introduction
This Privacy Policy explains how BlushLabs.io LLC ("Roots," "we," "our," or "us") collects, uses, stores, and protects your personal information when you use the Roots mobile application and related services (collectively, the "Service").
Roots is a hair tracking application designed for women with textured hair. We help you track your wash days, log products, monitor your hair's progress over time, and understand patterns in your routine. We built Roots because we believe your hair journey is yours, and the data you create while using our Service should be treated with the same care.
This policy applies to all users of the Service, regardless of where you live. We've worked to make this policy clear and readable rather than dense and legalistic. If you have questions about this policy or your privacy rights, contact us at privacy@therootsapp.io. For general questions, contact us at hello@therootsapp.io.
who we are
Roots is operated by:
BlushLabs.io LLC
1700 Northside Dr NW, Ste A7 #7200
Atlanta, GA 30318
United States
Privacy inquiries: privacy@therootsapp.io
General inquiries: hello@therootsapp.io
BlushLabs.io LLC is a limited liability company registered in the state of Georgia, United States, and serves as the data controller for the Service.
what data we collect
We collect the following categories of personal information when you use Roots:
account information
When you create an account, we collect:
- Your email address
- Your password (stored only in hashed/encrypted form — we never see your actual password)
- Your first name (optional, used to personalize your experience)
If you choose to sign in using a third-party authentication provider (such as Apple, Google, or another social platform), we receive only the information that provider chooses to share with us — typically your email address and a unique account identifier. We do not receive your social media profile, posts, friend list, or any other content from that provider.
hair profile information
When you complete onboarding and use the app, you provide:
- Your hair texture type (e.g., 3A-4C, straight, wavy, locs)
- Your hair length category
- Your wash frequency preferences
wash day activity
When you log a wash day, we collect:
- The date of your wash
- Wash type (e.g., full wash, conditioner-only)
- Products you used
- Treatments performed (e.g., deep conditioning, protein treatment)
- Notes you choose to add
- Photos you choose to capture or upload
product cabinet activity
When you use the products tab, we collect:
- Products you add to your "using," "tried," and "want to try" shelves
- Star ratings you assign to products
- Notes you write about products
- The dates you began using or stopped using products
photos and sensitive personal information
We treat your hair photos as sensitive personal information because they are images of you. This means we apply heightened protections:
- Photos are encrypted in transit and at rest
- Photos are stored only in association with your account
- Photos are never shared with third parties for marketing, advertising, or research purposes
- Photos are never used to train AI or machine learning models
- You can delete any photo at any time from the app
- When you delete your account, all photos are permanently removed from our systems
technical information
We automatically collect limited technical information to operate the Service:
- Device type (e.g., iPhone model)
- Operating system version
- App version
- General timezone information (to display dates correctly)
We do not collect precise location data. We do not collect your contacts. We do not access your camera roll without your explicit permission, and only to retrieve photos you choose to share with Roots.
usage and analytics data
We use third-party analytics services to understand how users interact with Roots. This helps us improve the Service, identify bugs, and prioritize new features. Analytics data we collect includes:
- An anonymous identifier assigned to your device or account (not linked to your email address in our analytics tools)
- Screen views and navigation patterns (e.g., which screens you open, in what order, and for how long)
- Feature usage (e.g., when you log a wash day, add a product, or upload a photo — but NOT the contents of those logs, products, or photos)
- App performance metrics (e.g., load times, crashes, errors)
- Device metadata (e.g., iOS version, device model, app version)
What we do not send to analytics services:
- Your photos
- The contents of your wash day logs, notes, or hair profile
- Your product ratings or notes
- Your email address
- Any data that could directly identify you outside the app
Analytics data helps us improve Roots — it does not give us or any third party visibility into your personal hair journey.
what we don't collect
To make this absolutely clear, here's what we do not collect:
- We do not collect data about other apps on your device
- We do not collect your contacts, calendar entries, or messages
- We do not track your precise location
- We do not collect data from third-party hair tracking apps, even if you grant such permissions on your phone
- We do not collect biometric data from your photos (no facial recognition, no body measurement extraction)
- We do not use cookies or web tracking on our mobile app
- We do not use third-party advertising SDKs
how we use your information
We use your personal information only for the following purposes:
to provide the service
We use your account information to authenticate you. We use your hair profile, wash day logs, products, and photos to display your data back to you, generate your progress timeline, and surface patterns in your routine.
to communicate with you about your account
We may use your email address to send service-related messages such as password resets, security alerts, or important changes to our policies. These are not promotional emails — you cannot opt out of them as long as you have an active account.
to improve the service
We may analyze aggregated, anonymized usage patterns (e.g., "what percentage of users complete onboarding") to improve Roots. This analysis never identifies individual users and never includes the contents of your hair logs or photos.
to comply with legal obligations
We may use or disclose your information when required by law, court order, or government request, or to protect the safety, rights, or property of Roots, our users, or others.
who we share your data with
We do not sell your personal data. We will never sell your personal data.
This is an unconditional commitment. Even if Roots is acquired in the future, the terms of this Privacy Policy and the commitment to not sell user data will be preserved in any transition.
We share your data only with the following categories of recipients, and only as necessary to operate the Service:
service providers (data processors)
We use the following trusted service providers to operate Roots. These providers act as data processors on our behalf and are contractually prohibited from using your data for any purpose other than providing services to us:
- Supabase Inc. — Provides our database, authentication, and file storage infrastructure. Supabase is based in the United States. Your data is stored in Supabase's secure AWS-based servers in the US-East-1 region.
- Apple Inc. — Provides the App Store and TestFlight infrastructure through which you download and update Roots. Apple's collection and use of data is governed by Apple's own privacy policy.
- Third-Party Analytics Providers — We use a third-party analytics service to understand app usage patterns and improve the Service. Analytics providers receive anonymized usage data as described in the "Usage and Analytics Data" section above. They do not receive your photos, hair logs, notes, or any sensitive content. We will update this policy with the specific provider name when we have selected and integrated one.
legal authorities
We may disclose your information to law enforcement, regulators, or other government agencies if legally required to do so. We will challenge overly broad or improper requests where we believe doing so is in our users' interests.
what we don't share
- We do not share your data with advertisers
- We do not share your data with data brokers
- We do not share your data with researchers, academic or commercial
- We do not share the contents of your hair logs, photos, products, or notes with any third party, including analytics providers
If you choose to sign in to Roots using a third-party authentication provider (such as Apple, Google, or another social platform), that provider will receive limited information confirming you have a Roots account. This is the minimum required to enable sign-in. We do not share your hair journey content with these providers, and they do not share your activity within Roots back to us beyond what is needed to authenticate you. Each authentication provider has its own privacy policy, which we encourage you to review.
your privacy rights
You have the following rights regarding your personal data, regardless of where you live:
access
You can see all the data Roots has about you at any time directly within the app. Your hair profile, wash day logs, products, and photos are all visible to you.
correction
You can edit your hair profile, modify your wash day logs, update your product ratings and notes, and replace your photos at any time within the app.
deletion
You can delete any individual wash day log, product entry, or photo within the app. You can also delete your entire account at any time from the Profile tab, which permanently removes all of your data from our systems within 30 days.
portability
You can request a copy of your data in a machine-readable format by contacting us at privacy@therootsapp.io. We will provide it within 30 days.
objection
You can object to specific uses of your data by contacting us at privacy@therootsapp.io. We will respond within 30 days.
withdraw consent
You can withdraw your consent to data processing at any time by deleting your account. Note that withdrawing consent means we can no longer provide the Service to you.
additional rights for specific regions
For California residents (CCPA/CPRA): You have the right to know what personal information we collect, to delete your personal information, to opt out of the sale of personal information (which we don't do anyway), and to non-discrimination for exercising these rights. To exercise these rights, contact us at privacy@therootsapp.io.
For EEA, UK, and Swiss residents (GDPR/UK GDPR): You have the rights described above, plus the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.
To exercise any of these rights, email us at privacy@therootsapp.io. We will respond within 30 days.
data security
We take reasonable technical and organizational measures to protect your personal information:
- All data is encrypted in transit using TLS
- Stored data is encrypted at rest using industry-standard encryption (AES-256)
- Access to user data is restricted to authorized personnel only
- We use strong authentication for our administrative systems
- We monitor for unauthorized access attempts
No system is perfectly secure. If we ever experience a data breach that affects you, we will notify you within 72 hours of discovery in accordance with applicable law.
data retention
We retain your data only as long as necessary:
- Active account data: Retained for as long as your account is active
- Deleted data: Permanently removed from our systems within 30 days of account deletion
- Backups: May persist for an additional 30 days before being overwritten
- Legal obligations: We may retain certain data longer if required by law (e.g., financial records for tax purposes)
children's privacy
Roots is intended for adult users. The minimum age to use Roots is 13 (16 in the European Economic Area, the United Kingdom, and Switzerland).
We do not knowingly collect personal information from children under 13. If we discover that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly.
Important: Adults using Roots must not log photos of children (anyone under 13) in the app. Photos uploaded to Roots should only depict the account holder, who must be 13 or older.
If you believe we have collected personal information from a child under 13, please contact us immediately at privacy@therootsapp.io.
international data transfers
Roots is operated from the United States, and your data is stored on servers located in the United States (specifically, AWS US-East-1 via Supabase).
If you access Roots from outside the United States, your data will be transferred to, processed in, and stored in the United States. By using Roots, you consent to this transfer.
For users in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission as the legal basis for transferring your data to the United States.
changes to this policy
We may update this Privacy Policy from time to time as our practices evolve or as required by law. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you within the app and via email at least 30 days before the changes take effect
- We will explain what changed and why
Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
contact us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or have any other privacy-related concern, please contact us:
Privacy inquiries (data rights, deletion, GDPR/CCPA requests): privacy@therootsapp.io
General inquiries (support, feedback, anything else): hello@therootsapp.io
Mail:
BlushLabs.io LLC
1700 Northside Dr NW, Ste A7 #7200
Atlanta, GA 30318
United States
We will respond to your inquiry within 30 days.
This Privacy Policy was last updated on May 12, 2026.