Our Commitment to Data Privacy and Security

Effective Date: March 12, 2026
Last Updated: March 12, 2026

Notice to California Residents: This Privacy Policy contains important information about your rights under California law. Please see Section 9 for California-specific disclosures.

Root Evidence, Inc. (“Root Evidence,” “we,” “us,” or “our”) is committed to protecting personal data and handling it responsibly. This Privacy Policy describes how we collect, use, disclose, and otherwise process personal data (also referred to as "personal information" under California law) in connection with our website, platform, and related business operations.

[For individuals in the European Economic Area, United Kingdom, or Switzerland: This Privacy Policy also describes how we process "personal data" as defined under the General Data Protection Regulation (“GDPR”) and UK GDPR.]

This Privacy Policy applies to personal data collected from website visitors, prospective customers, customers, business partners, and other individuals who interact with us in a business context.

1. Personal Data We Collect

‍We may collect the following categories of personal data:

‍Information provided directly by you, such as:
‍
-name
-business
-email address
-phone number
-company name
-job title
-account and login information
-billing, contracting, and payment-related information
-communications submitted through forms, demos, onboarding, or support channels

‍Information collected automatically, such as:

-IP address
-browser type
-device and operating system information
-referring pages and URLs
-usage, log, and activity data
-date and time of access
-cookie and similar technology data

Customer data processed through the Services
In providing the Services, Root Evidence may process data made available by or on behalf of customers, including data relating to internet-facing assets, exposure intelligence, security telemetry, and associated metadata. To the extent such data includes personal data, Root Evidence processes that data in accordance with applicable contractual commitments and customer instructions.

[For Customers subject to the GDPR: When processing personal data on behalf of customers, Root Evidence acts as a data processor and processes such data only on documented instructions from the customer (data controller), in accordance with Article 28 GDPR and any applicable Data Processing Agreement.]

2. Purposes of Processing

‍We process personal data for the following purposes:

-to provide, administer, and support the Services
-to manage accounts, contracts, and commercial relationships
-to respond to inquiries, schedule demos, and provide customer support
-to operate, secure, maintain, and improve our website and Services
-to detect, prevent, and investigate fraud, abuse, security incidents, and unauthorized access
-to comply with legal, regulatory, and contractual obligations
-to protect the rights, property, and safety of Root Evidence, our customers, and others
-to carry out legitimate business operations, including internal reporting, analytics, and service improvement

Where permitted by law, we may also use aggregated and de-identified information for analytics, product development, benchmarking, and business operations. Under California law, we de-identify information in accordance with the standards set forth in California Civil Code Section 1798.140(m).

3. Legal Bases for Processing

‍Where the GDPR, UK GDPR, or similar laws apply, we process personal data on one or more of the following legal bases:

-performance of a contract
-compliance with a legal obligation
-legitimate interests, including operating, securing, and improving our business and Services
-consent, where required by applicable law [Under GDPR, consent must be freely given, specific, informed, and unambiguous]

4. Disclosure of Personal Data

‍We do not sell personal data. California residents: We do not "sell" or "share" personal information as those terms are defined under the California Consumer Privacy Act (Cal. Civ. Code 1798.140).

We may disclose personal data:

-to service providers, subprocessors, and advisors that support our business and Services
-to affiliates, where necessary for internal administrative purposes
-where required by law, regulation, legal process, or governmental request
-to protect the rights, security, and integrity of Root Evidence, our customers, or others
-in connection with an actual or proposed merger, acquisition, financing, reorganization, bankruptcy, or sale of assets
-as otherwise directed or authorized by the relevant customer or individual.

5. Cookies and Similar Technologies

‍We use cookies and similar technologies to operate our website, analyze traffic, improve functionality, and support security and performance. You may control cookies through your browser settings, subject to certain limitations in website functionality.Where required by law, we will obtain consent before using non-essential cookies. [For users in the EU/UK: We comply with the ePrivacy Directive and obtain consent for cookies that are not strictly necessary, in accordance with GDPR Article 6(1)(a).] For California residents: You have the right to opt out of the sale or sharing of personal information collected through cookies. To exercise this right, please [insert specific opt-out mechanism, such as "click here" or "visit our Cookie Preferences Center" or "enable the Global Privacy Control signal in your browser"].

6. Retention

‍We retain personal data for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and protect our legitimate business interests. 
‍
Specific retention periods include (without limitation):

-Account and contract data: Duration of the business relationship plus [7] years for legal and tax compliance.
-Support and communication records: [3] years from last interaction.
-Website usage and analytics data: [24] months.
-Security and fraud prevention logs: [12] months unless longer retention is required by law.

[Under GDPR Article 5(1)(e), we limit retention to what is necessary for the purposes of processing. California residents may request information about our retention practices by contacting us.]

7. International Transfers

‍Personal data may be transferred to and processed in countries other than the country in which it was collected, including to the United States. Where required by applicable law, we implement appropriate safeguards for cross-border transfers of personal data, including Standard Contractual Clauses approved by the European Commission (for EEA transfers), the UK International Data Transfer Agreement or Addendum (for UK transfers), or other lawful transfer mechanisms recognized under applicable law. [For GDPR compliance: We ensure that international transfers comply with Chapter V of the GDPR, including Articles 44-50, and we conduct transfer impact assessments where required.]

8. Data Protection Rights

‍Depending on your jurisdiction, you may have rights regarding your personal data, including the right to:

-request access to personal data
-request correction of inaccurate personal data
-request deletion of personal data
-object to or request restriction of certain processing
-request portability of personal data
-withdraw consent where processing is based on consent
-lodge a complaint with a supervisory authority

To exercise applicable rights, please contact us at [privacy@rootevidence.com]. We will respond to verified requests within the timeframes required by applicable law, including without limitation [within 30 days under GDPR Article 12(3), or] within 45 days under California law (with possible extension).

[Under GDPR requirements, we may request additional information to verify your identity before responding to rights requests. We will not charge a fee for requests unless they are manifestly unfounded, excessive, or repetitive, in accordance with Article 12(5) GDPR.

For California residents: We will acknowledge receipt of your request within 10 days and respond within 45 days, with a possible 45-day extension where reasonably necessary. We will not discriminate against you for exercising your rights under the CCPA/CPRA.]

9. California Privacy Notice

‍If you are a California resident, you may have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), including:

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information.

Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.

Right to Correct: You have the right to request correction of inaccurate personal information.

Right to Opt-Out: You have the right to opt out of the sale or sharing of your personal information.

Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of sensitive personal information to certain permitted purposes.

Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights.

Right to Opt-Out of Automated Decision-Making: Where applicable, you have the right to opt out of automated decision-making technology, including profiling, in furtherance of decisions that produce legal or similarly significant effects.

You may designate an authorized agent to submit requests on your behalf. We may require verification of both your identity and the authorized agent's authority to act on your behalf, and may require you to directly confirm your identity and the permission granted to the authorized agent.Root Evidence does not sell personal information and does not share personal information for cross-context behavioral advertising.California residents may exercise applicable rights by contacting us at [privacy@rootevidence.com]. We will respond to verifiable consumer requests within 45 days of receipt, or notify you if we require additional time (up to 90 days total).

10. Customer Data and Controller/Processor Roles

‍To the extent Root Evidence processes personal data on behalf of customers in providing the Services, Root Evidence acts as a processor or service provider [, and where applicable, as a data processor under the GDPR,] and the relevant customer remains the controller or business [, or data controller under the GDPR,] as those terms are defined under applicable law, including the CCPA [and GDPR] where applicable.Customers are responsible for ensuring they have an appropriate legal basis under applicable law [, including under Article 6 of the GDPR where applicable,] to provide personal data to Root Evidence for processing through the Services, and for complying with their obligations as a controller or business under the CCPA [and, where applicable, as a data controller under the GDPR].

11. Security

‍Root Evidence maintains reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, and destruction. No security measure is absolute, and we cannot guarantee complete security.

‍12. Third-Party Sites

‍Our website or Services may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties, and we encourage review of their privacy notices.1

3. Changes to This Privacy Policy

‍We may update this Privacy Policy from time to time. Any changes will be reflected by updating the “Last Updated” date above. Where required by law, we will provide additional notice of material changes.

‍14. Contact Information

‍If you have questions about this Privacy Policy or wish to exercise applicable privacy rights, please contact us at:

‍Root Evidence, Inc.
8059 W Preece Dr #1029
Boise, ID 83704
[privacy@rootevidence.com]

‍

‍‍