Privacy policy.

Effective 2026-06-01 · Olive Root Tech LLC · Norfolk, Virginia

The short version We collect the data you put into Rooted OS™ to make the product work for you. We don't sell it. We don't share it with advertisers. We delete it when you ask. We secure it as carefully as we'd want our own.

1. Who we are

Rooted OS™ is operated by Olive Root Tech LLC, a Virginia limited liability company based in Norfolk. When this policy says "we," "us," or "Olive Root Tech," that's who we mean. When it says "you," that's anyone who uses Rooted OS — operators (organization administrators), staff, members, parents, and visitors.

2. What we collect

You provide directly

Account info: name, email, role, password (hashed, never stored in plain text)
Organization info: name, address, contact details, brand assets (logo, colors)
Member data: anything you import or add (names, emails, phone numbers, giving history, attendance, notes, photos)
Content: announcements, sermons, documents, chat messages, AI-generated drafts
Payment info: routed directly to Square/Stripe — we never see your card number

We collect automatically

IP address and basic device info (browser, OS) for security and rate limiting
Logs of API requests and admin actions (audit trail)
Aggregated usage metrics (which modules are used, how often) — never tied back to individual non-admin users

What we don't collect

We don't run third-party advertising trackers (no Google Ads pixel, no Meta pixel)
We don't sell or share data with third-party advertisers
We don't use member data to train external AI models without explicit consent

3. How we use it

To deliver the Rooted OS platform to you
To send transactional emails (sign-in links, receipts, workflow notifications)
To secure the platform (audit logs, rate limiting, fraud prevention)
To improve the product (aggregated, de-identified usage metrics)
To support you when you ask for help

4. AI & third-party processors

Rooted OS uses these third-party services. Your data passes through them only as needed to deliver the platform:

SendGrid (Twilio) — sends transactional email
Anthropic Claude — generates AI copy drafts from the inputs you provide. Anthropic does not train on Rooted OS data per their commercial-tier API terms.
Cloudflare R2 — stores uploaded files (logos, photos, documents)
Railway — hosts the application
Square / Stripe — processes payments. They handle PCI compliance; we never store card data.

We use Anthropic's Claude only with data you explicitly submit (Q1-Q5 answers, content drafts). We do not feed member PII into prompts unless you explicitly ask us to (e.g., "draft an email to John").

5. Children's data · COPPA / FERPA

Rooted OS is not directed at children under 13. We don't knowingly collect data directly from children. When an organization (like a childcare center or school) uses Rooted OS to manage child records, that organization is the data controller; we are the data processor.

If you operate a childcare center, school, or any organization handling minors' data:

You are responsible for parental consent (COPPA) where applicable
You are responsible for educational record compliance (FERPA) where applicable
Rooted OS provides secure data isolation per tenant, role-based access, and audit logs — these support but do not constitute compliance
We do not certify the platform as COPPA-compliant or FERPA-compliant out of the box; operators must configure and verify their own setup

6. Health data · HIPAA

Rooted OS is not currently a HIPAA-covered platform. We will sign Business Associate Agreements only on enterprise plans with verified technical configuration. Do not store Protected Health Information (PHI) in Rooted OS unless you have explicitly arranged HIPAA terms with us in writing.

7. Security

Passwords are hashed with bcrypt; never stored or logged in plain text
Sessions use signed JWT cookies (httpOnly, secure in production)
Tenant data is isolated by org_id in every database query
Uploads pass through MIME-type allowlists before storage
Rate limiting on authentication, API, and admin endpoints
Daily backups (encrypted at rest)

We have not yet completed an external penetration test. We will publish results when we do.

8. Your rights

Access: request a copy of your data in machine-readable form
Correction: ask us to fix incorrect data
Deletion: ask us to delete your account and associated data
Portability: export your data in standard formats (CSV, JSON)
Restriction: ask us to pause certain processing

Email info@oliveroottech.com with subject "Data request" and we'll respond within 30 days.

9. Retention

Active accounts: data retained for the life of your subscription
Cancelled accounts: archived for 90 days, then permanently deleted unless you've exported it
Audit logs: retained for 7 years (financial compliance support)
Backups: rotated on a 30/90/365-day schedule

10. Where we store data

Primary servers are in the United States (Railway US-East). File uploads are in Cloudflare R2 (global edge). We don't currently offer EU or other regional residency; we will when our first regulated customer requires it.

11. Changes to this policy

We update this policy as the platform evolves. Material changes will be emailed to organization owners. The "Effective" date at the top reflects the current version. Prior versions are available on request.

12. Contact

Email: info@oliveroottech.com
Address: Olive Root Tech LLC · Norfolk, Virginia · United States