Privacy Policy

Last updated: April 15, 2026

This Privacy Policy describes how RootCX ("RootCX", "we", "us") collects, uses, stores, and discloses personal data in connection with our websites, hosted platform, developer tools, and self-hosted software (collectively, the "Services").

We are committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR) and applicable European and Belgian data protection laws.

Contents

  1. Scope and applicability
  2. Data we collect
  3. Why we process your data
  4. AI agents and model providers
  5. Who we share data with
  6. International data transfers
  7. Data retention
  8. Data security
  9. Your rights
  10. Cookies and tracking
  11. Children’s privacy
  12. Self-hosted deployments
  13. Changes to this Policy
  14. Contact

1. Scope and applicability

This Privacy Policy applies to:

  • visitors to our websites (including rootcx.com);
  • customers and their authorized users of the Services;
  • individuals who communicate with us for sales, support, or contractual purposes.

If your personal data is uploaded or processed by a customer through our Services, the customer is the data controller and we act as a data processor on its behalf. In that case, the customer's privacy policy governs how your data is handled. If you have questions about such processing, please contact the customer directly.

For personal data we collect in our own capacity (account registration, website analytics, billing), we are the data controller.

2. Data we collect

We collect only the personal data necessary to provide, secure, and improve the Services. The categories below describe what we collect and when.

| Category | Examples | When collected |
|---|---|---|
| Identity & contact | Name, email, company, job title | Account signup, contact forms |
| Credentials | Hashed passwords, SSO tokens, API keys | Authentication |
| Technical & usage | IP address, browser type, device info, session duration, pages visited, feature usage | Automatically during use |
| Billing & transactions | Company address, VAT/tax ID, subscription records, payment method (processed by Stripe) | Checkout, invoicing |
| Communications | Support tickets, emails, in-product messages | When you contact us |
| Audit logs | User actions within a project (login, data access, configuration changes) | Automatically during use |

We do not intentionally collect special categories of data (e.g., health, biometric, political opinions). If you believe such data has been submitted in error, contact us so we can delete it.

3. Why we process your data

| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Services and manage your account | Performance of a contract |
| Process billing and collect payments | Performance of a contract |
| Send transactional communications (account confirmations, security alerts, billing receipts) | Performance of a contract |
| Respond to support requests and inquiries | Performance of a contract / Legitimate interest |
| Improve service reliability, performance, and features | Legitimate interest |
| Monitor and enforce security and acceptable use | Legitimate interest / Legal obligation |
| Produce aggregated, de-identified analytics | Legitimate interest |
| Comply with tax, accounting, and legal obligations | Legal obligation |
| Send product updates or marketing (only with consent) | Consent |

Where we rely on legitimate interest, we have assessed that our interest does not override your fundamental rights and freedoms. You can request details of these assessments by contacting us.

4. AI agents and model providers

RootCX lets customers configure AI agents that call third-party model providers (for example, Anthropic, OpenAI, Mistral) using credentials the customer supplies. When an agent runs:

  • Customer Data sent to the model provider is governed by the model provider's terms and privacy policy, not this Policy. We recommend customers review their provider's data handling before enabling AI features.
  • We do not use Customer Data to train models. We do not operate our own foundation models and do not feed Customer Data into any training pipeline.
  • Audit logging. Every agent action is recorded in the project's audit log so the customer can review what data was accessed and what actions were taken.

5. Who we share data with

We do not sell personal data. We share data only in the following circumstances:

  • Service providers (subprocessors). We use a limited set of providers to operate the Services: cloud infrastructure, payment processing (Stripe), transactional email, and error monitoring. Each subprocessor is bound by a data processing agreement and processes data solely on our instructions.
  • Customer-enabled integrations. When a customer connects a third-party service (e.g., Notion, Gmail, Salesforce, Slack, GitHub, Stripe), data flows to that service under the customer's control and the third party's terms.
  • Legal requirements. We may disclose data where required by law, regulation, or valid legal process, or to protect the rights, safety, or property of RootCX, our customers, or the public.
  • Business transfers. In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will notify affected users before their data is subject to a different privacy policy.
  • Professional advisors. Auditors, legal counsel, and accountants bound by professional secrecy obligations.

A current list of subprocessors is available on request at legal@rootcx.com.

6. International data transfers

RootCX is based in Belgium. Some of our subprocessors operate outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

  • European Commission adequacy decisions;
  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • supplementary measures where required by the circumstances of the transfer.

Customers who self-host RootCX control where their data resides and are responsible for their own transfer mechanisms.

7. Data retention

We retain personal data only as long as necessary for the purposes described in this Policy or as required by law. General retention periods:

| Data type | Retention period |
|---|---|
| Account data | Duration of the contract + 90 days after termination |
| Customer Data (Cloud) | Duration of the subscription; exportable for 30 days after termination, then deleted |
| Billing data | As required by Belgian and EU financial regulations (typically 7 years) |
| Audit logs | Per plan (7 days Free, 30 days Pro, 1 year Team/Enterprise) |
| Support communications | Up to 365 days after resolution |
| Website analytics | 26 months (aggregated and de-identified where possible) |

When data is no longer needed, we delete or anonymize it. Backups are purged on their normal rotation schedule.

8. Data security

We implement commercially reasonable technical and organizational measures to protect personal data, including:

  • encryption in transit (TLS 1.2+) and at rest;
  • role-based access controls and principle of least privilege;
  • encrypted secrets vault for API keys and credentials;
  • immutable audit logging of administrative and data-access events;
  • regular security reviews and dependency monitoring.

No system is completely secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant supervisory authority in accordance with GDPR Article 33 (within 72 hours where feasible).

9. Your rights

Under the GDPR and applicable data protection laws, you have the following rights regarding the personal data we control:

  • Access — obtain confirmation of whether we process your data and request a copy.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your data where there is no compelling reason for continued processing.
  • Restriction — request that we limit processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest, including profiling.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at legal@rootcx.com. We will respond within 30 days. We may ask for proof of identity before processing your request. Some data may be retained where required by law or for legitimate business purposes (e.g., billing records).

If you believe we have not handled your request appropriately, you have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) or the supervisory authority in your country of residence.

10. Cookies and tracking

We use the following types of cookies and similar technologies:

| Type | Purpose | Consent required |
|---|---|---|
| Strictly necessary | Authentication, session management, security | No (essential) |
| Functional | Preferences, language, theme | No (essential) |
| Analytics | Aggregate usage statistics, performance monitoring | Yes |

We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent the Services from functioning correctly.

11. Children’s privacy

The Services are not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Self-hosted deployments

When you self-host RootCX, your data stays on your infrastructure. We do not have access to it unless you explicitly grant access (for example, for support). This Privacy Policy does not govern data processed exclusively on self-hosted instances. You are responsible for your own privacy compliance in that context.

13. Changes to this Policy

We may update this Policy to reflect changes in our practices, the Services, or applicable law. If a change is material, we will notify you at least 30 days in advance by email or in-product notice. Non-material changes take effect when posted. The "Last updated" date at the top indicates the most recent revision.

14. Contact

For privacy-related questions, data subject requests, or to request our subprocessor list or Data Processing Addendum, contact us at legal@rootcx.com.

RootCX — Belgium. For general inquiries: contact@rootcx.com.

This document does not constitute legal advice. RootCX recommends you consult your legal counsel for compliance questions specific to your use case.

© 2026 RootCX Inc. All rights reserved.
