Privacy Policy
Effective date: May 21, 2026
1. Introduction
ClientRoot (“we,” “us,” or “our”) operates the ClientRoot field operations management platform (“Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
Information you provide directly
- Account information: email address, password (stored as a secure hash)
- Organization information: business name, phone number, address
- Customer records: names, phone numbers, email addresses, service addresses, gate codes, and service notes that you enter for your own customers
- Job and schedule data: service types, dates, notes, pricing
- Invoice data: billing amounts, payment status
Information collected automatically
- Log data: IP address, browser type, pages visited, time and date of access, and other standard server log information
- Session cookies: We use authentication cookies issued by Supabase to keep you signed in. These are strictly necessary for the Service to function and are not used for advertising or tracking.
Payment information
We do not collect or store credit card numbers. Payment processing is handled entirely by Stripe, Inc. When you subscribe, you interact directly with Stripe's secure payment interface. We receive only a tokenized reference and high-level billing status from Stripe.
3. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process your subscription and payments
- Send transactional emails (account setup, password reset, billing receipts)
- Respond to your support requests and communications
- Monitor and improve the security and reliability of the Service
- Comply with legal obligations
We do not use your data or your customers' data for advertising, sell it to third parties, or use it to train artificial intelligence models.
4. Data Processor Role
When you enter your customers' personal information (names, addresses, phone numbers, email addresses) into ClientRoot, you are the data controller and we act as a data processor on your behalf. This means:
- You are responsible for having a lawful basis to store your customers' data and for providing them with any required privacy notices
- We process that data only as instructed by you (i.e., to provide the Service) and do not use it for our own purposes
- We will notify you promptly of any security incidents involving your customers' data
5. Information We Share
We do not sell, trade, or rent your personal information. We share information only in the following circumstances:
- Service providers (sub-processors): We use the following third-party services that may process your data:
  - Supabase, Inc. — database hosting and authentication (United States)
  - Vercel, Inc. — application hosting (United States / global CDN)
  - Stripe, Inc. — payment processing (United States)
  - Resend, Inc. — transactional email delivery (when configured)
- Legal requirements: We may disclose information if required by law, court order, or government authority, or to protect the rights, property, or safety of ClientRoot, our users, or the public.
- Business transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, with appropriate notice to you.
6. Data Retention
We retain your account data for as long as your account is active or as needed to provide the Service. If you cancel your subscription, your data is retained for 90 days to allow reactivation; after that period it is permanently deleted.
You may request deletion of your data at any time by contacting us at support@clientroot.app. We will fulfill deletion requests within 30 days, subject to any legal retention obligations.
7. Security
We implement industry-standard security measures including:
- Encryption in transit (TLS/HTTPS) for all data
- Encryption at rest for database storage (provided by Supabase)
- Row-Level Security (RLS) policies ensuring organizations can only access their own data
- Hashed password storage (your plaintext password is never stored)
- Session-based authentication with automatic timeout
No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
8. Cookies
We use only strictly necessary cookies to operate the Service:
- Authentication cookies: Set by Supabase to maintain your login session. Without these cookies, you would be signed out on every page load.
We do not use advertising cookies, third-party tracking cookies, or analytics that identify you personally. You can configure your browser to refuse cookies, but this will prevent you from using the Service.
9. Your Privacy Rights
Depending on where you are located, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information
- Portability: Request your data in a machine-readable format
- Opt-out of sale: We do not sell personal information. This right is satisfied by default.
To exercise any of these rights, contact us at support@clientroot.app. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
California residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale (we do not sell it). You also have the right not to be discriminated against for exercising these rights.
EEA/UK residents (GDPR/UK GDPR): Our lawful basis for processing your account data is contract performance (to provide the Service you subscribed to). For communications, our lawful basis is legitimate interest. You have the right to lodge a complaint with your local supervisory authority.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a minor without parental consent, we will take steps to delete that information.
11. International Data Transfers
Our Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States, where data protection laws may differ from your jurisdiction. By using the Service, you consent to this transfer.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated effective date and, where required by law, by emailing you. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
ClientRoot
Email: support@clientroot.app