete your account yourself at any time. Go to Settings and use the Delete account button. This removes your profile, check-ins, community posts, coach conversations and other personal data from Rooted. Deletion is permanent and can't be undone.