GDPR Compliance

GDPR readiness in plain language.

The architecture is intentionally local-first to minimize what Rooted Reality processes server-side. This page describes the parts that do involve server processing and how we are planning for EU and UK data-subject rights.

Processing Summary

The current public GDPR summary.

This document reflects the current product architecture and is pending attorney review before commercial launch. EU users should note that no marketing is currently directed at EU residents.

Activities

Processing activities and legal bases.

Processing activity                 | Legal basis                                | Data categories                                           | Retention
------------------------------------|--------------------------------------------|-----------------------------------------------------------|----------------------------------------------------------
Account creation and authentication | Contract performance                       | Email address, password hash                              | Until account deletion + 30 days
License and subscription management | Contract performance                       | License records, subscription status, Stripe Customer ID  | 7 years (billing/tax compliance)
License validation on app startup   | Contract performance                       | License token only; no behavioral data                    | Per session; not stored server-side
Transactional email delivery        | Contract performance / legitimate interest | Email address, recovery link                              | Governed by email provider; not stored by Rooted Reality

Rights

Data-subject rights that matter for this product.

Right of access (Art. 15)

Request a copy of all personal data we hold about you. We will provide it within 30 days of the request, inside the one-month deadline set by Art. 12(3).

Right to rectification (Art. 16)

Request correction of inaccurate personal data. Contact us with the updated information.

Right to erasure (Art. 17)

Request deletion of your account and all associated server-side data. Local device data remains under your control and can be cleared directly in the desktop app.

Right to data portability (Art. 20)

Request your account data in a machine-readable format. Local posture data is already stored locally and is directly accessible to you.

Right to object (Art. 21)

Object to processing based on legitimate interest. We currently rely on legitimate interest only for transactional email.

Right to restriction (Art. 18)

Request that we restrict processing of your data while a dispute is resolved.

Processors And Controls

Processor list and current security posture.

Stripe
Purpose: Payment card processing and subscription management
Location: United States (Stripe Inc., with EU SCCs for EU data)
DPA: Available at stripe.com/legal/dpa

Transactional email provider
Purpose: Account recovery and billing emails
Location: To be confirmed on provider selection
DPA: To be executed before EU launch

Hosting (Vercel)
Purpose: Web platform hosting
Location: United States / EU edge nodes
DPA: Available at vercel.com/legal/dpa

Passwords

bcrypt-hashed (cost 12); plaintext is never stored. Note that bcrypt only uses the first 72 bytes of its input, so longer passphrases are silently truncated unless the application rejects or pre-hashes them.

Transport

TLS 1.2+ on all server endpoints

License tokens

HMAC-SHA256 signed - validated server-side on every app start

Local data

Stored in the OS user-profile directory with OS-level access controls

Webhooks

Stripe-Signature header verified on every webhook delivery

Admin access

Protected by HTTP Basic Auth; upgrade to session-based auth planned before commercial launch. Basic Auth resends the credentials on every request, so this control depends on the TLS 1.2+ transport above.