Privacy Policy
Privacy, in plain language.
Rooted Reality is built to keep household awareness local, reduce hidden inspection, and explain its privacy boundaries clearly. The most sensitive behavioral data stays on the device by default.
Boundaries
What stays local, what reaches servers, and what we never collect.
What stays on-device
- Foreground app name
- Browser hostname and path prefix
- Session timestamps
- Block-rule events
- Posture aggregates and new-source review lists
What can reach our servers
- Email address and password hash
- License and subscription status
- Stripe customer and subscription reference IDs
What we do not collect
- Page content or message text
- Query parameters or URL fragments
- Passwords or form inputs
- Microphone, camera, or location data
- Hidden employee or partner monitoring data
Privacy Matrix
What stays local, what reaches servers, and what is never collected.
A detailed breakdown of every data class, where it lives, and why.
Stays on this device
Foreground app name
The name of the app currently in use stays on the device and is never sent to our servers.
Browser hostname and path prefix
Domain-level context used for local posture signals. Full URLs and page content are not recorded.
Session timestamps
When a session starts and stops is stored locally to build posture aggregates on-device.
Block-rule events
Records of which rules were triggered stay on the device for the guardian to review.
Posture aggregates
Summarized posture signals are computed and stored locally. Raw behavioral data does not leave the device.
New-source review lists
Lists of newly encountered sources are kept on-device for guardian review before any action.
Reaches our servers
Email and password hash
Used for authentication only. Passwords are hashed before storage and never stored in plain text.
License and subscription status
Tracks whether the account has an active subscription so the app can enable licensed features.
Stripe reference IDs
Customer and subscription identifiers used by Stripe for billing. No behavioral data is attached.
Never collected
Page content or message text
We do not read, store, or transmit the content of pages visited or messages sent.
Query parameters or URL fragments
Search terms, URL parameters, and hash fragments are excluded from all data collection.
Passwords or form inputs
Form field values, including passwords and personal inputs, are never captured.
Microphone, camera, or location
The app does not request or access microphone, camera, or geolocation permissions.
Hidden partner monitoring
There is no covert data sharing with employers, partners, or third parties.
Local Control
The user controls the local posture store.
Local control
Local posture data lives in the app's local store and can be cleared by the user. The server has no copy of raw behavioral events to recover later.
No server copy of behavioral data
Raw behavioral events, posture signals, and guardian data are never transmitted off-device. The server has no copy to recover, share, or expose.
No analytics in v1
The launch plan excludes analytics SDKs and telemetry. Billing and account systems remain separate from posture systems.
Browser Companion
The browser companion is there to enrich local posture, not to build a cloud browsing log.
The browser companion communicates with the desktop app locally on the device. It provides hostname context only and does not create an internet-routed copy of behavioral posture data.
Hostname only
Domain and path prefix, not full-page contents.
No internet relay
Desktop and browser companion talk locally on the device.
Visible coverage
The product can show whether the browser bridge is connected.
See the signals these boundaries support.
Every signal Rooted Reality can surface is grounded in the local-first data boundaries described above. Browse the full dictionary.