How Rootscript collects, uses, and protects data

This Privacy Policy applies to the Rootscript marketing site, application, onboarding flows, checkout flows, blog, support interactions, and related services that link to or reference this policy. In this policy, "Rootscript," "we," "us," and "our" refer to the operator of Rootscript and rootscript.io.

By using the service, you acknowledge that Rootscript needs to process certain data to authenticate users, provide analysis and publishing workflows, operate connected integrations, secure the service, and respond to legal obligations. If you do not agree with this policy, do not use the service.

Information you provide directly may include your name, email address, profile details, website URL, business description, target markets, competitor inputs, content instructions, generated or edited drafts, support messages, and any other information you submit through forms, emails, or the application.

Account and authentication data may include sign-in email addresses, verification email events, session identifiers, Google account details you authorize, and account profile information stored through the authentication system.

Billing and transaction data may include checkout session identifiers, Stripe customer identifiers, payment status, product metadata, and billing email addresses returned by the payment flow. Rootscript does not intentionally store full payment card numbers in its own database.

Workspace and project data may include scanned website content, extracted page titles and headings, SEO analysis results, search opportunity data, competitor references, keyword lists, content plans, publication status, authored drafts, Search Console performance data, sitemap status, and site configuration details.

Integration data may include WordPress site URLs, publishing usernames, application passwords, plugin connection keys, webhook URLs, Google Search Console refresh tokens, and related settings required to operate connected services. Rootscript encrypts certain stored credentials, including stored WordPress secrets and Google refresh tokens, when they are retained by the service.

Usage and technical data may include IP address, browser and device information, approximate location derived from network data, referrer URLs, pages viewed, interaction events, timestamps, log entries, cookies, and session data collected through the application, infrastructure, or analytics tooling.

• Create and manage user accounts, authenticate access, and maintain sessions.
• Run site scans, AI-assisted analysis, keyword research, drafting, quality scoring, and publishing workflows.
• Process purchases, connect purchased access to a workspace, and manage billing-related records.
• Send transactional emails such as sign-in links, service notices, and support responses.
• Connect, maintain, and execute third-party integrations you enable, including Google Search Console, WordPress, and webhook destinations.
• Monitor usage, detect abuse or security issues, troubleshoot failures, and improve the product.
• Enforce our terms, protect Rootscript and other users, and comply with legal obligations.

Where applicable law requires a legal basis for processing, Rootscript generally relies on one or more of the following: performance of a contract with you, your consent for optional actions or integrations, our legitimate interests in operating and securing the service, and compliance with legal obligations.

Rootscript may share information with service providers and subprocessors that help us run the service. Based on the current product implementation, these may include providers for AI processing, payments, authentication, email delivery, analytics, infrastructure, database hosting, keyword research, and connected publishing or search services, such as OpenAI, Stripe, Google, Mailgun, Vercel, MongoDB and hosting providers, DataForSEO, and destinations you choose to connect.

We may also share information when you direct us to publish or sync content to an external destination, when disclosure is necessary to investigate fraud or security issues, to enforce our agreements, to comply with law or valid legal process, or in connection with a merger, acquisition, financing, or asset transfer involving the service.

We do not sell your personal information in exchange for money. If applicable law treats certain analytics or advertising disclosures as a "sale" or "sharing," you may contact us to exercise any rights available to you under that law.

If you connect Google Search Console, WordPress, custom webhooks, or other external services, Rootscript will send and receive data needed to operate those integrations. Your use of those services is also subject to the third party's own terms and privacy practices.

When Rootscript scans a website or fetches content from a URL you submit, we process the content you instruct us to analyze. You are responsible for having the rights and permissions needed to submit that website, content, and integration credentials.

We retain personal data and workspace data for as long as reasonably necessary to provide the service, maintain account history, secure the platform, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary based on the type of data, whether the account remains active, the status of connected services, and whether we need the data for backup, audit, fraud prevention, or legal reasons.

If you request deletion, we will take reasonable steps to delete or de-identify data we control unless we need to keep certain information for legal, security, accounting, or operational reasons. Residual copies may remain for limited periods in backups or logs.

Rootscript uses reasonable technical and organizational measures designed to protect data against unauthorized access, disclosure, alteration, and destruction. Those measures may include access controls, encrypted credential storage for certain secrets, authenticated session handling, provider-side security features, and monitoring. No system is completely secure, and we cannot guarantee absolute security.

Rootscript and its service providers may process information in countries other than the country where you live. By using the service, you understand that information may be transferred to and processed in jurisdictions that may have different data protection rules than your own. Where required, we will use reasonable measures intended to support lawful cross-border transfers.

Depending on where you live, you may have rights to request access to personal data, ask for correction or deletion, object to or restrict certain processing, withdraw consent where processing is based on consent, or request a portable copy of certain data. You may also deactivate integrations, stop using the service, or contact us to request account changes.

You can control many browser-level technologies such as cookies through your browser settings. If you believe your rights have been violated, you may also have the right to complain to your local privacy or data protection regulator.

Rootscript is not directed to children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to Rootscript, contact us so we can review and delete the information if appropriate.

We may update this Privacy Policy from time to time. When we do, we will post the revised version with a new "Last updated" date. Your continued use of the service after the revised policy becomes effective means the revised policy will apply to your ongoing use, to the extent permitted by law.

For privacy questions, requests, or complaints, contact Rootscript at [email protected] or write to us through the contact methods available on https://rootscript.io.